Enhance Your Security Program with TAG
NISPOM Compliance Starts Here
At TAG, we empower Facility Security Officers with the tools and knowledge needed to ensure robust NISPOM compliance. Our expertise helps you build resilient security programs that stand up to any inspection.
Comprehensive FSO Training
Our tailored training programs equip FSOs with the skills necessary to manage security protocols effectively.
Expert Compliance Guidance
Receive step-by-step guidance to navigate the complexities of NISPOM regulations with confidence.
Tailored Security Solutions
We offer customized solutions that align with your organization’s unique security needs and objectives.
Insights on NISPOM Compliance and FSO Duties
Beyond CMMC. Why You Should Develop an Information Control Plan
The Opportunity
Defense contractors fulfilling CMMC requirements should also consider developing an information control plan. While the CMMC certification evaluates systems, the plan will address information residing on the systems and networks.
Where NIST provides technical guidance and NISPOM addresses the protection of classified information, there is still a need to adequately protect other information such as ITAR, CUI, FGI and proprietary data.
The Problem
Take a look at this paraphrase from Allen Dulles’ book The Craft of Intelligence:
In the 1950s the US Congress was concerned that there was just too much technical information available on government programs. From that concern, they commissioned researchers to assemble as much information from the public domain about a particular program as they could. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the information to be classified, safeguarded the information and disbanded the group. The lesson: intimate program details were not properly identified, marked and protected.
Here are a few examples of where this happens today.
- CMMC ratings evaluate a contractor's ability to protect data that resides on networks, devices and computers. However, the data residing on protected networks and devices is not marked. CMMC measures technical countermeasures to protect the data. However, the additional requirement is to “Develop a CUI program or information control plan complete with methods, policies and training.” This is usually an area that falls under the IT manager, an expert at countermeasures, but not intimately knowledgeable of the information being protected.
- An employee is required to provide white papers, pamphlets, or technical drawings for a public event such as a conference or publication. While the employee is an expert on their information, they may not understand which products (drawings, technical references, research results, etc.) are CUI, ITAR or proprietary. This is usually an area controlled by a compliance officer, FSO, or other employee, who may not be familiar with the technical information. When the employee uses technical drawings to provide required products, and reviews are not in place, there is a potential CUI or ITAR violation.
- Employees create work products, deliverables, purchase orders, etc., which are distributed through shared drives, emails or other public-facing methods. This becomes an issue where reference documents such as technical manuals, statements of work, or other source documents and products are marked CUI, export controlled, or proprietary information, but the markings are not identified in derived products.
There are too many situations to cover in one article showing how vulnerable technical information can be. The above three situations can lead to information and data release violations if the correct measures are not taken.
Don’t believe the hype
Let’s use CUI as an example of what should be part of an information protection plan and how to apply it. There is bad advice going around that says “contractors are not authorized to determine CUI” or “contractors are not authorized to mark CUI on documents”. Don’t fall for this; it’s your responsibility to identify, document and control information.
How to implement your own program
For example, while it is true that the government determines what information is CUI, contractors can derive CUI in products created from CUI source documents. Further, if a contractor is creating blueprints or providing a product using a source document marked CUI or export controlled, then the markings should carry over to anything produced from that source.
Unfortunately, sensitive information derived by contractors is not always carried over into work instructions, purchase orders, technical drawings, or other products. The solution can’t be only the technical controls found in NIST; rather, it should include the other requirements for applying an information control plan with the following objectives:
- Identify or recognize source products
- Train employees to identify protected source documents
- Label and catalog decisions
- Develop public release review process to ensure protected information is not released
- Publish policies and training to ensure it is complete
- Implement self-inspection
The work effort is huge, but rewarding. It involves working groups, records and accountability.
However, you might consider getting assistance. While third-party services ensure NIST compliance and perform CMMC reviews, they do not create CUI programs or information control plans as described above. If you need assistance with developing your program, please reach out to us.
The FSO should be plugged into onboarding and offboarding of cleared employees
Human Capital or Human Resources onboard employees into the organization. This has been a practice for years and works very well. Part of onboarding should include verification of eligibility to work as well as execution of a background check.
With cleared defense contractors, FSOs should be incorporated into the onboarding process. The FSO's role is to grant access to already cleared personnel, initiate background investigations for those not already cleared, and prepare employees to execute on classified contracts.
