Tips to ensure your company’s ready for security reviews
Security audits are a continuous reality for every company holding a Facility Clearance (FCL). To prepare for these in-depth security reviews, your company needs to ensure it is closely following the rules and regulations of 32 CFR Part 117 (NISPOM). Otherwise, your company risks losing its FCL.
The DCSA (Defense Counterintelligence and Security Agency) assigns every defense contractor an Industrial Security Representative (ISR). The ISR's responsibility is to determine whether your company complies with the NISPOM policies, procedures and educational training required for cleared individuals and for the company's FCL.
The type of security review your company will undergo depends on whether your company handles classified information. If it does, your ISR will most likely come to your facility for the security audit. Although the duration depends on the size of your company, the security audit typically takes between four and six hours. If your company does not handle classified information, your ISR may instead conduct a Security Monitoring Action (SMA), formerly known as Continuous Monitoring, which can be done over the phone.
Typically, your company will have a security review every 12 to 18 months and will be notified at least three weeks prior. But if your company has been compliant in the past, the timeframe between audits could be longer.
One of your company's essential requirements is to have an Insider Threat Program Senior Official (ITPSO) whose key responsibility is managing your company's Insider Threat Program. The program must include an insider threat working group of five or six employees, who may be cleared or uncleared. The working group must meet periodically, typically every quarter, to identify any threat to the company and to ensure the company is adhering to all required policies and procedures for reporting those threats.
The ITPSO position can also be held by your Facility Security Officer (FSO), but whoever holds it must be a cleared employee with training specific to the role. These requirements and procedures are only a few of the items your ISR will likely check during the security audit.
In rare cases, your company may undergo a Targeted Engagement Action (TEA). This type of security review is not comprehensive and occurs only when the ISR wants to address a specific issue. If your company is partly owned by a foreign entity, the Foreign Ownership, Control or Influence (FOCI) office would oversee your security review.
Best Practices
First and foremost, your company needs to be organized. The best way is to keep a single folder, physical or digital, where all of your company's security policies and procedures are stored. The documentation your ISR will want to review includes how your company is tracking the education of employees, documentation of your company's Insider Threat Program and details of the program's working group.
Also, be sure your company has a good relationship with your ISR. There may be times when your ISR requests documentation that is not required by 32 CFR Part 117 (NISPOM), but if the request is reasonable, it is best to comply.
It is also important that your government portals, NISS and DISS, are current. This includes making sure your company's Key Management Personnel (KMP) list is up to date, which is a list of employees with a personnel clearance (PCL), and that your PCL holders are enrolled in Continuous Evaluation (CE). Another requirement is to be sure your government contract, the DD 254, which establishes the facility clearance, has been uploaded.
During the security audit, your ISR will want to see the many types of documentation, policies and procedures that you are required to provide. Once the security audit is complete, the ISR will give your company a rating such as satisfactory or commendable. If the result of the security audit is unsatisfactory, your company risks losing its FCL. If your ISR identifies a missing or incomplete requirement, your company will have 15 to 30 days to respond with a plan to fix the oversight.
Adamo can provide your company the knowledge, organization and structure it needs to prepare for security audits. This includes providing preparation questions to show that your company has an in-depth knowledge of all the NISPOM regulations and requirements necessary to maintain your FCL. Adamo can also assist with your company's insider threat policy by scheduling quarterly meetings, drafting agendas and taking meeting minutes to distribute after the meetings are held. Adamo also offers briefings to your employees that include a real-world example of an insider threat followed by an open discussion. If you need help preparing for your security audit, don't hesitate to reach out.