OVERLOOK SYSTEMS TECHNOLOGIES, INC. Standard Practice Procedure

Transcription

1 OVERLOOK SYSTEMS TECHNOLOGIES, INC. Standard Practice Procedure for Safeguarding Classified Information 25 March 2013

2 FOREWORD As stated in the Overlook Security Policy, dated 23 January 2013, Overlook Systems Technologies, Inc. has entered into a formal written agreement with the Department of Defense and has been granted a U.S. Government Facility Clearances (FCLs) in order to perform work on government contracts requiring access to classified information. The Overlook Headquarters Facility in Vienna, VA has been granted a Top Secret FCL, as has the Overlook Facility in Los Angeles, CA. This agreement provides that the company, and all its employees, will follow the regulations and procedures established by the National Industrial Security Program Operating Manual (NISPOM) (DOD M). As required by the NISPOM, this Standard Practice Procedure (SPP) has been developed to provide detailed, company specific, amplification of NISPOM requirements to reasonably foreclose the possibility of loss or compromise of classified information. Failure to handle classified information properly can result in damage, in varying degrees, to the national security of the United States, including the potential for loss of life! Additionally it can result in severe penalties under the Federal Espionage Laws and Criminal Statutes. Egregious violations or infractions could be considered justification for revocation of individual security clearances and, possibly, suspension or revocation of the company s facility clearance. Therefore, it is incumbent on all Overlook employees to read, understand, and adhere to the provisions of this SPP. _(file copy signed) Ronald T. Hansson Principal Corporate Security Officer

3 Table of Contents Chapter 1. General Provisions and Requirements Section 1. Introduction Purpose Scope Waivers Section 2. General Requirements Facility Security Officer Standard Practice Procedure (SPP) Security Reviews Hotlines Cooperation with Federal Agencies and their Officially Credentialed Reps Section 3. Reporting Requirements General FSO Responsibilities Chapter 2. Security Clearances Section 1. Facility Clearance General PCLs Required in Connection with FCL Section 2. Personnel Clearances General Investigative Requirements Pre-employment Clearance Actions Verification of Citizenship JPAS/JCAVS Representative of a Foreign Interest (RFI) Interim Clearances Consultants Converting and Reinstating Security Clearances Clearance Terminations Records Maintenance Annual Personnel Clearance Review Section 3. Foreign Ownership, Control or Influence (FOCI) General Chapter 3. Security Education,Training and Briefings Section 1. Security Training and Briefings

4 General FSO Training Initial Security Briefings Refresher Training Training Records Debriefings Foreign Travel and Travel Threat Briefings Derivative Classification Training Chapter 4. Classification and Marking Section 1. Classification General Derivative Classification Responsibilities Security Classification Guidance Challenges to Classification IR&D and other Contractor Developed Information Classified Information Appearing in Public Media Declassification of Classified Information. Section 2. Marking Requirements General Training Chapter 5. Safeguarding Classified Information Section 1. General Safeguarding Requirements General Oral Discussions End of Day Security Checks Perimeter Controls Emergency Procedures Annual Classified Holdings Review Section 2. Control and Accountability General Policy External Receipt and Dispatch Accountability for TOP SECRET Receiving Classified Material Generation of Classified Material Section 3. Storage and Storage Equipment General GSA Storage Equipment Top Secret Storage

5 Secret Storage Restricted Areas Closed Areas Supplemental Protection Protection of Combinations to Security Containers and Closed Areas Changing Combinations Container Repair Supplanting and Automated Access Control Systems Mechanical Access Control Devices Section 4. Transmission General Preparation and Receipting TOP SECRET Transmission SECRET and CONFIDENTIAL Transmission Transmission outside U.S., Puerto Rico, or a U.S. Possession or Territory Addressing Classified Material Large Packages or Equipment Requiring Shipment by Commercial Carrier Use of Commercial Passenger Aircraft for Hand-carrying Classified Local or Metro Courier Authorizations Section 5. Disclosure General Disclosure Categories Section 6. Reproduction General Section 7. Disposition and Retention General Destruction Destruction Records Disposition of Classified Material Not Received on Specific Contract Section 8. Construction Requirements General Section 9. Intrusion Detection Systems General. Chapter 6. Visits and Meetings Section 1. Visits General Notification Need-to-Know Determination

6 Visitor Control and Records. Section 2. Meetings General Location and Security Arrangements for Meetings Chapter 7. Subcontracting Section 1. Prime Contractor Responsibilities General Chapter 8. Automated Information Systems Security Section 1. Responsibilities General Responsibilities Requirements and Procedures. Chapter 9. Special Requirements Section 1. Restricted Data and Formerly Restricted Data General Section 2. DoD Critical Nuclear Weapon Design Information (CNWDI) General Section 3. Intelligence information General Control Markings Authorized for non-sci Intelligence Information Chapter 10. International Security Requirements Section 1. General and Background Information General Section 2. Disclosure of U.S. Information to Foreign Interests General Section 3. Foreign Government Information General Section 4. International Transfers General Section 5. International Visits and Control of Foreign Nationals Foreign Visits to Overlook Facilities.

