Free Administrative Record - District Court of Federal Claims - federal

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 1 of 15

Introducing the National Industrial Security Program
This issue of the BuIletin is devoted entirely to the inauguration of the National Industrial Security Program (NISP) wlfich fulfills the vision of many in both government and industry who several years ago proposed that the Executive Branch of government have a common standard for industrial security. The NISP was conceived to eliminate c0nflict~ng, redtmdant, and unnecessary requirements through standardization ofp01icies mad procedures, coupled with interagency reciprocity. The guiding document for this government-wide program, the National Industrial Security Program Operating Manual (NISPOM)was signed in late 1994 by the Deputy Secretary of Defense and promulgated in early 1995. Administration of fl~e Program within DoD by the Defense Investigative Service is to Support the national security strategy of the UnitedStates by working in partnership with ¯ industry to develop and maintain security systems which provide critical technology with a level of protection that is rational, threat-appropriate, and cost-effective. Since the NISPOM replaces the Department of Defense Industrial Security Manual, it is important for all ~ofus to focus on the important~ changes in this program. With the assistanceofthe Office 0fthe Secretary of Defense, Industrial Security staff, the DoD Security Institute's Industrial Security Team has summarized some of the more significant changes. DoDSI's Industrial Security Team has also revised and improved the Self-inspection Handbook, first issued in February 1992 as an issue-of the Bulletin. The Handbook, developed to assist FSOs in the internal evaluation mad review of their facility's security posture, promises to be an invaluable tool for security professionals in industry as they come to terms with the risk management philosophy underlying the new and leaner NISPOM.

676
Security Awareness Bulletin dated July 1995, Nmnber 1=95 ]~age 2

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 2 of 15

The DoD Self-Inspection Handbook
TABLE OF CONTENTS
¯ Contractor Security Review Reqmrcment ......................................................... The 4 The Contractor Serf-Inspection Handbook ............................................................... 4 Inspection Techniques ............................................................................................ 4 Questioning Techniques .......................................................................................... 5 ELEMENTS OF INSPECTION A. B. C. D. E. F. G. H. I. J. K. L. M. N. O.. P. Q. R. S .T. U. V. W. X. FACILITY CLEARANCE * .........................................................................6 ACCESS AUTHORIZATIONS * .................................................................6 SECURITY EDUCATION * ........................................................................7 STANDARD PRACTICE PROCEDURES ................................................... 8 SUBCONTRACTING ..................................................................................8 VISIT CONTROL * ......................................................................................9 CLASSIFICATION * ...................................................................................9 EMPLOYEE IDENTIFICATION .............................................................. 0 I FOREIGN OWNERSHIP, CONTROL, AND INFLUENCE * ....................10 PUBLIC RELEASE * ................................................................................. 10 CLASSIFIED STORAGE ..........................................................................11 MARKINGS ..............................................................................................12 TRANSMISSION ......................................................................................13 CLASSIFIED MATERIAL CONTROLS ...................................................14 CONTROLLED ACCESS AREAS ............................................................15 DISPOSITION ........................................................................................... 16 REPRODUCTION ...........................................................i .............: ........... 16 CLASSIFIED MEETINGS * ......................................................................17 CONSULTANTS .................................................................. ..................... 17 AUTOMATED INFORMATION SYSTEMS .............................................18 COMSEC/CRYPTo ................................................... ........... i .....................20 INTERNATIONAL OPERATIONS * ........................................................ 2 2 OPSEC ................................................................................................. i ......24 SPECIAL ACCESS PROGRAMS .............................................................. 24

For faciliti(s: not having any approved classified storage (safcgnarding) capability, [the FSO should review (at minimum) the subject areas marked with an asterisk. " 'l INSPECTION ADDENDUM ' Suggested Questions When Interviewing Uncleared Employees .............. 25 Suggested Questions When Interviewing Cleared Employees ................................. 25 The Program Specific Self-Inspection Process ............ ................................ ........ 26 A Program Specific Serf-Inspection Scenario ........................................................ 27 The Program Manager Interview ........................................................................... 28 Employee Interviews ............................................................................................. 28
Security Awareness Bulletin dated July 1995, Number 1-95

