LRAFB SFPC - Safeguarding Classified Information in the NISP


Keys and Padlocks (2)

Follow these guidelines for protecting keys and padlocks for security containers: - Appoint a key and lock custodian to ensure proper custody and handling of keys and locks used for the protection of classified information. - Keep a key and lock control register to identify keys for each lock and their current location and custody. - Audit keys and locks each month, and inventory keys with each change of custody. - Provide protections for keys and spare locks equivalent to the level of classified information involved. - Change or rotate locks at least once a year, and replace them if a key is compromised or lost. Note: Removing keys from the premises and making master keys is strictly prohibited.

Hazards - Integrity Compromises & Deliberate Attacks

• GSA-approved security containers should be periodically checked for integrity compromises and attacks. • Security personnel should routinely inspect their GSA-approved security containers for hidden drilled holes and openings. • A few places to check are behind label holders.

Storage by Classification Level

• Storage requirements are different for each level of classified information. • The higher the classification level of the information, the more secure the storage container or open storage area must be.

Storage Containers (1)

• There are two types of areas in which you may store classified information. • The first type is an approved vault. • Vaults have very substantial construction requirements. • Vaults are considered to be equivalent, from a security perspective, to a GSA-approved container.

Which of the following are approved for storing TOP SECRET information (with supplemental controls)? 1. Six-sided steel cabinet 2. GSA-approved container 3. Steel cabinet 4. Open storage area 5. Vault

Answer: - GSA-approved container - Open storage area - Vault Feedback: Storage containers or areas approved for storing TOP SECRET information include a GSA-approved security container, open storage area, or vault.

Where may classified information be discussed between authorized persons? 1. In elevators if only authorized persons are on the elevator. 2. In a restricted area. 3. On cell phones in restricted areas. 4. On secure telephones.

Answer: - On secure telephones.

Which of these cases represent good examples to reproduce classified information for operational needs? 1. TOP SECRET documents in preparation of a contract deliverable? 2. SECRET and CONFIDENTIAL documents in preparation of a solicited bid, quotation or proposal? 3. SECRET and CONFIDENTIAL documents in preparation of patent applications to be filed in the U.S. Patent Office? 4. SECRET and CONFIDENTIAL documents in the performance of a prime contract or a subcontract?

Answer: - TOP SECRET documents in preparation of a contract deliverable. - SECRET and CONFIDENTIAL documents in preparation of a solicited bid, quotation or proposal. - SECRET and CONFIDENTIAL documents in preparation of patent applications to be filed in the U.S. Patent Office. - SECRET and CONFIDENTIAL documents in the performance of a prime contract or a subcontract. Feedback: All of these are good examples of classified information that may be reproduced for a company's operational needs.

When must a combination be changed to the lock for a security container used to store classified information? 1. At the initial use of an approved container or lock. 2. When anyone who has knowledge of the combination is either terminated or has his or her clearance withdrawn, suspended, or revoked. 3. When a container or its combination has been compromised or suspected of compromise. 4. When a container has been left unlocked and unattended. 5. Other times when deemed necessary by the Facility Security Officer (FSO) or Cognizant Security Agency (CSA). 6. At least once per year.

Answer: - At the initial use of an approved container or lock. - When anyone who has knowledge of the combination is either terminated or has his or her clearance withdrawn, suspended, or revoked. - When a container or its combination has been compromised or suspected of compromise. - When a container has been left unlocked and unattended. - Other times when deemed necessary by the Facility Security Officer (FSO) or Cognizant Security Agency (CSA). Feedback: These are all requirements for changing the combination to the lock for a container used to store classified information. The National Industrial Security Program Operating Manual (NISPOM) does not require combinations to be changed annually, but an FSO may choose to change them annually in addition to the other items listed.

Which of the following must a person have to be authorized to handle classified information? 1. Classified jurisdiction. 2. Need-to-know for the classified information in performance of official duties. 3. Favorable determination of eligibility, or personnel clearance (PCL) for access to classified information. 4. A signed and approved nondisclosure agreement. 5. Original classification authority.

Answer: - Need-to-know for the classified information in performance of official duties. - Favorable determination of eligibility, or personnel clearance (PCL) for access to classified information. - A signed and approved nondisclosure agreement. Feedback: A person authorized to handle classified information must have a favorable determination of eligibility, also referred to as a personnel clearance (PCL), for access to classified information; must have signed an approved nondisclosure agreement (NDA); and must have a need-to-know (NTK) for the classified information in performance of official duties.

In which of these cases would you need to make a report to your DCSA Field Office?

Answer: - You need to store several cubic feet of CONFIDENTIAL documents and have decided to convert a room in the basement of your facility for this purpose. - An afternoon thunderstorm has knocked out the electrical power in your area. As a result, the alarm system that provides supplemental protection for your TOP SECRET storage during nonworking hours is not operating. You are told by the power company that service may not be restored until morning and you have no other way to adequately protect your classified material. Feedback: A "Change in Storage Capability" report must be submitted after the initial acquisition of an approved storage container that raises or lowers the level of classification that a contractor is able to safeguard, in this case because you have converted a room of your facility for the purpose of storing CONFIDENTIAL information. In the case of the power outage, the classified information must be protected continuously until the alarm system is restored and functioning properly. This may be accomplished by having an appropriately cleared authorized person stay with the material until the situation is resolved.