7 Technology Control Plans (TCPs) Foreign Visitor Control Foreign Disclosure Overlook Attendance at International Conferences or Meetings Section 6. Contractor Operations Abroad General Section 7. NATO Information Security Requirements General Section 8. International Requests For Visit (IRFV) Procedures for overseas meetings Overlook Employee OUTUS Visits Chapter 11. Miscellaneous Information. Section 1. TEMPEST, DTIC, and IR&D General APPENDICES Appendix A. Overlook Security Program Organization Chart Appendix B. Definitions Appendix C. Abbreviations and Acronyms Appendix D. Forms

8 Chapter 1. General Provisions and Requirements Section 1. Introduction Purpose. This Standard Practice Procedure is issued to amplify and specify the requirements of the NISPOM and is not intended to supplant its requirements. No requirement in this SPP may be less stringent than that provided by the NISPOM. However, in several instances, company procedures may include stricter or more detailed safeguarding measures. These specific measures will be delineated comprehensively to ensure understanding and reduce the potential for security incidents. Additionally, some NISPOM restrictions and safeguards will be summarized for reference. This SPP is keyed to the NISPOM. Chapters and, in most cases, Sections are numbered and titled similarly to enable easy cross-reference between the two documents Scope. The provisions of this SPP extend to all Overlook employees, whether or not cleared for access to classified information. While uncleared employees will certainly not be required to handle, store, or transmit classified information, it is critical that they understand the concepts and recognize the potential for serious damage to the national security when classified information is mishandled. They must also be aware of reporting requirements and methods, to ensure that, in the event an infraction or incident occurs, they can take proper steps to maintain the integrity of the Overlook security program. All cleared employees are charged with understanding and abiding by the regulations and specifications contained in this SPP, as well as appropriate sections of the NISPOM. Other security guidance may come in the form of procedural directives, such as the ISOO Marking Guide for Classified Information, Contract Security Classification Specifications (DD Forms 254), and Security Classification Guides, to name a few. According to their involvement with classified information, employees will be responsible for understanding and adhering to these instructions. Whenever there is a question related to security and safeguarding classified information, individual employees should always verify processes with their FSO BEFORE risking loss or compromise Waivers and Exceptions to the Manual. Requests for exceptions to procedures described in this SPP must be approved by the Principal Corporate Security Officer (PCSO). Requests must be considered against NISPOM requirements as well as company needs. Section 2. General Requirements Facility Security Officer. Each Overlook FSO must be cleared to the level of the Facility Clearance (FCL) for his or her facility and shall complete security training as required by the NISPOM Standard Practice Procedure (SPP). Each FSO will submit to the PCSO a Local Addendum to the SPP. The PCSO will ensure that, at a minimum, the following items are included in the SPP Local Addenda: Emergency Action Plans, Physical

9 Security specifics (such as alarms, key access, etc.), Security In Depth plans, perimeter control, and classified material storage locations, visitor controls, and references to Special Access Program and SCI Standard Operating Procedures Security Reviews. a. Government Reviews or Inspections will be conducted approximately annually by Defense Security Service (DSS) Industrial Security Representatives (ISRs) and Overlook FSOs will normally be informed in advance of a scheduled review. Additional inspections may be made by other government agencies for Sensitive Compartmented Information Facilities (SCIFs) and for Special Access Program Facilities (SAPFs). Each FSO will provide guidance to employees and assistance to government representatives for these reviews. b. Self-Inspections will be conducted annually (as a rule, midway between scheduled government inspections) by each FSO, with the assistance of one or more cleared staff members. The purpose of these inspections is to ensure that there has been no degradation of the security posture at Overlook and that security procedures are being observed. Self-inspections are an excellent tool for training Assistant FSOs, administrative personnel and others who will assist the FSO. A summary report of the results of each such self-inspection will be prepared and placed in facility security files. A copy of each summary report will be forwarded to the PCSO for corporate records Hotlines. Federal agencies maintain hotlines to provide an unconstrained avenue for contractor employees to report, without fear of reprisal, known or suspected instances of serious security irregularities and infractions concerning contracts, programs, or projects. While all employees are urged to report these issues to the FSO without fear of reprisal so that immediate and appropriate corrective action can be taken, they are also at liberty to use these hotlines and are encouraged to do so. The DoD hotline number is listed below, while numbers for CIA, NRC, and DOE are available from the NISPOM. Defense Hotline The Pentagon Washington, DC (800) (703) Cooperation with Federal Agencies and Officially Credentialed Representatives of Those Agencies. There are several instances where representatives of federal agencies, both government service and contractor personnel, will request and require assistance from Overlook personnel. While verification of the identity and credentials of such personnel is both appropriate and required, all Overlook staff shall provide willing and comprehensive support to these representatives.

