Common NISPOM Violations and How an FSO Prevents Them
Every day, a cleared contractor must abide by the rules of the NISPOM. This is a daily operational discipline, not a box-ticking exercise. Cleared contractors' access to classified material depends on controlled environments and on the discipline of a consistently enforced access control policy.
NISPOM non-compliance typically stems from poor procedures, gaps in communication and information, and a lack of centralized oversight or visibility. A facility security officer (FSO) addresses these weaknesses by implementing proper controls, holding responsible parties accountable for security-related activities, and maintaining continuous visibility into security operations.
A review of the types of NISPOM violations will show that having proactive FSO involvement can prevent the occurrence of these violations before they happen.
Improper Control of Classified Material
Improper handling of classified information is an ongoing problem under the NISPOM. It includes leaving classified documents unsecured in the open, storing material in an unauthorized container, omitting the required cover sheets, and transporting classified information by unapproved methods. Often this happens because the employees responsible for handling classified information work in a busy environment and choose to do things quickly rather than follow procedure. At other times, employees believe that an informal method they have used for a while has been accepted as proper.
An FSO reduces the risk of improper handling by establishing a planned process for handling classified information. Accountability logs, container checks, and end-of-day security checks give the FSO assurance that classified material is secured and accounted for. The FSO performs regular inspections to find control problems early – for example, containers left open, classified information not properly marked, and the movement of classified material not properly documented. By resolving items such as these early, the FSO prevents them from becoming formal incidents.
The FSO also assists in the prevention of improper handling of classified information through training. This training covers an understanding of how to identify classification markings, how to meet storage requirements, and how to understand the responsibility of document control. Employees who are knowledgeable about compliance and the reasons why compliance is required are more likely to comply. The FSO also reinforces a culture of compliance by providing reminders, conducting walkthroughs with employees, and giving corrective guidance. This ongoing reinforcement fosters the establishment of a culture of discipline by employees, with respect to the control of classified materials.
Access Authorization and Clearance Management Gaps
Unauthorized access usually results from incomplete access control records, poor communication, or assumptions about an individual's eligibility to access classified information. Employees may change assignments without any change to their access, visitors may enter restricted areas without being verified at the time of entry, and supervisors may grant access without first confirming need-to-know, which creates a reportable event even if the access was temporary.
The facility security officer (FSO) is the access control authority. By maintaining accurate clearance tracking and verifying need-to-know before access is granted, the FSO reduces the opportunities for unauthorized disclosure. Visitor management also falls within the FSO's charge. By collecting and reviewing visit requests, monitoring escort requirements, and issuing temporary badges, the FSO applies a controlled process that prevents unauthorized disclosure in high-traffic or shared environments.
Close coordination between all the departments involved in the access control process is essential. The FSO works with each program manager to align access with the relevant contract provisions, and with human resources to monitor employee onboarding and offboarding. When an employee transfers to a new position or leaves the company, the FSO removes the access that is no longer needed. By applying this life-cycle approach, the FSO ensures that an employee's eligibility for access, authorization for access, and operational need for access stay aligned. Consistently managed access significantly reduces the chance of an accidental access violation.
Training Deficiencies and Insider Threat Awareness Gaps
Security training gaps are one of the primary sources of non-compliance with the NISPOM: employees who have not been properly trained may not realize that discussing classified material in unsecured areas or mishandling classified systems is a violation, and may not recognize the activities they are required to report.
Over time, inadequate training creates a cycle of complacency and increases exposure to both accidental and intentional threats.
The FSO contributes to compliance through continuous training and awareness programs, starting with establishing clear processes during the initial orientation session and providing reiteration of changed processes and regulations in the form of follow-up training.
The more successful FSOs do not simply reuse an outdated PowerPoint presentation with generic content (e.g., a stock insider threat briefing) and generic examples; instead they build the training around the organization's own employees and organization-specific scenarios.
Communication is essential for the successful reporting of insider threats. The FSO should have established reporting mechanisms for employees to report without fear of retribution. The FSO works closely with leadership and IT teams to develop tools for identifying behavioral patterns associated with insider threats and identifying system-related risks to the organization.
The earlier the organization identifies a potential insider threat, the less likely the organization is to be compromised as a result of negligent acts and unknown risks.
Documentation and Reporting Weaknesses
NISPOM inspections frequently uncover missing or outdated documentation and delayed reporting. Missing training records, outdated procedures, and inadequate self-inspection documentation make it appear that the program lacks sufficient controls. Even sound operational practices can produce adverse findings if the supporting documentation is not accurate and complete.
The FSO can minimize violations by having documented processes for document management. For example, training logs, access approvals, incident records, and inspection records are all maintained in organized systems. Your FSO will periodically review these documents to ensure that they are current and easily accessible. Maintaining this level of administrative discipline demonstrates that your program is mature and ready for audits.
Incident reporting is extremely important as well. If a security issue develops, the FSO will evaluate the issue, gather facts, and will submit a report within the required time frames. Prompt reporting decreases uncertainty, supports corrective actions, and highlights the need for centralized oversight in order to reduce the possibility of missing any reportable events. The FSO will ensure that all security events are handled consistently and transparently.
Conclusion
NISPOM compliance cannot be achieved through policy training alone; it requires continuous monitoring, disciplined processes, and a culture that emphasizes protecting classified information. Improperly handled material and incomplete supporting documentation (e.g., employee training records) have serious consequences because each is an operational security control failure, and the Facility Security Officer addresses those failures by showing how security integrates into everyday activities.
Security begins with structure: the Facility Security Officer creates a well-defined set of procedures for handling all classified material, including access to facilities, so that employees understand what they must do to remain compliant with NISPOM policies and procedures and are less likely to deviate from them. A predictable environment reduces the opportunities for human error. Regular inspections and self-assessments give the organization a way to track its compliance status and time to correct small issues before they become a reportable violation.
Frequently Asked Questions
Common violations include improper handling of classified information, outdated training, missing visitor logs, inadequate access controls, and poor document storage.
An FSO prevents violations through regular training, audits, access control enforcement, secure storage procedures, and maintaining accurate security documentation.
NISPOM compliance protects classified information, avoids penalties, maintains facility clearance, and ensures organizations meet federal security requirements.