True or False? You must keep a written record of the combination lock of any container in which classified information is stored?

Answer: False Feedback: A written record of the combination is not required. If you keep a written record you must handle and store it at the same classification level as the information it is protecting.

True or False? An authorized person may lock classified information in a desk drawer while going down the hall to get a cup of coffee?

Answer: False Feedback: An authorized person may not lock classified information in their desk drawer when they are not present. Classified information must be under the constant surveillance of an authorized person or returned to its security container.

True or False? An authorized person must escort or control the activities of their classified visitor?

Answer: False Feedback: An authorized person must escort or control the movements of their classified visitor.

True or False? When supplemental protection is required, the facility must only use security guards?

Answer: False Feedback: An intrusion detection system is the form of supplemental protection required by the National Industrial Security Program Operating Manual (NISPOM), except where security guards were approved prior to January 1, 1995.

True or False? All classified information must be numbered in a series?

Answer: False Feedback: Only TOP SECRET information not stored in an electronic format on an authorized classified information system must be numbered in a series.

True or False? All employees may pick up classified packages at a P.O. Box as long as they sign a form stating they will not open the package?

Answer: False Feedback: Only an authorized person may receive and sign for packages that may contain classified information.

True or False? The intended recipient of classified information must assure the sender that they are an authorized person at a facility with classified storage capability?

Answer: False Feedback: Persons transmitting classified information are responsible for ensuring that intended recipients are authorized persons with the capability to store classified information.

True or False? All classified information should be afforded the same level of protection regardless of the classification level of the information?

Answer: False Feedback: The higher the level of classification, the more protection the classified information requires to reasonably prevent the possibility of its loss or compromise.

After making copies of classified information, Sarah made three blank copies on the copier. Is this action permissible or problematic? 1. Permissible 2. Problematic

Answer: Permissible Feedback: To ensure that no image of classified information remains on any image bearing part or surface of a copier, you should make three blank copies after you have finished copying classified information.

You made copies of some classified information for your meeting in 10 minutes and noticed when you got to your meeting that some of the classification markings were cut off on the copies. You decided to distribute the copies to the meeting participants since they were just copies and not originals. Is this action permissible or problematic? 1. Permissible 2. Problematic

Answer: Problematic Feedback: All security markings on the originals should also appear on the copies of classified information.

John, an authorized person, has a very busy schedule today and, therefore, has requested that his administrative assistant, who is not an authorized person, make copies of classified information on his behalf for his 2 p.m. meeting. Is this action permissible or problematic? 1. Permissible 2. Problematic

Answer: Problematic Feedback: An authorized person may only designate someone who is also an authorized person to make copies of classified information on their behalf.

You are alone making classified copies and the machine jams. You go down the hall to ask for help. Is this action permissible or problematic? 1. Permissible 2. Problematic

Answer: Problematic Feedback: When copying classified information, you should stay with the copier if it malfunctions and send for help, if necessary.

True or False? Contractors are required to establish an information management system to protect and control classified information in their possession?

Answer: True Feedback: Although there is no required format, contractors are required to establish an information management system so that they are able to retrieve classified information or report on its disposition in a reasonable period of time.

True or False? An authorized person is responsible for safeguarding classified information in a restricted area?

Answer: True Feedback: An authorized person is responsible for not allowing anyone to have unauthorized access to classified information in the restricted area.

True or False? An authorized person may turn classified information over on their desk when an unauthorized person is present?

Answer: True Feedback: An authorized person may turn classified information over on their desk when an unauthorized person is present. An authorized person may also choose to cover the classified information with something or return the classified information to its security container when an unauthorized person is present.

True or False? Classified information identified for destruction must be safeguarded until it is destroyed?

Answer: True Feedback: Classified information identified for destruction must be safeguarded until it is properly destroyed.

True or False? A person may be authorized to receive and sign for classified information if they are cleared to the level of classified information they are receiving?

Answer: True Feedback: If receiving classified packages is an assigned duty of the cleared employee, that establishes need-to-know to the extent necessary to receive the packages.

True or False? Only an authorized person may receive and sign for packages that may contain classified information?

Answer: True Feedback: Only an authorized person may receive and sign for packages that may contain classified information.

True or False? Security checks are required at the end of the last working shift of each day to ensure classified information is properly stored and security containers are locked?

Answer: True Feedback: Security checks are required at the end of the last working shift each day.

True or False? Storage of TOP SECRET information always requires supplemental protection or security-in-depth during non-working hours regardless of the type of security container used?

Answer: True Feedback: TOP SECRET information always requires supplemental protection (alarms or guards) or security-in-depth (SID) during non-working hours regardless of the type of security container used.

True or False? Working papers must be marked in the same manner prescribed for a finished document at the same classification level when it is transmitted outside the facility or retained for more than 180 days from the date of creation?

Answer: True Feedback: Working papers must be marked in the same manner prescribed for a finished document at the same classification level when it is transmitted outside the facility or retained for more than 180 days from the date of creation.

Best Practices - Equipment Vulnerabilities

Equipment Vulnerabilities: • Paper jams may cause paper with images to be retained in the machine. • Ink on rollers may retain images of classified information. • Extra copies or partial copies may be retained in the machine or discarded via a special port.

GSA-approved Security Containers - GSA Approved Label

GSA Approved Label: • Verifies that container is GSA-approved • Color-coding: - Black: pre-1990 - Red: post-1990 (container has a case-hardened locking drawer that requires a different method of neutralization and repair).

GSA-approved Security Containers - GSA Test Certification Label

GSA Test Certification Label: • Indicates class of security container. • Class relates to delay afforded against forced, covert, or surreptitious entry. • Only Class 5 and Class 6 containers are available new.

GSA-approved Security Containers - Types & Sizes

GSA-approved Security Containers (Types & Sizes): • 2-drawer • 4-drawer • 5-drawer • Legal size and letter size • Single, dual, or multi-lock • Map and plan containers

Protecting Combinations (3)

Here are some guidelines for protecting combinations to security containers and vaults (cont.): - For example, if your word is Harley, then the corresponding combination numbers would be 42-75-39. - There are special requirements for facilities at which only one person is assigned to make sure the combination is preserved if that person is unavailable for some reason. - It is important that your cleared employees know what they can and cannot do when it comes to remembering combinations. Note: Good security education is the key to safeguarding combinations.

Protecting Combinations (2)

Here are some guidelines for protecting combinations to security containers and vaults (cont.): - If a record is made of a combination, mark the record with the highest classification of information authorized for storage in the container. - Then safeguard the record accordingly. - However, it is better to create a combination that is easy to remember, so that you don't have to write it down. - A good way to do this is to think of a six letter word that you would easily remember, but that others wouldn't easily guess, and then use the numbers on a telephone keypad that correspond to the letters in your word.

Protecting Combinations (1)

Here are some guidelines for protecting combinations to security containers and vaults: - Allow only a minimum number of authorized persons to have knowledge of combinations to authorized storage containers. - Maintain a record of all persons who have knowledge of the combination. - Protect the combination in accordance with the highest classification of information authorized for storage in the container.

Storage Options - Storage Containers (1)

• A General Services Administration (GSA)-approved security container is the only type of container that may be used to safeguard classified information. • A GSA-approved security container is a steel file container with a built-in combination lock constructed to withstand certain hazards, such as lock manipulation, for specified lengths of time. • The GSA establishes and publishes uniform standards, specifications, and supply schedules for its approved containers. • All GSA approved containers must be procured through the GSA Global Supply System. • You can search for the container you need on the GSA website.

(U) Top Secret - Accountability (1)

• Access and accountability records must be kept at various points in the TOP SECRET information lifecycle. • Contractors are required to establish controls for TOP SECRET information and material to validate that procedures are in place to address accountability, need-to-know, and retention. • These controls are in addition to the IMS and must be applied to TOP SECRET information, regardless of the type of media. • This includes TOP SECRET information processed and stored on authorized classified information systems.

Obtaining Classified Information - Handling Upon Receipt (4)

• After verification of these items, the designated custodian notifies the intended recipient that the material has arrived and arranges for that person to access the information. • If the designated custodian cannot verify the intended recipient's clearance level or need-to-know, the designated custodian should contact the cleared project manager for that contract to determine who should receive the classified material. • A continuous receipt system is required for all TOP SECRET information within and outside the company's location.

Forms of Classified Information

• All forms of classified information must be protected. Forms of classified information include classified finished or final documents, both paper-based and electronic, classified working papers, classified information identified for destruction, and classification-pending material. • Classified working papers are documents that are generated to prepare a finished document. • Classified information identified for destruction is no longer needed and shall be destroyed using approved methods and equipment prescribed by the National Industrial Security Program Operating Manual (NISPOM) or other government guidance provided. • Classification-pending material is material that requires a classification determination from the Government Contracting Activity (GCA). • This material must be safeguarded in accordance with the proposed highest classification level until guidance is received from the GCA.

Best Practices (1)

• Although not required by the NISPOM, it is a best practice to reproduce classified information on equipment specifically designated for this purpose as use of some equipment may not be cost-effective. • Using only designated equipment gives the FSO another level of control, and some reproduction equipment has features such as memory that are not appropriate for use with classified information. • The location of the equipment is also important. • Use only equipment that is located within a controlled area. It is also a best practice to post the rules for using the designated equipment on or near the equipment so users know exactly what procedures to follow.

Keys and Padlocks (1)

• Although not used as frequently as combination locks, high-security keyed padlocks are still used on some security containers for classified information. • One drawback of using padlocks, however, is that there is no authorized method of repair for some models. • Like combinations, keys and padlocks to security containers must also be safeguarded.

Obtaining Classified Information - Clearance of Receiving Individual (2)

• An authorized person means a cleared person who has been assigned this duty and, therefore, has a need-to-know. • This means that the individual who picks up the mail or accepts deliveries from the U.S. Postal Service or commercial delivery entities approved for transmitting classified material must be cleared to the level of the classified material expected to be received by the contractor. • All employees who are authorized to receive or sign for U.S. Registered or U.S. Express mail must have SECRET clearances.

Storage Options - Storage Containers (2)

• Because the type and size of storage container you need depends on how much classified information and the types of classified information you need to store, including classified information identified for destruction, there are various types and sizes of GSA-approved storage containers. • All GSA-approved storage containers must have two labels affixed to them: - a GSA test certification label on the side of the locking drawer. - a GSA-approved security container label on the left-hand side of one of the upper drawers. • Always ensure these two labels are affixed. • And, if the container has been repaired, you must also obtain the locksmith certification from the seller that the container's integrity has not been impaired. • In the event that any of these storage containers is not operating correctly, there are special requirements about repairing them.

Disclosure of Classified Information - Disclosure to Authorized Persons (2)

• Before disclosing classified information to another DOD activity, Federal agency, foreign person, attorney, or Federal or state courts, you must have authorization from the DOD activity or Federal agency that has classification jurisdiction over the information in question. • Finally, classified information must never be disclosed to the public, and unclassified information about classified contracts may only be released to the public in accordance with the National Industrial Security Program Operating Manual (NISPOM). • Although it is no longer classified, declassified information may not be disclosed to the public, unless approved in the same manner as classified information.

Government Contracting Activity (GCA) - Authorizations

• Before reproducing classified information, you must follow these guidelines regarding when to obtain prior authorization from the contracting officer or some other government authority. • The National Industrial Security Program Operating Manual (NISPOM) states that unless restricted by the Government Contracting Activity (GCA), classified information may be reproduced to the extent required by operational needs, or to facilitate review for declassification. • Some examples of this include reproducing TOP SECRET documents in preparation and delivery of a contract deliverable, or reproducing SECRET and CONFIDENTIAL documents in the performance of a prime contract or a subcontract, in preparation of a solicited or unsolicited bid, quotation, or proposal, or in preparation of patent applications to be filed in the U.S. Patent Office. • Reproductions of classified information for any other purpose would require authorization from the GCA.

Combination Locks (1)

• Built-in combination locks are the most widely used type of lock on security containers and vaults for protecting classified information. • Six locks have been approved under FF-L-2740B for the protection of classified material. • The X-10 and the Sargent and Greenleaf (S&G) 2740B are the two models currently in production. • They have sophisticated anti-manipulation security features to resist certain types of attacks, such as an attack using an auto-dialer. • Older locks on GSA-approved containers can continue to be used until they no longer work properly.

(U) Confidential Storage (1)

• CONFIDENTIAL information must be stored in any of the areas approved for SECRET information. • However, supplemental protection is never required for storage of CONFIDENTIAL information.

Changing Combinations (2)

• Change them when anyone who has knowledge of the combination is either terminated or their clearance withdrawn, suspended, or revoked. • Also change combinations when a container or its combination has been compromised or suspected of compromise, or when a container has been left unlocked and unattended. • Finally, combinations must be changed at other times when deemed necessary by the FSO or Cognizant Security Agency (CSA).

Classification Levels

• Classified information is categorized into three classification levels: CONFIDENTIAL, SECRET, and TOP SECRET. • Classification levels are applied to national security information that, if subject to unauthorized disclosure, could reasonably be expected to cause damage, serious damage, or exceptionally grave damage to national security. • Each classification level has its own set of requirements for safeguarding. • The higher the level of classification, the more protection the classified information requires to reasonably prevent the possibility of its loss or compromise.

Obtaining Classified Information - Clearance of Receiving Individual (1)

• Classified information shall be transmitted and received in an authorized manner which ensures that evidence of tampering can be detected, that inadvertent access can be precluded, and that provides a method which assures timely delivery to the intended recipient. • Classified material coming into a facility must be received directly by authorized personnel, whether it's in the form of a package, envelope, fax, email, or phone call.

Combination Locks (2)

• Combination padlocks may also be used to secure classified information. • The current padlock model that meets Federal specifications is S&G 8077AD. • To ensure that classified information inside a security container or vault is fully protected, the combination must be protected. • In addition, there are specific requirements and procedures for changing combinations.

Changing Combinations (1)

• Combinations must be changed by an authorized person, or by the Facility Security Officer (FSO), or his or her designee. • Never allow a commercial locksmith to change your combination. • Change combinations at the initial use of an approved container or lock.

Obtaining Classified Information - From Commercial Delivery Entities

• Commercial delivery entities may transmit SECRET or CONFIDENTIAL information within the U.S. and its territorial areas if the entity is a current holder of the GSA contract for overnight delivery and provides nation-wide, overnight service with computer tracking and reporting features, and is approved by the Cognizant Security Agency (CSA). • When a shipment is received via a commercial delivery entity, the company must have procedures in place to ensure that the incoming shipments are received by appropriately cleared personnel.

Information Management Systems (IMS)

• Contractors are required to establish an information management system (IMS) to protect and control all classified information in their possession, regardless of media, to include information processed on authorized information systems. • The purpose of the IMS is to verify that classified information in the contractor's custody is used or retained for a lawful and authorized U.S. Government purpose only. • There is not a required format for information management systems. • An information management system can be in the form of an electronic database, or as simple as a spreadsheet or log. • You must demonstrate how the IMS accounts for, protects, and justifies the retention of classified information at the facility.

Physical Handling Classified Information (1)

• Contractors are responsible for safeguarding classified information in their custody or under their control to reasonably protect it from loss or compromise. • When classified information is out of its security container, it must be kept under constant surveillance of an authorized person who can exercise direct security controls over the information. • This means that if the authorized person has to leave their work area, even momentarily, he or she must carry the classified information with them, have another authorized person watch it, or return it to its storage container. • When unauthorized persons are present, classified information must be covered, turned face down, placed back in its storage container or otherwise protected.

Emergency Procedures

• Contractors must develop procedures for safeguarding classified information in emergency situations. • The procedures should be as simple and practical as possible, and should be adaptable to any type of emergency that may arise. • They should also take into consideration employee safety. • When formulating your emergency procedures, it is best practice to consult with your company's safety officer.

Retention - Requirements (1)

• Contractors must establish procedures for reviewing their classified holdings on a regular basis to reduce their classified inventories to the minimum necessary for effective and efficient operations. • The National Industrial Security Program Operating Manual (NISPOM) states that contractors are authorized to retain copies of U.S. government classified information received or generated under a classified contract for two years after completion of the contract, provided the Government Contracting Activity (GCA) does not instruct otherwise. • All original documents and deliverables must be provided back to the GCA at contract conclusion. • By the end of the retention period, classified information must be destroyed, declassified if appropriate, or returned to the GCA.

Derivatively Classified Material (2)

• Contractors must follow guidance from the Central Office of Record (COR) for entering any Communications Security (COMSEC) material they generate into the accountability system. • The National Industrial Security Program Operating Manual (NISPOM) also contains guidance about generating and marking North Atlantic Treaty Organization (NATO) materials. • Finally, contractors must properly mark all classified information they generate, or derivatively classify.

Retention - Classified Information (1)

• Contractors must identify classified information for retention beyond two years as follows: - TOP SECRET information must be identified in a list of specific documents unless the Government Contracting Activity (GCA) authorized identification by subject matter and the approximate number of documents. - SECRET and CONFIDENTIAL information may be identified by general subject matter and the appropriate number of documents.

Retention - Classified Information (2)

• Contractors must include a statement of justification for retention based on the following: - The material is necessary for the maintenance of the contractor's essential records. - The material is patentable or proprietary data to which the contractor has title. - The material will assist the contractor in independent research and development efforts. - The material will benefit the U.S. Government in the performance of other prospective or existing agency contracts. - The material will benefit the U.S. Government in the performance of another active contract and will be transferred to that contract (specify contract).

Derivative Classification

• Derivative Classification is the incorporating, paraphrasing, restating, or generating in new form, information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information. • Derivative classification includes classifying information based on classification guidance. • Duplicating or reproducing existing classified information is not derivative classification.

Best Practices (3)

• Do not leave waste at the copier. • Take all classified waste with you to be disposed of properly. Note: Some copiers are designed to store images of what they reproduce. If this is the case with your copier, you must erase all stored images of classified information according to the manufacturer's instructions. • This type of equipment may have to be authorized as an information system. • Since copiers that have memory or hard drives may have to be authorized as an information system, always contact your IS Rep prior to using any of these types of equipment for reproduction of classified information. • Finally, always keep in mind the vulnerabilities of the reproduction equipment you are using.

Oral Classified Discussions (2)

• Good security education and awareness training is a key for ensuring that your employees know where classified discussions are allowed. • It is particularly important to provide guidance to employees working in a non-possessing facility where there is no capability to store any classified material, such as notes from a classified discussion. • No matter where the discussion takes place, employees must ensure that classified information is disclosed only to authorized persons in a manner that prevents interception by unauthorized persons.

Retention - Requirements (2)

• However, if retention is required beyond the standard two-year period, additional retention authorization must be requested from the Government Contracting Activity (GCA) in a certain format, depending on the level of classified material involved, and must always include a statement of justification. • If the request for retention authority is approved, the GCA may issue a final DD Form 254, Department of Defense Contract Security Classification Specification, for the classified contract and will enter the authorized retention period and final disposition instructions on the form. • In some cases the GCA provides a letter authorizing retention beyond the two-year period.

(U) Top Secret - Accountability (3)

• If the TOP SECRET material is not stored in an electronic format on an authorized classified information system, each TOP SECRET item must be numbered in a series and the copy number must be placed on each TOP SECRET document and all associated transaction documents. • The Cognizant Security Agency (CSA) may make specific determinations regarding the contractor's procedures for TOP SECRET accountability. • TOP SECRET control officials must be designated to receive, transmit, and maintain access and accountability records for TOP SECRET information. • An inventory must be conducted annually unless a written exception is obtained from the GCA.

Obtaining Classified Information - Handling Upon Receipt (2)

• If the receiver does not suspect any tampering of the outer package, they must immediately turn the package over to the designated document custodian, who may be the Facility Security Officer (FSO) or the FSO's designee, for processing. • If the designated custodian is not able to open and process the package at that time, it must be protected as if it were classified until it is opened and a classification determination is made. • When the designated custodian opens and processes the package, the inner package should also be inspected for evidence of tampering. • If tampering is detected, the FSO or designee must conduct an inquiry and determine whether a loss, compromise or suspected compromise of classified information in accordance with the National Industrial Security Program Operating Manual (NISPOM) has occurred. • If a loss, compromise or suspected compromise has occurred, the FSO must notify both the sender and their Cognizant Security Agency (CSA).

Reports (2)

• Imagine there is a sudden evacuation of your facility due to a fire alarm. • There was no time for you to properly store your classified information and it was too voluminous for you to carry with you. • Any time there is an inability to safeguard classified information, steps must be taken to ensure that the material is protected at all times until the situation is corrected. • Depending on the circumstances, this may require an authorized person to stay with the material until it is properly secured.

Derivatively Classified Material (1)

• In addition to receiving classified information from outside sources, contractors may produce classified information internally. • This process of generating new classified materials from already existing classified information is known as derivative classification. • Contractors are required to properly safeguard any classified materials they generate, or derivatively classify. • Depending on the type of information, additional requirements may apply.

Supplemental Protection - Alarms & Guards

• In certain cases, supplemental protection is required to protect classified information. • This usually takes the form of an intrusion detection system (IDS). • For more information about intrusion detection systems and their requirements, refer to the National Industrial Security Program Operating Manual (NISPOM). • Under certain circumstances security guards may continue to serve as supplemental protection. • Only those facilities who were authorized to use guards prior to January 1, 1995 may continue their use. • These guards must make rounds at least every 2 hours for TOP SECRET and 4 hours for SECRET information. • One of the reasons security guards have been eliminated as a supplemental security measure is because IDS is a more cost-effective security option.

Obtaining Classified Information - Clearance of Receiving Individual (3)

• Likewise, employees who are authorized to receive or sign for U.S. Certified Mail must have CONFIDENTIAL clearances. • If the person who normally accepts deliveries is not cleared, that individual must call the Facility Security Officer (FSO) or other cleared person to sign for packages that require signatures. • If no cleared employee is available, the uncleared person must refuse the package. • This is true even if the uncleared person does not have any intention of ever opening the package. • In the case of delivery to a P.O. Box, an authorized person must go to the post office, unlock the post office box, sign for its contents when a signature is required, and bring the classified information directly back to the facility.

Procedures - Equipment Requirements

• Most modern copy machines, printers, and other multifunction devices have memory or hard drives where information is stored digitally. • These machines are actually information systems. • As such, they need to be authorized in accordance with the National Industrial Security Program Operating Manual (NISPOM) before they are used for any classified work. • The facility should coordinate with their DCSA Industrial Security Representative (IS Rep) prior to purchasing or using any such equipment if it is to be used with classified information. • The IS Rep may work with the Defense Counterintelligence and Security Agency (DCSA) Information Systems Security Professional (ISSP), also known as a Security Control Assessor (SCA), to determine what authorizations are needed for a particular piece of equipment and what procedures need to be followed.

Obtaining Classified Information - Handling Upon Receipt (3)

• Next, the designated custodian incorporates the material into the facility's Information Management Systems (IMS), and checks the contents of the package against the receipt, if a receipt is provided. • If there is a discrepancy, the sender must be contacted immediately. • If the package contents match the provided receipt, the designated custodian should sign and return it to the sender. • Next, the designated custodian verifies through the current DOD personnel security system of record or the facility's records that the intended recipient has the appropriate clearance level, and verifies the intended recipient's need-to-know. • This may be done by contacting the recipient's supervisor or project manager. • In many cases this determination will be made by the Facility Security Officer (FSO) who is aware of what projects each cleared employee is working on.

Wireless Devices

• One of the biggest challenges security professionals will face is protecting classified information from disclosure through the use of wireless devices. • Many of these devices, such as cell phones, including those with remote activation capability, camera phones, mobile devices, such as smartphones, e-readers, tablets and so on, can be used to record and transmit classified information either orally or photographically. • Their use is strictly prohibited. • Different devices require different security measures, based on their capabilities.

Special Requirements

• One-person facilities have special requirements for protecting combinations which are to: - Provide current combination to the Cognizant Security Agency (CSA) field office, or in the case of a Multiple Facility Organization (MFO), to the home office. - Establish procedures for CSA notification upon the death or incapacitation of that person.

Guard

• Only companies that used guards prior to 1995 have been grandfathered to still use guards. • Any company cleared after 1995 is not authorized to use guards for open storage areas.

Perimeter Controls (1)

• Perimeter controls are entry and exit inspections that deter and detect the introduction or removal of classified information from a facility without proper authority. • Contractors who are authorized to store classified information are required to establish and maintain such perimeter controls. • Signs must be posted conspicuously informing everyone that they are subject to inspection upon entry and exit.

GSA-approved Security Containers - Repairs

• Repairs of storage containers must be completed by appropriately cleared or continuously escorted personnel who are specifically trained in approved methods of maintenance and repair of these containers. • In order to continue to be used to protect classified information, an approved security container must be restored to its original state of security integrity and have a signed and dated certification stating the method of repair used. • All repairs must follow Fed Standard 809 (FED-STD-809), Neutralization and Repair of GSA Approved Containers and Vault Doors.

(U) Secret Storage (1)

• SECRET information must be stored in any of the three areas approved for TOP SECRET information. • Supplemental protection is required during non-working hours only for SECRET information that is stored in an open storage area. • Supplemental protection is not required for storage of SECRET information if it is stored in a GSA-approved security container or vault.

Locking Devices

• Security containers, open storage areas, and vaults must be kept locked when not under direct supervision of an authorized person entrusted with the contents. • Depending on the type of storage container or area, the locks can be either built-in combination locks or padlocks. • All locks on security containers and vaults must meet Federal specifications. • The DoD Lock Program has a website with useful information, and a hotline number you can call with any questions related to locks for security containers and areas. • You can also call the hotline to obtain free magnetic Secured and Open signs to attach to the side of your security containers. • These signs are a great way to indicate whether a security container has been locked or not.

Security-In-Depth (SID)

• Security-in-depth is a determination made by the Cognizant Security Agency (CSA) that a contractor's security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within a facility.

(U) Top Secret Storage (2)

• Supplemental protection may NOT be required for GSA-approved security containers and approved vaults secured with a locking mechanism meeting Federal Specification FF-L-2740 (X-07, X-08, X-09, X-10 or S&G2740B) when the Cognizant Security Agency (CSA) has determined that the GSA-approved security container or approved vault is located in an area of the facility with security-in-depth. • Security-in-depth is a determination made by the CSA that a contractor's security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within a facility. • Written authorization from the CSA is required before security-in-depth can take the place of supplemental controls such as intrusion detection system (IDS) or guards.

(U) Top Secret Storage (1)

• TOP SECRET information must be stored in a GSA-approved security container, vault, or open storage area. • Supplemental protection is required during working hours and non-working hours for TOP SECRET information that is stored in a GSA-approved container or vault. • Additionally, it is required during non-working hours for TOP SECRET information that is stored in an open storage area. • However, supplemental protection is not always required for storage of TOP SECRET information if it is located in an area of security-in-depth.

End-of-Day Security Checks

• The NISPOM requires end-of-day security checks to ensure that all classified information is protected and that the security container or area has been secured. • Security checks must be conducted at the end of the last working shift, unless operations are conducted 24 hours per day. • Although not required, records of security checks are a good security practice. • Use Standard Form (SF) 702, Security Container Check Sheet to document security checks.

Working Papers

• The National Industrial Security Program Operating Manual (NISPOM) also contains requirements that apply when a contractor creates classified working papers to prepare a finished document. • Working papers must be dated when created. • Each page must be marked with the highest classification level and protected at that level, marked with the annotation "WORKING PAPERS," and destroyed when they are no longer needed. • Working papers must be marked in the same manner prescribed for a finished document and at the same classification level when transmitted outside the facility, or retained for more than 180 days from the date of creation.

Procedures - Reproduction Request

• The National Industrial Security Program Operating Manual (NISPOM) imposes requirements on the reproduction of classified documents, including parts of documents. • To ensure that these requirements are met at a facility, the Facility Security Officer (FSO) should consider requiring that authorized personnel submit a request form prior to reproducing classified information. • Although not a NISPOM requirement, a formal procedure for requesting permission to reproduce materials will ensure that all proposed reproduction is routed through the FSO. • This process will help to avoid any unnecessary or improper reproduction of classified materials. • If your facility decides to use these requests, include them in your Standard Practice Procedures (SPP), if you have one.

Oral Classified Discussions (1)

• The National Industrial Security Program Operating Manual (NISPOM) requires contractors to ensure all cleared personnel know the rules about discussing classified information. • Authorized persons may discuss classified information only over secure telephone lines, or in areas where the discussion cannot be overheard by an unauthorized person. • Classified information may not be discussed over unsecure telephones or wireless devices, or in public conveyances or places that might permit unauthorized interception, such as in cubicles or in rooms where you can hear through the walls. • Best Practice: A best practice to prevent discussion of classified information in inappropriate locations is to post signs reminding employees that classified discussions are not authorized.

Reports (1)

• The National Industrial Security Program Operating Manual (NISPOM) requires reports related to storage be sent to the Cognizant Security Agency (CSA). • For DoD, these reports are sent to the Defense Counterintelligence and Security Agency (DCSA) field office. • A report titled "Change in Storage Capability" must be submitted after the initial acquisition of an approved storage container that raises or lowers the level of classification that a contractor is able to safeguard - for example, when your facility acquires its first storage container for classified information. • The next report, "Inability to Safeguard Classified Material," is required to be submitted as soon as possible after an emergency that renders the facility's location incapable of safeguarding classified material.

Procedures - Copy Requirements

• The National Industrial Security Program Operating Manual (NISPOM) requires that reproduction of classified information be limited to the minimum consistent with contractual and operational requirements. • You will need to determine for each situation exactly how many copies you will need. • You should also consider if it is possible to reduce the number of copies. • The NISPOM also requires that the only individuals who can reproduce classified information be authorized personnel knowledgeable of the procedures for classified reproduction. • The NISPOM does not require that these individuals submit reproduction requests, but it is a security best practice to do so.

Obtaining Classified Information - Handling Upon Receipt (1)

• The company is responsible for establishing procedures for transmitting and receiving classified information. • Once a Registered or Certified package has been received by an authorized person, the receiver should examine the outer package for evidence of tampering. • If the receiver suspects tampering, the Facility Security Officer (FSO) should be immediately notified. • The FSO or FSO designee should first determine if the package contains classified information by inspecting the inner package. • If it does contain classified information and the inner package has been tampered with, then the FSO or designee must conduct an inquiry and determine whether a loss, compromise or suspected compromise of classified information in accordance with the National Industrial Security Program Operating Manual (NISPOM) has occurred. • If a loss, compromise or suspected compromise has occurred, the FSO must notify both the sender and their Cognizant Security Agency (CSA).

Perimeter Controls (2)

• The extent, frequency, and location of inspections must be accomplished in a manner consistent with contractual obligations and operational efficiency, and they must be applied consistently. • For example, inspections should occur in a set manner such as on every person, every other person, and so on. • Contractors are encouraged to seek legal advice when formulating their inspection policies. • These procedures are limited to buildings or areas where classified work is being performed.

Storage Containers (2)

• The second type of area for storing classified information is an open storage area. • Due to the size and nature of the classified material to be stored, or for operational necessity, GSA-approved containers may not be practical. • In these cases, it may be necessary to construct an open storage area. • Open storage areas are much less expensive to build than vaults and are more commonly used. • The Cognizant Security Agency (CSA) and the contractor must agree on the need to establish an open storage area and its extent, based on the safeguarding requirements of a classified contract, either before or during the life of the contract. • If qualifying criteria are met, the CSA may grant an interim approval for an open storage area. • Access to open storage areas must be protected either through use of a guard, an authorized person, or an access control system. Note: The National Industrial Security Program Operating Manual (NISPOM) contains specific construction requirements for both vaults and open storage areas.

Physical Handling Classified Information (2)

• This includes taking appropriate steps to prevent an unauthorized person from seeing classified information on a computer screen in accordance with the Information System's System Security Plan (SSP). • Best Practice: Though not required, it is a best practice to make room or area checks during working hours to ensure that employees are keeping classified information under constant surveillance or storing it properly. • Such checks foster good security habits. • Once classified work is finished, classified material must be returned to the storage container for protection.

(U) Top Secret - Accountability (2)

• When TOP SECRET information is produced by a contractor, a record must be kept of the following: - when the finished document was completed. - when the information is retained for more than 180 days regardless of its stage of development. - when it is transmitted inside or outside the facility.

Classified Visits

• When a visitor arrives at your facility for a classified visit, you must positively identify the visitor and verify clearance and need-to-know prior to disclosing any classified information. • You must brief the visitor on the security procedures at your facility and then escort the visitor or otherwise control their activities in your facility so that they only have access to the classified information consistent with the authorized purpose of their visit. • Before the visitor leaves, you must also ensure all classified information that they handled during their visit has been returned.

Restricted Areas

• When it is necessary to control access to classified information in an open area during working hours, a restricted area may be established. • A restricted area will normally become necessary when it is impractical or impossible to protect classified information by simply covering it or turning it over because of its size, quantity, or other unusual characteristic. • Although physical barriers are not required by the National Industrial Security Program Operating Manual (NISPOM), the restricted area must have clearly defined perimeters. • Examples might be roped off areas, a specially designated cubicle, or an office with a closed door. • Authorized persons in the restricted area are responsible for protecting the classified information from unauthorized access. • Once classified work is finished, classified material must be returned to the storage container for protection and the area becomes a regular work area once again.

Disclosure of Classified Information - Disclosure to Authorized Persons (1)

• You must ensure that classified information is disclosed only to authorized persons. • An authorized person is someone who has a favorable determination of eligibility, also referred to as a personnel clearance (PCL), for access to classified information, has signed an approved nondisclosure agreement (NDA), and has a need-to-know (NTK) for the classified information in performance of official duties. • So you are only authorized to disclose classified information to your cleared employees, to another cleared contractor or sub-contractor, to a cleared parent company or subsidiary, within a multiple facility organization (MFO), to Department of Defense (DOD) activities, or to Federal agencies when their access is necessary for the performance of tasks or services essential to the fulfillment of a classified contract, prime contract, or subcontract. Note: Disclosure of classified information may be done in oral form.

Best Practices (2)

• You should always ensure that only the planned number of copies are made. • If the copier malfunctions, do not leave it, but request help, if needed. • Fix the problem and verify that no classified pages remain inside the copier. • You should always ensure that the security markings on the original appear on all of the copies and have not been cut off. • You should account for all originals and copies before leaving the copier. • In order to ensure that no image remains on any image bearing part of the machine, make three blank copies and handle them as classified waste.