10 Section 3. Reporting Requirements General. As a cleared contractor under the National Industrial Security Program (NISP), Overlook is required to report certain events that have an impact on the status of our FCLs as well as employees personnel clearances (PCLs), that affect safeguarding of classified information, or that indicate classified information may be lost or stolen. Most of these reports are prepared and submitted by FSOs and are not listed here. However, all employees are responsible to report any of the following conditions or situations to their FSOs: a. Any information concerning actual, probable or possible espionage, sabotage, or subversive activities; actual, probable, or possible terrorism. b. Adverse Information. Any information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security. Self-reporting is encouraged, since information of this nature will almost certainly be revealed at the next periodic reinvestigation and non-reporting may be perceived as an attempt to prevent discovery. Examples of adverse information include: Criminal activity Treatment for mental or emotional disorders Bizarre or notoriously disgraceful conduct Excessive use of intoxicants Use of illegal, controlled substances Excessive indebtedness or recurring financial difficulties Garnishment of wages Moving violation with a fine over $ c. Suspicious contacts. These include efforts by any individual to obtain illegal or unauthorized access to classified information or to compromise a cleared employee. Contacts by cleared employees with known or suspected intelligence officers of foreign countries must also be reported. Suspicious Contact Reports (SCRs) may also include indirect contacts, such as cyber phishing attempts. d. Change in status. Some of these are changes to name, marital status, and citizenship. e. Representative of a Foreign Interest. Any cleared employee who becomes a representative of a foreign interest (RFI). Example: working as a sales representative for a foreign company. (This item is no longer reportable to DSS, but shall be maintained in the employee s security personnel file for reference during reinvestigations and adjudications.)

11 f. Loss, compromise, or suspected compromise. Any such loss or compromise must be immediately reported to the FSO, who will conduct inquiries appropriately in accordance with the NISPOM. Employees must remember, when reporting such incidents, that any details could reveal a vulnerability and, therefore, must only be reported via face-to-face contact or via secure communications, such as a STE. g. Foreign Travel. All cleared Overlook employees must report planned foreign travel, whether for business or pleasure, to their FSOs at least 30 days in advance of scheduled travel. While there are a variety of different reporting formats, based on program level directives and other instructions, employees will use the Overlook Notification of Foreign Travel, January 2013 attached at Appendix D, unless directed otherwise by their FSO. Additionally, when travel is for business, an employee will complete the Overlook Draft International Request For Visit (IRFV) (also attached at Appendix D) and submit it to his or her FSO at least 35 days prior to planned travel. While completion of two separate forms may seem redundant, each form serves a specific purpose and each meets specific regulatory requirements. A Foreign Travel Checklist, intended for the convenience of the traveler, is also attached at Appendix D. Overlook employees whose access to classified information is either wholly or partly at other cleared contractor facilities or government facilities must observe reporting requirements levied by these organizations in addition to their Overlook requirements FSO Responsibilities. Copies of preliminary and final reports to DSS, the FBI, or CSAs will be filed in official company security records. Individual culpability reports, when punitive actions are taken against an employee, will be approved by management prior to such actions being initiated. Changes in employee status and adverse information will be reported via JPAS. A copy of the JPAS report will be printed and retained in company security files.

12 Chapter 2. Security Clearances Section 1. Facility Clearances General. While Overlook operates as a single facility organization with a Top Secret FCL, Overlook s Los Angeles office has a separate CAGE Code and Top Secret FCL. Changes to these authorizations will be requested by the FSO through DSS and other agencies, as necessary PCLs Required in Connection with the FCL. The senior management officials designated as Key Management Personnel (KMPs) and the FSO must always be cleared to the level of the FCL. Section 2. Personnel Clearances General. Employees who will perform tasks in conjunction with a classified contract, which will require access to classified information, will be processed for a PCL at the level of the access required. The majority of work currently performed by Overlook requires access to Top Secret information. Therefore, in most cases, a Top Secret clearance will be requested Investigative Requirements. A Single Scope Background Investigation (SSBI) is required for Top Secret eligibility and SCI access. A National Agency Check with Local Agency Check and Credit Check (NACLC) is required for Secret eligibility Pre-employment Clearance Actions. No action may be taken to initiate security clearance processing for an applicant until a written commitment for employment has been received with a clause indicating that employment will commence within 30 days of granting of eligibility at the required level. (In other words, when the position which is being offered requires Secret or Top Secret eligibility, and the candidate does not currently possess the requisite eligibility, but is otherwise qualified, the company may issue an offer letter for employment, contingent on successful completion of a Personnel Security Investigation (PSI) and adjudication of eligibility at the appropriate level, to commence within 30 days after adjudication.) At that point, the FSO may commence clearance processing procedures, including Initiating a Personnel Security Investigation (PSI) in JPAS, getting the candidate started on e-qip, and all other required actions, such as fingerprinting Verification of Citizenship. FSOs will verify U.S. Citizenship for each candidate prior to starting clearance processing. A copy of the individual s Birth Certificate or U.S. Passport will be made and placed in the employee s Security Personnel File as proof of verification. If a birth certificate or passport is not available, other documentation may be used. See NISPOM for acceptable proofs of citizenship.

13 JPAS/JCAVS is the CSA approved database for eligibility and access approvals. FSOs will retain the Person Summary page in JPAS for each cleared employee Representative of a Foreign Interest (RFI). Any candidate for a security clearance, who is an RFI, must submit a statement, as part of their PSQ data, that fully explains the foreign connections and identifies all foreign interests. This statement becomes part of the person s Investigative File. The Cognizant Security Agency (usually the DoD Central Adjudication Facility or DODCAF) will then determine whether the candidate is eligible for access to classified information. Overlook employees are discouraged from representing foreign organizations, businesses, or interests while employed by Overlook Interim Clearances. Interim Secret and Top Secret eligibility may be granted (when possible) by DODCAF at the appropriate stage in the investigative process. An interim Secret eligibility is valid for access to classified information at the level of the interim PCL, except for Restricted Data, COMSEC Information, and NATO information. An interim Top Secret PCL is valid for access to Top Secret information and for Restricted Data, NATO information and COMSEC information at the Secret and Confidential level. SCI and SAP accesses may be granted at the discretion of the CSA, based on an Interim eligibility. An interim eligibility may be withdrawn, if derogatory information is subsequently developed, until completion of the investigative and adjudicative process Consultants. A consultant is defined in the NISPOM as an individual under contract to provide professional or technical assistance to a contractor or Government Contracting Authority (GCA) in a capacity requiring access to classified information. Consultants will be processed for security clearances in the same manner as employees, except that, in each case a Consultant Security Agreement will be prepared by the appropriate FSO. This agreement must specify that, except in connection with authorized visits to installations on behalf of Overlook Systems Technologies, Inc: a. the consultant shall not possess classified material away from Overlook premises; b. Overlook shall furnish classified material to the consultant only at Overlook premises; c. the consultant shall accomplish performance of the consulting services only on Overlook premises. The appropriate Overlook FSO will provide classification guidance to the consultant and will brief the consultant on all security controls and procedures in the same manner as an employee. The consultant s PCL is only valid for access directly related to tasks assigned by Overlook and may NOT be used for other business. FSOs must carefully review requests

14 from cleared consultants for Visit Authorization Letters to ensure that the requested visit is required to perform work for Overlook Converting and Reinstating Security Clearances. Eligibility of new employees for access to classified information will be determined by the FSO from JPAS records. The employee must have been eligible and briefed for access to classified material within the previous two years in order to be eligible for immediate access. Once the employee is determined to be eligible for a given level of access, the FSO will brief the employee and make appropriate entries in JPAS Clearance Terminations. Overlook must terminate a security clearance for any employee who (a) terminates employment or (b) will not need access to classified information in the foreseeable future. Clearances may NOT be terminated by Overlook due to Adverse Information or other disqualifying factors. FSOs who discover serious Adverse Information about a cleared employee should request direction from the PCSO. As a general rule, the employee may be temporarily relieved of duties requiring access to classified information. However, the PCL may not be suspended or terminated until directed by DSS or other CSA Records Maintenance. Each Overlook FSO will maintain a record of all cleared employees at his or her location, to include clearance level and status, additional accesses (such as NATO or COMSEC), investigation type and date, and other relevant information. Copies of documents used to support the eligibility and accesses, as well as briefings, required reports, and debriefings, will be maintained by the FSO in the Overlook Security Personnel File for each employee. Details of file format and retention requirements will be provided by the PCSO. FSOs are cautioned that JPAS is the official database for individual eligibility and access; therefore it must accurately reflect the current status of all Overlook Employees eligibility and accesses Annual Personnel Clearance Review. The FSO at each cleared Overlook facility will conduct an annual review of personnel clearances at the facility to ensure that the number of cleared personnel is kept to the minimum necessary to accomplish contractual or support requirements. Section 3. Foreign Ownership, Control, or Influence (FOCI) General. Overlook is a privately owned company whose owners are U.S. citizens and whose entire management are U.S. citizens who hold Top Secret security clearances. Therefore, the only FOCI issue is with influence from foreign interests with whom Overlook does business directly. At this time, these are few. Details of FOCI requirements may be found in NISPOM, section 2-3.

15 Chapter 3. Security Training and Briefings Section 1. Security Training and Briefings General. It is Overlook s responsibility to provide training and briefings in accordance with employees involvement with classified information FSO Training. Overlook FSOs must complete the prerequisites for and attend the DSS FSO Program Management Course within six months of appointment, unless this training has been completed while previously employed by a NISP contractor Initial Security Briefings. FSOs are responsible to ensure that all cleared employees are thoroughly briefed on their responsibilities BEFORE granting them access to classified information. Initial security briefings must include: a. A threat awareness briefing; b. A defensive security briefing; c. An overview of the security classification system; d. Reporting obligations and requirements; e. Security procedures and duties applicable to the employee s job; f. Site specific and contract specific requirements. The PCSO will review all initial briefing materials to ensure that at least minimum requirements are met and that all employees will understand the procedures and processes necessary to properly safeguard classified information Refresher Training. Overlook FSOs will administer an ongoing Security Education program at each location to ensure that security issues are kept in the forefront of employee consciousness at all times. Annual refresher briefings, while not specifically required, are strongly recommended. The PCSO will develop and make available training and education resources for FSOs to use, including broadcast s relating to current security-related subjects, bullets and new items of threat information sent directly to FSOs for local use, and any materials acquired through government sources which the PCSO deems appropriate for use at Overlook locations Training Records. Records of NATO, COMSEC, CNWDI, and Courier Briefings will be maintained in the Security Personnel File of each cleared employee. Filing plans will be developed by the PCSO to help maintain continuity between different Overlook sites. Refresher training records may be kept in the Security Personnel Files, but may also be kept in a Security Training and Education file within each FSOs office. Employees are required to affirm by signature that they have received annual refresher training. Records of attendance at other briefings or distribution of mail and bulletins must be maintained by the FSO.

16 Debriefings. FSOs will conduct debriefings in accordance with paragraph of the NISPOM Foreign Travel and Travel Threat Briefings. Upon receipt of a Notification of Foreign Travel form from an Overlook employee, the applicable FSO will review it to ensure that all required information is completed and that the employee dated and signed the form. The FSO will then provide the employee with a copy of the latest Department of State Country travel advisory or warning, regional warnings, and current threat warnings or advisories. If the employee has not had a Foreign Travel Briefing within the past three years, the FSO will conduct a Foreign Travel Threat Briefing or Defensive Security Briefing and provide a copy of the pamphlet Your Passport to a Safe Trip Abroad and any other appropriate travel safety information. The FSO will retain the Notification of Foreign Travel form in a suspense file until the employee returns, at which time the FSO will administer the Foreign Travel Debriefing. Should the employee have had suspicious contacts with foreign nationals, the FSO will report immediately to the PCSO, relevant Program Security Officers, and DSS, as required. Completed Notification of Foreign Travel forms will be filed in the subject s Security Personnel File for reference and for future use by the employee when completing periodic reinvestigation forms Derivative Classification Training (DCT). All employees who have been identified as performing functions which could require them to derivatively classify information shall complete initial required Derivative Classification Training PRIOR to performing these duties. The approved training program can be accessed at the following URL. Thereafter, DCT will be completed on a biannual basis, in Sep/Oct of every odd numbered year. Employees will certify completion of DCT to their FSO, who will maintain a record of this training in each employee s Security Personnel File.

17 Chapter 4. Classification and Marking Section 1. Classification General. Original classification of information may only be made by a U.S. Government official who has been delegated the authority in writing. Original Classification Authorities (OCAS) may then issue a security classification guide (SCG) for use in making Derivative Classification decisions. Contractors make derivative classification decisions either by: a. referring to the SCG; b. continuing the classification marking for information extracted from an already marked document; c. referring to the Contract Security Classification Specification (DD Form 254) provided with each classified contract; d. referring to programmatic classification instructions provided by the government contracting authority Derivative Classification Responsibilities. Overlook employees who extract or summarize classified information, or who apply classification markings derived from a source document or SCG are making derivative classification decisions. As such, they must be trained in their responsibilities and in the procedures inherent in derivative classification. See paragraph Security Classification Guidance. Government Contracting Authorities (GCAs) must provide classification guidance with each contract which requires access to and generation of classified material. This guidance is provided by means of the DD Form 254. The DD Form 254 is a contractual specification necessary for performance on a classified contract. If a classified contract is received without a DD Form 254, the FSO shall advise the GCA, with a copy to the PCSO. When changes occur, the GCA must issue a revised DD Form 254. Upon completion of the contract, the GCA must issue a final DD Form 254, specifying disposition instructions for all classified material. FSOs will review all DD Forms 254 at least annually to determine their currency and validity. If issues cannot be resolved through the GCA, the FSO will refer the problem to the PCSO for action Challenges to Classification. Whenever an Overlook employee believes that information is classified improperly or unnecessarily, or that the classification is either too high or too low, or that security classification guidance provided is improper or inadequate, he or she is encouraged to immediately report this to the FSO. The FSO, working with the GCA, should attempt to resolve the situation. If no resolution can be obtained, the FSO will begin the process of a formal classification challenge, in accordance with paragraph of the NISPOM. Any such challenges must be made through the PCSO, to validate corporate identity and management support.

