SelfInspection and the DSS Security Review Process DSS

Self-Inspection and the DSS Security Review Process DSS and Contractor Interface ISRs should be part of your security team to helps understand, interpret and comply with all security requirements. They can also help contractors learn “Tips” that can aid in becoming an “above and beyond” organization and eligible to receive a Commendable or Superior” rating. Self-Inspection More than following and completing the DSS Self-Inspection Checklist. Must be a “total review” of the security program. Must be an honest examination of the program and an indicator to senior leadership that we can safeguard our nations secrets! Gives a “snapshot” picture of current security operations and allows us to determine shortcomings and how to resolve them before the Security Review. DSS Security Review Their program designed to ensure contractors are compliant with NISPOM and other security requirements. Can be painful/ semi-painful or true learning experience. .

Contractor Security Reviews Self-Inspection • Can be done by both large and small facilities • It is a continuing review of the methods used to safeguard classified – Are they adequate – Compliant • Frequency of Self-Inspections – No longer ½ way through each inspection cycle – Consistent with “Risk Management” principles • Serves as a “second chance” to find any deficiencies that could result in the unauthorized exposure of classified information • Should emulate the DSS Security Review – Use the DSS Checklist disseminated October 2006 – Check all subfunctional areas – Conduct interviews of employees using the questions in the DSS Checklist • Can use contractor developed checklists – Supplement DSS Checklist

Self-Inspection Process • 1 st step to success is developing a good Self-Inspection Plan – Doesn’t have to be written – It should be simple and not complex • The plan is a mechanism that helps ensure that you cover “all the bases” and complete the entire Self-Inspection within a specified time • The plan helps you assign personnel – Based upon experience and expertise • Can be used as an opportunity for mentoring – Paring less experienced with experienced security professionals • Allows you to examine your operation “piece by piece” • ALWAYS brief your senior leadership on the Self-Inspection, the DSS Security Review and any deficiencies and corrective actions!

Team Selection • If you are a FSO at a one person facility the selection is easy… – It’s YOU! • Larger facilities can employ more people to help – May not be faster, but, can cover more • Have an experienced “Team Leader” for each team – Well versed in the NISPOM – Capable of keeping a team enthused Self-Inspections can become laborious • Meet regularly to discuss deficiencies, corrective actions and need for further review • Complete a Self-Inspection Report to document the teams findings and corrective actions • The Report is provided to the FSO

First Impressions • Don’t let anyone tell you that “first impressions don’t count” • THEY DO! This is the one opportunity to start the Security Review on a positive note and to influence what the DSS inspectors will remember about your program • It can set the tone for the Security Review • How to make a good impression? – Positive attitudes of security personnel – Neat files and records – Neat security containers – Attention to detail. The small things do count! – Facilities clearance and associated data are neatly maintained, easy to get to and well organized

Conducting The Self-Inspection • Be professional • Always be prepared to make “Corrected On The Spot” or COS and explain what is being corrected to the employee – If possible involve the employee so they can learn • Use the same methods or techniques used by DSS – Allows the employee to get familiar with their inspection methods and feel comfortable with DSS when they do their review • Take good notes on findings, employees who are knowledgeable of security requirements and areas that should be recognized as “Best Practices” • Always make sure findings are referenced in the NISPOM or other Government regulations, manuals or directives – No reference…. . No finding!

Conducting the Self-Inspection • Use the DSS and other Checklists embraced by your company as the foundation for the Self-Inspection – It makes sense to inspect to the same requirements as the Cognizant Security Agency – Keep an eye out for “Best Practices” or items that are “Above and beyond” the requirements in the NISPOM

Best Practices • Best Practices are things that contractors do that exceed the requirements found in the NISPOM or that provide an added level of safeguarding capabilities to classified materials! – Use of company or business unit sponsored Self-Inspection programs – Strong teaming relationships between security, employees and senior leadership – Innovative use of computer based security training for initial/ refresher training or tutorials for NATO, FGI • Establishing recertification requirements beyond the scope of the NISPOM – Use of other security awareness programs • Newsletters • E-mails • Bulletin board items • Posters • Face-to-face briefings

Best Practices – Participation in the industrial security and law enforcement community (ISAC/JSAC/NCMS/ Federal and State Anti-Terrorist Committees) – Use of NCMS and Do. D posters in the security awareness programs – Use of DSS Q&As found in the Self-Inspection Checklist – Use of Self-Inspection tools to allow Facility Security Officer (FSO) to quantify deficiencies and implement security awareness programs to respond to needs – Establishment of a FSO and other security notebooks that are maintained and used as a “one stop shopping” book where inspection data is retained. – Poster of the Security Management team or FSO in the facility – Having a “Strategic Operating Plan” that outlines departmental goals and objectives • Each functional area has its own goals, objectives and metrics for each departmental goal

Best Practices – Creation of security handbooks, checklists or guides for marking, security instructions, etc. – Having quarterly AIS and Closed Area training meetings – Having COMSEC custodians training during the year

Tool For Self-Inspections • Interviews – Use the DSS Self-Inspection Checklist interview questions – Determine who has conducted foreign travel or hosted a foreign national visit – Do your own pre-security review employee interviews • Ask about suspicious contacts and the reporting process – Provide employees with a Q&A sheet that has the answers • Ask DSS if there any Special Interest Items for this inspection cycle – Interviewing employees that host foreign national visitors – Interviewing employees that do overseas travel – Suspicious Contacts

Tools for Self-Inspections • Document Review Marking Forms – Makes assessment of marking problems easy – Provides quantitative analysis capability – Helps determine what marking requirements are not familiar to employees – Allows you to focus your training efforts on specific areas thereby cutting time and cost • Security Knowledge Questionnaires – Derived from DSS checklist questions – Allows statistical analysis of answers – Allows you to focus ancillary training efforts on specific marking problems

End-Of-Day Meetings • The Self-Inspection team should meet at the end of each day to discuss their findings, issues and “best practices” • The Self-Inspection team should then meet with the Facility Security Officer and his team to discuss the items referenced above – This where the “rubber meets the road” – Keeps the FSO current of the findings – The FSO may have waivers or deviations in place to negate the findings – The teams findings may be invalid or not consistent with the NISPOM • At the end of the session all should be in agreement on the findings • No items will be briefed to Security Leadership that IS NOT discussed during these meetings

Writing the Self-Inspection Report • Reports documenting your Self-Inspection can be done in any format you would like • Should identify the following: – Areas inspected – Commendable areas – Findings/ Dependencies – Corrective Actions – Findings/ Dependencies COS – Findings/ Dependencies that would need long term monitoring • Normally done where there are significant problems where it will take a long time to close out. • Status report every 30 days

Conclusion • Self-Inspections are a tool that allows Security Department to ensure they are compliant with the NISPOM • A good Self-Inspection should emulate the DSS Security Review process • Be aggressive and not afraid to have findings • Write honest and accurate Self-Inspection Reports • Remember a “Bad finding” is the one that DSS finds during their Security Review • There are good findings…it’s the ones you catch during your Self-Inspection

Conclusion • Have a strong self-inspection program and use it as a tool rather then just another “block to check” for the DSS Review • Make DSS an effective member of your security team! • Consider passing on your inspection results to other sites for your company, your local ISAC or NCMS Chapter • Using all these tools can not guarantee higher DSS inspection ratings, but, it will make the process more organized and less stressful

Do We Communicate Inspection Results Effectively? • Not normally outside our immediate corporate chains of command! – Sometimes not even then • Why Not? – No requirement to share results – Not enough time to document results of self-inspection or DSS Review – Other companies have security officers and it’s their job to be compliant – Don’t know who to share results with in area – Does anybody care about inspection results • What we want to communicate? • How can we communicate? – Internal company/corporate communications – To local JSAC or ISACs – NCMS Chapters

Lessons Learned • Security Administration – DD Form 441 s were not on file and DD Form 441 s are out of date or incorrect – SF 328 are not re-accomplished every five years – Appointment letters were not correct or current • Departed individuals still on the list • No TSCOs, ISSM, etc were appointed – KMP List did not reflect current key personnel – Old forms were retained • Not required – No off-site approval letters on file – AIS approvals not available for review – Common Service Agreements not on file – Suspicious Contacts not available

Lessons Learned • Access Authorizations – DSS Agents wandered throughout the facility without badges or “Escort Required” type badges and were not challenged – Employees did not understand the badge formats – Access lists for Closed Areas were not current – JPAS validation list were not current or available to DSS – Employees were not trained on JPAS administration – Contractors were not using JPAS as the system of choice for validation of security clearances – FSOs were not validating who needs security clearances for the year or checked on status of transactions to change clearance status

Lessons Learned • Security Education – Employees were not familiar with badge formats and how to challenge those who may not be authorized access to the facility – Employees were not familiar with the Security Classification Guide concept or what purpose it serves – NATO and FGI briefings not current – Employees did not know what “Adverse Information or Suspicious Contacts” were – Consultants were not receiving annual refresher training as required – The FSO was not briefed by a Government representative for caveated (Collateral Special Access) materials

Lessons Learned • Security Education – Interviews of employees indicated they did not know who was the Facility Security Officer (FSO) – Security programs were in need of innovation and updating • Use of posters • Use of face-to-face briefings • Computer based education – Easy to use – Easy to get participation reports • Non-company presenters (FBI, OSI, 902 nd MI, DSS)

Lessons Learned • Standard Practice Procedures – SPPs were not current with requirements in the NISPOM • Employee Identification – Employees did not know what the badge format represented • FOCI – FSOs did not have, if required, the current SF 328 on file – FSO did not file SF 328 as required • Subcontracting – SCGs were not available to employees – Ensure Consultants meet the DSS definition otherwise they are to be considered “subcontractors”

Lessons Learned • Consultants – Consultant security agreements not in files – Consultants represented firms with more than 1 employee or others then immediate family wherein the Consultant gets paid. – Consultant annual training not being completed • OPSEC – No tracking system established to determine what contracts had OSPEC requirements and/or if they were met • Classification Management – SCGs were not current – SCGs were not available to employees – Notes from meetings and seminars were retained beyond the one year allowed by the NISPOM – Retention authorizations were not on file beyond 2 year timeline approved by NISPOM – Employees did not know how to challenge classification of items

Lessons Learned • Public Release – Contracting officer did not know that the DD Form 254 identifies if and how the public releases are processed – The public release process was not well documented; company release approvals provided, requests files and responses received • Classified Storage – Security checks not done – Emergency classified destruction processes were not documented – Names of employees who have combinations recorded – Opened containers were not under observation by cleared employees – Combinations for containers holding NATO and COMSEC were not changed as required – Lock bar containers did not preclude unauthorized access

Lessons Learned • Transmission/ Classified Material Control – Receipt and dispatch log (when used) was properly filled out – Shipments were processed using shipping transmittal documents and not being entered onto the dispatch log – During an interview shipping clerk indicated that he did not know he could not place classified materials in a locked desk drawer when leaving the area for a short while and he had the only key – Top Secret Control Officer letter of appointment not on file – Tracers for classified materials were not being sent out

Lessons Learned • Marking – Printed documents had hand written data on them without portion markings – Working Papers over 180 days old – Write protected “Unclassified” applications media were not marked “Unclassified for maintenance only” – Unclassified media not marked “Unclassified” – Parts or hardware did not have markings or tags on them

Lessons Learned • Marking – Classified media not marked at all – Documents received from U. S. Government or contractors not properly marked • Were not remarked by receiving company • Were not returned to originator by receiving company – Combination logs not marked with special access caveats – Classification markings were not removed from declassified, destroyed materials (tapes, transmittal documents)

Lessons Learned • Disposition – Documents were retained beyond the Government authorization – Classified was not destroyed in a timely fashion – Accountable documents were not destroyed as stated on the Certificate of Destruction – Proprietary bins did not indicate they were not authorized for classified materials – Security was using the Two Person Integrity rule for destruction of Confidential and Secret materials – Notes from symposiums were retained beyond the one year authorization – Classified clean out was not being accomplished

Lessons Learned • AIS – Systems were operating under an old SSP or had minor version errors for Mc. Afee, and Microsoft Visual 6. 0. – Boot configurations were not properly done. – PC administrative passwords were checked to never expire. – User account icons were not hidden. – Software lists were not maintained or updated as required. – AIS Users not briefed to new Chapter 8 requirements – Virus definitions were not current. – Operating System protection measures were not set IAW Chapter 8. – A sanitization upgrade form was missing when returned from calibration. – VMS password length set to zero and password never expires. – Classified system was found to be logged on but left unattended. – User briefings not on file. – SSP did not reflect the current upgrade and down grade procedures and the configuration diagram.

