2 Steps to Determining Need to Know

Posted in national industrial security, NCMS, nispom, nispom training, security awareness, security clearance, security clearances, security clearances jobs, security education on September 8, 2011 by Red Bike Publishing
Take a look at the following dramatization. A Facility Security Officer (FSO) is engaged in an inquiry to determine whether or not a security violation led to the loss, compromise or suspected compromise of classified information. A cleared employee had left classified information out on his desk. A cleared employee asked another cleared employee to “keep an eye” on a classified document while she left for lunch.
A short time later, the second employee was summoned to his boss’s office to answer some questions. He left in a hurry, forgetting about the classified information on the desk. At first glance, the unattended classified information is the most obvious violation. However, once the inquiry concluded, another issue became evident. The co-workers did not work on the same contract or share in any kind of project relationship. The first co-worker entrusted the safeguarding of classified information to an employee who held the proper security clearance, but who did not have need to know.
Holders of classified information should verify two things prior to releasing it to another party. They should determine the recipient’s active security clearance level and whether or not the recipient has a valid need to possess the classified information. Determining clearance level can be easily accomplished by the FSO, Personnel Security Officer or equivalent. They can access the Department of Defense’s Joint Personnel Adjudication System (JPAS) for that information. However, that’s just half of the requirement. To complete the process, the holder has to identify whether or not the recipient has need to know.
So, how does one determine need to know? Is it the FSO’s job? Is it the program manager’s job? Whose job is it? “Need to know” can be established using these 2 principles:

1. Who determines need to know: Need to know is a determination exclusively made by the holder. Those in possession of classified information are responsible for the proper release or disclosure.
2. How to determine need to know: Verifying contract number, performance on a project or program, validation by a project manager, access roster and other methods can be used to determine need to know.

Security clearances should be kept to the minimum amount necessary to perform the classified work, and access to that classified information must be kept to only those with a valid need to perform on the government work. JPAS or even security clearance verification cannot provide need to know. Just because one has a clearance doesn’t mean they should be authorized access. Need to know is based on a contractual or work performance basis.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: “Get Rich in a Niche-Insider’s Guide to Self Publishing in a Specialized Industry” and “Commitment-A Novel”. Jeff is an expert in security and has written many security books including: “Insider’s Guide to Security Clearances”, “DoD Security Clearances and Contracts Guidebook”, “ISP Certification-The Industrial Security Professional Exam Manual”, and “NISPOM/FSO Training”. See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Five Ways For an FSO to Increase High Power Team Effectiveness

Posted in accountability, dd form 254, fso certification, Industrial Security, Industrial Security Professional, nispom, security clearance, security clearances jobs on September 2, 2011 by Red Bike Publishing

Maybe you think you are alone, fighting the one person fight that many leaders face. However, you would be wrong to assume that the head of security is the only one responsible for the security program. For cleared defense contractors, the Facility Security Officer is in charge of the security program, but not the only one with a vested interest in protecting classified contracts. So how does the FSO create a teaming environment or create a program where everyone works together?
 
Through High Power Teams

High power teams (HPT) are the most effective types of entities. Where groups form, storm and norm, HPTs go further to create a body more capable than any individual. They do this by agreeing to rules and primarily keeping in mind that throughout any process or problem, it’s not about the individual, it’s about the group. This allows the organization to benefit as a whole as each member sacrifices their individual desires. The members do not lose or give up the individuality that makes them unique. It does not stifle individual creativity. What each individual sacrifices are selfish desires and the need for self importance.
 
High power teams (HPT) consist of a small number of people with complementary skills. Individual members of HPTs are committed to a common goal and hold themselves mutually accountable. This structure and assembly of individual core competencies, skills and capabilities create a superpower stronger than any one person could ever be.

The charter defines the standards the HPT will perform under. It provides the purpose, vision, norms, goals, expectations and procedures. The charter is the rudder that keeps the group focused and forms the basis for group discipline and accountability. For example, if someone arrives late or makes fun of another member’s contribution, corrections can be made by referring to the charter. Additionally, if the group loses focus, the members can refer to the vision and goals.

While the charter provides the fundamentals, other dynamics provide the group’s personality and incredible effectiveness. Typically, all groups go through forming, storming, norming, and performing stages, but that’s where a group’s effectiveness ends. There is a distinct difference between groups and teams.

 Teams build on the four stages by engaging collective performance, positive environment, holding individuals and the entire group accountable for charter guidelines and taking advantage of complementary skills. This again increases effectiveness and provides results associated with the capabilities of the HPT.

Anyone can form an HPT, especially highly effective formal and informal leaders. Let’s, for the sake of relevance, consider Facility Security Officers, command security managers or other security specialists. In other words, how can an HPT help?

Start with the charter. A leader can form an HPT from all business units. Since the FSO is responsible for creating a security program to protect classified information, they may either suggest or take the lead and form the group. Once in the group, the individuals begin to discuss the vision, norms, etc. Topics to tackle might include policy, security violations, refresher training, emergency operations planning, and communication for starters. A multi-organizational HPT can bring depth and breadth to a stagnant security program.

The difficulty for some leaders will be to sacrifice their will and turn over problems for a group to solve. That’s natural, but one of the benefits is that security is now part of the organization’s DNA and not just “overhead” or a “necessary evil”. The effective group will have capabilities beyond just the one leader. The tradeoff is perfect and the results impressive.
 
Here are recommendations for forming an HPT:

  1. Engage: Invite interested parties. Canvass your corporation and determine who might be interested in joining this group. You may need to build security allies who might help you recruit effective individuals.
  2. Focus: Develop a game plan and respect other members’ time. You can increase effectiveness with a charter as described above.
  3. Accountability: Have meeting minutes and document your work and products. Be sure to capture all important decisions and who will act on them. When the group assigns responsibilities to individuals, they tend to come through.
  4. Follow up: Let the group know you appreciate their efforts. Better yet, assign credit to your group members and ensure the executives and department heads (if they aren’t part of the group) understand who the members are and buy in on decisions.
  5. Have fun: This is a time to allow creativity. Work within the confines of governing regulations and corporate policy, but allow out of the box thinking.

Five ways to improve annual security refresher training

Posted in fso certification, nispom training, security awareness, security clearances, security clearances jobs, security education, sped on August 25, 2011 by Red Bike Publishing


Give your cleared employees the training they need to be able to focus on how to protect their classified contracts. We all know that to check the block, the annual refresher training should complement the initial security training. But does it have to be the same presentations over and over? Engineers, supervisors, program managers and others are extremely intelligent and want to be challenged. Here are some great suggestions to help you do just that.


     1. Build on last year’s training. Many FSOs make the mistake of providing the initial security briefing every year: here’s how to mark, lock it up in a security container, and on and on. This insults people’s intelligence and limits your effectiveness. For example, you might demonstrate the importance of reporting by highlighting how reporting has helped reduce security violations or even streamlined a process.

     2. Make training relevant to the cleared employee’s mission. Things to consider are contract statements of work, DD Forms 254, mission statements, vision, etc. Make the training real to how the employee performs.

     3. Change the format, location, time and setting. There is no rule that says training has to be PowerPoint based or a lecture. Consider using working groups or workshops and invite cleared employees to solve security issues. Develop a scenario, provide the NISPOM guidelines and have the group come up with the solution. Workshops and panel discussions provide out of the box thinking. The FSO becomes a facilitator and not a lecturer.

     4. Bring in experts. You can invite fellow FSOs, speakers from professional organizations, consultants, counter-intelligence experts, etc. to provide your training for you.

     5. Provide training based on organizational structures. Executives and KMPs want to know how security policy impacts classified contracts and the organization. Cleared employees want to know how to engage security in their performance on classified contracts. Supporting elements such as human resources, facilities and legal might have other concerns. Creating tailored training gets results.





For more security clearance ideas, books and more, visit http://www.redbikepublishing.com

Comix

Posted in secure processing, Security, security budget, security clearance, security clearances, security clearances jobs, security education, sped on August 19, 2011 by Red Bike Publishing

Free Downloads — Red Bike Publishing

Posted in Uncategorized on August 19, 2011 by Red Bike Publishing

Complimentary Downloads of Forms Cleared Defense Contractors and Facility Security Officers need.

All forms are referred to in DoD Contracts and Security Clearances Guidebook and can be downloaded straight to your computer.