18 IR & D and other Contractor Developed Information. Procedures described in of the NISPOM will be followed when an employee believes that Overlook developed information should be classified. The Classification Determination Pending marking must be used on all such documents Classified Information Appearing in Public Media. Overlook employees are reminded of the fact that just because classified information has been made public does not mean that it is automatically declassified. Employees shall continue the classification safeguards and controls until formally advised to the contrary. Remember! Information, which appears to have been extracted from classified sources, may actually be only speculation on the part of the writer. Confirmation by a knowledgeable, cleared person may serve to validate the truth of the information and change the status from guesswork to compromise! Declassification of Classified Information. Overlook employees will downgrade or declassify information based on a DD Form 254 or upon formal notification by a CSA. Declassification dates on documents are not automatic authorization for declassification. Prior to declassifying any document (or classified information extracted from the document), FSOs will make contact with either the originator of the document or the GCA of the contract under which it is held. Formal confirmation of the declassification of the document by one of these two parties is mandatory prior to declassification. Only FSOs are authorized to officially downgrade or declassify information held by Overlook. NOTE: Declassification of information is not automatic approval for public disclosure! Section 2. Marking Requirements General. Physically marking classified information serves to warn and inform holders of the degree of protection required to safeguard it properly. It is essential that all cleared Overlook employees pay strict attention to marking requirements. All documents, media, and other forms of classified material will be marked in accordance with Chapter 4-2 of the NISPOM and the Information Security Oversight Office (ISOO) directive Marking Classified National Security Information Training. The PCSO will develop a Document Marking training program to ensure that all Overlook employees are well versed in their responsibilities and the appropriate procedures. FSOs will ensure that ALL cleared personnel are trained in marking classified material and are periodically updated on changes to marking requirements.

19 Chapter 5. Safeguarding Classified Information Section 1. General Safeguarding Requirements General. Overlook is responsible for safeguarding all classified material in its possession or control. All Overlook employees are responsible for safeguarding classified information entrusted to them. The extent of protection will be determined by the level of classification and shall always be sufficient to reasonably preclude the possibility of loss or compromise. FSOs will establish local procedures for the handling and storage of classified material, commensurate with Chapter 5 of the NISPOM Oral Discussions. All Overlook employees will pay particular attention to accessibility by unauthorized personnel when preparing to discuss classified information. They are prohibited from discussing classified over unsecured telephones, in public conveyances or public places (including common areas of Overlook facilities, such as kitchens, entrance foyers, and similar gathering places), or in any other manner that permits interception by unauthorized persons. Remember! To be an authorized person, the individual must have both the appropriate clearance AND the Need To Know for the information being discussed! End of Day Security Checks. FSOs at all Overlook facilities will establish a system of security checks at the end of each working day to ensure that all classified material and authorized containers have been appropriately secured. Detailed procedures will be included in the location specific addendum to this SPP. Records of such checks will be kept in the FSO s security files for one year Perimeter Controls. Overlook is required to establish controls to discourage the unauthorized introduction or removal of classified material from its premises. To do so, all Overlook facilities, where classified storage is authorized, will observe the following procedures: a. FSOs will post warning signs at all pertinent entries and exits that All persons who enter or exit the facility are subject to an inspection of their personal effects, to include bags, parcels, briefcases, totes, computer cases, and luggage, to preclude the unauthorized introduction or removal of classified material. (Inspections are not required of wallets, change purses, etc.) b. FSOs will conduct random sample inspections of persons entering or departing, including visitors, employees, vendors, and consultants. FSOs should consult with the PCSO prior to commencing inspections to assure maximum results with minimal impact on operational effectiveness. Results of these inspections will be maintained in FSO files for two years.

20 c. FSOs will conduct an annual review of perimeter access control measures, in conjunction with the annual self-inspection, to determine if these measures should be altered or upgraded to reflect changes in access requirements Emergency Procedures. FSOs will develop location specific action plans for safeguarding classified material in an emergency and include them in their SPP addenda. Plans should be keyed to emergency situations most likely to occur in the particular geographic area. For example, while an earthquake emergency plan would be appropriate in California, it would not be so in Virginia. All locations must include a plan for fire emergencies. All plans will be based on the following criteria: a. Protection of life and limb takes precedence over safeguarding classified material. In other words, returning a large volume of classified material to approved locked storage prior to evacuation of the premises must NEVER be required if it would endanger the life or health of an employee. b. Provisions must be made for the removal of classified material to an identified alternate storage location in the event that it cannot be properly safeguarded after a fire or other natural disaster. c. Provisions must be included for collecting, safeguarding, and properly storing classified material that could not be properly stored prior to evacuation. In this case, steps should be identified for interviewing emergency response team members and others who might have gained inadvertent access Annual Classified Holdings Review. FSOs, at cleared Overlook facilities which are authorized storage of classified material, will conduct an annual review of classified holdings to ensure that only the minimum necessary to accomplish contractual requirements is maintained. This review will be held in conjunction with appropriate management personnel and cleared employees who work with the material held. Documents or media, which are determined to be in excess or are no longer authorized retention due to expiration of relevant contract, will be returned to the GCA or destroyed by authorized means. Section 2. Control and Accountability General. Overlook must establish an information management system and control classified material in its possession Policy. While NISP has eliminated the requirement for a document accountability system for SECRET material as a security protection measure, all classified material must be accessible to those requiring it, must be retrievable by the government for disposition, and must be protected to ensure that it is used or retained only in furtherance of a lawful and authorized U.S. Government purpose. Therefore,

21 ALL classified material received or generated by Overlook, will be entered into a document accountability system maintained and controlled by the FSO at each facility External Receipt and Dispatch. FSOs shall maintain records of all Classified Material Receipts (CMRs) for both incoming and outgoing material. Signed copies of all CMRs will be maintained for one year. Before destroying CMRs, FSOs will ensure that relevant information is entered into the document accountability system. To facilitate retrieval, the Overlook document control number and copy number, assigned to an incoming classified document, will be noted on the Overlook copy of the incoming CMR Accountability for TOP SECRET. Overlook does not currently have authorization for the storage of Top Secret material at any Overlook facilities. Should this change, procedures established by paragraphs of the NISPOM will be followed Receiving Classified Material. FSOs will establish procedures, in their SPP addenda, to ensure that all signature mail, to include FedEx, UPS, and other courier services, is delivered to and signed for only by properly cleared individuals and that safeguarding procedures are followed until all such mail can be opened to determine if it contains classified material. The envelope or packaging shall be examined for evidence of tampering and the classified contents (when found to be so) checked against the CMR. Discrepancies will be reported to the PCSO and the originator of the material. All CMRs will be signed and returned within two working days of receipt Generation of Classified Material. a. Finished Documents. All finished classified documents, produced by Overlook, will be entered into the classified document accountability system by the FSO. b. Classified Working Papers. Working papers are intended for short-term, temporary use. As such, they must be dated on the date of creation, marked with the overall classification and Working Papers, marked with the name of the creator, and destroyed when no longer needed. If transmitted outside the facility, they must first be entered into the accountability system and marked in the same manner as a finished document (including portion markings, page markings, and declassification instructions), and receipted by the FSO. Secret and below Working Papers retained beyond 180 days after creation will also be entered in the accountability system. Working Papers must be reviewed quarterly to ensure that they are still required and that they have not exceeded the 180 day limitation. Section 3. Storage and Storage Equipment General. This section details and amplifies Chapter 5, Section 3 of the NISPOM, same subject. Physical protection of classified material must always meet at least the minimum standards set by the NISPOM and will frequently exceed them. FSOs

22 requiring storage for classified material will coordinate efforts with the PCSO, PRIOR TO purchasing any equipment or contracting for any construction designed to meet government standards for physical safeguarding of classified information GSA Storage Equipment. It is Overlook s policy to use GSA-approved, Class VI or higher storage cabinets to store classified material. Exceptions will be made for Closed Areas which are approved for Open Storage of classified material. However, in general, requests for exemption will not normally be approved if Class VI containers are available Top Secret Storage. Should future changes to Overlook s storage authorization warrant Top Secret Storage, FSOs will coordinate with the PCSO to ensure that TS storage requirements, including supplemental protection (alarms), are met Secret Storage. Only GSA-approved, Class VI or higher, containers will be used to store Secret or Confidential material at Overlook. FSOs are responsible for the acquisition and installation of approved containers. Coordination with the PCSO is suggested Restricted Areas. In general, a Restricted Area is an area within a facility which is used for work on classified information. It is only for use when appropriately cleared employees with Need-to-Know are present and its purpose is to prevent inadvertent access to classified information by persons who would not intentionally do so. While no physical barriers are required, they are recommended. Example: while work may be done in an open bay environment, provided that warnings and visual protections are in place, it is safer to do the work in an office or conference room, where the doors can be closed and access physically barred, if only for a few moments. FSOs will approve locations for classified work and include them in their local SPP addenda Closed Areas. When a closed area is required, due to the size and nature of the material, or operational necessity, it may be necessary to construct one. FSOs must review carefully all requests for Closed Areas to ensure that they are valid and not just a matter of convenience. Construction costs for Closed Areas can be significant! FSOs must submit conceptual plans to the PCSO prior to contracting for any design or construction of Closed Areas. Closed Areas must be constructed according to Chapter 5, Section 8 of the NISPOM and DSS must approve them. Procedures for use of Closed Areas will be described in the local SPP addenda, to include securing by approved locking device when the area is unattended during working hours and procedures for ensuring structural integrity above false ceilings and below raised floors Supplemental Protection. If required, supplemental protection at Overlook will be in the form of Intrusion Detection Systems or IDS. FSOs must take great care when investigating IDS requirements and researching vendors to ensure that vendors can meet established standards and any upgrades. Particular care must be taken when a space will be both a Closed Area and a SCIF or SAP Facility, as there are different standards for