I

677

Page

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 3 of 15

DoD CONTRACTOR SELF-INSPECTION HANDBOOK
The Contractor Security Review Requirement Contractors shall review their security system on a continuing basis and shall conduct a formal selfinspection at intervals consistent with risk management pNaciples. [1-21)7, NISPOlVl]

The Contractor Serf-Inspection Handbook The National Industrial Security Program Operating Manual (NISPOM) requires all participants inthe NISP to conduct their own security reviews (serf-inspections). This handbook is an updated version of the Self-Inspection Handbook first published in February of 1992. It contains the NISPOM's requirements in check list form, explains their arrangement into the "'Elements of Inspection," and suggests various techniques to enhance the quality of your reviews.
The Self-Inspection check list is a list of the more prominent NISPOM seculqty requirements #7 question form. The answer to each can be located within the NISPOM paragraph citation given at the end ~of each question. Your immediate task is to determine which of these requirements relates to your security program. These questions are located within alphabetically delineated areas (A thru V),. of common security concern. Traditionally known as the "Elements of Inspection, "' they combine to make up your Self-Inspection check list.

The first three Elements of Inspection: (A) Facility Clearance, (B) Access Authorizations, and (C) ~ Education must be covered during the .inspection of all Cleared facilities: Any remaining elements need only be covered if they relate to your security program. The easiest and quickest way to determine this is to ask the I.S. Representative which elements were covered during the last inspection. A look at your SPP (if you have One) will also provide clues. Of course, as your program becomes more involved with classified (e.g., changing from a non-possessing to a possessing facility), you'll have to expand your review process to include those new elements of inspection. Remember also that not all of the questions (requirements) within each relevant area relate to your program. The best way to determine this is to review each question (requirement) in the context of your industrial security program. If your involvement with classified invokes .the. requirement, your procedures should comply with it. Reading each question in the relevant areas of inspection is a good way to become knowledgeable of the Manual's requirements.
Inspection Techniques To get a clear picture of the state of security at your facility you must (1) know the requirements by which you are inspected (tiffs is where the check list will help), (2) know your facility's physical layout (i.e.; where the classified is stored, worked on, etc:), and (3) have knowledge of the processes involved in the classified programs at your facility. Remember, your primary sources of inforrnation are documents and people.

Yottr job as an inspector is.to verify and validate that your facility security program is properly protecting classified. To do this you simply review the self-inspection questions against appropriate documentation,

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 4 of 15

people and theft actions, and classified information involved in the faCility;s industrial security program. This is where the Serf-inspection check list comes in handy. It not only gives you the Manual's requirements, but it organizes them into elements .of common security concern. These elements Should not be held mutually exclusive during the inspection process. In fact, it will become obvious to you that they ¯ frequently interrelate. Questioning Techniques A quality self-inspection depends .on your ability to ask questions whicli may identify security problems. Seek information about current procedures, but also about change which could affect future actions. Get out of your office and into the facility working environment. Talk to the people! 0 0 0 0 0 All questions ~should be considered in the present and future sense. Let people tell their story. Don't be satisfied with Yes or No responses. Let people show you how flaey perform their job while handling classified. Follow-up the check list questions with your own questions. Keep good notes for fiiture reference mad corrective action. '

679
Security Awareness Bulletin &d.xl July 1995, Number 1-95 Page 5

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 5 of 15

A.

