What is a Security Review?
The four types of security reviews that FSOs need to know and how to prepare for them
The security review process for companies that hold a facility clearance (FCL) is thorough and multi-faceted. In-depth reviews and periodic check-ins conducted by an Industrial Security Representative (ISR) are how the government confirms that a facility continues to meet the requirements for keeping its FCL. There are four types of security reviews. The Facility Security Officer (FSO) is primarily responsible for them, but staying compliant, informed and up to date is a team effort. These four reviews are what an FSO and their team should expect to encounter while maintaining the company's FCL.
While all four may be referred to generally as security reviews, the first and most in-depth of them is simply called a security review. It is the most thorough review an FSO will be responsible for. For a security review, the ISR schedules a time with the FSO to go over policies and procedures, facilities and employee clearances, NISS/DISS updates, and potential vulnerabilities. A security review is typically scheduled roughly every 12 to 18 months. Depending on the size of the company, it usually takes four to six hours, and in some cases one to two days.
During the in-person visit, the ISR will want to speak with both cleared and uncleared personnel as well as the Security Management Official (SMO). The ISR will also confirm that the SMO is current on the security program and understands its requirements. Possessing facilities, meaning facilities approved to store classified information and equipment on site, receive particular attention, but both possessing and non-possessing facilities are examined by the ISR.
At the end of the security review, the ISR gives the FSO a rating that breaks down, across five categories, which areas are commendable and where vulnerabilities are present. The highest possible rating is superior, followed by commendable and then satisfactory. Marginal and unsatisfactory ratings can result in the FCL being invalidated; an invalidated facility is at risk of losing its FCL, along with the contracts that involve classified information.
The overall rating can only be as high as the lowest category rating. For example, if every category is rated commendable but one is rated satisfactory, the overall rating is satisfactory. The purpose of the security review is to show where the security program needs improvement.
Security Monitoring Action (SMA)
An SMA is also organized and conducted by an ISR, typically over the phone. The call is scheduled about once a year with the FSO to confirm that everything remains compliant with the established policies. To prepare, the FSO is responsible for sending the company's policies and procedures to the ISR ahead of time for review. During the call, which usually lasts one to two hours, the ISR asks prepared questions and recommends changes. Typical questions cover whether the insider threat policy is current, which personnel are cleared and uncleared, and, if the facility is a possessing facility, whether the daily login checks are being completed.
The ISR also confirms that the NISS and DISS portals are up to date. This type of review does not produce a rating, but any vulnerability that is identified must be addressed within 30 days. The ISR checks back after that period to confirm the vulnerability has been resolved.
Targeted Engagement Action (TEA)
An ISR sends a TEA to an FSO when there is one specific issue to address with the company. For example, if a document is missing from the company's NISS portal, a TEA form is sent to the FSO to address that gap. As with an SMA, the FSO is given a deadline, in this case 15 to 30 days, to fix the targeted problem. If the ISR returns to check on the issue and it has not been fixed, the company can be placed in invalidation.
Communication Strategy
The last review is more of a notification. A communication strategy is sent by the ISR to give a formal update or communicate information to the FSO. These notifications are less common, typically arriving once a year or less. The ISR delivers them through the NISS portal, and they describe changes in policy or updates to information.
While the FSO is responsible for these reviews, there are a few things the FSO can do to prepare themselves and the team. The most important is to be organized: the ISR will need to see policies and procedures ahead of time and will expect certificates and online accounts to be current. Communication is equally important. The SMO should be prepared and knowledgeable about the security review requirements, and the security team, both cleared and uncleared personnel, should know in advance that the ISR will be at the facility or addressing something about it.
Lastly, the ISR is there to help the company and the FSO. These reviews exist to identify vulnerabilities so they can be corrected, and the ISR will do their best to make sure the company is following NISPOM standards and guidelines. If your facility is preparing for a security review or needs more information on the requirements, Adamo can help. Our FSO support services provide practical guidance on maintaining a facility clearance and successfully navigating ISR reviews.