In many organizations, HR and the FSO might be the same person or share the same office. In this case, the onboarding process for cleared employees may not be an issue, as the roles are either the same or shared.
In larger organizations, the FSO and HR may be separated by distance, offices or other circumstances. However, they should be working together from onboarding to termination of cleared employees. Here are some important things to consider:
- If HR only uses I-9 identification for onboarding (a driver's license or social security number), note that these sources do not determine citizenship, just eligibility to work.
- FSOs must verify U.S. citizenship, which requires a passport, birth certificate and/or citizenship documents such as naturalization forms, and therefore should be part of the onboarding process
- FSOs must ensure cleared employees remain eligible. This may require involving HR in policymaking and documentation of employee non-compliance
- FSOs must debrief employees when access is no longer required, and therefore should be part of the offboarding process
As your company grows, consider ensuring your FSO is part of the growth and has the opportunity to execute their requirements to demonstrate NISPOM compliance.
Security Through Email: Not a Best Practice
How many emails does it take for an FSO to get a Visit Authorization Request (VAR) approved?
a. 4
b. 10
c. 1
Hopefully your answer is none of the above. However, it’s more likely that the answer for some of you is, unfortunately, four or more. Some have commented that they have exchanged email correspondence up to 10 times with a subject before finally getting the information needed to complete the VAR request in the Defense Information System for Security (DISS). 10 or more emails per VAR; multiply that by the number of employees and that’s a lot of attention. Now, let's add foreign travel and other required reports. Using email as the primary information gathering resource can significantly increase administrative workloads.
Why use email for FSO tasks at all?
For those of you who work in cleared facilities with large budgets, you might ask the same question, and it’s a good question. In your case, you might be enjoying the benefits of a dashboard and all of the benefits of being a well-trained security professional, perhaps even with a security team in support. As such, you might rarely get emails for security tasks, as each employee might have their own portal.
However, there are a large number of FSOs who are not security professionals, have been appointed to the position and may not be aware of a better way. Many of the FSOs I serve are managing tasks through email, and it does involve a lot of time devoted to answering email, requesting additional information and so much more. These email tasks are tedious, and if they already receive abundant emails with their full-time job, requests could get buried, lost or misfiled.
A better way
While these FSOs may not have resources such as security dashboards for employee and FSO tasks, email can be incorporated into their procedures, but it should not be the primary way of gathering information.
The danger with email is that it’s email, and not a very good system for tasking. Additionally, the information that is required to complete reports and requests in DISS is sensitive, and insecure email may create a vulnerability. There is a better way.
Here are a few recommendations for making your FSO tasks more efficient and secure.
- Create a fillable form or eform for each type of request or report. Duplicate required DISS fields to create the forms.
- Upload form on shared drive for employees to access, populate and send to FSO
- Create an FSO Workbook to file forms, archive documents and demonstrate NISPOM Compliance
Email is a great communication tool, but not a good tasking mechanism. For example, email can be used to notify an FSO that a form has been filled in and is ready to process. It may be a great way to remind employees to take their training. However, conducting operations and tasks via email may lead to a breakdown in efficiency and compliance.
If you would like to see some sample forms, contact me and I’ll be happy to provide them.
If you are ready for consultation, program building or creating your own FSO Workbook and system contact me.
Alternatively, you can download files, folders and templates in our FSO Workbook product. I’ll also be happy to set that up.
How to Gain an Absolutely Unfair Advantage at Security Reviews
By: Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP
Demonstrating NISPOM compliance requires both an in-depth knowledge of NISPOM requirements and the ability to grasp administrative tasks. For example, the cleared company’s Senior Management Official (SMO) and Facility Security Officer (FSO) implement the NISPOM within their organization to address risk to classified information. While these leaders oversee and execute NISPOM requirements, there may be issues with demonstrating how they are meeting compliance. With a bit of organization, compliance can be easily demonstrated with the correct artifacts and documentation.
In my newsletter, I tackle NISPOM compliance and lead with three pillars. One of these is a continuous study of NISPOM and application of FSO and NISPOM professional development; both are critical to technical proficiency. The other resource is the Self-Inspection Handbook for NISP Contractors, which covers all NISPOM topics. Using the handbook as a professional development and assessment strategy, let’s tackle how to demonstrate compliance under the “Procedures” topics.
