Self - Inspection and the DSS Security Review Process
Download
Report
Transcript Self - Inspection and the DSS Security Review Process
Self-Inspection and the DSS Security
Review Process
DSS and Contractor Interface
ISRs should be part of your security
team to helps understand, interpret
and comply with all security
requirements. They can also help
contractors learn “Tips” that can aid in
becoming an “above and beyond”
organization and eligible to receive a
Commendable or Superior” rating.
Self-Inspection
More than following and completing
the DSS Self-Inspection Checklist.
Must be a “total review” of the
security program. Must be an honest
examination of the program and an
indicator to senior leadership that we
can safeguard our nations secrets!
Gives a “snapshot” picture of current
security operations and allows us to
determine shortcomings and how to
resolve them before the Security
Review.
DSS Security Review
Their program designed to
ensure contractors are
compliant with NISPOM
and other security
requirements. Can be
painful/ semi-painful or
true learning experience.
.
Contractor Security Reviews SelfInspection
• Can be done by both large and small facilities
• It is a continuing review of the methods used to safeguard classified
– Are they adequate
– Compliant
• Frequency of Self-Inspections
– No longer ½ way through each inspection cycle
– Consistent with “Risk Management” principles
• Serves as a “second chance” to find any deficiencies that could
result in the unauthorized exposure of classified information
• Should emulate the DSS Security Review
– Use the DSS Checklist disseminated October 2006
– Check all subfunctional areas
– Conduct interviews of employees using the questions in the DSS
Checklist
• Can use contractor developed checklists
– Supplement DSS Checklist
Self-Inspection Process
•
1st step to success is developing a good Self-Inspection Plan
– Doesn’t have to be written
– It should be simple and not complex
•
The plan is a mechanism that helps ensure that you cover “all the bases”
and complete the entire Self-Inspection within a specified time
•
The plan helps you assign personnel
– Based upon experience and expertise
• Can be used as an opportunity for mentoring
– Paring less experienced with experienced security
professionals
•
Allows you to examine your operation “piece by piece”
•
ALWAYS brief your senior leadership on the Self-Inspection, the DSS
Security Review and any deficiencies and corrective actions!
Team Selection
•
If you are a FSO at a one person facility the selection is easy…
– It’s YOU!
•
Larger facilities can employ more people to help
– May not be faster, but, can cover more
•
Have an experienced “Team Leader” for each team
– Well versed in the NISPOM
– Capable of keeping a team enthused
Self-Inspections can become laborious
•
Meet regularly to discuss deficiencies, corrective actions and need for
further review
•
Complete a Self-Inspection Report to document the teams findings and
corrective actions
•
The Report is provided to the FSO
First Impressions
•
Don’t let anyone tell you that “first impressions don’t count”
•
THEY DO!
This is the one opportunity to start the
Security Review on a positive note and to
influence what the DSS inspectors will
remember about your program
•
It can set the tone for the Security Review
•
How to make a good impression?
– Positive attitudes of security personnel
– Neat files and records
– Neat security containers
– Attention to detail. The small things do count!
– Facilities clearance and associated data are neatly maintained, easy to
get to and well organized
Conducting The Self-Inspection
•
Be professional
•
Always be prepared to make “Corrected On The Spot” or COS and explain
what is being corrected to the employee
– If possible involve the employee so they can learn
•
Use the same methods or techniques used by DSS
– Allows the employee to get familiar with their inspection methods and
feel comfortable with DSS when they do their review
•
Take good notes on findings, employees who are knowledgeable of security
requirements and areas that should be recognized as “Best Practices”
•
Always make sure findings are referenced in the NISPOM or other
Government regulations, manuals or directives
– No reference…..No finding!
Conducting the Self-Inspection
•
Use the DSS and other Checklists embraced by your company as the
foundation for the Self-Inspection
– It makes sense to inspect to the same requirements as the Cognizant
Security Agency
– Keep an eye out for “Best Practices” or items that are “Above and
beyond” the requirements in the NISPOM
Best Practices
•
Best Practices are things that contractors do that exceed the requirements
found in the NISPOM or that provide an added level of safeguarding
capabilities to classified materials!
– Use of company or business unit sponsored Self-Inspection programs
– Strong teaming relationships between security, employees and senior
leadership
– Innovative use of computer based security training for initial/ refresher
training or tutorials for NATO, FGI
• Establishing recertification requirements beyond the scope of the
NISPOM
– Use of other security awareness programs
• Newsletters
• E-mails
• Bulletin board items
• Posters
• Face-to-face briefings
Best Practices
– Participation in the industrial security and law enforcement community
(ISAC/JSAC/NCMS/ Federal and State Anti-Terrorist Committees)
– Use of NCMS and DoD posters in the security awareness programs
– Use of DSS Q&As found in the Self-Inspection Checklist
– Use of Self-Inspection tools to allow Facility Security Officer (FSO) to
quantify deficiencies and implement security awareness programs to
respond to needs
– Establishment of a FSO and other security notebooks that are
maintained and used as a “one stop shopping” book where inspection
data is retained.
– Poster of the Security Management team or FSO in the facility
– Having a “Strategic Operating Plan” that outlines departmental goals
and objectives
• Each functional area has its own goals, objectives and metrics for
each departmental goal
Best Practices
– Creation of security handbooks, checklists or guides for marking,
security instructions, etc.
– Having quarterly AIS and Closed Area training meetings
– Having COMSEC custodians training during the year
Tool For Self-Inspections
•
Interviews
– Use the DSS Self-Inspection Checklist interview questions
– Determine who has conducted foreign travel or hosted a foreign national
visit
– Do your own pre-security review employee interviews
• Ask about suspicious contacts and the reporting process
– Provide employees with a Q&A sheet that has the answers
•
Ask DSS if there are any Special Interest Items for this inspection cycle
– Interviewing employees that host foreign national visitors
– Interviewing employees that do overseas travel
– Suspicious Contacts
Tools for Self-Inspections
•
Document Review Marking Forms
– Makes assessment of marking problems easy
– Provides quantitative analysis capability
– Helps determine what marking requirements are not familiar to
employees
– Allows you to focus your training efforts on specific areas thereby
cutting time and cost
•
Security Knowledge Questionnaires
– Derived from DSS checklist questions
– Allows statistical analysis of answers
– Allows you to focus ancillary training efforts on specific marking
problems
End-Of-Day Meetings
•
The Self-Inspection team should meet at the end of each day to discuss
their findings, issues and “best practices”
•
The Self-Inspection team should then meet with the Facility Security Officer
and his team to discuss the items referenced above
– This where the “rubber meets the road”
– Keeps the FSO current of the findings
– The FSO may have waivers or deviations in place to negate the findings
– The teams findings may be invalid or not consistent with the NISPOM
•
At the end of the session all should be in agreement on the findings
•
No items will be briefed to Security Leadership that IS NOT discussed
during these meetings
Writing the Self-Inspection Report
•
Reports documenting your Self-Inspection can be done in any format you
would like
•
Should identify the following:
– Areas inspected
– Commendable areas
– Findings/ Dependencies
– Corrective Actions
– Findings/ Dependencies COS
– Findings/ Dependencies that would need long term monitoring
• Normally done where there are significant problems where it will
take a long time to close out.
• Status report every 30 days
Conclusion
•
Self-Inspections are a tool that allows Security Department to ensure they
are compliant with the NISPOM
•
A good Self-Inspection should emulate the DSS Security Review process
•
Be aggressive and not afraid to have findings
•
Write honest and accurate Self-Inspection Reports
•
Remember a “Bad finding” is the one that DSS finds during their Security
Review
•
There are good findings…it’s the ones you catch during your Self-Inspection
Conclusion
•
Have a strong self-inspection program and use it as a tool rather then just
another “block to check” for the DSS Review
•
Make DSS an effective member of your security team!
•
Consider passing on your inspection results to other sites for your company,
your local ISAC or NCMS Chapter
•
Using all these tools can not guarantee higher DSS inspection ratings, but,
it will make the process more organized and less stressful
Do We Communicate Inspection Results
Effectively?
•
Not normally outside our immediate corporate chains of command!
– Sometimes not even then
•
Why Not?
– No requirement to share results
– Not enough time to document results of self-inspection or DSS Review
– Other companies have security officers and it’s their job to be compliant
– Don’t know who to share results with in area
– Does anybody care about inspection results
•
What we want to communicate?
•
How can we communicate?