23 Collateral, SCI, and SAP classified material protection. FSOs will coordinate all efforts requiring IDS with the PCSO Protection of Combinations to Security Containers and Closed Areas. FSOs will keep a record of the names of all employees holding the combination to any classified container or Closed Area. Since combinations to containers and Closed Areas provide a method to gain access to classified material, they must be protected at the same level as the highest level of classified protected by them. In other words, they cannot be written down and stored ANYWHERE but in a safe or container which is approved for storage of that level and category of information. Employees must memorize combinations, NOT write them down Changing Combinations. FSOs will ensure that combinations to containers or Closed Areas are changed in accordance with Chapter 5, Section 309 of the NISPOM Container Repair. Should repair of a classified material container become necessary, the FSO will advise the PCSO of the situation, contract with an approved locksmith who has the relevant experience and training in maintenance and repair of containers, and escort the vendor at all times. As a general rule, if a safe must be drilled open in order to access it, the vendor must be escorted at all times and removed from the area as soon as the drawer or container is open. Classified material enclosed in the container is then removed or covered and the technician is allowed to finish the repair, under escort. Certification of container repair shall be provided by the repairer in accordance with Chapter 5 of the NISPOM Supplanting and Automated Access Control Systems. Due to the complexity and cost of supplanting and automated access control systems, perimeter access to Closed Areas while they are open, is controlled by properly accessed employees. In other words, while a cipher-lock, or similar device, may be in place to prevent inadvertent access, it is the responsibility of employees who are present in the Closed Area to assure that only properly cleared and briefed personnel gain access. When Closed Areas are unoccupied during working hours, they must be secured by the approved locking device, but need not be alarmed. Outside normal working hours, when not occupied, they must be locked and alarmed Mechanical Access Control Devices. Combinations to mechanical devices, such as Unican push button locks, used to prevent inadvertent access, will be changed whenever an employee who holds the combination is terminated or no longer requires access. Combinations will be changed only by the FSO. Section 4. Transmission General. Classified material will be transmitted outside an Overlook facility only by DSS approved means. With the exception of voice transmission via STE Secure

24 Communications Devices, classified material will be prepared for transmission only by the FSO Preparation and Receipting. a. Classified material will be wrapped in two opaque covers. The sealed inner wrap will include the name and address of both the sender and addressee, as well as the highest classification of material contained. The outer wrap will contain sender and addressee information, but will not display any indication that it contains classified information. b. A Classified Material Receipt (CMR) will be included with each classified package to ensure that it reaches its final destination. The receipt will identify the sender, the addressee, and the document (Overlook control number and copy number, classification, and Unclassified title). Receipts will be held in a suspense system until the signed copy is received. A tracer copy will be sent to the addressee whenever a signed receipt is not received within 30 days TOP SECRET Transmission. At this time, Overlook is not authorized to receive, generate or store Top Secret information. Should that change, transmission procedures will be in accordance with NISPOM Chapter SECRET and CONFIDENTIAL Transmission. Secret and Confidential material may be transmitted by: a. approved electronic devices (such as STE Securefax); b. a designated courier cleared for access to Secret information; c. USPS Express Mail and USPS Registered Mail; d. other methods approved by DSS with the advance approval of the PCSO. Note: FSOs will meet the requirements of NISPOM Chapter 5-4 regarding specific restrictions and procedures when using Express Mail Transmission outside the U.S., Puerto Rico, or a U.S. Possession or Territory. Should such transmission become necessary, FSOs will use methods specified in NISPOM Chapter 5-4. Carrying sealed envelopes and packages through the Customs and Immigration checkpoints in foreign countries is an invitation to disaster. Therefore, Overlook employees WILL NOT be authorized to hand-carry classified material outside the United States without the approval of the PCSO Addressing Classified Material. Classified mail must not be addressed to individuals. The approved classified mailing address must always be used on the outer wrap, while attention lines or for lines may be included on the inner wrap or receipt.