The role of a Facility Security Officer (FSO) is often misunderstood.
People may think that an FSO just walks around with a clipboard and issues warnings to people about their incomplete security tasks and bad behavior. However, the duties required by law are much more extensive than this.
The role of an FSO in reporting to the government is also vitally important for maintaining security compliance - but what does it entail?
Let’s take a look at a couple aspects of 32 CFR 117, the National Industrial Security Program Operating Manual (NISPOM), as well as discuss why all these requirements are part of an FSO's toolkit.
What is the NISPOM?
The National Industrial Security Program (NISP) and associated National Industrial Security Program Operating Manual (NISPOM) is a federal program that regulates how private companies and organizations handle and protect classified information. It’s basically the rulebook for cleared companies.
As most professionals like you know, it was established by Executive Order 12829 and recently became part of the Combined Federal Regulation (CFR). You might now see NISPOM referred to as “32 CFR part 117.”
32 CFR 117 / NISPOM includes a wide range of specific controls that your company must have in place, and those rules change frequently. Most recently, Security Executive Agent Directive 3 (SEAD 3) became part of the NISPOM, significantly increasing your reporting obligations.
Some of the types of information that must be reported include:
- Specific threats like espionage and sabotage
- Adverse information based on the 13 adjudicative guidelines
- Suspicious contacts
- Foreign travel and foreign contacts
- Adverse information on other employees
- Indicators of insider threat
- Unlawful or inappropriate informations system activity
- Investigations and your response
- Cyber incidents
However, NISPOM isn’t just about reporting, it’s about how you keep records, train employees, handle materials and information systems, conduct self-assessments, and work with other parties.
But Wait, My Customers Aren’t DoD.
Sorry, you aren’t off the hook. If your customers are intelligence agencies or civilian agencies with classified information like DHS or DOE they are still covered – intelligence information is under the jurisdiction and control of the Director of National Intelligence (DNI), who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes.
You will probably just get to enjoy a few extra rules and contract requirements that are a little different from standard DoD rules.
It’s important to understand the structure of the National Industrial Security Program in order to comprehend the role of the FSO and why the “tools” in their toolkit are so important.
Each cleared contractor facility has to designate an FSO whose job is to oversee the overall administration of the security program in the facility and to ensure that reports are completed consistently and quickly. If you work for a large company you might have tens or even hundreds of FSOs and Assistant FSOs (AFSOs), not to mention ITPSOs, ISSOs, ISSAs, and other critical NISPOM stakeholders.
The FSO is the important link between the industry and the government, but reporting can come from anyone and anywhere in the company – which means you need to build structures for reporting that everyone can use.
Why is Reporting Important?
Cleared contractor facilities are attractive targets of foreign intelligence services. And they’re focused on far more frequently than most people realize..
Not only that but our adversaries are patient, waiting months and years for us to make hundreds of small security mistakes and omissions, none of which are “espionage” but together help them piece together critical national security information and expose valuable unclassified information.
An FSO toolkit is vital to prevent breaches to national security, protect our service members, law enforcement, and intelligence professionals, and maintain economic stability.
And we haven’t even mentioned the importance of protecting your company’s competitive advantage in the marketplace.
The Two Types of Reporting
One important thing to remember about reporting is that it’s not only about what the FSO reports to the government. It’s also about what employees report to you.
The insider threat requirements of the NISPOM require you as the FSO to identify patterns of behavior among employees. They might report a lot of minor foreign travel, foreign contacts, cyber incidents, financial changes, and other information that might never meet the threshold of what you report to the government.
You still need to keep track of that data so that you can identify patterns of behavior among people and at facilities.
The other kind of reporting is what you, as the FSO, report directly to the government.
That might be something that meets a critical threshold like theft or arrest, or it may be a pattern of behavior consisting of many actions that – taken individually – don’t seem important but combine to create big risks.
Work with your counterintelligence points of contact at FBI, DCSA or other agencies to discuss these gray areas.
Report Personnel Changes
The FSO toolkit has to include certain changes in personnel, as well. Numerous situations could impact an individual’s security clearance status.
The reporting of adverse information has to be high on the priority list. You may have heard of these as the “13 adjudicative guidelines,” but as an FSO your job is to think critically about any activity or behavior that may be risky, and document internally even if you don’t report it to the government.
It refers to any behavior that might call into question a person’s fitness to have access to classified information. One of the reasons it’s such an important part of the FSO toolkit is that it could be an indicator of an insider threat.
You should have a system in place to report adverse information and make sure employees understand what the term means and how they can report it, as well.
Here are some examples of what could be considered adverse information:
- Information about an employee’s financial situation
- Personal conduct
- Allegiance to the United States
- Reliance on drugs or alcohol
- Criminal convictions
- Any factor that calls a person’s judgment, reliability, character, or credibility into question
A suspicious contact may be an indicator of a serious threat to national security.
Small instances may seem inconsequential but a collective report can tell a different story.
But suspicious contacts can be hard to pinpoint and could seem like benign interactions on the surface.
Here are some indicators you can look for:
- Individuals or organizations making unsolicited requests for information about your company
- An overqualified individual seeking an intern role, aka academic solicitation
- Individuals displaying inappropriate conduct during visits to your facility (This can include visitors asking questions outside the scope of the visit.)
- Suspicious offers to perform work for your company, ie foreign scientists, engineers, or interns offering their services for free
- A foreign contact with individuals in your company based on their family origin
- Suspicious network activity such as multiple attempts to unsuccessfully log into a system that is unrelated to the cleared employee’s domain
Recognize Security Violations
NISPOM defines a security violation as “failure to comply with the policy and procedures established by the NISPOM that reasonably could result in the loss or compromise of classified information.”
Here are some examples:
- Leaving a classified storage container open and unattended
- Allowing unauthorized individuals access to classified material
- Sending classified material by unclassified fax
- Allowing unauthorized individuals access to combinations for containers authorized to store classified material
- Removing classified material from the facility without proper authorization
- Using an unauthorized computer to process classified information
Put the FSO Toolkit to Work
These tools all work together to ensure the safety of your employees, your facility, and sensitive, classified information.
It’s important to report facility and personnel changes, as well as to recognize any situations or circumstances that don’t comply with the rules and standards set forth by NISPOM.
The key to protecting what matters most is having the right software. Get in touch and let’s talk about how ThreatSwitch can help keep you, your people, and restricted information secure.