Self Inspection

Submitted By shaan060
Self-Inspection Handbook for NISP Contractors
TABLE OF CONTENTS

The Contractor Security Review Requirement
The Contractor Self-Inspection Handbook
The Elements of Inspection
Inspection Techniques
Interview Techniques

ELEMENTS OF INSPECTION
A. FACILITY CLEARANCE
B. ACCESS AUTHORIZATIONS
C. SECURITY EDUCATION
D. CONSULTANTS
E. STANDARD PRACTICE PROCEDURES (SPP)
F. SUBCONTRACTING
G. VISIT CONTROL
H. CLASSIFIED MEETINGS
I. CLASSIFICATION
J. EMPLOYEE IDENTIFICATION
K. FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE
L. PUBLIC RELEASE
M. CLASSIFIED STORAGE
N. CONTROLLED ACCESS AREAS
O. MARKINGS
P. TRANSMISSION
Q. CLASSIFIED MATERIAL CONTROLS
R. REPRODUCTION
S. DISPOSITION
T. INFORMATION SYSTEMS
U. COMSEC/CRYPTO
V. INTERNATIONAL OPERATIONS
W. OPSEC
X. SPECIAL ACCESS PROGRAMS

INSPECTION ADDENDUM
Suggested Questions When Interviewing Uncleared Employees
Suggested Questions When Interviewing Cleared Employees
The Program Specific Self-Inspection Process
A Program Specific Self-Inspection Scenario
The Program Manager Interview
Employee Interviews

November 2008

SELF-INSPECTION HANDBOOK FOR NISP CONTRACTORS
The Contractor Security Review Requirement

“Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles.” [1-206b, NISPOM]

The Contractor Self-Inspection Handbook

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). The Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It also suggests various techniques to help you enhance the quality of your self-inspections.

The Elements of Inspection

The Self-Inspection Check List contained within this handbook addresses basic NISPOM requirements through a series of questions arranged according to “Elements of Inspection.” Before beginning your self-inspection, review the “Elements of Inspection” to determine which ones are applicable to your facility’s involvement in the NISP. Use those elements which you have identified as pertaining to your security program to create your self-inspection check list.

The first three Elements of Inspection: (A) Facility Security Clearance (FCL), (B) Access Authorizations, and (C) Security Education apply to all facility security programs and should be covered during the self-inspection. Any remaining elements need only be covered if they relate to your security program. If you have questions about the relevancy of any element of inspection for your facility, please contact your Industrial Security Representative (IS Rep) for guidance. A look at your Standard Practice Procedure (SPP), if you have one, may also provide clues. Of course, as your program becomes more involved with classified information (e.g., changing from a non-possessing to a possessing facility), you will have to expand your self-inspection checklist to include those additional elements of inspection.

Also remember that not all of the questions (requirements) within each element may relate to your program. Since each question includes a NISPOM paragraph citation, review each requirement against the context of your industrial security program. If your involvement with classified information invokes the requirement, your procedures should comply with it and your self-inspection should assess your compliance. Reading all questions in the relevant elements of inspection will help you become more knowledgeable of the NISPOM requirements. In all cases, the regulatory guidance takes priority over company established procedures.

Inspection Techniques

To get a clear picture of your facility’s security posture, you must (1) know the requirements by which you are inspected (this is where the check list will help), (2) know your facility’s physical layout (i.e., where the classified material is stored, worked on, etc.), and (3) have knowledge of the processes involved in the classified programs at your facility. Remember, your primary sources of information are documents and people. Your job as the FSO is to verify and validate that your facility security program is properly protecting classified material and information. To do this, simply review the self-inspection questions against the appropriate documentation (including the classified information) and the people (including their actions) involved in the facility’s industrial security program. This is where the self-inspection check list comes in handy. It not only provides you with the NISPOM requirements, but organizes them into elements of common security concern. These elements should not be viewed independently during your self-inspection, but interdependently, as it will become obvious to you that they frequently interrelate.

Interview Techniques

A quality self-inspection depends on your ability to ask questions which may identify security problems. Seek information about current procedures and changes which could affect future actions. Get out of your office and into the facility working environment. Talk to the people!

All questions should be considered in the present and future sense.
Let people tell their story.
Ask open-ended questions (using who, what, where, when, why and how).
Let people show you how they perform their jobs that involve compliance with a security program requirement.
Follow up the check list questions with your own questions.
Keep good notes for future reference and document corrective actions.


The Self-Inspection Check List

A. FACILITY CLEARANCE
[NISPOM REF] Question (YES / NO / N/A)
[1-302g(3)] Have all changes (e.g. changes in ownership; operating name or address; KMP information; previously reported FOCI information or action to terminate business) affecting the condition of the FCL been reported to your DSS IS Rep?
[2-100c] Has the fact that the company has an FCL been used for advertising or promotional purposes?
[2-104] Are the senior management official, the FSO, and other Key Management Personnel cleared as required in connection with the FCL?
[2-106a-b] Have the proper exclusion actions been conducted for uncleared company officials?
[2-108] Does the home office have an FCL at the same or higher level than any cleared facility within the Multiple Facility Organization?
[2-111] Are the DD Forms 441 and/or 441-1, SF 328, and DD Form 381-R, available, properly executed and maintained in current status?

B. ACCESS AUTHORIZATIONS
[NISPOM REF] Question (YES / NO / N/A)
Have you validated all the information in JPAS / JCAVS pertaining to your cleared employees?
Does each employee’s JPAS / JCAVS record indicate an appropriate “eligibility” and “access?”
Have all JPAS / JCAVS users and account managers been officially appointed, issued unique user names and passwords and given the appropriate level in the JPAS / JCAVS?
Have all JPAS / JCAVS users received training appropriate for their duties and responsibilities?
[2-200d] Are the number of clearances held to a minimum consistent with contractual requirements?
[2-202a] Are employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company?
[2-202b] Are procedures in place to ensure that the applicant’s SF 86 and fingerprint cards are authentic, legible and complete to avoid clearance processing delays?
[2-202b] Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified has been granted or denied, and then destroyed?
[2-205] Are all pre-employment offers based on acceptance to begin employment within 30 days of granting eligibility for a PCL?
[2-207] Has citizenship been verified for each PCL applicant?
[1-302] Have reports on all cleared employees been submitted to the DISCO or the DSS IS Rep as required? NOTE: JPAS / JCAVS may be used for submission of some of these reports.


C. SECURITY EDUCATION
[NISPOM REF] Question (YES / NO / N/A)
[3-102] Have you, as the FSO, completed security training considered appropriate by the CSA?
[3-103, 9-202] Have you, as the FSO, received special security briefings and debriefings provided by DSS or GCA when required?
[3-104] Do cleared persons at other locations receive the required security training?
[3-105] Are SF 312’s properly executed by cleared employees prior to accessing classified and forwarded to DISCO for retention?
[3-105] Are refusals to execute the SF 312 reported to DISCO?
[3-106] Do initial security briefings contain the minimum required information?
[3-107] Does the security education program include refresher security briefings?
[1-205, 3-100, 3-108] Are all cleared employees provided with security training and briefings commensurate with their involvement with classified information?

Interview personnel throughout the work place to determine the effectiveness of your security education program. What do the employees remember from the last security briefing? Have them demonstrate the application of security procedures in the performance of their jobs.

NISPOM REF: 3-108 1-300 1-301,302 1-304 1-204 6-103 1-207
Question (YES / NO / N/A):
Are cleared employees debriefed at the time of a PCL’s termination, suspension, revocation, or upon termination of the FCL?
Are there established internal procedures that ensure cleared employees’ awareness of their responsibilities for reporting pertinent information to the FSO as required?
Is there an effective procedure for submission of required reports to the FBI and to DSS?
Is there a graduated scale of administrative disciplinary action in the event of violations or negligence?
Do you cooperate with officially credentialed representatives of Federal Agencies conducting inspections, audits and investigations?
Are employees aware of the Defense Hotline?

The Defense Hotline
The Pentagon
Washington, D.C. 20301-1900
(800) 424-9098
(703) 604-8569


D. CONSULTANTS
[NISPOM REF] Question (YES / NO / N/A)
[2-212] Have you and your consultants jointly executed a “consultant certificate” setting forth your respective security responsibilities?
[2-212] Does the consultant possess classified material at his/her place of business?

For security administrative purposes, the consultant shall be considered an employee of the using contractor.

E. STANDARD PRACTICE PROCEDURES (SPP)
[NISPOM REF] Question (YES / NO / N/A)
[1-202] Do you have an SPP?
[1-202] Is the SPP current and does it adequately implement the requirements of the NISPOM?

Remember that a written SPP must be prepared when the FSO or the CSA believes it is necessary for the proper safeguarding of classified. [1-202]

F. SUBCONTRACTING
[NISPOM REF] Question (YES / NO / N/A)
[7-101] Are all required actions completed prior to release or disclosure of classified information to sub-contractors?
[7-101b(1)] Are the clearance status and safeguarding capability of all subcontractors determined as required?
[7-101b(2)] Do requests for facility clearance or safeguarding include the required information?
[7-101c] Is sufficient lead-time allowed between the award of a classified subcontract and the facility clearance process time for an uncleared bidder?
[7-102] If your company is the prime on a contract, have you incorporated adequate security classification guidance into each classified subcontract?
[7-102] Are contractor-prepared Contract Security Classification Specifications (DD 254) certified (signed) by a designated contractor official?
[7-102a] Are original Contract Security Classification Specifications (DD 254) included with classified solicitations?
[7-102b] Are revised Contract Security Classification Specifications (DD 254) issued as necessary?
[7-103] If your company is the prime on a contract, have you obtained approval from the Government Contracting Activity for subcontractor retention of classified information associated with a completed contract?


G. VISIT CONTROL
[NISPOM REF] Question (YES / NO / N/A)
[6-101] Are classified visits held to the minimum?
[6-101] Are procedures established to ensure positive identification of visitors prior to disclosure of classified?
[6-101] Are procedures established to ensure that visitors are only afforded access to classified information consistent with their visit? (need-to-know)
[6-102] Is disclosure of classified information based on need to know (a contractual relationship) or an assessment that the receiving contractor has a bona fide need to access classified information?
[6-104] Are visit authorization requests sent and received through JCAVS whenever possible?
[6-104] Do visit authorization requests include the required information and are they updated to reflect changes in the status of that information?
[6-105] Are long-term visitors governed by the security procedures of the host contractor?

H. CLASSIFIED MEETINGS (Sponsored by the Government)
[NISPOM REF] Question (YES / NO / N/A)
[6-201] Has the government agency sponsoring the meeting approved all security arrangements, announcements, attendees, and the meeting location?
[6-201a] Did your request for authorization include all required information?
[6-201c] Have all security arrangements been approved by the authorizing agency?
[6-201c (2)] Is attendance limited to persons appropriately cleared who have the need-to-know?
[6-201c (3) and 6-202] Is prior written authorization obtained, from the relevant Government Contracting Activity, before disclosure of classified information?

Remember that classified presentations can be delivered orally and/or visually. Copies of classified presentations, slides, etc. shall not be distributed at the meeting, but rather safeguarded and transmitted commensurate with the level of classification.

[6-202b] Has a copy of the disclosure authorization been furnished to the Government agency sponsoring the meeting?

Authority to disclose classified information at meetings, whether by industry or government, must be granted by the Government Contracting Activity having classification jurisdiction. [6-202]

[6-203] Are your employees properly screened for clearance and need-to-know prior to attending classified meetings?


I. CLASSIFICATION
[NISPOM REF] Question (YES / NO / N/A)
[4-102] Are employees designated to perform derivative classification actions sufficiently trained and do they have access to appropriate classification guidance?
[4-102b] Is all derivatively classified material appropriately marked?
[4-103] Is all classification guidance adequate and is the Contract Security Classification Specification (DD254) provided as required?
[4-103] Do you possess a Contract Security Classification Specification (DD 254) for every classified contract issued to your company?
[4-103c] Upon completion of a classified contract, did proper disposal of the relevant classified information take place or is the classified material being retained for two years?
[4-104] Is improper or inadequate classification guidance being challenged?
[4-105] Is contractor-developed information such as unsolicited proposals or other information not supporting the performance of a classified contract appropriately classified, marked, and protected?
[4-107] Are downgrading and declassification actions accomplished as required, and is action taken to update records when changing the classification markings?

J. EMPLOYEE IDENTIFICATION
[NISPOM REF] Question (YES / NO / N/A)
[5-410b] Do personnel possess the required identification card or badge when employed as Couriers, Handcarriers or Escorts?
[5-313a] Did the manufacturer of your automated access control devices provide written assurance that it meets NISPOM 5-313 standards?

Security procedures should maximize the use of personal recognition verification for access to classified material. Note that the NISPOM makes only passing reference to IDs and badges for use in specific instances. When such programs are employed as part of your security-in-depth procedures, the specifics should be reviewed with your IS Rep.


K. FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE (FOCI)
[NISPOM REF] Question (YES / NO / N/A)
The following questions apply to all contractors:
[2-302] Have there been changes in any of the information previously reported on your SF 328, Certificate Pertaining to Foreign Interests?
[2-302a] Has the presence of any/all FOCI factors been reported to your IS Rep in the manner prescribed?
[2-302b] Does the SF 328 contain current and accurate information?
[2-302b] Has the most current information pertaining to the SF 328 been provided to your DSS IS Rep?
[2-302b] Has your DSS IS Rep been notified of negotiations for merger, acquisition, or takeover by a foreign interest?

The Guide to Completion of the SF 328 should be used to ensure your SF 328 contains current and accurate information. Visit the FOCI webpage found on the DSS website – www.dss.mil – to access an electronic copy of the SF 328 with instructions, FOCI Mitigation Instruments, and a Technology Control Plan.

The following questions apply to facilities involved with FOCI:
[2-302b] Has a FOCI Negation Plan been submitted to your DSS IS Rep?
[2-303c (2a)] If cleared under a Special Security Agreement, has your company received a National Interest Determination (NID) for access to “proscribed information?”

Proscribed information is TOP SECRET/Restricted Data/Communications Security/Special Access Programs and Sensitive Compartmented Information. The special authorization must be manifested by a favorable national interest determination that must be program/project/contract specific from the appropriate GCA.

[2-306] Has a Government Security Committee been appointed from the Board of Directors under a Voting Trust, Proxy Agreement, Special Security Agreement (SSA), or Security Control Agreement (SCA)?
[2-307] Have you developed a Technology Control Plan (TCP), approved by the DSS, when cleared under a Voting Trust, Proxy Agreement, SSA, or SCA?
[2-308a] If operating under a Voting Trust, Proxy Agreement or SCA, do your senior management officials meet annually with the DSS to review the effectiveness of the arrangement?
[2-308b] Is an annual Implementation and Compliance Report submitted to your DSS IS Rep?

L. PUBLIC RELEASE
[NISPOM REF] Question (YES / NO / N/A)
[5-511] Was approval of the Government Contracting Activity obtained prior to public disclosure of information pertaining to a classified contract?
[5-511a] Is a copy of each approved “request for release” retained for one inspection cycle for review by your DSS IS Rep?


M. CLASSIFIED STORAGE
[NISPOM REF] Question (YES / NO / N/A)
[5-101] Do your cleared employees know where they can and can’t hold classified discussions?
[5-102a] Is there a system of security checks at the close of each working day to ensure that classified material is secured?
[5-103] Is a system of perimeter controls maintained to deter or detect unauthorized introduction or removal of classified from the facility?
[5-103] Are signs posted at all entries and exits warning that anyone entering or departing is subject to an inspection of their personal effects?
[5-104] Are procedures developed for the safeguarding of classified material during an emergency?
[5-302] Is TOP SECRET classified stored only in GSA-approved security containers, approved vaults, or approved Closed Areas with supplemental controls?
[5-303, 307] Are supplemental controls being used during non-working hours for all SECRET material NOT stored in GSA containers or approved vaults?
[5-306] Are Closed Areas constructed in accordance with the requirements of the NISPOM?
[5-306b] Has DSS approval been granted for the open storage of documents in Closed Areas?
[5-308] Is the number of people possessing knowledge of the combinations to security containers minimized?
[5-308a] Is a record of the names of people having knowledge of the combinations to security containers maintained?
[5-308b] Are security containers, vaults, cabinets, and other authorized storage containers kept locked when not under direct supervision of an authorized person?
[5-308c-d] When combinations to classified containers are placed in written form, are they marked and stored as required?
[5-309] Are combinations to security containers changed by authorized persons when required?
[5-311a] If any of your approved security containers have been repaired, do you have a signed and dated certification provided by the repairer setting forth the method of repair that was used?
[5-313a] Do ID cards or badges used in conjunction with Automated Access Control Systems meet NISPOM standards?

The CSA may grant self-approval authority for closed area approvals. [5-306]


N. CONTROLLED ACCESS AREAS
[NISPOM REF] Question (YES / NO / N/A)
[5-303] Are supplemental controls in place for storage of SECRET material in Closed Areas?
[5-305] Do Restricted Areas have clearly defined perimeters and is all classified material properly secured when the area is unattended?
[5-306] Are persons without the proper clearance and need-to-know escorted at all times when in a Closed Area?

Supplemental controls are not required for SECRET classified storage during non-working hours if Security-in-Depth has been approved. See definition of Working Hours in NISPOM Appendix C.

[5-306] Are Closed Areas afforded supplemental protection during non-working hours?
[5-312] If Supplanting Access Control Systems are used, do they meet NISPOM criteria, 5-313 & 5-314, and were they approved by the FSO prior to installation?

Watch entrances to Closed Areas to determine the procedures followed when supplanting access control devices are utilized. Are authorized users allowing unauthorized persons to piggy-back into the area?

NISPOM REF: 5-900 5-901 5-307 5-900
Is IDS approved by DSS prior to installation as supplemental protection and does it meet NISPOM or UL 2050 standards as required?
Do intrusion detection systems (IDS), utilized as supplemental protection, meet NISPOM requirements?

When guards are authorized as supplemental protection [5-307b], required patrol is two hours for TOP SECRET and four hours for SECRET. GSA approved security containers and approved vaults secured with locking mechanisms meeting Fed. Spec. FF-L-2740 and located in areas determined by the CSA to have security-in-depth do not require supplemental protection, NISPOM 5-307c.

[5-902b] Are trained alarm monitors cleared to the SECRET level in continuous attendance when the IDS is in operation?
[5-902d] Are alarms activated at the close of business?
[5-902d-e] Are alarm records maintained as required?
[5-903a (3)] Does the Central Alarm Station report failure to respond to alarm incidents to the CSA as required?

Commercial Central Station Alarm Company guards do not require PCLs unless their duties afford them the opportunity to access classified material when responding to those alarms. [5-903a(2)]

NISPOM REF: 5-904 5-905 5-904, 905
Are all IDS at the contractor facility installed by UL-listed installers and so certified?
Has a UL 2050 CRZH certificate been issued?


O. MARKINGS
NISPOM REF: 4-200 4-201 4-202, 203 4-206 4-207 4-202, 4-208 4-210
Question (YES / NO / N/A):
Is all classified material, regardless of its physical form, marked properly?
Is all classified material conspicuously marked to show the name and address of the facility responsible for its preparation, the date of preparation and overall security markings?
Are all portions of classified documents properly marked?
Are subject line and title markings placed immediately following the item?
Are all additional markings applied to classified as required?
Are special types of classified material marked as required?

Special types of classified material include: 1) files, folders or groups of documents; 2) E-mail and other electronic messages; 3) messages; 4) microforms; and 5) translations.

[4-213] Are appropriate classification markings applied when the compilation of unclassified information requires protection?
[4-216] Are downgrading/declassification notations properly completed?

Contractors must seek guidance from the GCA prior to taking any declassification action on material marked for automatic declassification. If approved by the GCA, all old classification markings shall be cancelled and new markings substituted whenever practical. [4-216a]

[5-203] When classified working papers are generated are they dated when created, marked with the overall classification and annotated “Working Papers,” and destroyed when no longer needed?

P. TRANSMISSION
NISPOM REF: 5-202 5-401 5-401 5-401 5-401b 5-402 5-403 5-404
Question (YES / NO / N/A):
Are procedures established for proper receipt and inspection of classified transmittals?
Is classified information properly prepared for transmission outside the facility?
Are receipts included with classified transmissions when required?
Is a suspense system established to track transmitted documents until the signed receipt is returned?
Are authorized methods used to transmit classified outside the facility?

The requirement to maintain receipt and dispatch records has been eliminated. Remember that transmission of TOP SECRET outside of the facility requires written authorization from the Government Contracting Authority. [5-402] Additionally, TOP SECRET material may NEVER be transmitted through the U.S. Postal Service.


NISPOM REF: 2-100 5-408 5-408 5-409 5-410 5-410 5-411 5-412 5-413
Is the facility clearance and safeguarding capability of the receiving facility determined prior to transmission of classified?
Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
Are classified shipments made only in accordance with the NISPOM or instructions from the contracting authority?
Are Couriers, Handcarriers, and Escorts properly briefed?
Is handcarrying of classified material outside the facility properly authorized, inventoried, and safeguarded during transmission?
Is handcarrying aboard commercial aircraft accomplished in accordance with required procedures?
Are sufficient numbers of escorts assigned to classified shipments and are they briefed on their responsibilities?

Change: The requirement for escorts applies only when an escort is necessary to ensure the protection of classified information during transport. [5-412] For information concerning international transmission of classified, see International Operations. NISPOM 10, Sec. 4

Q. CLASSIFIED MATERIAL CONTROLS
[NISPOM REF] Question (YES / NO / N/A)
[5-100] Do your cleared employees understand their safeguarding responsibilities?

Facility walk-throughs are a good way to determine employees’ knowledge of in-use controls for safeguarding classified. Interview and observe how classified is handled in the work place.

[5-200] Is your information management system (IMS) capable of facilitating the retrieval and disposition of classified material as required?

Evaluation of your IMS may be accomplished by conducting employee interviews. Your interview results, classified contract administration, and the results of classified materials reviewed at your facility will indicate whether or not your IMS is consistent with the NISPOM requirements.

NISPOM REF: 5-201a 5-201a 5-202 5-102 5-103 1-300 1-303 5-104
Are TOP SECRET control officials designated at facilities possessing TOP SECRET information?
Are TOP SECRET accountability records maintained as required and is an annual inventory conducted?
Is all classified material received directly by authorized personnel?
Are security checks to ensure proper storage of classified materials conducted at the end of each working day?
Does your system of controls deter or detect unauthorized introduction or removal of classified from the facility?
Are your cleared employees aware of their responsibility to promptly report the loss, compromise, or suspected compromise of classified?
Are procedures adequate to protect classified during emergencies?

Conduct a walk-through inspection during lunch breaks, after hours or on late work shifts when classified is being accessed, to determine the actual security posture at your facility.

R. REPRODUCTION
NISPOM REF: Question: YES NO N/A
Does the equipment used for classified reproduction have any sort of memory capability? If yes, the equipment may require accreditation as an information system.
5-600 Is reproduction of classified material kept to a minimum?
5-600 Is the reproduction of classified accomplished only by properly cleared, authorized, and knowledgeable employees?
5-601 For Top Secret material, is reproduction authorization obtained as required?
5-602 Are reproductions of classified material reviewed to ensure that the markings are proper and legible?
5-603 Is a record of reproduction maintained for TS material and is it retained as required?

Any review of classified reproduction should include concern for waste (copy overruns, etc.), any materials used in production which may retain classified information or images requiring destruction or safeguarding, and type of copier used. A copier that includes any sort of memory may have to be accredited as an information system rather than a copier. Remember, the NISPOM requires a formal accountability system for Top Secret material, and an Information Management System (IMS) for Secret and Confidential material. [5-201; 5-203]

S. DISPOSITION
NISPOM REF: 5-700b 5-701 5-703 5-701 5-702 5-704 5-705 5-706 Question: Are procedures established to review classified holdings on a recurring basis for the purpose of reduction? Is the disposition of classified material accomplished in accordance with the required schedule? Is retention authority requested as required? Is classified material destroyed as soon as possible after it has served its purpose? Is an effective method of destruction employed that meets NISPOM standards? Is classified material destroyed by appropriately cleared authorized personnel who fully understand their responsibilities? (may include appropriately cleared subcontractor personnel) YES NO N/A

The NISPOM requires two persons for the destruction of TOP SECRET and one person for the destruction of SECRET and CONFIDENTIAL.

5-707

Are proper records maintained for the destruction of TOP SECRET classified and do those who sign have actual knowledge of the material’s destruction? Is classified waste properly safeguarded until its timely destruction?

5-708


T. INFORMATION SYSTEMS
System No. Overall Review Finding: Reviewed By: Date:

Administrative
NISPOM 8-202 8-202a 8-202 8-202a 8-202g 8-202g 8-202d 8-202e 8-202f 8-202e Question: Has written accreditation for the SSP been obtained from DSS? If no, was interim approval granted? Up to 180 Days [ ] 181 to 360 Days [ ] Did the user begin processing classified information before interim approval or written accreditation? If interim approval was granted, has the specified time period expired? Has the Information System Security Manager (ISSM) been authorized self-certification authority? If yes, does the ISSM certify all IS under the Master SSP? If yes, does the ISSM provide notification to DSS? Does the IS require reaccreditation based on 3 year limit? Has accreditation been withdrawn? Has accreditation been invalidated? If withdrawn or invalidated, has memory and media been sanitized? YES NO N/A

Responsibilities
8-101b Has management published and promulgated an IS Security Policy?
8-101b Has an ISSM been appointed?
8-103 If yes, are the ISSM’s duties and responsibilities identified and being carried out?
8-104 Has the ISSM designated one or more Information System Security Officer(s) (ISSOs)?
8-104 If yes, are the ISSO(s) duties and responsibilities identified and being carried out?
8-307 Are the privileged users’ duties and responsibilities identified and understood?
8-307 Are the general users’ responsibilities identified and understood?

System Security Plan (SSP)
8-402 8-401 What protection level (PL) is authorized? PL 1 [ ] PL 2 [ ] PL 3 [ ] PL 4 [ ] Highest level of data processed? Confidential [ ] Secret [ ] Top Secret [ ]

User Requirements
Table 4 Table 4 Clearance level of privileged users? Confidential [ ] Secret [ ] Top Secret [ ] Clearance level of general users? Confidential [ ] Secret [ ] Top Secret [ ]

Table 4 8-303a

Do the users understand the need-to-know requirements of the authorized PL? How is the user granted access to the IS? User-IDs [ ] Personal identification [ ] Biometrics [ ]

If passwords are used, does the user understand his/her responsibility for password creation, deletion, changing, and length? NISPOM REF: 8-311 8-311 Question: Is the “user” involved in configuration management (i.e., adding/changing hardware, software, etc.)? If yes, does the user understand and follow the configuration management plan? YES NO N/A

IS Hardware
8-311a 8-311d 8-306a Does the SSP reflect the current hardware configuration? If not, do the maintenance logs reflect changes in the hardware configuration? Does the IS equipment bear appropriate classification markings?

Physical Security
8-308 How is the IS physically protected? (Check all that apply)
Closed Area; Approved Containers; Approved Locks; Patrols; IS Defined Perimeter; Boundary Area (Restricted Area); PDS [1]; Access Control Devices; Guards; Alarms; Seals; Intrusion Detection System; Other (Specify)
[1] Protected Distribution System

5-800 If closed area, are all construction requirements met?
5-306 Is access controlled by cleared employee, guard or supplanting access control device?
5-306 If access is controlled by cleared employee, what criteria is used before granting access?
5-312 If access is controlled by a supplanting access control device, are all requirements met?
5-307 If required, is supplemental protection provided by guards or an approved IDS?
5-307b If supplemental protection is provided by guards, are all requirements met?
5-900 If supplemental protection is provided by an IDS, are all requirements met?
5-306b Is open shelf or bin storage of classified information, media or equipment approved?


NSTISSI 7003 NSTISSI 7003 NSTISSI 7003

If classified wirelines leave the closed area, are all PDS construction requirements met? If PDS is used, are all inspection requirements followed? If PDS is used, do they contain unclassified wirelines? If closed area has false ceilings or floors, are transmission lines not in a PDS inspected at least: Monthly (Security In-Depth) [ ] Weekly (No Security In-Depth) [ ]

8-502b

If restricted or IS protected area, is the IS downgraded before/after use? If seals are used to detect unauthorized modification, are the website guidelines followed? If seals are used, does the audit log reflect why the seal was replaced?

8-308c

Is visual access to the IS or classified information obtainable by unauthorized individuals?

Software
Are contractor personnel that handle system or security related software appropriately cleared? 8-302a 8-306c NISPOM REF: 8-306c 8-202c 8-305 8-305 8-305 8-305 8-502d Are the installation procedures identified in the SSP being followed? Is the media on which software resides write-protected and marked as unclassified? Question: Is non-changeable media (e.g. CD read-only) appropriately handled and marked? Is security relevant software evaluated before use? Is software from an unknown or suspect origin used? If used, is the software from an unknown or suspect origin validated before use? Is software tested for malicious code and viruses before use? Are incidents involving malicious software handled in accordance with SSP procedures? Is separate media maintained for periods processing?
YES NO N/A

Media
8-306 5-300 Is media marked to the classification level of the data? Is media appropriately safeguarded when not in use? Are approved procedures followed when unclassified media is introduced into the system?


Security Audits
Are all appropriate Audit entries recorded? 8-602a 8-602 8-602a 8-602a 8-602 8-602 Are processing times reasonable (i.e., hours between breaks)? Are the protection requirements for each audit requirement recorded? Are the Audit Logs/Records reviewed: Weekly? [ ] Daily? [ ] Is the reviewer authorized and briefed on what and how to review the audit records? Does the reviewer understand his/her responsibility for handling audit discrepancies? Are audit Logs/Records retained for 12 months?

Security Awareness
8-103a Has the contractor implemented an IS training program?
8-103a Are users briefed before access is granted?

IS Operations
8-502 8-502 8-502 8-502 8-310 8-310 8-310 If possible, have the user demonstrate the security level upgrading procedures. Is the user responsible for clearing memory and buffer storage? If yes, does the user know how to clear memory and buffer storage? Is magnetic media cleared/sanitized before and after classified processing? Does the user understand his/her responsibility for handling/ reviewing data and output (in-use controls)? Does the user follow approved procedures when doing a trusted download? If possible, have the user demonstrate the security level downgrading procedures.

Maintenance and Repair
NISPOM REF: 8-304a 8-304a 8-304b 8-304b 8-304b Question: Is maintenance done at your facility with cleared personnel? If yes, is need-to-know enforced? Is maintenance done at your facility with uncleared personnel? If yes, are the maintenance personnel U.S. citizens? Does the escort understand his/her responsibilities? Does the audit log reflect the escort’s name? Is diagnostic or maintenance done from a remote location using secured / nonsecured communication lines? Is maintenance physically done away from your facility?
YES NO N/A


8-304b (4) 8-304b 8-304b 8-103

If uncleared maintenance personnel are being used, is a dedicated copy of the operating system software maintained? Is the system and diagnostic software protected? Is the entire IS or individual components sanitized before / after maintenance? Has the ISSM approved the use of maintenance tools and diagnostic equipment?

Media Cleaning, Sanitization and Destruction
8-502 8-502 8-502 8-502 8-502 8-502 Is the user responsible for clearing memory (volatile / nonvolatile)? Is the user responsible for sanitizing memory (volatile / nonvolatile)? If yes, does the user annotate the audit records? Ask the user to describe or demonstrate the procedure. Is the user responsible for clearing magnetic storage media? Is the user responsible for sanitizing magnetic storage media? If yes, does the user annotate the audit records? Ask the user to describe or demonstrate the procedure. Is an approved overwrite utility used to clear or sanitize magnetic media? If yes, does the user annotate the audit records? IA Website Do you have approved procedures for the destruction of nonmagnetic media (e.g. Optical Disks)? What level magnetic tape is used? Type I [ ] Type II [ ] Type III [ ] Unknown [ ]

Does the contractor use an approved tape degausser to sanitize magnetic tapes? If yes, what level tape degausser? Type I [ ] Type II [ ] Type III [ ] Unknown [ ]

If yes, does the user annotate the audit records? If yes, does the tape degausser comply with NSA specifications? Are approved procedures followed for clearing / sanitizing printers?

STU-III
NISPOM REF: Question: If yes, are users briefed on proper use and security practices? Are installed terminals supported by a COMSEC account or hand carry receipt?
Are installed terminals in controlled areas? Does the SSP reflect the outside STU-III connections? If yes, has someone verified that the outside connections are authorized and accredited?

YES NO N/A


Networks
NISPOM REF: 8-700 8-700e(3) 8-700b 8-700c 8-700c 8-700c 8-610a 8-700 8-700 Question: Are all outside network connections known, authorized and accredited? If the network leaves your facility, are NSA approved encryption device(s) used? Is this a unified network? Is this an interconnected network? If yes, does each participating system or network have an ISSO? Does the network have a controlled interface? Is a network security plan being followed? Is this a contractor only network? If no, is a DISN circuit being used or has the customer obtained a waiver from DISA? If the network is not contractor only, has a MOU been coordinated between all DAAs? Are data transfers (receipt and dispatch) across the network audited? YES NO N/A

Note: NISPOM Chapter 8 and ISL 2007-01.

U. COMSEC / CRYPTO
The primary source of information for COMSEC inspections is the NSA / CSS Policy Manual No. 3-16, November 2005. Requirements exceeding those in the NISPOM must be contractually mandated. The NISPOM does not provide detailed guidance for protection of COMSEC material. If you require training and audit information, contact the NSA.

V. INTERNATIONAL OPERATIONS
NISPOM REF: If YES, 10-200 10-202 Question: YES NO N/A

Disclosure of U.S. Information to Foreign Interests
Continue!

Does your company have any classified contracts with foreign interests? Was appropriate export authorization obtained prior to disclosure of classified information?

Remember that an export authorization is required before making a proposal to a foreign person that involves eventual disclosure of U.S. classified information. [10-202]

10-200 10-401d

Is proper disclosure guidance provided by the Government Contracting Activity? Are requests for export authorizations of significant military equipment or classified material accompanied by Department of State Form DSP-83, “Non-Transfer and Use Certificate?” Have the required security provisions and classification guidance been incorporated into the subcontract document for all direct commercial arrangements with foreign contractors involving classified information?

10-202


Possession of Foreign Classified Information
10-300 Has your DSS IS Rep been notified of all contracts, awarded by foreign governments, which involve access to classified information?
10-302a Is foreign government information provided protection equivalent to that required by the originator?
10-304a Are U.S. documents containing foreign government classified information marked as required by the NISPOM?
10-306 Is foreign government material stored in a manner that prevents its mingling with other material?

The receipt of classified material from a foreign source through non-government channels shall be promptly reported to the DSS IS Rep. [10-311]

10-312

Is the subcontracting of contracts involving access to foreign government information conducted in accordance with the NISPOM?

International Transfers
10-401 10-402 10-404 10-405 10-405 b-c Do all international transfers of classified material take place through channels approved by both governments? Is an appropriate transportation plan prepared for each contract involving international transfer of classified material as freight? Does the use of freight forwarders for the transfer of classified material meet the requirements of the NISPOM? Is classified material hand carried outside of the U.S.? If so, is such action always approved by the CSA? Are couriers provided with a Courier Certificate and do they execute a Courier Declaration before departure?

Paragraphs 10-405a thru j provide detailed requirements for employees acting as couriers when hand carrying classified across international boundaries.

10-406 10-408

Are all international transfers of classified controlled by a system of continuous receipts? Is adequate preparation and documentation provided for international transfer of classified pursuant to an ITAR exemption? Note: For FMS the GCA is responsible for the preparation and approval of the transportation plan.

International Visits and Control of Foreign Nationals
10-500 10-508 10-509 2-306 2-307 Has a TCP been established to control access to all export controlled information? If yes, are these procedures current and effective?


10-501 10-506 10-507

Have you established procedures to monitor/control international visits by your employees and by foreign nationals?

Visit authorizations shall not be used to employ the services of foreign nationals to access export controlled materials; an export authorization is required in such situations. [10-501b]

10-506

Are requests for visits abroad submitted on a timely basis?

The Visit Request format is contained in NISPOM Appendix B.

10-508 10-509

Do you properly control access to classified by on-site foreign nationals?

All violations of administrative security procedures or export control regulations by foreigners shall be reported to the CSA. [10-510]

Contractor Operations Abroad
10-600 Do any of your employees have access to classified information outside of the United States?
10-603 Has all transmission of classified information to cleared employees overseas been conducted through U.S. Government channels?
10-604 Are employees assigned outside of the US properly briefed on the security requirements of their assignment?

The storage, custody, and control of classified information required by U.S. contractor employees assigned outside of the US are the responsibility of the U.S. Government. Contractors are NOT allowed to store classified information overseas – all storage MUST be under the auspices of the U.S. Government.

NATO Information Security Requirements
10-706 Are briefings / debriefings of employees accessing NATO classified conducted in accordance with the NISPOM, and are the appropriate certificates and records on file?

Remember that a personnel clearance is not required for access to NATO RESTRICTED, although a facility clearance is. [NISPOM 10-702 & 704]

10-709 10-710 10-712a 10-712b 10-713 10-717 10-721

Are all classified documents properly marked? Have you received adequate classification guidance? Are NATO classified documents kept separate from other classified documents? Have the combinations to containers holding NATO classified been changed annually as a minimum? Has all NATO classified been properly received and transmitted? Are the accountability records for NATO classified maintained as required? Are visits of persons representing NATO properly handled and is the visit record maintained as required?


W. OPSEC
NISPOM REF: None Question: Are OPSEC requirements implemented in accordance with contractual documentation provided by the GCA? YES NO N/A

X. SPECIAL ACCESS PROGRAMS (SAP)
Reference: Question: Yes No

NISPOM, NISPOM Supplement; and DoD Overprint to the NISPOM Supplement

Is this a potential site for arms control inspections under START, OPEN SKIES, Chemical Weapons Convention (CWC) or International Atomic Energy Agency (IAEA)? If Yes: Is the DoD component sponsoring or acting as the executive agent for a SAP providing arms control implementation guidance and direction? Reference: 11-704 DoD Overprint to the NISPOM Supplement.

Is there any Special Access Program contract activity at your company? Note: The FSO should discuss this with the senior management official of the facility. If Yes: Remember that such programs are subject to NISPOM, NISPOM Supplement, DoD Overprint to the NISPOM Supplement or the JAFAN 6/0 - Revision 1 and Program Security Guide requirements. A self inspection of the SAP(s) is required annually IAW 1-206e of the DoD Overprint to the NISPOM Supplement or IAW 1-206 of the JAFAN 6/0 - Revision 1. The Security Review Checklist is found in Appendix 1J of the Overprint and Appendix F of the JAFAN 6/0 – Revision 1. If Yes: During the self-inspection, it is important for you to coordinate with the internal Contractor Program Security Officer (CPSO) to ensure that individual program security requirements are being followed.


Suggested Questions When Interviewing Uncleared Employees:

- What is classified information?
- Have you ever seen classified information?
- If you found classified information unprotected, what would you do?
- Have you ever heard classified information being discussed?
- Have you ever come into possession of classified materials? How?

Suggested Questions When Interviewing Cleared Employees:

- What is your job title / responsibility?
- What is the level of your security clearance?
- Which contract or program requires the use of your clearance? How?
- How long have you been cleared?
- If recently cleared, what were the process / steps in applying for your security clearance?
- When was your last access to classified information and at what level?
- Have you ever accessed classified information outside of this facility?
- What are the procedures for going on classified visits?
- How about visitors coming here for a classified visit?
- Did anyone else from the facility accompany you on this visit?
- What procedures did you follow prior to your classified visit?
- Did you take any classified notes or bring any classified information back to the facility?
- What procedures were followed to protect this information?
- Where is this information now?
- Have you ever allowed visitors to have access to classified information?
- How did you determine their need-to-know?
- Have you ever been approached by anyone requesting classified information?
- Do you ever work overtime and access classified information?
- When was the last time that you had a security briefing?
- What can you recall from this briefing?


- Can you recall any of the following being addressed in briefings?
  - Risk Management
  - Public Release
  - Adverse Information
  - Job Specific Security Brief
  - Safeguarding Responsibilities
  - Counterintelligence Awareness
- What is meant by the term adverse information and how would you report it?
- Can you recall any other reportable items?
- What is meant by the term suspicious contact and how would you report one?
- Have you ever been cited for a security violation, infraction, or incident?
- What would you do if you committed a security violation or infraction or discovered one?
- Do you have the combination to any storage containers, access to any Closed Areas, etc.?
- What are the security requirements regarding combinations to security containers?
- Who other than yourself has access to these containers?
- How do you keep track or maintain your knowledge of the combination?
- Is a record maintained of the safe combination? If so, where?
- Do you generate classified information? Tell me about it.
- What security controls are established?
- How do you know it’s classified?
- Where do you typically work on classified information?
- What procedures do you follow to protect classified while working on it?
- What do you do with classified information?
- Do you ever use a computer to generate classified information?
- How do you mark this information?
- What information or references do you use when classifying information?
- Please produce the classification guidance that you used. Is it accurate?
- What would you do if you determined that the classification guidance was not accurate?
- What are the security procedures for publishing classified papers, etc.?
- Do you ever hand carry any classified information outside of your company?
- What procedures do you employ when hand carrying classified material?
- Have you ever reproduced classified information? Describe the procedures.
- Have you ever destroyed classified information? What procedures were used?
- Do you have any questions regarding security?


NOTE: In addition to asking questions, it is a good idea to ask cleared employees to demonstrate how they perform their security-related tasks, e.g., “Show me what you do before processing classified information on your computer” or “Show me how you prepare a package for shipment.” This will allow you not only to verify what the correct procedures are, but to ensure those procedures are being carried out and that classified information is being protected.

The Program Specific Self-Inspection Process

Your company may be one of the many NISP contractors performing on numerous classified contracts requiring the administration of a complex security program. The self-inspection of your security program can be time consuming and possibly very challenging. A technique that can facilitate your self-inspection process to help you determine your facility’s security posture focuses on one or more classified programs and assesses your compliance with the security requirements involved with those programs. This technique for evaluating your facility’s security program describes the program specific self-inspection process.

Are there any benefits to using the program specific approach when conducting your self-inspection? The program specific self-inspection can help you gain a better understanding of what your company’s responsibility is for a particular classified program in addition to providing you insight as to what each person contributes to the effort.

The following is provided to explain the program specific self-inspection. Your DSS IS Rep puts great emphasis on providing recommendations and suggestions to improve your security practices. But this can only be accomplished when you have a good grasp of your operations and the manner in which classified information is handled.
By taking a detailed look at one or more classified programs and interviewing key individuals to determine what they do and how they handle classified information, you will be able to evaluate how well your facility’s overall security program is functioning. Many classified programs require a variety of tasks such as manufacturing, report writing, testing, researching, and transmitting, etc. In a program specific inspection, you select one or more programs to be closely examined. This program specific self-inspection process usually begins with the interview of the program manager (in some facilities this could even be the President) to learn what the program or contract is all about. Start by asking for a layman’s overview of the program and question the level of classified access required, the procedures for classifying information, what, if any, problems have been experienced, and who in the facility is responsible for what on the program. Follow these leads to interview other employees including technical, clerical, and secretarial personnel. During these interviews, explore all security requirements connected with the employees’ responsibilities in the program such as classified material controls, classified storage, markings, classification management, transmission, disposition, security education, and reproduction. Elements of a more administrative nature, relating to the facility’s security program, such as the review of JPAS /JCAVS records and briefing statements, are ordinarily covered by reviewing your records within the Security Office. The main rule is: if an element is applicable to your facility’s classified involvement, cover the element in your self-inspection and, whenever possible, consider using the program specific techniques illustrated below. You may find that exploring one classified program is not enough to give you a “feel” for how well your security program is functioning. 
One program may represent only a small part of the classified activity that takes place at your facility. If that’s the case, you will want to examine several, if not all, of your classified programs in detail. It’s important that you explore each inspection element thoroughly to ensure that your facility is in compliance with the NISPOM. Your underlying concern is that classified information and materials are properly protected and that your employees are knowledgeable of their security responsibilities.


A Program Specific Self-Inspection Scenario

The following scenario illustrates a self-inspection conducted on a specific program. For the purpose of this example, it is not an all-inclusive inspection.

Fenster Dinwiddie, FSO of Capabilities Limited (CL) has decided to focus his self-inspection on the SCUD Intercept Countermeasure (SIC) Project, one of three classified contracts awarded to CL. As we join Fenster, he has accomplished most of the administrative portion of the inspection. He has reviewed JPAS / JCAVS records, records of briefings, etc. and has completed his inventory of all classified materials and records. He has already touched base with the President of CL to make sure there were no recent organizational changes or foreign involvement that he should report. Certain elements like Subcontracting, Consulting, COMSEC, and International Operations do not apply. Emulating the inspection techniques of his IS Rep, Fenster has decided to go out on the floor and find out what the employees do and how knowledgeable they are about their security responsibilities.

The Program Manager Interview

Fenster recalled that his IS Rep began each inspection by interviewing the person most knowledgeable about a particular contract. In this case it means talking to Conrad Floot, the lead engineer on the SIC Project. Fenster went upstairs to “Engineering Row” to locate Conrad.

“Fenster!” cheered the engineers as he entered the department. Fenster is always tickled to receive such a salutation. He feels honored to maintain such a congenial relationship with the engineers. After all, he does represent the security department.

“Say, Conrad, can you fill me in on this SIC Project of yours? I’m doing my recurring self-inspection and decided to focus in on your program.”

Conrad is impressed. No one has ever expressed that much interest in his project before and he loves to talk, especially about the SIC Project, his “baby” as he prefers to call it.
“Sure, what do you need to know, Fence?” “Well, why don’t you start by giving me a program update? You know, what we’re doing for the customer, what’s classified about it, and things like that. But keep it simple, okay?” Conrad is thrilled. He proceeds to give Fenster a detailed overview of the program, its history, and current status. Fenster is thinking, “You know this is pretty interesting stuff. I should get out on the floor more often.” During the interview, Fenster took careful notes. He discovered that eight other engineers plus a contingent of secretarial and support personnel are working on at least some portion of the program. He decided he would interview each individual over the next couple of days. They discussed the classified design modifications which were being tested down the hall. Fenster had Conrad describe each step of the test procedure including whether aspects of the tests themselves were classified. He asked what makes the design modifications classified, how they’re protected, who protects them, how and where they’re tested, etc. To his relief, he found that all the procedures at least appeared to be in conformance with the NISPOM. Later, he would interview key members of the test and evaluation staff individually. He never realized there were so many security considerations! Conrad identified his customer point-of-contact just in case Fenster or the IS Rep needed to call. They spent a lot of time on classification management. Fenster wanted to know what classification guidance had been provided by the customer and whether he felt that it was adequate. He asked what Conrad would do if they were to experience problems in determining what should be classified. They reviewed classified marking procedures, the kind of classified information that’s been received, who is allowed access, procedures for generating classified information, reproduction, disposition, transmission, public release, and access authorizations. 
By the time he was done, Fenster had a pretty good idea of what the SIC Project was all about and whom to talk to for more information.

In addition to addressing the program-specific security concerns, Fenster remembered to question Conrad regarding important overall security program-related issues such as security education, adverse information, and foreign travel.

Employee Interviews

Next, Fenster interviewed each of the engineers on the project. He asked many of the same questions, but this time he was more interested in learning exactly what each person’s responsibilities were and how they handled classified information. He already knew a great deal about the program just by talking to Conrad. It was time to “zero in” on the nuts and bolts of the SIC Project.

His first stop was at Elmo Platz’s office. According to Conrad, Elmo has been involved in the program from the start and, as the assistant program head, has major responsibilities. First, Fenster asked Elmo to explain his job and how it relates to the SIC Project. Fenster asked what level of access he needed for the job, how he obtained his classification guidance and whether there were any problems in this area that he should be aware of. There were other questions as well, all designed to determine whether Elmo and his SIC Project staff were following the requirements of the NISPOM. Fenster asked:

- How often and under what circumstances did Elmo access classified information?
- Was he aware of his adverse information reporting responsibilities?
- Did he generate classified material in-house and, if so, on what equipment?
- How was the information protected?
- Did he know the combination to the security container? Was the combination properly safeguarded?
- Did he attend any classified meetings at the customer’s site or at CL? Did anyone else from CL attend?
- Did he reproduce classified material? On what equipment?
- Was he familiar with the rules on retention, hand carrying, “need-to-know,” marking, accountability, and disposition of classified information?
- Was he aware of any unreported security violations?
- Did any of his classified work require a special briefing, e.g., NATO?
- Was there anything relating to security that he thought Fenster should know about?
- Did he have any classified information that was not logged into the facility’s accountability or Information Management System? Where did it come from?

You can see that Fenster was trying to cover all of the relevant inspection elements listed in the self-inspection handbook during his interview. This line of questioning was continued with each of the major participants in the SIC Program, from the engineering staff to the mailroom personnel. When he was done, Fenster had covered every pertinent self-inspection element and had discovered only one or two administrative errors. His self-inspection was a success. We hope yours is, too!


Security Education, Training and Awareness Directorate
Defense Security Service Academy
938 Elkridge Landing Road
Linthicum, MD 21090
www.dss.mil

November 2008

