
National Industrial Security Program (NISP) Self Inspections

Presented by: Kat Boyer, Raytheon Company, for the 2010 Joint Security Awareness Council (JSAC).


Presentation Transcript


  1. National Industrial Security Program (NISP) Self Inspections
  Presented By: Kat Boyer, Raytheon Company
  For 2010 Joint Security Awareness Council (JSAC)

  2. PURPOSE
  • To define the requirement for all participants in the NISP to conduct their own security reviews (self inspections). National Industrial Security Program Operating Manual (NISPOM) (1-206b)
  • Discuss how an effective self inspection program will complement your overall Security posture
  • Discuss some self inspection tools or processes
  • Discuss past findings from various sources

  3. Why It’s Important
  • Ultimately to protect our war fighters and our war fighting edge

  4. Let’s Get To It
  • Self Inspections are not just a NISPOM requirement, they are a really good idea (www.dss.mil, search for "self inspection")
  • Start with a self inspection process or plan that fits your facility (the elements are usually interdependent rather than independent)
  • Don’t pencil whip it: make the time to make it count, schedule it and commit to doing a thorough job

  5. Let’s Get To It
  • The first 3 elements apply to everyone:
    • Facility Security Clearance
    • Access Authorizations
    • Security Education
  • These must be covered during your self inspection process, and you build from here using the Elements of Inspection
  • Verify and validate; DSS will

  6. Let’s Get To It
  • If you are part of a large Company you may use self inspection teams from other divisions
  • If you are a smaller facility, look for fresh eyes; ask other departments for assistance (HR, EHS, Quality)
  • Go in with an open mind; this is your opportunity to find the things DSS may find

  7. Let’s Get To It
  • The requirement is to complete the self inspection no later than halfway through each inspection cycle; be creative on how you meet the requirement
  • The process should ensure you cover all the functional areas appropriate to your facility
  • Consider covering one area a month or quarter, culminating in a complete inspection
  • Do the IS portion at least quarterly, and daily the week of your inspection
  • Talk to the people performing the functions; have them walk you through their process

  8. Let’s Get To It
  • Use the DSS Checklist (dated November 2008)
  • If your Company has its own version, be sure to complete the DSS Checklist too
  • Brief Security topics every chance you get (All Hands, daily meetings, etc.)
  • Ask questions; for document markings, try to have a 2nd set of eyes

  9. Let’s Get To It
  • Keep your Senior Leadership involved; make them part of the process
  • Attention to detail
  • Containers tidy and in order
  • Documentation in an accessible and easy-to-read order (use the pink sheet)

  10. Really Now
  • Did we talk about passion and how much your energy will feed others?
  • Smile, be open to suggestions, and smile some more
  • Find the positive (I call it the “upside”); if you look for the upside you will surely find it

  11. Really Now
  • The Self Inspection should be part of your Security Education Program
  • Let everyone know that they are part of the self inspection process; make people take the time to give Security serious consideration
  • Conduct employee interviews using the questions in the DSS Checklist
  • Mix it up: tailor some questions to the employee’s specific task or job

  12. Are You Sure?
  • You cannot do a self inspection from your desk; you have to get out of your office and to the employees working on classified programs
  • Listen to the employees when you are interviewing them; sometimes just listen
  • Your self inspection should not be hard; you just keep it at the forefront every day

  13. Check the Little Things
  • Document your findings and your corrective actions; use estimated completion dates (ECDs) and hold yourself to them
  • Check your security posters monthly; try to rotate them or even move them to a different location, and make them relevant to what you do
  • DoD Hotline number: is it posted and is it current? (800) 425-9098
  • Let your employees know how important it is that they help you

  14. Check the Little Things
  • When was your last OPSEC review? Be sure to include information about traveling with a laptop
  • Reporting requirements: know how many suspicious contacts you have reported during the last inspection cycle. If you have none, your employees may not be providing you information. Encourage everyone to report, and forward the report so that the Government may review it. DSS is your first contact, but cc other applicable agencies (FBI, NCIS, 902nd, DHS, etc.)

  15. Tie It All Up
  • Ensure there will be no surprises for you or your DSS Industrial Security Representative (ISR)
  • Know your other sources (COMSEC Manual, JFAN, NISPOM Supplement, DoD Overprint to the NISPOM Supplement, etc.)

  16. Tie It All Up
  • Document your self inspection and identify the following:
    • Inspected areas
    • Commendable areas (great chance to call out any above-and-beyond work)
    • Findings/deficiencies (you want to correct on the spot (COS) as much as possible)

  17. Tie It All Up
  • Remember, this is your tool; it should be used to ensure you are NISPOM compliant
  • You want your self inspection to emulate the DSS Security Review
  • Be honest with your findings; that’s how you learn
  • There are no bad findings during a self inspection; it’s all good

  18. Good to Know: Above and Beyond
  • An outstanding overall security program in which the contractor routinely resolves problems independently and is extremely responsive to changes in the National Industrial Security Program (NISP)
  • Management’s active support and involvement in maintaining an excellent security posture
  • Knowledge and professionalism on the part of the Facility Security Officer (FSO)

  19. Good to Know: Above and Beyond
  • A record of outstanding (superior) security review results that set standards for emulation by other contractors
  • Internal operating procedures which implement or exceed applicable requirements of the NISPOM
  • An absence of security violations that impact on the integrity of security systems

  20. Good to Know: Above and Beyond
  • An effective, ongoing security education and awareness program
  • Support for DoD personnel security initiatives by all levels of management
  • A program to limit the number of classified holdings in the facility

  21. Things to Look For: Administrative Security
  • KMP list did not reflect current Key Management Personnel
  • SF 328s were not updated every five years
  • DD Form 441s not on file, incorrect, or out of date
  • Self approval letters should be readily available (including for ISs)
  • Old forms being retained (not required), e.g. old SF 86s being retained after final clearance issuance
  • Suspicious contact information not available (there is always at least one, but you have to get your folks to report to you)

  22. Things to Look For: Access Authorizations
  • DSS Representatives wandered throughout the facility without badges or with “Escort Required” type badges and were not challenged
  • Employees did not understand the badge formats
  • Access lists for Closed Areas were not current
  • JPAS validation lists were not current or available to DSS. Be sure to double check PSM Net: some folks out-process and debrief but forget to go back to the add/modify/display screen and separate there
  • Be sure to use JPAS as the system of choice for validation of security clearances
  • FSOs must stay on top of who needs security clearances for the year and review JPAS weekly for updates

  23. Things to Look For: Security Education
  • Employees were not familiar with the Security Classification Guide concept or what purpose it serves (where it applies)
  • NATO and FGI briefings not current (NATO requires annual rebriefing)
  • Employees did not know what “Adverse Information” or “Suspicious Contacts” were (deer-in-the-headlights look)
  • The FSO must be briefed by a Government representative for caveated (Collateral Special Access) materials

  24. Things to Look For: Security Education
  • Interviews of employees indicated they did not know who the Facility Security Officer (FSO) was
  • Security programs MUST be current
    • Use of posters
    • Use of face-to-face briefings
    • Computer based education: easy to use, but takes out the human factor
  • Not always applicable across the Company; always tailor your rebriefings to your Site or Facility
  • Bring in the experts for CI (FBI, NCIS, OSI, 902nd MI, DSS)

  25. Things to Look For: Standard Practice Procedures
  • SPPs (when required) were not current with requirements in the NISPOM
  • Ensure all IS SSPs are current and readily available (attend Regina Saunders’ workshop on IS Self Inspections for more information)
  • Do you have contractual OPSEC requirements? It is always great to have a plan anyway, but if it is required, know by whom

  26. Things to Look For: Consultants
  • Consultant security agreements not in files
  • Review your Consultant security agreements to ensure they are compliant
  • Consultant annual training not being completed

  27. Things to Look For: Classification Management
  • SCGs were not current (if it’s a Navy program the date may actually be 1984)
  • SCGs were not available to the appropriate employees
  • Notes from meetings and seminars were retained beyond the one year allowed by the NISPOM
  • Retention authorizations were not on file beyond the 2 year timeline approved by the NISPOM
  • Employees did not know how to challenge the classification of items (here we refer all those items through Security)

  28. Things to Look For: Public Release
  • The public release process was not well documented (company release approvals provided, request files, and responses received)
  • Contracting and/or Engineering personnel did not know that the DD Form 254 identifies if and how public releases are processed

  29. Things to Look For: Classified Storage
  • Security checks not done
  • Emergency classified destruction processes were not documented
  • Names of employees who have combinations were not recorded
  • Opened containers were not under observation by cleared employees
  • Combinations for containers holding NATO (annually) and COMSEC (every 2 years) were not changed as required
  • If you still have lock bars, have your plan to meet 2012 requirements available for review

  30. Things to Look For: Transmission / Classified Material Control
  • Receipt and dispatch log (when used) was not properly filled out
  • Shipments were processed using shipping transmittal documents and were not entered onto the dispatch log
  • Ensure everyone knows proper storage requirements (not desks)
  • Top Secret Control Officer letter of appointment not on file
  • Tracers for classified materials were not being sent out (this is easy to do, so check it monthly)

  31. Things to Look For: Marking
  • Printed documents had handwritten data on them without portion markings
  • Working Papers over 180 days old
  • Write-protected “Unclassified” applications media were not marked “Unclassified for maintenance only”
  • Unclassified media not marked “Unclassified”
  • Parts or hardware did not have markings or tags on them
  • Classified media not marked at all or improperly marked (be sure to have the current Marking Guide on hand)
  • Documents received from the U.S. Government or contractors not properly marked
    • Were not remarked by the receiving company
    • Were not returned to the originator by the receiving company
  • Combination logs not marked with special access caveats
  • Classification markings were not removed from declassified or destroyed materials (tapes, transmittal documents)

  32. Things to Look For: Disposition
  • Documents were retained beyond the Government authorization
  • Classified was not destroyed in a timely fashion
  • Accountable documents were not destroyed as stated on the Certificate of Destruction
  • Proprietary bins did not indicate they were not authorized for classified materials
  • Classified clean out was not being accomplished (donuts help)

  33. Things to Look For: IS
  • Systems were operating under an old SSP or had minor version errors for McAfee and Microsoft Visual 6.0
  • Boot configurations were not properly done
  • PC administrative passwords were set to never expire
  • User account icons were not hidden
  • Software lists were not maintained or updated as required
  • IS Users not briefed to Chapter 8 requirements
  • Virus definitions were not current
  • Operating System protection measures were not set IAW Chapter 8

  34. Things to Look For: IS
  • A sanitization upgrade form was missing when equipment was returned from calibration
  • VMS password length set to zero and password never expires
  • Classified system was found to be logged on but left unattended
  • User briefings not on file
  • SSP did not reflect the current upgrade and downgrade procedures and the configuration diagram
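Two of the IS findings on slides 33 and 34 (administrative passwords set to never expire, virus definitions not current) can be spot-checked on a Windows host before the inspector arrives. The script below is an added example for this transcript, not material from the presentation or from DSS; it assumes Windows PowerShell 5.1 or later, an elevated prompt, and Windows Defender as the antivirus (sites running McAfee or another product would query that product instead). The 7-day signature-age threshold is an assumed value for illustration, not a NISPOM figure.

```powershell
# Added example (not from the presentation): spot-check two IS self inspection
# findings on a Windows host. Assumes Windows PowerShell 5.1+, run elevated.

# 1. Enabled local accounts whose password is set to never expire.
#    Win32_UserAccount.PasswordExpires is $false when the "never expires" box is checked.
$neverExpires = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = True" |
    Where-Object { $_.PasswordExpires -eq $false -and $_.Disabled -eq $false }

if ($neverExpires) {
    Write-Output "FINDING: enabled local accounts with 'password never expires':"
    $neverExpires | Select-Object Name, SID, Lockout | Format-Table -AutoSize
} else {
    Write-Output "OK: no enabled local account has 'password never expires' set."
}

# 2. Antivirus signature currency (Windows Defender only; other products need
#    their own query). $maxAgeDays is an assumed threshold, not a NISPOM value.
$maxAgeDays = 7
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $maxAgeDays) {
        Write-Output ("FINDING: antivirus signatures last updated {0:N1} days ago (version {1})" -f
            $age.TotalDays, $status.AntivirusSignatureVersion)
    } else {
        Write-Output ("OK: antivirus signatures updated {0:N1} days ago (version {1})" -f
            $age.TotalDays, $status.AntivirusSignatureVersion)
    }
} else {
    Write-Output "NOTE: Get-MpComputerStatus unavailable; check the installed AV product's console instead."
}
```

Record the output with the date and hostname in your self inspection file so the corrective action and its ECD can be tracked alongside the finding.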

  35. Things to Look For: IS
  • ISSP for a new copying machine that had removable hard drives was not submitted to DSS for approval before the copier was used for classified reproduction
  • Infrared ports on computers were not covered
  • Non-removable hard drives in CPUs were not marked, and their serial numbers were not logged in the SSP or the hardware lists
  • Software lists were not maintained or updated as required
  • Some computers did not have technical safeguard audit software installed, or they did not have Government Program Office approval for “legacy” system status

  36. Things to Look For: COMSEC
  • Ensure that all COMSEC Protective Packaging of Lock Combinations requirements are followed as stated in NSA Manual 90-1, page 76
  • After you establish your own COMSEC account, if you have COMSEC instruments, keys, etc., that are on hand receipt, you must transfer them to your COMSEC account
  • Destruction of materials was not done properly
  • NOTE: You do not have to shred keying materials; you can still burn them, but you must add specific instructions to your COMSEC SOP. The verbiage that was recommended by the NSA auditor was: “Keying material is destroyed by burning until the material is white ash. Examine the residue and burn materials that are not ash. The burning is witnessed by two cleared personnel (Primary and Alternate Custodians) and annotate the SF 153 that the material is totally destroyed.” Again, the key is specifically outlining how the materials are destroyed

  37. Conclusion
  • The NISP Self Inspection process is for you. You will get out of it what you put into it. Bring your passion and an open mind for new ideas, and be sure you follow through with any findings or discrepancies.
  • Your annual DSS Security Review should be something that you look forward to, as it will affirm that you and your Staff are doing the right things.
  • It is not DSS’ charter to “catch you doing things wrong”. As Security Professionals, it is our responsibility to ensure that we do it right and embed that into all Management, Leaders and Employees.

  38. Thank You for Your Attention
  Questions? Comments? Ideas? Concerns?
  Be sure to use this day to network with other Security Professionals. When you need assistance, you may reach out to someone who may be able to help (always do your homework before contacting DSS).