FACILITY CLEAILANCE
Are the DD Forms 441 and/or 441-1 mad 441 s properly executed and maintained ~n curreut status? (2-111) Have all Changes affecting the condition of the FCL been reported to the Field Offee? (1-302h) Does the home off~ce have an FCL at the same or higher level than any cleared facility within the Multiple Facility Organization? (2-108) Are the senior management official, the FSO, and other Key Management Persomlel cleared as required in co~mection with the FCL? (2-104) Have the proper exclusion procedures been conducted for uncleared company officials? (2-106a-b) Have the required reports been submitted to DISCO regarding employee Representatives of a Foreign Interest? (1-302d)

ACCESS AUTHORIZATIONS Is a curr(nt record maintahaed of all cleared employees at each facility? (2-219) Are the ntanber of clearances held to a minimmn consistent with contractual requirements? (2200d) Has a Lcttcr of Consent (LOC) bccn issucd for cach pcrsonncl ciearm~cc (PCL)? (2-208) Are all pre-employment clearance applications based on a written offerand acceptance of employment? (2-204) Are all required forms and information, regarding cleared perso~mel, fi~mished to DISCO? (Chap. 2, Sec 2)
B"s a good idea to retain a copy of the DISCO Form 562 used for required "Change in Cleared Employee Status Reports." This enables you to maintain a current and continuous clearance history of Your cleared personnel.

Are employees.in process for security clearances informed of their options regarding completion of the privacy portions of the DD 398, 398-2, and SF 86 application forms? (2-218)
Ensure adequate review proceduresof clearance application forms to preclude error/omission and increased clearance turn-around time.

680
Security Awareness Bulletin dated July 1995, Number 1-95 ~age 6

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 6 of 15

Does the contractor have PCLs issued to the home office facility (HOF) or has an alternative arrangement been approved by the DIS Field Office? (2-200c) Does the contractor provide reports on all cleared employees to the DISCO or the DIS Field Office as required? (1-302) SECURITY EDUCATION Does the contractor provide all cleared employees with security training and briefings cormnensurate with their involvement with classified information? (1-206, 3-100 thru 37108) 2~ Axe contractors who employ cleared persons at other locations ensuring the required security training? (3-104) Axe SF 312's properly executed by cleared employees :prior to accessing classified and forwarded to DISCO for retention? (3-105) . Axe refusals to execute the SF 312 reported to DISCO? (3~105) Do initial security briefings contain the mh~num required information? (3-106) ( Does the contractor's security education program include refresher security briefings?3-107)
Conduct personnel interviews in the work place during inspection tours of the facility and determine the effectiveness of your security education program. What do the employees remember from the last security briefing? Have them demonstrate the application of security procedures at their job fimction.

Co

Are cleared employees debriefed at the time of a PCL's temainatio~g suspension, revocation, or FCL termination? (3-108)
Has.the contractor established internal procedures that ensure cleared employees' awareness of their responsibilities for reporting pertinent information to the FSO, the FBI, and other Federal authorities as required by the Manual? (1-300)

Does the contractor have an effective procedure for submission of required reports to the FBI, the DIS, mad DISCO? (1-301, 1-302) 10. 11.
AXe Government special security briefings and debriefings provided by the DIS or GCA as required? (3-103, 9-202)

Has flae contractor established a graduated scale of administrative disciplinary action to be applied against employees who violate .the Manual? (1-304)

681
¯ Security Awareness Bulletin dated July 1995,.Number 1-95

Page 7

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 7 of 15

12.

Are employees aware &the Defense Hotline? (1-208)
TheDefense Hotline The Pentagon Washington, D.C. 20301-1900

(800) 424-9098 (703) 693-5080 13. Does management support the industrial security program? STANDARD PRACTICE PROCEDURES Is the SPP current and does it adequately implement the requirements of the NISPOM? (1-202) Remember that the SPP need only be prepared When the FSO or the DIS FieM Office believes it necessary for the proper safeguarding of cIassified SUBCONTRACTING
Does the contractor complete all actions required m the Manual prior to release or disclosure of Classified to sub-contractors? (7-101)

(1,204)

Eo

Are the clearance stares and safeguarding capability of all subcontractors determined as required? (7-102) Do requests for, facility clearance or safeguarding include the required informatibn? (7-101 c) Are all requests for facility clearance of prospective contractors based on bona fide procurement needs? (7-102d) Does the contractor allow sufficient lead time between the award of a Classified subcontract and the facility clearance process thne for an uncleared bidder? (7-102d) Does the prime, contractor ensure that adequate security classification guidance is incorporated into each classified subcontract? (7-103) Are contractor-prepared Contract Security Classification Specifications signed by a designated contractor official? (7-103)

Are original Contract Security Classification Specifications included with classified solicitations? (7-103a)
Are revised Contract Security Classification Specifications issued as necessary? (7-103b)

682
Security Awareness Bulletin dated July 1995, Nmnher 1-95 .

Page 8

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 8 of 15

10.

