Secrets of a Successful Self-Assessment
Defense contractors must meet stringent requirements with regard to the handling of classified materials and the maintenance of access controls to the closed areas where such materials are processed and stored. To ensure that these requirements are being met, the government sends inspectors to contractor facilities about every 12 to 18 months. Since companies can’t continue to do business without passing such inspections, contractors conduct their own assessments in between official examinations to ensure that they will be ready when the government comes calling.
Although self-inspections are beneficial, no facility’s staff really wants to undergo them. The question for security personnel is: Can they make the process an experience that workers will welcome rather than avoid?
The answer is yes. It is possible to turn a dreaded inspection into a more positive and constructive visit. The key is to build a relationship with the facility prior to inspection by emphasizing the benefits of the visit, outlining the process step-by-step, and providing the facility with ample planning time.
The first step toward getting facility personnel to welcome the security team’s input is to change how the work is perceived. The language employed in describing the work helps to set the stage. Thus, it’s a good idea to refrain from using the term “inspection,” which connotes fault finding and finger pointing. Instead, security personnel should refer to their work as an “assistance-visit program,” where the focus is truly on helping a facility.
The new nomenclature should be coupled with a substantive move away from simply pointing out problems and toward providing assistance. This change is accomplished by ensuring that facility personnel feel included.
Security personnel should implement three principal phases of assistance visits to ensure that the process is well thought out and that facility personnel have time to prepare. These phases are the planning phase, the implementation phase, and the completion phase.
During the planning phase (which is the most critical phase), the security director or deputy security director appoints an assistance-visit coordinator (AVC), who sets the tone and provides all of the details for the assistance visit.
The AVC is the point person for organizing the planning and the visits to the facilities. This person serves as the contact for the facility security officer (FSO). Communication between these two parties should be continual; it lays the groundwork for a relationship between the facility and the headquarters or the business unit conducting the self-assessment.
This level of interaction sets the assistance visit apart from a common self-assessment relationship in which the only communication is when the security team tells the facility that it is coming. By consulting with the facility on issues such as visit timing, the security team begins to develop a sense of partnership with the facility, which can change the facility’s attitude regarding the self-assessment.
The AVC, sometimes along with the deputy security director, selects the members of the assistance-visit team and the team chief. The AVC may act as the team chief, or another member of the team may be selected if the AVC cannot travel to that inspection site.
In putting together a team, the AVC must be sure to assess which subject matter experts are needed for each facility. For example, if a facility focuses on Department of Defense (DoD) programs, the AVC should select from among the company’s internal staff who work with DoD projects, rather than selecting someone who is an intelligence expert.
Scope of work. The first inclination of the security team may be to focus the assistance visit narrowly on the handling of classified material and its protection. But many noncleared employees work in the vicinity of classified environments, and it is often these employees who cause a security breach when cleared employees discard proprietary information in regular trash cans or share passwords and leave screens unlocked. To fully address these issues, all aspects of the facility should be evaluated. Special Access Programs (SAP) as well as unclassified, collateral, and Sensitive Compartmented Information (SCI) should all be included (as appropriate to each facility).
The scope of the assistance visit should even extend beyond the facility itself. Determining who the neighbors are in the area of a facility could be extremely important. For example, in a business park with only large companies and a single small store, the store might seem to be out of place, raising some questions and requiring additional safeguarding measures.
Previsit paperwork. The AVC should send out three preliminary documents to each facility to outline the process of the visit. These documents are the guidelines for the assistance visit, a checklist of items for the facility to prepare, and a survey to be completed before the visit.
The guidelines should outline the process and the expectations of the assistance team at each phase of the process.
The checklist should outline items that the FSO will need to have ready for the team, such as a conference room for the assistance team to use for the duration of the visit, ladders for the inspection of ceiling tiles, and any other equipment that might be needed. The checklist will also list key management personnel (KMP) who should be invited to attend the briefs the team will hold to discuss findings (as discussed in the implementation phase).
Another important aspect of the checklist is that it will lay out what will be inspected so that the facility is not caught off-guard. The government inspection list should be included, but the self-assessment checklist will go a step further so that the facility is more than prepared for the government’s visit. For example, where the government standards require facilities to keep personnel records, a self-assessment might make sure not only that the facility knows where its records are but also that the databases are cleaned up and any record discrepancies are taken care of.
The previsit survey gives the team advance information about the facility. In this survey, the AVC should ask questions about the facility’s size, the type of classifications handled, storage capabilities, computer systems, customers, accreditation information, co-uses, and personnel located at the facility.
Information gathered from the survey will assist the AVC in determining the size and expertise of the assistance team. After all of the surveys have been returned, the AVC can firm up who is on the team, work out the schedule, and make sure that the necessary resources will be available.
Schedule. Developing and maintaining a master schedule is key, because the AVC will plan out the visit a year to a year-and-a-half ahead of time. The advance notice helps with scheduling and gives the facility ample time to prepare.
Previsit meeting. The final step in the planning phase will be conducting a preliminary meeting with the team. This meeting is usually held two weeks prior to the assessment. For the meeting, the AVC should provide a packet of information that includes copies of the survey, travel information, and the appropriate checklists to be used to conduct the inspection. An in-brief should be created to explain the purpose of the assessment, who will conduct it, what it will cover, and the process. The AVC will send the in-brief and staff assignments to the FSOs with adequate time for them to prepare.
In this manner, everyone receives the exact information that will be used to conduct the assistance visit. Having detailed previsit paperwork and a well-crafted schedule with the appropriate resources reduces the potential for surprises.
The implementation phase should be simple, since all of the groundwork will have been laid during planning. The team should show up at the facility, conduct an in-brief with the security staff and KMP, conduct the inspections, and provide an out-brief at the conclusion of the visit.
The in-brief is extremely important in that it sets the tone for the visit. It is essentially a PowerPoint presentation re-emphasizing the guidelines and checklist of what will be inspected. The team chief should present the brief and reiterate that the purpose of the visit is for assistance.
The assistance visits (like the government inspections) may also include random interviewing of workers. Interviews help inspectors to assess whether all workers know that they are working in a security-cleared facility. Additionally, the team might ask a worker what he or she would do in a certain situation, such as if he or she found a piece of classified information. The team will also often ask workers whether they know and communicate with the security staff.
Once the assessment has been conducted, the out-brief meeting is held to explain the findings. In addition to pointing out concerns, the team chief should make sure to highlight any positive findings in the out-brief.
Security personnel should avoid using a ranking system in the context of the assistance-visit model. Rather, the team should use a system with neutral terminology, such as findings (matters of official USG policy or procedure deficiency), recommendations (matters not based in official doctrine, but provided as “guidance”), and observations (comments, both pro and con, relative to the state of the security program).
If there are any unacceptable conditions identified among the findings, security should negotiate a timetable for when these conditions will be corrected. The team chief can suggest sending back one of the subject matter experts to help the facility staff with certain issues, such as document control.
The final phase would reiterate the overall nature of the out-brief to upper management. A formal verbal report, given by the security director or an individual of similar standing, should outline the state of the facility, deadline dates for fixing any unacceptable conditions, and any future assistance recommended.
Within 30 days of the visit, the facility should receive a formal written report. Along with the report, all of the checklists that were used for the assistance visit should be provided. The facility can retain these documents for its records. If government inspectors ask for the self-assessment documents, they are entitled to them. However, since the self-assessment goes above and beyond the government inspection and might find issues outside of the government standards, the report should not necessarily be offered.
Periodic monitoring needs to occur to ensure that the facilities are correcting any issues identified by the site visit. In addition, it can be helpful to conduct a survey of the facility’s security staff after the site visit. The survey should focus on what the facility personnel thought of the assistance visit team and the assessment process.
Communication and proper planning, coupled with a helpful attitude, will ensure facility cooperation. That support is the key to conducting successful and efficient self-inspections, which help to ensure that when the government inspectors arrive, the facility will have nothing to worry about.
Kerrie L. Kavulic is the security awareness training and education manager for the Space & Geospatial Intelligence Business Unit at Science Applications International Corporation (SAIC). She is also publications coordinator for ASIS International’s Defense and Intelligence Council.