Forms You Might Need to Know About

Posted in defense security services, deparment of defense, security awareness, security budget, security clearance, security clearances, security clearances jobs, security education, sped, spy, violations on August 18, 2011 by Red Bike Publishing
These standard security forms are used in administering the security classification programs in Government. Industry members should contact their contracting agency for information on how to obtain these forms.
The majority of these items are available through the General Services Administration’s (GSA) Federal Supply System. Some of the forms are available online at the GSA web site or can be obtained by calling 1(800) 525-8027.
*     SF-312 Classified Information Nondisclosure Agreement
The SF-312 is a contractual agreement between the U.S. Government and a cleared employee that must be executed as a condition of access to classified information. By signing the SF-312, the cleared employee agrees never to disclose classified information to an unauthorized person.
*     SF-700 Security Container Information
The SF-700 is a form that contains vital information about the security container in which it is located. This information includes location, container number, lock serial number, and contact information if the container is found open and unattended.
*     SF-701 Activity Security Checklist
The SF-701 is a checklist that is filled out at the end of each day to ensure that classified materials are secured properly and allows for employee accountability in the event that irregularities are discovered.
*     SF-702 Security Container Check Sheet
The SF-702 provides a record of the names and times that persons have opened, closed and checked a particular container that holds classified information.
The following three cover sheets are placed on top of documents to clearly identify the classification level of the document and protect classified information from inadvertent disclosure.
*     SF-703 Top Secret Cover Sheet
*     SF-704 Secret Cover Sheet
*     SF-705 Confidential Cover Sheet
The following labels are placed on various forms of U.S. Government property (e.g. CDs, diskettes, computers, etc.) to clearly identify the classification level of the information located in or on that property.
*     SF-706 Top Secret Label
*     SF-707 Secret Label
*     SF-708 Confidential Label
*     SF-709 Classified Label
*     SF-710 Unclassified Label
In a mixed environment in which classified and unclassified materials are being processed or stored, this label is used to identify media that contains unclassified information. Its function is to aid in distinguishing among those media that contain classified information in a mixed environment.
*     SF-711 Data Descriptor Label
Used to identify additional safeguarding controls pertaining to classified information that is stored or contained on various forms of media. 
For more information, visit the Industrial Security Oversight Office

Classified storage approval… Three Steps to Prepare Defense Contractors for Closed Areas

Posted in cleared contractors, dd form 254, defense contractor, secret, secure processing, security clearance, security clearances, security clearances jobs on August 17, 2011 by Red Bike Publishing
As a Facility Security Officer, you take the lead in creating a security program designed to protect classified information. You are at the cutting edge of your cleared contractor organization’s capability of getting and keeping classified contracts. As such, you should also be the senior executive’s right hand and have successfully established the required relationship to provide sage security counsel.
Some topics relevant to your organization might be:
Where are we heading?
What type of classified storage might this require?
What will be the cost and impact to the company?
How is my security program poised to support current and new contracts?
If a new or existing contract requires dedicated space to perform on and store classified information, a “Closed Area” may be required. A closed area is used to safeguard classified material of unusual “size, nature, or operational necessity, and cannot be adequately protected by the normal safeguards or stored during nonworking hours in approved containers”. NISPOM 5-306 provides minimal guidance on cleared contractor responsibilities, and 5-800 provides construction information.
1.  Ensure you have a classified contract that approves classified storage and performance at the prospective closed area location.
You can find this information on the top right corner of the DD Form 254. There are two blocks there that indicate Facility Clearance Required and Level of Safeguarding Required. Block 11 should be marked with the Cleared Contractor’s requirements in performance of the classified contract (store, receive only, fabricate, etc). Further instructions may be found in Blocks 13 and 14. If you have any questions, you should clear them up with the customer. Your responsibility as FSO is to ensure your company is capable of understanding the security requirements and performing as instructed. It is vital that your executives and customers are in complete synchronicity.
2. Work with your Defense Security Services to ensure they understand the requirements and there are no surprises. 
DSS has oversight and as such, they will verify that your classified contract, storage capability, and security program will protect classified information. As such, your organization, the cleared defense contractor, will also have to produce and demonstrate storage and performance procedures before approval.
3. Identify level of security.
For the storage of SECRET and above in a closed area, you will need to use supplemental protection during non-working hours and use approved locking devices for access control during working hours (see NISPOM 5-306). Access control can either be a cleared person making checks or an automated system. If you don’t already have an area that meets approved construction requirements, you might have to make significant modifications to an existing room or completely build a new room. If so, consider taking pictures throughout the construction as you build so that you can demonstrate compliance. It will be hard to verify proper construction once construction is complete. At any rate, work closely with your DSS rep and Prime contractor or GCA.
That’s it. These three steps should be addressed as a minimum before you invest critical resources to dedicate or construct space for a “closed area”. Closed areas help protect classified information that cannot be otherwise protected, but they cost money. Approval of closed areas may require further approval of open bin storage.
For more information, check out our new book, DoD Security Clearances and Contracts Guidebook