Does the prime contractor obtain approval, from the G0vemment Contracting Agency, for subcontractor retention of classified associated with a completed contract? (7-105)

VISIT CONTROL Can the contractor determine that all classified visits require access to or disclosure of classified information? (6=101) Does notification of classified visits allow sufficient lead time for the receiver's timely approval? (6-101) Do Visit Authorization Letters (VAL) include the required information, and are they updated to reflect changes in the status of that information? (6-103, 6-104) Are procedures established to ensure positive identification of visitors prior to disclosure of classified? (6-105) Are procedures established to ensure that visitors are only afforded access to classified information consistent with their visit (i.e., need-to-know)? - (6-106) Does the facility Visitor Record includethe required information? (6-107) Are long-term visitors governed by the security procedures of the host contractor? (6-108) Has the contractor secured the approval of the relevant Government Contracting Agency prior to disclosure of classified during non-contract related visits? (6-109b)

CLASSIFICATION

Is all classification guidance adequate and is the Contract Security Classification Specification provided as required? (4-103) Does the Govenunent Contracting Agency issue revised Contract Security Classification Specifications as needed? (4-103b) Does the contractor have adequate procedures for applying derivative classification to classified material being Created, extracted, or stmarnarized? (4-102)
Is improper or inadequate classification guidance being challenged? (4-104)

Upon completion of a classified contract, does the contractor properly dispose Of the relevant classified information? (4-103c)

.Is contractor-devel0Ped information appropriately classified, marked, and protected? (4-105) Are downgrading and deelassification actions accomplished as required, and is action taken to update records when changing the classification markings? (4-107)

683

Security Awareness Bulletin dated .July 1995, Humber 1-95

Page 9

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 9 of 15

EMPLOYEE IDENTIFICATION Do persounel possess the required identification card or badge when employed as Couriers, Handearriers or Escorts? (5-410b) Do ID cards or badges, used in conjunction with Automated Access Control Systems, meet Manual standards? (5-313b) Security procedures should maxTmize the use of personal recognition verification for access to classified material Note that the NISPOM makes Only passing reference to 1Ds and badges for use in specific instances. When such programs are employed as part ojyour security-in-depth procedures, the specifics should be reviewed with your DIS representative. FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE Is the contractor under any Foreign Ownership, Control, or Influence (FOCI) wlfich could adversely affect performance on classified contracts? (2.301b, 2-302) Has the contractor reported the presence of any/all FOCI factors to the DIS Field Office in the manner prescribed? (2-302)
Has the DIS Field Office been notified of negotiations for merger, acquisition, or takeover by a foreign person? (2-303b)

Has a FOCI Negation Plan been submitted to the DIS Field Office?

(2-305)

Do contractor senior manageinent officials of companies, operating under a Voting Trust, Proxy Agreement, Special Security Agreement or Security Control Agreement, meet annually with the DIS to review the effectiveness of the arrangement? (2-307)
Is an annual Implementation and Compliance Report submitted to the DIS Field Office? (2-307b)

Has a G0vermnent Security Committee been appointed from the Board of Directors undera Voting Trust, Proxy Agreement, Special Security Agreement (SSA), or Security Control Agreement (SCA)? (2-308) Have companies cleared under a Special Security Agreement received the special authorization needed to access "proscribed information"? (2-309) Has the contractor developed a Teclmology Control Plan (TCP), approved by the DIS, when cleared tmder a Voting Tn~st, Proxy Agreement, SSA, or SCA? (2-310)

PUBLIC RELEASE Does the contractor have flle approval of the Government Contracting Authority prior to public disclosure of reformation pertaining to a classified contract? (5-51 l)

684
Security Awareness Bulletin dated July 1995, Nmnber 1-95

Page 10

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 10 of 15

Is a copy of each approved"request for release" retained for one inspection cycle for review by the DIS Field Office? (5-511 a)

Ko

CLASSIFIED STORAGE Has the contractor established a system of security checks at the close of each working day to ensure that classified material is secured'? (5-102a) Does the contractor maintain a system ofpermaeter controls to deter or detect unaulhorized introduction or removal of classified from the facility? (5-103) Are procedures developed for the safeguarding of classified material during an emergency? (5104)

4

Is the number of persons possessing knowledge of the combinations to security containers minimized? (5-308) Is a record of the names of persons having knowledge of the combinations to security containers maintained? (5-308a)

Are security contmners, vaults, cabinets, and ottaer authorized storage containers kept locked when not under direct supervision of an authorized person? (5-308b) When combinations to classified containers are placed in written form. are they marked and stored as required? (5-308c-d)
Are combinations to security containers changed by authorized persons when required? (5-309) Are General Services Administratiou-approved containers repaired as required by the Manua!? (5311) 10.

Are supplanting access control syste~ns or devices used for controlling admittmace to Closed Areas during working hours? (5-312)
Is TOP SECRET classified stored only in approved GSA security containers, approved vaults, or Closed Areas? (5-302) Remember, TOP SECRET classified requires supplemental protecOon, unless the GSA container or vault is fitted with a locking device meeting the Government FF-L-2740 standard.

11.

12. 13. 14.

Does the contractor provide supplemental protection for all SECRET classified not stored in GSA containers, approved vaults, or Closed Areas? (5-303) Are Closed Areas constructed in accordance with the requirements of the Manual? (5-306, 5-8) Has DIS approval been granted for the open storage of documents in Closed Areas'? (5-306)

685
Securily Awareness Bullelin daled July 1995, Number 1-95

Page I 1

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 11 of 15

Intrusion Detection System Concerns
15.

Do intrusion detection systems (IDS), utilized as supplemental protection, meet NISPOM requirements? (5-307, 5-900) Remember that GSA security containers tTnd apprm, ed vaults secured with a locking device meeting Fed. Spec. 1@'-L-2740 may waive the supplemental protection requirement (see
5-307c),

~4qTen guards are authorized as supplemental protection (see 5-307b), required patro! is two hours Jbr TOP SECRET andJbur houm./br SECRET. 16. 17. 18. 19. 20. Are Intrusion Detection Systems (IDS) approved by DIS prior to installation as supplemental protection? (5-900, 5-901) Are trained alarm monitors cleared to the SECRET level ,and in continuous attendance when the IDS is in operation? (5-902) Are alarms activated immediately at the end of business? (5-902) Are alarm records maintained as required? (5-902d, e)

Does the Central Alarm Station report "Failure to Respond to Alarm" incidents to the DIS as required? (5-903a(3)) Commercial Central Station Alarm Company g~mrds do not require clearance unless their duties af]brd them the opportuniO, to access class{iied material when responding to alarms.

21.

Are all IDS at the contractor facility installed by UL-listed installers and so certified? (5-904, 5-905)
MARKINGS ls all classified material regardless of its physical form, marked properly?(4-200, 4-201) Is all classified material marked to show the name and address of the facility responsible for its preparation and the date of preparation? (4-202) Are overall markings marked conspicuously as required? (4-203) Are portions of classified documents properly marked? (4-206) Are all additional markings applied to classified as required'? (4-202 tlma 4-208) Are special types of classified material marked as required? (4-210)

Are classification markings applied to unclassified compilations as required?

