Friday, May 17, 2019

Security Responsibilities, Extra Duties and CDCs

Periodically, Defense Security Services conducts reviews of the Cleared Defense Contractors (CDC) under their pervue to ensure classified information is protected according to NISPOM and contractual requirements. Inherently, there are tasks that the CDC must complete to demonstrate requirements, and these tasks are outside of the scope of what the contractor usually charges their customer. If the CDC does not account for costs of maintaining classified information, it could come out of hide. In many cases, small CDCs of just a few employees perform full time on classified work and then spend extra hours on demonstrating compliance that extend beyond the 8 hour day.

Documenting evidence of compliance is a challenge that many Cleared Defense Contractors (CDC) face. Compliance is checked through reviews and audits conducted by customers to ensure contractual and government requirements are met. The best practice for CDCs include conducting self-inspections and documenting events to demonstrate how the CDCs incorporate the inspectable items into their daily practices and weave them into the corporate culture.

Depending on the CDC size and scope of work, the administrative and compliance challenges increase according to the size of the staff. The fewer supporting staff, the larger the work requirement for the employee. For example, in a CDC with 1000 or more employees, the security staff may include a Facility Security Officer with a dedicated staff of 4 our more employees dedicated to a security program designed to protect classified information. This staff addresses personnel and facility security issues including classified contracts and subcontracts, security awareness training, maintenance of security clearances and investigation, annual self-inspections, and etc. The dedicated staff of overhead employees can focus on Defense Security Services (DSS) reviews and customer security requirements.

For smaller CDCs, this work may be spread out to those employees that perform security functions in addition to other duties. It’s not unusual in these cases to see a CEO or other senior executive function as an FSO or an engineer performing on classified work also charging to overhead to conduct FSO duties. Smaller CDCs are still required to perform the functions of an FSO regardless of the size of the organization. Even if they have a full time job running the company or designing the latest high tech weapon, they still need to carve out valuable time to address the personnel and facility security issues and meet customer and DSS requirements.

Some excellent ways to meet these administrative requirements is to have employees log on to the DSS CDSE website and take classes and print off the certificates of completion. This requires the employees to create an account and register for the classes. Another method is for the CDC to create their own training, present to the employees, and create a sign in sheet to show that they attended required training.

Some events that are required to occur prior to each DSS inspection include:
·         Performing a self inspection-DSS has a self inspection guide book that CDCs can download and use.
·         Conduct required training-DSS has courses employees can take these courses include the following topics: These training topics are also available to download and present from Red Bike Publishing
o   SF312 briefing for cleared employees. Newly cleared employees must be briefed on how to protect classified information.

   While larger CDCs have a dedicated staff of security professionals to address security and compliance, smaller CDCs don’t have that luxury. More time and effort is required to research, implement and then document the compliance. There are some things small CDCs can do to better manage the requirements and we hope that these newsletters and articles better assist. If you know of someone who can benefit from these articles and newsletters, please share.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: