Facility Security Officers (FSO) at cleared defense contractor facilities are very valuable to the success of the National Industrial Security Program (NISP). After all, they are the designated points of contact for applying NISP requirements while performing on classified contracts at the cleared contractor facility.
Successful leaders in industry understand the responsibilities of their organization’s FSOs and do very well to resource and support FSO activities. Corporate policies and procedures should also incorporate required training to bring the organization in line with National Industrial Security Program Operating Manual (NISPOM) compliance.
According to the latest NISPOM, 32 CFR Part 117, cleared defense contractors should provide all employees holding security clearances with security training and briefings commensurate with their involvement with classified information. Generally, this required training consists of initial briefings, refresher briefings, and debriefings when clearances are no longer necessary. More specific training categories include insider threat, derivative classifier and handling controlled unclassified information.
While the requirements to train cleared employees remains constant, not all defense contractors are created equally. Larger businesses may have staff supported FSOs devoted to the protection of classified information, physical security, operations security, contracts security, special access and etc. On the other hand, smaller contractors have equal responsibilities, but operate with fewer employees, one of which is appointed as FSO.
Just because an entity does business with the government or is cleared for classified work, doesn’t mean they are at the same level of performance as more experienced organizations. It’s tempting to assume that every FSO as “appointed” possesses the same level of experience, know how or the time to dedicate to the administrative FSO tasks. Regardless of resources and skill levels, requirements are the same.
Administering training is as important as developing and delivering it
Regardless of the size of the organization or how well the FSO is staffed, the training requirements are the same. The FSO is responsible for conducting the training and documenting it. If the FSO does not have the training available, they either acquire it, outsource it or develop it in house.
There is not a specific requirement for how the training is to be conducted, but rather that all of the NISPOM required topics are covered. Newsletters, presentations, videos, and webinars are some of the most popular methods for providing training. While developing training can take a tremendous amount of time, organizing and documenting training is the most important task. Without the documentation, the training can’t be accounted for.
How the FSO is held accountable under the NISP
Several events could lead auditors and reviewers to the FSOs training. Quality assurance audits and maturity manufacturing level assessments are two such events that the government customer might use to inspect a contractor’s work performance. However, the most impactful occurs as the Defense Counterintelligence and Security Agency (DCSA) conducts reviews of cleared defense contractor facilities; they go with a purpose.
Their priority may be to conduct a risk assessment of classified information in the contractor's possession. Part of the risk assessment includes verifying NISPOM compliance, which includes delivering and documenting training.
There are many ways to document training depending on how much time the FSO can devote to it. This can be documented with signed certificates, memos, spreadsheets and helpful information management systems and software.
Some things an FSO might document as proof of training include a schedule of upcoming training, past training, names of employees trained as well as training topics or titles. There is a lot to manage, recall and present to inspectors.
For example, while using newsletters or other print media for training, FSOs should account for where brochures, posters or other training items are located and keep them up to date. For presentations or videos, it is necessary to keep signatures, dates, and topics of training.
FSOs should have a well-documented training program, organized and readily available for DCSA reviews. This documentation should demonstrate to the reviewer how training is applied enterprise wide and how it might be assessed to reduce risk. FSOs should use a reliable system to demonstrate that they are conducting required training, accounting for it and that the efforts are making a difference.