(4-213)

686
Awareness Bltllelin dated .hdy 1995, Nttmber IO5

Page 12

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 12 of 15

Are downgrading/declassification notations properly completed? (4-216) Holders of classified material may take atttomatic downgrading or declm's!/]cation action as specified without fi~rther authoriO,. Does the contractor follow Manual procedure when classified material is distributed without proper classification or when it is upgraded? (4-218)

M.

TRANSMISSION Is classiticd inl'ormation properly prcpared lbr transmission outside the lhcility? (5-401) Arc receipts included when classified transmission rcquircs? (5-401) Is a suspense system established to track transmitted documents until the signed receipt is returned? (5-401 ) Are procedures established for proper receipt and inspection of classified transmittals and are returned receipts retained for two years? (5-202, 5-204, 57401) Are authorized methods used to transmit classified outside the facility? (5-402, 5-403, 5-404) Remember that transmission of TOP SECtLET, outside the_[~tciliO, requires written authorization from the Govetv~ment Contracting Authority. Is the facility clearance and safeguarding capability of the receiving facili~" determined prior to transmission of classified. (2-100)
Are Couriers, Handcamers, and Escorts properly briefed'?

(5-410)

Is handcar~ing of classified material outside the facility properly authorized, inventoried, and safeguarded during transmission? (5-410) Is handcart3:ing aboard conm~rciat aircraft accomplished ha accordance with required procedures? (5-411)
i0.

Are classified shipments made only in accordance with the Manual or instructions from the contracting authority? (5-408, 5-409) Does the contractor use a qualified career, authorized by the Govemmen(i when shipping classified material? (5~408) Are sufficient numbers of escorts assigned to classified shipments and are they briefed on their responsibilities? (5-4 12, 5-413)
For information concerning international transfer of classified, see International Operations (Chap. 10, Sec. 4 NISPOM).

11.

12.

687
Security Awareness Bullefill daled July 1995, Nunlber 1-95

Page 13

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 13 of 15

No

CLASSIFIED MATERIAL CONTROLS Do contractor employees understand their safeguarding responsibilities ? (5-10~3)
Facili~.. walk-throughs are a good way to determine employee IoTowledge qf sq/&guarding classi./ied when in-use. Interview and observe how classified is handled m the work place.

ls the contractor's information management systctn capable of facilitating the retrieval and disposition of classified material as required? (5-201)
Test 3,our system Jbr document retrieval by conchtcting jbn~,ard and revet:s'e checks of your class(Bed holdings. Take a sample of classo%d material from your information management register and attempt to locate it within your facility. Conversely, conduct spot checks at sample locations throughout the ./iwiBty where classified is stored. Ident~ items and determine ~/" they are reconciled in the inJbrmation management system. Remember, the inspector may no longer conduct such thorough checks, so it's up to you t Are external receipt and dispatch records maintained as required? (5-202)

Are TOP SECRET control officials designated at facilities possessing TOP SECRET classified'? (5-203) Are TOP SECRET accountability records maintained as reqnircd and ~s an annual inventory conducted? (5-203) Is all classified material received at the contractor facility and delivered directly to designated personnel? (5-204)
Are contractor-gdnerated TOP SECRET documents and "working papers" entered into accountability as required? (5-205) Remember that all classified workTng papers must be marked with (1) the "wor&'ng paper" designation, (2) the overall classification level, and (3) the date of creation. However. accozmtability requirements relate onh, to TOP SECRET.

Does the contractor maintain a system of controls to deter or detect unauthorized introduction or removal 0fclassified from the facility? (5-103) Do contractor employees promptly report the loss, compromise, or suspected compromise of classified to the FSO? (1-300. 1-303) 10. 11. Are pr0ccdurcs adequate to protcct classified during c~ncrgcncies? (5-104) Are security checks conducted at the end of each working day to ensure proper storage Of classified materials? (5-102)
Conduct an inspection walk-through during lunch breaks, after hours, and on late work shifts, if classified is being accessed, to determine the actual state of security at your facili&.

