Saturday, January 2, 2021

Protecting classified security container combinations

 Here's an interesting scenario. Imagine you are walking the floor and talking to employees when you approach a security container and employees who controlled its access. As part of your inspection, you wanted to verify all documents were properly marked and stored appropriately. After asking for the custodian to open the container, he pulled out his cell phone and began scrolling. you asked what he had been looking for and he stated: "I can't remember the combination, but I'm sure that it's in here somewhere."

Whoa! Hold the presses. You immediately changed the combination, filed the necessary report, and investigated whether or not classified information was compromised (not necessarily in that order). You also provided a clear policy and training agenda and that problem disappeared. The story may be true or a similar situation may be familiar.   

But here's the question: Do your employees really understand how to protect classified information? Some novice cleared defense contractors and their employees may require extra and unrelenting training and diligence to make sure such situations never happen. More successful programs include security training conducted by managers and supervisors as they apply to the employee specific duties.

So who has access to your security containers? Do you limit it to only security personnel or do cleared program employees have it as well. This access depends on your program. Regardless of who has access, authorized employees having access to combinations or keys should be kept to the bare minimum amount necessary.

Agencies and contractors maintain administrative records and tight control for a sound security system designed to protect the classified information and to demonstrate effectiveness during security inspections. The security specialists also maintain a log of those with knowledge of combinations, change combinations, and fill out the Security Container Information Form, Standard Form 700. Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination is protected at that same level of the contents in the security container. If the contents are CONFIDENTIAL, then so is the combination. To ease in memorization, many who assign combinations use a six letter word or the first six letters of a longer word. 

Instead of memorizing a long six digit number, they create a word and use a phone for the corresponding numbers. Many have magnetic combinations reminders similar to telephone touch pads. For example the number 2 corresponds with ABC, three with DEF, etc. If the memorized word is CORKIE, then the combination is 26-75-43. When persons have access to multiple safes, they may commit security violations by writing the combinations down. Using combination word clues and providing an administrative security container helps reduce the risk of such violations.

So, see if you can answer this question.

How often should you change combinations according to the NISPOM?

The answer: Change combinations upon initial use, change in status of authorized users, compromise or suspected compromise of container or combination, when safe is left open or when required by FSO or CSA. Did anyone say "annually"? If so, better check the NISPOM.

 W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".


No comments: