Monday, July 29, 2013

Security through the NISPOM

The National Industrial Security Program (NISP) was established by Executive Order 12829 on January 6, 1993 to safeguard in a cost effective and efficient manner classified information held by contractors, licensees, and grantees of the U.S. Government. The DoD, DoE, NRC and CIA all adhere to the NISP. The National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M) prescribes the requirements, restrictions and other safeguards that are necessary to prevent unauthorized, as well as control the authorized, disclosure of classified information released to contractors by U.S. Government Executive Branch Departments and Agencies. Industrial Security Letters (ISL) are binding NISPOM addendums issued between NISPOM publications. The Defense Security Service (DSS) is the office delegated to administer industrial security in a contractor’s facility on behalf of the contracting service agency. Their objectives are to foster greater security awareness in response to the potential threat to the facility and ensure that the security measures imposed are rational, appropriate and cost-effective.

To be eligible for receipt of a ‘classified contract’ the Contractor must first implement Facility Clearance (FCL) risk-management principles, security controls, personnel clearances (vetting) and supporting writt en ‘standard practice procedures’, as well as pass a site inspection conducted by the DSS. Where appropriate, the Contractor must also comply with Foreign Ownership Control and Influence (FOCI) mitigation measures, as well as establish procedures to ensure compliance with U.S. export control laws before executing any agreement with a foreign interest that involves access to classified information by a foreign national. (Please see the DMG Briefing Notes on FCL and FOCI). Further, NISPOM 1-304 requires that contractors establish and enforce policies that provide for appropriate administrative actions taken against employees who violate NISPOM requirements.

Implementing the NISPOM

Due to the immense risks posed to companies and employees for violating the NISP, it is important that companies doing business in the U.S. and engaging with foreign entities create, implement, and maintain physical controls and security procedures compliant with the NISPOM. Accomplishing this alone and without experience is a daunting task. Some help can be had from your sponsor and the Government agencies responsible for ensuring compliance, but when you need an extra boost, DMG is here and ready.

Monday, July 15, 2013

Security and the Facility Clearance

A Facility Clearance (FCL) is a Defense Security Services (DSS) administrative determination issued in accordance with the National Industrial Security Program Operating Manual (NISPOM), that a ‘facility’ is eligible for access to U.S. Government classified information or award of a classified contract. Essentially, an FCL is a ‘secure site’ where routine access is denied to U.S. citizens not holding appropriate security clearances and to all non- U.S. citizens. An FCL normally is awarded for a specific program, at a specific classification level. It is not transferable and may not be used in support of marketing. For every U.S. Military program being considered for supply by a U.S. or Foreign owned company there is a strong probability that holding an FCL will improve the likelihood of an award by granting a cleared company access to the classified supporting documents describing the threats, requirements and program goals.

In the absence of an FCL and security cleared personnel, Government representatives as well as other cleared companies must limit all conversations and information exchange to non-classified data. Demonstrably, having access to such data is necessary for a company to make an informed bid for the vast majority of U.S. Government military programs. The FCL determination is based upon favorable background investigation adjudications of Key Management Personnel (KMP). These can include the chairman of the board, senior management officials, and the Facility Security Officer (FSO). All other KMP defined in company bylaws or operating agreements must be formally excluded unless they require access to classified information to perform work duties. Note that the granting of an FCL can be complicated by any Foreign Ownership Control and Influence (FOCI). To counterbalance the risk of exposing classified information, the U.S. Government requires foreign owned companies to take measures to mitigate FOCI. (Please see DMG Briefing Notes on NISPOM and FOCI).

Mitigation Measures

Due to the immense risks posed to companies and employees for violating the NISP, it is important that companies doing business in the U.S. and engaging with foreign entities create, implement, and maintain physical controls and security procedures compliant with the NISPOM. For foreignly owned companies wishing to secure an FCL, extra care must be taken to mitigate FOCI and negotiate a proxy agreement. For further information please feel free to contact DMG.

