THE ART OF SELF INSPECTION and how to

THE ART OF SELF INSPECTION (and how to have fun conducting it!) Jennifer L. Rossignol Lockheed Martin GTL Security

Carnak …. “Who is …. “me”’? – Who is: Who doesn’t like to do self inspections? – Who is: Who looks at self inspections as a necessary evil? – Who is: Who just “checks the box”?

Fun? How can that be? !? • Don’t do it alone • Make it a team effort – conduct it with another employee, a team, another FSO • Do it differently • Start at the end of the checklist and work to the front …. • Pretend you’re a detective! CSI: Orlando! • It really requires you to THINK … which is good for your health

Philosophy … Self inspection is an art …. It’s much more than checking off items on a checklist!

Purpose of Self Inspection • An effective self inspection program is the key to any successful security organization • Serves many purposes: – Assesses the health of your organization – Provides training opportunities and employee development – Promotes your product – Meets a requirement – Prepares you for your DSS audit • The value and importance of self-inspections has increased in the eyes of DSS

What is a Self Inspection? • It’s more than following and completing the DSS Self. Inspection Checklist • It must be a “total review” of the security program • It must be an honest examination of the program and an indicator to senior leadership that you can safeguard classified material • It provides a “snapshot” picture of current security operations and allows you to determine shortcomings and resolve them before your DSS audit • It is a continuing review of the methods used to safeguard classified…. are they adequate? compliant?

Self-Inspections Ideas • There is no one way to do self inspections - Be creative! • No need to wait for 6 months after your last audit – Can audit year-round – Can audit more than once (sounds like an “enhancement” to me!) • Remember to review your security incident reports, adverse information reports, etc. … • Review past audit findings - AVOID repeats! • Share your findings and corrective actions with your DSS representative • Enhance with a “Security Day”

What to do • • • Do interview employees (not just yourself!) Do GET UP FROM YOUR DESK Do emulate the DSS audit process – How will you feel when your DSS representative talks to your employees? Will you be worried about how they will respond? Not if you have prepared them! What not to do • Don’t stick to the checklist • Don’t talk to only cleared employees – What about the receptionist? – What about the employees who receive packages?

Self-Inspection Process 3 Key Components – – – Preparation Inspection Follow-up

Step 1 - Preparation • 1 st step to success is developing a good Self-Inspection plan – Doesn’t have to be written – It should be simple and not complex • The plan is a mechanism that helps ensure that you cover “all the bases” and complete the entire Self-Inspection within a specified time • The plan helps you assign personnel – Based upon experience and expertise • Can be used as an opportunity for mentoring – Pairing less experienced with experienced security professionals

Step 1 - Preparation • Gather your materials, such as: – Audit checklist – Standard Operating Procedures – Reports – incidents, adverse, etc. – Checklists – DD 254’s – Previous audit results/findings – IS equipment lists – Receipt and dispatch records – FCL documentation – JPAS listing – NISPOM and ISL’s • Allows you to examine your operation “piece by piece” • Brief your senior leadership

Step 1 Continued: Team Selection • If you are a FSO at a one-person facility … • Larger facilities can employ more people to help – May not be faster but can cover more • Have an experienced “Team Leader” – Well-versed in the NISPOM – Capable of keeping a team enthused - Believe it or not: Self-Inspections can become laborious

Step 2: Conducting Self-Inspection • Be professional • Review currency of policies and procedures and/or SSP • Remember to interview receptionist, Shipping, Receiving, guards • Always be prepared to correct issues on-the-spot and explain what is being corrected to the employee – If possible involve the employee so they can learn – Bring a box of “tools” with you – stickers, markers, cover sheets

Step 2: Conducting Self-Inspection • Remember, employees may be defense - Don’t condemn or make it personal – educate! • Use the same methods or techniques used by DSS – Allows the employee to get familiar with their inspection methods and feel comfortable with DSS when they do their review • Keep an eye out for “best practices” or items that are “above and beyond” the requirements in the NISPOM • Watch for trends

Tools for Self-Inspections • Document Review Marking Forms – Makes assessment of marking problems easy – Helps determine what marking requirements are not familiar to employees, allowing you to focus your training efforts • Security Knowledge Questionnaires – Derived from DSS checklist questions – Allows you to focus training efforts on specific areas • Interviews – Use the DSS Self-Inspection Checklist interview questions – Determine who has conducted foreign travel or hosted a foreign national visit – Provide employees with a Q&A sheet • DSS – Ask DSS if there any Special Interest Items for this inspection cycle

