Flashcards in Industrial Security Deck (30)
What is the purpose of Cognizant Security Agencies (CSA)?
These organizations establish industrial security programs and oversee security requirements
What is the purpose of Cognizant Security Offices (CSO)?
These organizations administer the NISP and provide security guidance, oversight, and policy clarifications
What is the role of an Industrial Security Representative (IS Rep)?
Serves as the contractor's primary point of contact for security matters
Works closely with the FSO to provide advice, assistance, and oversight
Conducts Security Vulnerability Assessments (SVAs) and administrative inquiries
Contractors report security violations to IS rep
What is the role of an Information System Security Professional (ISSP)/Security Control Assessor (SCA)?
Works closely with IS Reps and contractor personnel on all matters related to the authorization and maintenance of authorized contractor classified Information Systems (ISs)
Oversees authorized contractor IS use
What is the role of a Counterintelligence Special Agent?
Provides advice, oversight, and training regarding counterintelligence issues
Works with contractors to identify potential threats to U.S. technology, including insider threats
What is the role of the Installation Commander/Agency Head?
Serves as the CSO for government-controlled and leased facilities.
Has overall responsibility for the security of the installation
Reviews and updates installation directives to reflect minimum NISPOM guidance for those contractors who are required to work on the installation
What is the role of a Facility Security Officer (FSO)?
Has ultimate responsibility for the administration, oversight, and day-to-day operation of the contractor security program
Meets NISPOM requirements and the contract-specific requirements of the DD 441 and DD 254
What is the role of an Information System Security Manager (ISSM)?
Manages each Information System (IS) and ensures all IS security requirements are met.
Implements NISPOM IS security requirements, including self-inspections of the IS
Establishes, documents, maintains, and monitors IS security programs and procedures
Conducts IS security education and training
Notifies the CSO of relevant changes to IS
Develops facility procedures for: handling media and equipment containing classified information, implementing security features, incident reporting, user acknowledgment of responsibility, and threat detection, including auditing and monitoring for malware attacks, phishing attempts, and other threats
What is the role of an Insider Threat Program Senior Official (ITPSO)?
Responsible for establishing and maintaining an Insider Threat Program that gathers, integrates, and reports any information that might indicate an insider threat
What is the purpose of a Government Contracting Activity (GCA)?
Defines the initial requirements for the product or service, as well as the acquisition strategy for the contract
Publishes a Request for Proposal (RFP) as part of the solicitation stage
Evaluates the submitted proposals and, based on the criteria outlined in the GCA's RFP, awards the contract to the contractor that provides the best value to the government
What is included in a Request for Proposal (RFP)?
- Contract requirements
- Contract clauses
- Work statements
- Delivery schedule
- Payment terms
What are the facility requirements for a classified contract?
The government must verify that the contractor has a valid Facility Clearance (FCL):
- At the appropriate level
- With the appropriate storage capabilities, if applicable
*If the company does not have a valid FCL:
- The government will need to sponsor the company for an initial FCL at the proper level
*If the company has an FCL at a lower level:
- The government will need to sponsor an upgrade to the proper level prior to awarding any classified contracts
What is the role of a Contracting Officer (CO)?
Has authority to enter into, administer, and terminate contracts
Has oversight and contract responsibility for numerous programs
Authority may be delegated for:
- Contract administration, to an Administrative Contracting Officer (ACO)
- Settling terminated contracts, to a Termination Contracting Officer (TCO)
What is the role of a Contracting Officer’s Representative (COR)?
- Designated by the CO
- Assigned to specific contracts as a subject matter expert (SME); oversees the contracting process, making sure that all of the necessary requirements are met
- Determines whether a contractor has a need for access to classified information, verifies the contractor's FCL, and sponsors the contractor for an FCL, if necessary
- Communicates the security requirements and monitors contractor performance
- Not authorized to make any commitments or changes that will affect price, quality, quantity, delivery, or any other term or condition of the contract; these are the responsibility of the CO
What are the requirements for Contract Documentation?
- Include security clauses, as required by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS)
- Follow the security classification guidance, covering both classified information and CUI
What does the Statement of Work (SOW) contain?