– Internal company/corporate communications
– To local JSAC or ISACs
– NCMS Chapters
Lessons Learned
•
Security Administration
– DD Form 441s were not on file and DD Form 441s are out of date or
incorrect
– SF 328 are not re-accomplished every five years
– Appointment letters were not correct or current
• Departed individuals still on the list
• No TSCOs, ISSM, etc were appointed
– KMP List did not reflect current key personnel
– Old forms were retained
• Not required
– No off-site approval letters on file
– AIS approvals not available for review
– Common Service Agreements not on file
– Suspicious Contacts not available
Lessons Learned
•
Access Authorizations
– DSS Agents wandered throughout the facility without badges or “Escort
Required” type badges and were not challenged
– Employees did not understand the badge formats
– Access lists for Closed Areas were not current
– JPAS validation list were not current or available to DSS
– Employees were not trained on JPAS administration
– Contractors were not using JPAS as the system of choice for validation
of security clearances
– FSOs were not validating who needs security clearances for the year or
checked on status of transactions to change clearance status
Lessons Learned
•
Security Education
– Employees were not familiar with badge formats and how to challenge
those who may not be authorized access to the facility
– Employees were not familiar with the Security Classification Guide
concept or what purpose it serves
– NATO and FGI briefings not current
– Employees did not know what “Adverse Information or Suspicious
Contacts” were
– Consultants were not receiving annual refresher training as required
– The FSO was not briefed by a Government representative for caveated
(Collateral Special Access) materials
Lessons Learned
•
Security Education
– Interviews of employees indicated they did not know who was the
Facility Security Officer (FSO)
– Security programs were in need of innovation and updating
• Use of posters
• Use of face-to-face briefings
• Computer based education
– Easy to use
– Easy to get participation reports
• Non-company presenters (FBI,OSI,902nd MI,DSS)
Lessons Learned
•
Standard Practice Procedures
– SPPs were not current with requirements in the NISPOM
•
Employee Identification
– Employees did not know what the badge format represented
•
FOCI
– FSOs did not have, if required, the current SF 328 on file
– FSO did not file SF 328 as required
•
Subcontracting
– SCGs were not available to employees
– Ensure Consultants meet the DSS definition otherwise they are to be
considered “subcontractors”
Lessons Learned
•
Consultants
– Consultant security agreements not in files
– Consultants represented firms with more than 1 employee or others
then immediate family wherein the Consultant gets paid.
– Consultant annual training not being completed
•
OPSEC
– No tracking system established to determine what contracts had
OSPEC requirements and/or if they were met
•
Classification Management
– SCGs were not current
– SCGs were not available to employees
– Notes from meetings and seminars were retained beyond the one year
allowed by the NISPOM
– Retention authorizations were not on file beyond 2 year timeline
approved by NISPOM
– Employees did not know how to challenge classification of items
Lessons Learned
•
Public Release
– Contracting officer did not know that the DD Form 254 identifies if and
how the public releases are processed
– The public release process was not well documented; company release
approvals provided, requests files and responses received
•
Classified Storage
– Security checks not done
– Emergency classified destruction processes were not documented
– Names of employees who have combinations recorded
– Opened containers were not under observation by cleared employees
– Combinations for containers holding NATO and COMSEC were not
changed as required
– Lock bar containers did not preclude unauthorized access
Lessons Learned
•
Transmission/ Classified Material Control
– Receipt and dispatch log (when used) was properly filled out
– Shipments were processed using shipping transmittal documents and
not being entered onto the dispatch log
– During an interview shipping clerk indicated that he did not know he
could not place classified materials in a locked desk drawer when
leaving the area for a short while and he had the only key
– Top Secret Control Officer letter of appointment not on file
– Tracers for classified materials were not being sent out
Lessons Learned
•
Marking
– Printed documents had hand written data on them without portion
markings
– Working Papers over 180 days old
– Write protected “Unclassified” applications media were not marked
“Unclassified for maintenance only”
– Unclassified media not marked “Unclassified”
– Parts or hardware did not have markings or tags on them
Lessons Learned
•
Marking
– Classified media not marked at all
– Documents received from U.S. Government or contractors not properly
marked
• Were not remarked by receiving company
• Were not returned to originator by receiving company
– Combination logs not marked with special access caveats
– Classification markings were not removed from declassified, destroyed
materials (tapes, transmittal documents)
Lessons Learned
•
Disposition
– Documents were retained beyond the Government authorization
– Classified was not destroyed in a timely fashion
– Accountable documents were not destroyed as stated on the Certificate
of Destruction
– Proprietary bins did not indicate they were not authorized for classified
materials
– Security was using the Two Person Integrity rule for destruction of
Confidential and Secret materials
– Notes from symposiums were retained beyond the one year
authorization
– Classified clean out was not being accomplished
Lessons Learned
•
AIS
– Systems were operating under an old SSP or had minor version errors
for McAfee, and Microsoft Visual 6.0.
– Boot configurations were not properly done.
– PC administrative passwords were checked to never expire.
– User account icons were not hidden.
– Software lists were not maintained or updated as required.
– AIS Users not briefed to new Chapter 8 requirements
– Virus definitions were not current.
– Operating System protection measures were not set IAW Chapter 8.
– A sanitization upgrade form was missing when returned from calibration.
– VMS password length set to zero and password never expires.
– Classified system was found to be logged on but left unattended.
– User briefings not on file.
– SSP did not reflect the current upgrade and down grade procedures and
the configuration diagram.
Lessons Learned
•
AIS
– Systems were operating under an old SSP or had minor version errors
for McAfee, and Microsoft Visual 6.0.
– Boot configurations were not properly done.
– PC administrative passwords were checked to never expire.
– User account icons were not hidden.
– Software lists were not maintained or updated as required.
– AIS Users not briefed to new Chapter 8 requirements
– Virus definitions were not current.
– Operating System protection measures were not set IAW Chapter 8.
Lessons Learned
•
AIS
– A sanitization upgrade form was missing when returned from calibration.
– VMS password length set to zero and password never expires.
– Classified system was found to be logged on but left unattended.
– User briefings not on file.
– SSP did not reflect the current upgrade and down grade procedures and
the configuration diagram.
Lessons Learned
•
AIS
– AISSP for a new copying machine that had removable hard drives was
not submitted to DSS for approval before utilizing the copier for
classified reproduction.
– Infrared ports on computers were not covered.
– Non-removable hard drives in CPU’s were not marked, their serial
numbers logged in the AISSP or the hardware lists.
– Software lists were not maintained or updated as required.
– Some computers did not have technical safeguard audits software
installed or they did not have Government Program Office approval for
“legacy” systems status.
Lessons Learned
•
AIS
– New Chapter 8 AISSP’s were not submitted to DSS for approval.
– AIS Users not briefed to new Chapter 8 requirements
– Procedure provides instructions on how to hide the icon in the Control
Panel.
– A system was not approved for classified processing
Lessons Learned
•
AIS
– Virus definitions were not current
– Questions were raised on the volatility of memory
– User briefings not on file
– CD’s marked IAW military service customer requirements; however, the
markings were not compliant with NISPOM requirements
– Seals were not inspected as required, damaged seals were allowed to
remain on the computer and log entries were not made as required
– Engineering staff did not mark magnetic media as it was created and
had to take the time to re-review all media to determine proper
classification
Lessons Learned
•
AIS
– The Windows Operating System, using "Users and Passwords"
(Windows 2000) or "Users Accounts" (Windows XP) in the Control
Panel WILL allow the creation of an account with an empty password
– One stand-alone system had one user that needed to have their
account terminated and a new user added
•
Reproduction
– Classified hard drive for reproduction machine was not found on an
approved DSS AISSP
Lessons Learned
•
COMSEC
– Areas that are used for storage of keying material must have a Visitor Log
maintained
– Ensure that all COMSEC Protective Packaging of Lock Combinations are
followed as required in NSA Manual 90-1 page 76
– If, after you establish your own COMSEC account, you have COMSEC
instruments, keys, etc, that are on hand receipt you must transfer them to your
COMSEC account
– Destruction of materials were not done properly.
– NOTE: You do not absolutely have to shred keying materials; you can still burn
them, but, you must add specific instructions to your COMSEC SOP. The
verbiage that was recommend by the NSA auditor was “Keying material is
destroyed by burning until the material is white ash. Examine the residue and
reburn materials that are not ash. The burning is witnessed by two cleared
personnel (Primary and Alternate Custodians) and annotate the SF 153 that the
material is burnt. In some cases custodians also flush the ash down a toilet or
sink. Again the key is specifically outlining how the materials are destroyed
Lessons Learned
•
COMSEC
– If the COMSEC custodian and the FSO are one in the same they must
receive their initial COMSEC/CRYPTO briefings from a Government
representative. Only the Primary and Alternate COMSEC custodians
can have access to security containers containing future keying
materials.
– Emergency COMSEC plans were available, but, needed more accurate
information or nobody knew where the plans were located.
– COMSEC access lists were not up-to-date.
COMSEC TIPS
Keying canisters can not have classification stickers/labels on them.
If you feel compelled to label the canister mark them in wax pencil.
Additionally, it is authorized to place the canister in a plastic bag and label the bag.
When receiving canisters you must remove the bar code label and shred it.
SCN on the tape means SECRET/CRYPTO/NOFORN.
Lessons Learned
•
International Security
– NATO briefings on all employees having access to NATO were not on
file
– NATO and FGI information was co-mingled with collateral materials
– NATO materials were in a container and not all persons having access
were cleared
– Employees did not know how to recognize or challenge foreign
nationals visiting the facility
Lessons Learned
•
Physical Security
– Truck receiving gate did not close all the way
– Fencing did not go to the ground allowing for unauthorized access
– Access lists for the Closed Area was not current
– DSS 147s were not up-to-date or reflect Security-In-Depth above roof
and below floor requirements
– DSS 147 was not the right revision number
– Above false ceiling and below false floors were not conducted IAW the
ISL 03L-1
• Questions?
• Comments?
• Concerns?
• Puzzled Looks?
Thank you
The End