One task is the identification of a Senior Management Official (SMO) who is responsible for overseeing the security and Insider Threat programs, reporting requirements and security operations. Compliance is measured by the SMO’s execution of their role and delegation of tasks. When the Defense Counterintelligence and Security Agency (DCSA) conducts the security review, they will determine how the SMO is exercising their role, approving procedures and resourcing programs. The SMO appoints the FSO and the Insider Threat Program Senior Official (ITPSO) in writing. Additionally, the SMO should sign, endorse and require the implementation of the following NISPOM required procedures:
These procedures should be tailored for the organization. Once they are signed and implemented, they can be incorporated into training and presentations and made available to employees. Appointment memos and policies can be signed and made available to DCSA for review.
However, let’s level up. For example, one question asks, “Has the company developed and implemented an Insider Threat Program endorsed by the SMO?” The answers are: YES, NO or NA. You can select an option and move to the next question. However, I always recommend populating the narrative space with how the practices are implemented. That way the FSO can rehearse answers, provide written documentation and verbally demonstrate how requirements are met.
Let’s proceed to the narrative.
How Implemented/Notes: _________________________________
This provides white space for answers. Take the opportunity to write explanations as completely as possible. Most answers may translate to address DCSA’s Gold Standard Criteria, allowing the facility to possibly meet Commendable and Superior rating criteria. For example:
How Implemented/Notes: “Our ITPSO developed a robust program policy and briefed it to the SMO, who approved and signed it. The policy is available to each employee and referenced in Insider Threat Program training and Insider Threat Program Working Group training. Our organization also analyzes insider threat information with IXN Solutions or other third-party vendor software.”
Again, this narrative assists with the future DCSA review. However, it takes a well-educated FSO to be up to the task. FSOs should incorporate professional development that provides increasing and measurable technical proficiency. This NISPOM foundation also provides an understanding of how to apply The Self-Inspection Handbook for NISP Contractors. Attend professional development opportunities and use the handbook to verify education and compliance.
Your NISPOM Compliance Questions Answered
What is the role of a Facility Security Officer?
A Facility Security Officer (FSO) is responsible for overseeing and implementing a security program that complies with NISPOM requirements, ensuring the protection of classified information.
How can I ensure my facility is NISPOM compliant?
To ensure NISPOM compliance, conduct regular audits, provide ongoing FSO training, and stay updated with regulatory changes. TAG offers comprehensive support to help you maintain compliance.
What are the key responsibilities of an FSO?
Key responsibilities include managing security clearances, conducting security training, and ensuring adherence to NISPOM guidelines.
How often should security training be conducted?
Security training should be conducted at least annually, with additional sessions as needed to address specific updates or changes in regulations.
What is NISPOM?
The National Industrial Security Program Operating Manual (NISPOM) outlines the requirements for safeguarding classified information within cleared contractor facilities.
How does TAG assist with FSO tasks?
TAG provides expert consulting services to help FSOs manage their duties effectively, offering training, compliance audits, and tailored security solutions.
What are the consequences of non-compliance with NISPOM?
Non-compliance can lead to penalties, loss of security clearances, and damage to your organization’s reputation. Ensuring compliance is essential for maintaining operational integrity.
How can I stay updated on NISPOM changes?
Stay informed by subscribing to industry newsletters, attending relevant workshops, and consulting with experts like TAG who monitor regulatory updates.
What resources are available for new FSOs?
New FSOs can benefit from TAG’s comprehensive training programs, mentorship opportunities, and access to a wealth of industry resources to build their expertise.
Key Features of Our FSO Programs
Comprehensive Compliance Audits
Our audits ensure your security program aligns with all NISPOM requirements, identifying gaps and providing actionable insights.
Tailored Training Solutions
We offer customized training programs that empower your team with the knowledge and skills needed to maintain compliance.
Proactive Risk Management
Our strategies focus on identifying potential threats and implementing measures to mitigate risks before they impact your operations.
Our Consulting Services
NISPOM Compliance Consulting
We provide expert guidance to ensure your organization meets all NISPOM standards efficiently.
FSO Capability Building
Develop your internal FSO capabilities with our hands-on training and support services.
Security Program Development
We assist in designing and implementing robust security programs tailored to your specific needs.
Inspection Preparation
Our team prepares you for successful inspections, minimizing disruptions and ensuring compliance.