Provides the contractor with background, objective, and completion information on the desired end product
Contains contract information such as:
- Project scope
- Deadlines and steps
- Contractor details
- Lists of contract working personnel
- Billing hours and rates
- Clearance levels required
- Travel, if applicable
What does the Department of Defense Contract Security Classification Specification (DD 254) provide to contractors?
Provides contractors with security requirements and security classification guidance to perform on the classified contract
- Specific clearance and access requirements
- Authorization to generate classified information
- Classified storage requirements
- Instructions about public disclosure
- Other special security regulations above and beyond those detailed in the NISPOM
*Mandatory for all contracts requiring access to classified information
What knowledge/roles are required to complete the DD 254?
- Contracting authority and knowledge (Example: the COR)
- Program knowledge and subject matter expertise (Example: program manager for the contract)
- Security knowledge of information and industrial security requirements (Example: FSO or security specialist)
What is a DoD Security Agreement (DD Form 441)?
- Legally binding contract between the U.S. Government and the contractor
- Executed when a company receives its FCL
- Must be completed before any work on a classified contract begins
What are the basics of a Facility Clearance (FCL)?
- Administrative determination that a company is eligible for access to classified information of a certain classification level and all lower levels
- Contractor or facility cannot access or possess classified material until the FCL is granted and safeguarding capabilities are approved
- All Key Management Personnel (KMP) must be granted a PCL before the FCL will be granted
- It is not the actual facility building or structure that is cleared, but the individuals who run, own, and manage the facility
What is the government's role in DoD Security Agreement (DD Form 441)?
- Establishes authority to review the contractor’s security program to ensure compliance
- Makes a commitment to process PCLs for contractor employees
- Agrees to provide security classification guidance and oversight
What is required in order to obtain a Personnel Security Clearance (PCL)?
- Favorable clearance eligibility determination at the proper level
- Possess a need-to-know
- Execute a Classified Information Non-Disclosure Agreement (SF 312)
What are the steps in the Personnel Security Clearance (PCL) Process?
- The GCA, based on the RFP (not the PM), decides whether an employee needs a PCL based on the requirements to perform on the classified contract
- The FSO initiates the process and the employee completes the SF-86
- The FSO sends the SF-86 to the Personnel Security Management Office for Industry (PSMO-I)
- PSMO-I determines whether the request for a clearance is legitimate and forwards the application to the investigative agency that will conduct the background investigation
- The investigative agency puts all of the information collected into a report that the DoD CAF reviews
- The DoD CAF uses the national standards laid out in the DoDM 5200.2, Procedures for the DoD Personnel Security Program, to make a national security eligibility determination
- If the determination is favorable, the DoD CAF records the eligibility level in the DoD system of record
- The FSO may then grant the employee access to classified information, up to the level for which the employee is eligible.
Who determines the level of clearance for the PCL?
The GCA based on the RFP
*Not the PM
Personnel Security Clearance (PCL) Process
1. FSO initiates the process
2. Employee completes the SF-86
3. FSO sends the SF-86 to Personnel Security Management Office for Industry (PSMO-I)
4. PSMO-I determines if the request for a clearance is legitimate
5. PSMO-I forwards the application to the investigative agency that will conduct the background investigation
6. Investigative agency puts all of the information collected into a report
7. DoD Consolidated Adjudications Facility (DoD CAF) reviews the report
8. DoD CAF uses the national standards laid out in the DoDM 5200.2 to make a national security eligibility determination.
9. If the determination is favorable, the DoD CAF records the eligibility level in the DoD system of record
10. FSO may then grant the employee access to classified information, up to the level for which the employee is eligible
What is the FSO's role in Terminating Access?
- Debrief employees who no longer require access
- Remove their names from any access rosters and/or any active visit certs
- Remove the employee’s access in the current DoD system of record
*Eligibility remains in the system of record even when access is terminated by the FSO
Who is responsible for ensuring visitors have the appropriate PCL and need to know?
The party who is disclosing the classified information (the host contractor) is responsible
Contractors are responsible for supplying their employees' clearance information to the host facility prior to the visit through the current DoD system of record or, if that is not available, with a visit cert
How is a visitor's PCL verified?
- By review of a CSA-designated database that contains the information
- By a visit cert provided by the visitor's employer
What is a contractor's main responsibility?
Implement NISP requirements for the protection of classified information