688
Securily Awareness Bulletin dated July 1995, Number 1-95

Page 14

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 14 of 15

CONTROLLED ACCESS AREAS Do Restricted Areas have clearly dclined perimeters and is all elassitied material properly secured when the area is unattended'? (5-305) Are Closed Areas approved by the DIS and properly constructed in accordance with the Manual? (5-306, 5-8)
Remember that Closed Areas require DIS, Field Office approval and an approved Intrusion Detection System (IDS) unless security guard~ were approved prior to this Manual. !~en guards are authorized as supplemental protection (~'ee 5-307b), the required patrol is two hoz~rs f!)r TOP SEC~T and four hOurs for SEC~Z

Are Closed Areas afforded adequate supplemental protection during non-working hours? (5-306, 5-307)
During non-working hours (see definition of Worlang Hours. Apx. C, NISPOM), Supplemental Controls are required for TOP SECRET and SECRET elass(/ied storage. Do supplanting access control devices used for Closed Area access control, during working hours, meet Manual requirements and have FSO approval prior to installation? (5-312 tlu-u 5-314) Watck entrances to Closed Areas to determine the procedure employed when supplanting access control devices are utilized. Are authorized users allowing unauthorized persons to piggy-back t~to the area?

Are persons without the proper clearance and need-to-know escorted at all times when in a Closed Area? (5-306)
Intrusion Detection System Concerns Is IDS approved by the DIS prior to installation as supplemental protection and does it meet NISPOM or UL 2050 standards as required? (Chap. 5, Sec. 9, 5-900, 5-901)
o

Are trained alarm monitors cleared to the SECRET level in continuous attendance when the IDS is in operation? (5-902) Are alarms activated at the end of business'? (5-902)

Arc alarm records mahltaincd as required? 10.

(5-902d-c)

Does the Central Alarm Station report failure to respond to alarm incidents to the CSA as required? (5-903a(3))
Commercial Centra! Station Alarm Company guards do not require a personnel clearance unless their duties afford them the opportunity to access classified material when responding to those alarms.

689
Security Awareness Bulletin dated Ju]ly 1995, Number 1-95

Page 15

Case 1:07-cv-00243-LMB

Document 15-27

Filed 05/12/2007

Page 15 of 15

11.

Are all IDS utilized as supplemental controls installed bv UL-listed or DIS-approved installers and so certified? (5-904, 5-905)

DISPOSITION Is a program established to review classified holdings on a recurring basis lbr the purpose of reduction? (5-700) Is the disposition of classified material accomplished in accordance with the required schedule? (5701) Is retention authority requested as required? (5-702)

Is classified material destroyed as soon as possible after it has served its purpose'? (5-704) Does the contractor employ an effective method of destruction? (5-705) NISPOM language does not require prior approval for any of the listed methods of destruction. Is classified material destroyed by appropriately cleared contractor employees? (5-706) The NISPOM still, requires two persons./-or the destruction of TOP SECRET and one person..For the destrucn'on qi'SECRET and CONFIDENTIAL. Arc proper records maintained for the destruction of TOP SECRET classified and do those who sign have actual knowledge of the materials destruction? (5-707) 7"he NIA'POM has eliminated the accountability requirement Jbr SEC1~27" classitTed material. However. keep m mind the U.S. Government rese~,es the r~ght to retrieve ?ts class~ed material or cauxe appropriate dispositTon. Thus. your inJbrmation management .Lvstem shall be capable of ./i~c'ilitating such retrieval and c#sposition m a reaxonable period o.f time O'easonabte period time ~s not defined). [5-201] Is classified waste properly safeguarded until its timely destruction? (5-708)

Qo

REPRODUCTION Does the facility's reproduction control system keep reproduction of classifi~ material to a minimu~n? (5-600)
Efibctive access control through Jbcilio, conJiguration, technology, and operat/onal procedures is encouraged and shouM be published in the SPP.

Is fl~e reproduction of classified accomplished only by properly cleared, authorized, and knowledgeable employees? (5-600) Is reproduction authorization obtained as required? (5-601)
Seeur~ .ly Awareness Bulletin dated July 1995, Number 1-95

690
Pago 16