‘Tis the Season—Wrapping up the year in a big bow!

Around this time each year, it is recommended that FSO Superheroes employ a
few strategies to ensure the security program ends on a high note before the
new year begins!

Here are a few ideas to ensure there’s more to your holiday season than too much food and Amazon shipments!

Great. Now I’m too hungry to FSO.

ISFD

1. 1. You Better Watch Out! At the end of the day, this is THE most important thing that each cleared person can do. Each person should be aware of how to best protect the classified items they access. This can be accomplished by:

1. 1. • Selecting a few cleared personnel and conducting one-onone interviews with them to gauge their understanding of what they protect and how. Sample interview questions can be found in the SelfInspection checklist.

1. 1. • Providing a short training to cleared personnel to ensure they are constantly vigilant against anyone who would do harm and how to thwart their efforts.

1. 1. • Reviewing the list of assets being targeted by the enemy and the methods they are using to ensure everyone holds the line against those methods.

1. 1. Making a List and Checking it Twice: Remind each person to take stock of the last year and report.

1. 1. • There are thirteen adjudicative guidelines that the government reviews before granting a clearance. Sending a list of these guidelines to your personnel reminding each that it is their responsibility to keep their FSO informed of any changes will PROTECT their clearance, not harm it. Need that list? Ask this guy!

1. 1. Gonna Find Out Who’s Nice! Provide your cleared personnel and Executive Management with the security successes for the year.

1. 1. • Did more personnel report foreign travel in a timely manner?

1. 1. • Did you host security awareness events?

1. 1. • Did you improve your security ratings?

1. 1. • Did you have more security education this year?

1. 1. • Provide any highlights/enhancements and the impact for the organization to your Management but cc your DSS Representative!

We all support the warfighter… in our own ways.

Not too bad! …or is it?

Why Do They Do This?

Remember when we were in school and there was always that one teacher who would give a reading assignment or a report to do over the holidays? Well, the government likes to do that too by providing a deadline for something right in the middle of your shopping-parties-decorating-traveling to grandmas-recital attending-card writing-bicycle assembly-extravaganza!

This year, it is the “Implementation of the NIST SP 800-171” by 31 December 2017.

And, just like it wasn’t helpful when “Dwayne-the-Brain” would tell you that he did HIS report right when the teacher first announced it – it isn’t helpful to tell you how long this deadline has been announced this year. What matters now is: what do FSOs have to do? Here is what we know so far:

1. 1. This is NOT under Defense Security Service (DSS) purview.
      The good news is that this will not be part of your audits from DSS. (Whew!) The bad news is: DSS does have a lot of resources to provide to you for it when being questioned about what the company will need to do. (“Dude – we are still working out the NISS kinks – go Google the NIST thing!” They did not say it like that, but that was the gist of the responses we received.)

1. 1. So … is this an FSO thing? Depends on your company. It is mostly IT-cybersecurity related: SPPs, Plans of Actions, and reported as part of acquisition regulations. Your company may prefer to have your IT department or Contracts provide the compliance steps since they will need to be heavily involved.

1. 1. Resources galore! Regardless of who is responsible, as the organization’s security officer, you will be asked about it so here are some great resources, toolkits, FAQs and videos on the topic or you can ask FSO PRO for the briefing slides for review. These resources will help you to educate yourself on what is required and calm your team about the word “deadline” that keeps surfacing across the email chains.

1. 1. Will there be more than this? Yes, there will and FSO PRO will get it to you! As you can tell, when something is new to the Industry, it is new to FSO PRO as well. The difference for us is that we have a TEAM of people who are dedicated to reviewing, researching, and making recommendations for any new FSO-related item.

False. My papers are always on time and I love
to tell you about it.

You get free stuff! And YOU get free stuff! Everyone gets free stuff!! (Just ask FSO PRO)

Section D of the Self Inspection

Recently, one of our team members went to a training about “Getting Started for FSOs” to see what new information is “hot” for our company to share with FSOs. Hands-down the most “energized” session was regarding the DD254: the security classification guidance that accompanies (or is supposed to) each classified contract. This section is VERY important!

Here is what you need do to ensure your DD254 information is compliant:

1. 1. Make a list of all your active DD254s. This list should include: Prime Contract #, COR information, program name, a period of performance dates, and the level of classification. Want a spreadsheet for this? You know the drill by now…email this guy.

1. 1. Obtain Missing DD254s. If you are – first request the DD254 from the government customer or the Prime FSO. If that does not work, remember the government considers the DD254 to be a “jointly executed” document so you may have to create the DD254 (make sure you use the NEW VERSION) based on the performance work statement on the contract and send it to the Prime or government customer for review or signature. Keep copies of any emails showing you have requested a DD254 or created one for signature to utilize at your own inspection.

1. 1. Challenge Mistakes on the DD254s. “Challenge” is the word utilized by NISPOM, but don’t worry – no one expects you to insult or demand things from your government customer. (Whew!) What is expected is that you review for errors and request (keep the emails!) modifications. Here is a list of what DSS calls “common mistakes” that need to be “challenged” on the DD254:

1. 1. • Copy/pasted guidance from previous DD254s which utilizes over-classification or manuals/training links that no longer exist.

1. 1. • Incorrect addresses of companies or DSS field offices.

1. 1. • “Safeguarding” indicated where it is not needed.

1. 1. • Higher levels of classification than the organization has – such as TS when your organization is Secret and no TS-level clearances are needed for the contract performance.

Completing the DD254 can be a daunting task but no FSO is alone with this. DSS/CDSE provides Job Aids and Student Guides to ensure you get it right. Finally, you can ALWAYS send your DD254s to your DSS Representative for review. And of course….(Warning: shameless promotion)….You could always ask FSO PRO.

“Where… Are… My… DD254’s?!?!” – FSO Stormborn, the First of Her Name. Or perhaps you could ask nicely. Whatever works.

Need more explanation or assistance with any items mentioned this month? Contact FSO PRO!

Each year around this time, we like to take advantage of the holiday season to send
Security reminders. Here are a few ideas:

• • Holiday Scams! Provide a list of latest “holiday” scams and ways to protect their information.

• • Travel Alerts! Remind everyone to travel defensively and report suspicious activity.

• • “Security Does Not Take a Holiday” Briefing– We cannot take credit for this but there is a fun security briefing in our possession which describes the “Mr. Scrooge” versus “Mr. Snowman” (flaky) versus “Saint Nick” way of doing things from a security perspective. If you want the script, we will send it to you and you can make it for your team.