What you need to know about the Senior Management Official (SMO) role
In the new NISPOM Rule, 32 CFR part 117, the role of Senior Management Official (SMO) is given defined responsibilities and increased accountability for the safeguarding of national security information. Your company’s SMO is a high-ranking member of leadership at the company with “ultimate authority over the facility’s operations and authority to direct actions necessary for the safeguarding of classified information,” according to the NISPOM Rule. This will be someone like the CEO or president.
The SMO holds a number of responsibilities and is the figure accountable for the facility’s safeguarding. This new level of accountability is likely part of a larger industry push to switch from a compliance-based security mindset to a risk-based one.
Responsibilities
An SMO has many important responsibilities when it comes to the security of a cleared facility. Regardless of the size of your company, the responsibilities the SMO holds remain the same. They may be more complicated for a larger facility, so the SMO can delegate responsibilities. Their overarching responsibility is to ensure the facility maintains its security in accordance with the NISPOM Rule.
One of the most important responsibilities is appointing the Facility Security Officer (FSO) and the Insider Threat Program Senior Official (ITPSO) if it’s a different person. These two positions will be important parts of maintaining your facility’s security.
They’ll need to know the ins and outs of the security for the facility and work in tandem with the security team to ensure compliance. The decisions the SMO makes will be based on classified threat reporting and their knowledge and understanding of threat information and potential impacts.
SMOs also play a major role in your facility’s annual self-inspection. They’ll write the letter to your Defense Counterintelligence and Security Agency (DCSA) representative that outlines what vulnerabilities were found and what the company will be doing to address them.
The DCSA has released a video overview of these responsibilities.
Beyond these responsibilities, the most important part of being an SMO is maintaining accountability.
Compliance vs. Risk-Based Mindset
Ultimately, the SMO is accountable for the security of the facility. They need to know what’s going on, for example through their oversight of the facility self-inspection. While some responsibilities can be delegated, the SMO’s accountability for them never can.
This change in accountability may be part of a years-long push in the security industry to shift from a compliance-based approach to national security to a risk-based one. This means that rather than just meeting bare minimum requirements for safeguarding and checking off boxes, you take into account the unique needs of your facility and work to meet those. You still meet the requirements necessary, but a risk-based mindset allows for a more dynamic and adaptable security framework that will ultimately be better at deterring national security threats.
People entrusted with national security information must navigate and manage an ever-evolving threat landscape. U.S. adversaries are getting smarter and faster, and technology is becoming more advanced, easier to use, and less difficult to acquire. The SMO should treat security as part of the company’s mission and be willing to reassess safeguarding necessities on an ongoing basis.
There are no shortcuts when it comes to safeguarding national security information. If keeping your facility secured begins to feel overwhelming, our experts at Adamo can partner with your team and assist your FSO in all aspects of cleared facility security. Contact us today to learn more about how Adamo can help you.