Step 2: Self-Inspection Ideas Develop checklists CLOSED AREA CHECKLIST Verify that all entries in Visitor Log are completed If entries missing: request that escort complete; educate occupants; if unknown, prepare MFR and file in the Visitor Log. If repeat findings, notify FSO Look for non-U. S. citizen entries Look for company represented. Are they from an HVAC company? If so, follow up to determine if there might be a breach to the area integrity. Are they from a computer company? Verify they did not access the classified systems Remove all paperwork from prior to last DSS audit Verify that media in area is properly marked Quarterly: Review the area 147 and notify DSS if any changes are needed Check area access list Are all listed still active employees? If visitors are listed, are they still cleared and working on the program? Check supplies of Security posters and brochures.

Self Inspection Methods Example: A review of the company’s receipt and dispatch records • Is incoming or outgoing media a different classification level than the majority of approved equipment at the facility? • How and where was the Confidential CD created? Was the trusted download procedure approved? Is trusted downloading approved for that system? Is the person who performed the trusted download authorized to do so? • How is the Missile Control Unit (MCU) protected against contamination? Are there procedures in place to properly sanitize the unit if contamination occurs? Is the procedure approved by the customer? • Do we have a contractual relationship (i. e. DD 254) with the sender/receiver? This is just an example of how a little analysis and creativity can provide a more comprehensive review of the existing processes and procedures

Self Inspection Methods Example: Review of Closed Area visitor logs • Pay close attention to the visitor’s company name. • Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? • Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified IS? • Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AS? • Did any visitors have “keyboard” access? If so, was that authorized? • Remember to dispose of visitor logs from before the last DSS audit

Enhancing Your Self Inspection A. FACILITY CLEARANCE NISPOM: 1 -302 g(3) Question: Have all changes (e. g. changes in ownership; operating name or address; Key Management Personnel (KMP) information; previously reported Foreign Ownership Control or Influence (FOCI) information or action to terminate business) affecting the condition of the Facility Clearance Level (FCL) been reported to the DSS Industrial Security Rep (ISR)? YES NO N/A Note: Is the site’s Industrial Security Facility Database (ISFD) record accurate? Physical address? Classified mailing address? Facility clearance level? FSO name? Special accesses? (If special accesses are listed, is the FSO properly briefed? ) Ensure the FSO has a current copy of the site’s ISFD record on file. If data is not accurate, contact the site’s DSS Rep to request an update. Question: Has the fact that the company has an FCL been used for advertising or 1 -100 c promotional purposes? NISPOM: Question: Are the senior management official, the FSO, and other Key Management 2 -104 Personnel cleared as required in connection with the FCL? Note: Must be cleared to the level of the facility clearance. NISPOM: Question: 2 -104 *Is the Key Management Personnel list current? YES NO N/A YES NO N / A

Step 3 – Follow-up Writing the Self-Inspection Report • Reports documenting your Self-Inspection can be done in any format you would like • Should identify the following: – – Areas inspected Commendable areas Findings/ Deficiencies/Corrective Actions Findings/ Deficiencies that need long-term monitoring • Normally done where there are significant problems where it will take a long time to close out. • Status report every 30 days • Reference applicable compliance document

Step 3 – Follow-up Writing the Self-Inspection Report • Include corrective action – Correct the process – DSS will validate – Update your procedures • A well-written report seldom generates more questions

Conclusion • Self-Inspections are a tool that allows Security Department to ensure they are compliant with the NISPOM • A good Self-Inspection should emulate the DSS Security Review process • Be aggressive and not afraid to have findings • Write honest and accurate Self-Inspection Reports • Remember a “bad” finding is the one that DSS finds during their Security Review • There are “good” findings… the ones you catch during your Self-Inspection

Conclusion • Have a strong self-inspection program and use it as a tool rather than just another “block to check” for the DSS Review • Make DSS an effective member of your security team! • Consider sharing your inspection results with other sites of your company or with your local NCMS Chapter members • Using all these tools cannot guarantee higher DSS audit ratings, but it will make the process more organized and less stressful NOW … GO HAVE SOME FUN!