Monday, July 8, 2013

Mitigating the Control and Influence of Foreign Owners (FOCI)

To counterbalance the risk of exposing classified information, the U.S. Government National Industrial Security Program (NISP) requires that foreign owned companies being considered for award of a ‘classified contract’ take measures to mitigate Foreign Ownership, Control and Influence (FOCI). These measures are additional to the physical controls and security procedures necessary for determination by the Defense Security Services (DSS) of a Facility Clearance (FCL), as mandated under the National Industrial Security Program Operating Manual (NISPOM). (Please see the DMG Briefing Notes on NISPOM and FCL).

Essentially, to comply with FCL and FOCI mitigation measures, it may be necessary for a corporation to conduct significant changes to its physical assets, internal management structures and operating procedures. These include implementing on-site security and controls to permit the safe receipt, handling and storage of classified data and items in a manner that prevents foreign nationals from gaining unauthorized access; implementing changes to corporate control structures through establishing a ‘proxy board’ comprising only U.S. citizens eligible for appropriate security clearance so as to isolate foreign ownership from full visibility and operational control of ‘classified programs’; as well as ensuring that all Key Management Positions are filled by such U.S. citizens.Note that the FOCI mitigation measures require that the Proxy Board will be precluded under U.S. Law from disclosing to foreign shareholders, management and employees all information (technical and commercial) that has a bearing on classified and/or sensitive contracts.

What Actions Should You Take to Mitigate?

Due to the immense risks posed to companies and employees for violating the NISP, it is important that companies doing business in the U.S. and engaging with foreign entities create, implement, and maintain physical controls and security procedures compliant with the NISPOM. Drafting and executing a proxy agreement, while heavily dictated by the US Government, is not a one size fits all deal, but it is something you will have to live with for the life of the contract or longer. Take the time to do it right, and don't hesitate to get help when you need it.

Tuesday, July 2, 2013

Battlespace Electronics News Services

By the nature of our business DMG has come across many examples of excellence and best practice within both the US and the international defense industrial base.  We are delighted to be able to endorse the skills, capabilities and qualities of Battlespace Electronics News Services with whom we have gained experience and recommend their services.

For DMG’s U.S. clients seeking a United Kingdom centric perspective on defense and security emerging and current issues, we recommend your visiting ‘BATTLESPACE’.  This website along with its associated E-Zine and hard copy magazine are the products of an international defence electronics news service providing its readers with up to date developments within the UK defense industrial base, covering UK defence policy, MOD requirements, contracting and delivered capability.  Though broad in coverage there is a strong focus on the defence electronics industry. The publications and associated e-mail services reach an international readership across the world and report on a range of issues not necessarily easily visible within the U.S.  BATTLESPACE readers range from military electronic specialists through defence research establishments to the defence industry.

Monday, July 1, 2013

General Services Agreement (GSA)

Every year thousands of companies supply the U.S. Government and its agencies
through a Multiple Award Schedule (MAS) administered by the General Services
Administration (GSA). The MAS program enables US Governmental Agencies to
purchase commercial supplies and services quickly and efficiently while still complying
with the Federal Acquisition Regulations (FAR) and Defense Supplement to the FAR
(DFARS). The MAS program divides commercial products and services into 43
distinct schedules. Currently the MAS program offers over 11 million items under
nearly 19,000 contracts. The offerings under the MAS program grow every year as
thousands of firms submit offers to the GSA.

To qualify under the MAS the offer must generally meet the following guidelines:
  • The goods must be ‘off-the-shelf ’ (standard, non-customized) product, available for purchase by civilian customers under a published price list.
  • The goods must be produced in the U.S. or be capable of being produced in the U.S. if placed on the schedule.
  • The Offeror must have a two-year commercial history with at least six, but preferably 15, customers, and be able to estimate future sales volume. 

For U.S. and Foreign companies wishing to compete for the supply of goods and services through the GSA it is necessary to implement appropriate measures regarding Program Familiarization and Internal Preparation, complete the Application Process and maintain subsequent Reporting and Compliance requirements.

To learn more, please contact Defense Management Group.