As discussed in an earlier installment in the series covering the Self Inspection Handbook for NISP Contractors, defense contractors depend heavily on reproducing, printing, or otherwise providing hard copy documents as contractual deliverables or work products. This installment focuses on the handling and protection of the reproduced classified information. The reproductions should be accomplished by highly trained cleared employees with the required need to know. Additionally, as available, technology should be used to detect, discourage, or prevent unauthorized classified output.
5-600 Is the reproduction of classified information accomplished only by properly cleared, authorized, and knowledgeable employees?
NISPOM 5-600. General. Contractors shall establish a control system to ensure that reproduction of classified material is held to the minimum consistent with contractual and operational requirements. Classified reproduction shall be accomplished by authorized personnel knowledgeable of the procedures. The use of technology that prevents, discourages, or detects the unauthorized reproduction of classified documents is encouraged.
The Facility Security Officer should ensure that all material entering the facility, including material reproduced internally, is positively controlled. This means being able to account for its existence by format and location. Contractors could practice this control with an Information or Inventory Management Service (IMS) such as SimsSoftware or simply track with a spreadsheet. This control helps maintain traceability and accountability of the classified material by location (security container, closed area, SCIF) and format (software, document, hardware) while allowing prevention of unauthorized disclosure. One never knows what to protect if they are not aware of what exists.
The introduction of classified information controls should include reproduction. Once a document is copied, printed, or otherwise derived, it should be controlled. Classified information should only be reproduced in response to a contractual requirement such as in the performance of a deliverable. The FSO should be able to easily justify the duplication and maintain copies based on the justification.
The FSO should make the determination of how many and who to authorize to perform the tasks. This can be based on contractual needs, workload or other valid reason. However, procedures should be established that identify authorized persons and train them how and when to copy classified information and how to protect it. Procedures should include detecting and deterring unauthorized reproduction, documenting copies, marking, storing and disseminating the classified information.
A real threat may exist when an employee copies classified information in uncontrolled environments. Limiting reproduction to authorized equipment and personnel only protects classified information reproduced by trustworthy employees. It does not protect against acts of espionage where employees access classified information and copy it at uncontrolled copiers, load it to unauthorized formats, or fax it using unauthorized machines, all in an effort to remove it from the company undetected. This may be prevented by requiring a login code on reproduction equipment, putting all reproduction equipment in access controlled areas, or using technology to control all copying functions. However, the ultimate protection resides with controlling who accesses classified information, when they access it and what they do with it.
Copy machines, scanners and other reproduction equipment should be identified and designated for classified information reproduction. Where possible, technical measures should be applied to trace and log not only print commands, but also commands where electronic documents are transferred electronically or copied. The FSO could also implement controls that include a list of authorized persons, access codes or other technology to prevent unauthorized personnel, and procedures to govern the use and type of designated reproduction equipment.
Training should include classified reproduction policy, marking classified information, and derivative classification training, and should emphasize that trained and authorized personnel are the only ones prepared to and capable of reproducing classified information.
Reproduction of classified information should only be done as a last resort. Making copies generates the need to protect additional classified material, which employs resources and functions of an IMS. Only authorized employees should make copies of classified material. These authorized employees should do so only after being properly trained according to NISPOM. Such NISPOM and security training includes identifying who is authorized, equipment authorized, horizontal protection of the copied information, classification markings, and where to store or how to dispose of the copies.
- Review the list of authorized employees. If one doesn’t exist, create one.
- Provide authorized employees with adequate security training and briefings.
- Employ an IMS to help trace and account for classified copies.
- Trace all classified copies to determine origin and final disposition.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".