Lessons Learned • AIS – Systems were operating under an old SSP or had minor version errors for Mc. Afee, and Microsoft Visual 6. 0. – Boot configurations were not properly done. – PC administrative passwords were checked to never expire. – User account icons were not hidden. – Software lists were not maintained or updated as required. – AIS Users not briefed to new Chapter 8 requirements – Virus definitions were not current. – Operating System protection measures were not set IAW Chapter 8.

Lessons Learned • AIS – A sanitization upgrade form was missing when returned from calibration. – VMS password length set to zero and password never expires. – Classified system was found to be logged on but left unattended. – User briefings not on file. – SSP did not reflect the current upgrade and down grade procedures and the configuration diagram.

Lessons Learned • AIS – AISSP for a new copying machine that had removable hard drives was not submitted to DSS for approval before utilizing the copier for classified reproduction. – Infrared ports on computers were not covered. – Non-removable hard drives in CPU’s were not marked, their serial numbers logged in the AISSP or the hardware lists. – Software lists were not maintained or updated as required. – Some computers did not have technical safeguard audits software installed or they did not have Government Program Office approval for “legacy” systems status.

Lessons Learned • AIS – New Chapter 8 AISSP’s were not submitted to DSS for approval. – AIS Users not briefed to new Chapter 8 requirements – Procedure provides instructions on how to hide the icon in the Control Panel. – A system was not approved for classified processing

Lessons Learned • AIS – Virus definitions were not current – Questions were raised on the volatility of memory – User briefings not on file – CD’s marked IAW military service customer requirements; however, the markings were not compliant with NISPOM requirements – Seals were not inspected as required, damaged seals were allowed to remain on the computer and log entries were not made as required – Engineering staff did not mark magnetic media as it was created and had to take the time to re-review all media to determine proper classification

Lessons Learned • AIS – The Windows Operating System, using "Users and Passwords" (Windows 2000) or "Users Accounts" (Windows XP) in the Control Panel WILL allow the creation of an account with an empty password – One stand-alone system had one user that needed to have their account terminated and a new user added • Reproduction – Classified hard drive for reproduction machine was not found on an approved DSS AISSP

Lessons Learned • COMSEC – Areas that are used for storage of keying material must have a Visitor Log maintained – Ensure that all COMSEC Protective Packaging of Lock Combinations are followed as required in NSA Manual 90 -1 page 76 – If, after you establish your own COMSEC account, you have COMSEC instruments, keys, etc, that are on hand receipt you must transfer them to your COMSEC account – Destruction of materials were not done properly. – NOTE: You do not absolutely have to shred keying materials; you can still burn them, but, you must add specific instructions to your COMSEC SOP. The verbiage that was recommend by the NSA auditor was “Keying material is destroyed by burning until the material is white ash. Examine the residue and reburn materials that are not ash. The burning is witnessed by two cleared personnel (Primary and Alternate Custodians) and annotate the SF 153 that the material is burnt. In some cases custodians also flush the ash down a toilet or sink. Again the key is specifically outlining how the materials are destroyed

Lessons Learned • COMSEC – If the COMSEC custodian and the FSO are one in the same they must receive their initial COMSEC/CRYPTO briefings from a Government representative. Only the Primary and Alternate COMSEC custodians can have access to security containers containing future keying materials. – Emergency COMSEC plans were available, but, needed more accurate information or nobody knew where the plans were located. – COMSEC access lists were not up-to-date. COMSEC TIPS Keying canisters can not have classification stickers/labels on them. If you feel compelled to label the canister mark them in wax pencil. Additionally, it is authorized to place the canister in a plastic bag and label the bag. When receiving canisters you must remove the bar code label and shred it. SCN on the tape means SECRET/CRYPTO/NOFORN.

Lessons Learned • International Security – NATO briefings on all employees having access to NATO were not on file – NATO and FGI information was co-mingled with collateral materials – NATO materials were in a container and not all persons having access were cleared – Employees did not know how to recognize or challenge foreign nationals visiting the facility

Lessons Learned • Physical Security – Truck receiving gate did not close all the way – Fencing did not go to the ground allowing for unauthorized access – Access lists for the Closed Area was not current – DSS 147 s were not up-to-date or reflect Security-In-Depth above roof and below floor requirements – DSS 147 was not the right revision number – Above false ceiling and below false floors were not conducted IAW the ISL 03 L-1

• Questions? • Comments? • Concerns? • Puzzled Looks? Thank you

The End