Tips and tricks for NISP contractors to get the most out of their self-inspection
For facilities holding a Facility Clearance (FCL), the annual inspection is one of the most important parts of maintaining their security standards and a requirement under 32 CFR Part 117, NISPOM. This is your best chance to discover any vulnerabilities your facility has, whether it is gaps in employees’ security knowledge or issues with your physical security.
Your inspection is meant to expose vulnerabilities in the form of a lack of employee security knowledge, missing processes to address security risks, weaknesses in your safeguarding of classified information, and more. The Self-Inspection Handbook supplies checklists that outline topics like reporting requirements or standards for security equipment, and you check off whether you do or don’t meet these requirements.
These inspections are typically run by your Facility Security Officer (FSO), though the Assistant Facility Security Officer can step up to conduct the inspection if need be. In the self-inspection, you need to be sure to interview and review processes with both cleared and non-cleared personnel. It’s a good practice to choose someone from each of your organization’s departments.
After you conduct your inspection, you’ll write a letter to your Defense Counterintelligence and Security Agency (DCSA) representative outlining the vulnerabilities found and how you’ll address them; the letter will need to be signed by your Senior Managing Official (SMO).
If your facility doesn’t meet the standards laid out in 32 CFR, and you don’t find and address your vulnerabilities, you run the risk of losing your FCL. After your self-inspection, your DCSA Industrial Security Representative (ISR) will schedule and then conduct their Security Review, at which time they will give you 90 days to fix any vulnerabilities found within your facility.
Part of a successful self-inspection is identifying as many of your facility’s potential vulnerabilities as possible, as that gives you more time to fix them before your official review. To conduct a thorough inspection, your work needs to begin before the inspection itself.
Preparation is Your Best Friend
The handbook breaks the inspection into three sections: pre-inspection, inspection, and post-inspection. Don’t just dive into your inspection without making sure you have a few things ready, such as being familiar with the Self-Inspection Handbook.
This handbook is the most important document you’ll be referencing when doing your self-inspection. It includes all the questions you’ll need to answer as well as further advice on how to approach interviewing personnel, such as asking open-ended questions (“Can you tell me who you report a security violation to?”) instead of closed-ended ones (“Is your FSO who you’d report a security violation to?”) and asking follow-up questions when they answer.
You also need to know which of the 21 checklists you’ll be using when doing your inspection: Some apply to all cleared companies, while others only apply to companies that are safeguarding information. These checklists will give you the questions you need to answer and will help inform your letter to your DCSA representative.
Honesty is the Best Policy
It can be easy to fudge your results here and there to make yourselves look better. Maybe you help an employee work their way to the correct answer on a security question or decide an answer is sufficient when it’s only half right. But at the end of the day, trying to make yourself look good in your self-inspection notice letter to your DCSA representative will only hurt you and your business.
Be on the Lookout Year-Round
While this annual inspection is an important part of your security, it shouldn’t be the only time you’re watching out for issues. Again, the clock on when you must fix your vulnerabilities officially begins when your ISR conducts the Security Review.
You want to be vigilant and check on security concerns regularly, so if something happens in the months between your inspection and the Security Review, take immediate action to address it rather than finding out about it when you only have a limited amount of time to fix it.
Outsource Your Inspection
If you are nervous about running the inspection yourself, you can outsource to an FSO consulting service. They can act as your Assistant Facility Security Officer (AFSO) in running the inspection. These services have experience running these self-inspections for multiple facilities and can help make sure yours runs smoothly and catches any potential risks.
If you do outsource, make sure your FSO is still engaged with the process and informed of what’s going on. Ultimately, they are responsible for answering any questions your DCSA representative may have about the security in your facility.
If you’re looking for help with your facility’s self-inspection, consider bringing on Adamo’s FSO support. They can not only help with your inspection, but they can also take on a number of other tasks including managing your insider threat program, running annual security refreshers and handling investigations.