By: David Wilson, IT Manager and Facility Security Officer
Personnel and cyber security comprise two of the greatest challenges to government contractors, particularly in today’s fluid and volatile Internet climate. Every device, from kid’s toys to watches, computers to porch lights and door locks, is connected, and every point of connection is a potential leak. Security breaches in large companies have exposed massive dumps of data and personal information to the Internet at large, and even those contractors charged with investigating security clearances have not avoided their share of the constant barrage of hacks and threats.
At VectorCSP, we’ve learned that for an Industry contractor desiring to work on military contracts, there is something of a Catch 22. To have cleared employees, you have to have a Facility security clearance. To get a Facility clearance, you have to have won a contract that requires it – and it is very difficult to get if you need to have boots on the ground, with clearances, on the day of award. The easier route is to subcontract with a prime contractor already in possession of an FCL (Facility Clearance) and get them to sponsor your company for positions requiring clearance – it’s a precise and lengthy process, but well worth the wait once the door opens and you are invited into the secure world.
The facility clearance is just the tip of the iceberg. Long delays in processing new clearances have put a strain on recruiting and hiring; new requirements for training and inspections are regular occurrences; and key to it all is the responsibility, a very real and tangible thing, to provide the promised security, keep abreast of changes and regulations, and ensure that your employees are trained, equipped, and prepared to perform at the highest levels of trust. It’s not just a matter of “dotting the i” or “crossing the t” … the days of security by simple compliance are being replaced by proactive risk management processes, and more intuitive methods of training are rising to the challenge presented by ever-increasing numbers of “adversaries” at home and abroad.
The most important aspect of entering into a new cleared contract is establishing communications. Every branch of the military, and every base, has its own rules, regulations, forms, and processes. Establishing early contact with base Security Officers, the COR (Contracting Officer’s Representative), any incumbent staff you are working with who will be familiar with procedures, and your site’s DSS (Defense Security Service) representative can create an efficient, complete, and positive environment for onboarding new hires, acquiring the proper access and CAC cards for employees, and determining what – if any – computer and hardware requirements are involved.
Additionally, it is the responsibility of the company’s Facility Security Officer (FSO) to remain vigilantly aware of the requirements of each contract, in accordance with the DD-254 associated with the contract. This form is the guideline for what types of access are required under the contract, any extra security requirements or references that apply, and should be inspected carefully at the earliest opportunity. If there is, for instance, a need for OPSEC (Operations Security) or COMSEC (Communications Security) access listed on the first page of this form, guidance on each should be included on either the second page, or on addendum sheets, outlining what that access entails, and how it will be regulated. This form should, ideally, be the product of a collaboration between the Contracting Officer, the COR, and the Government Security Officer, in conjunction with those who will actually supervise the work.
DSS is currently “in transition,” moving to modern and more efficient web-based processing and risk-management approaches for inspections, as opposed to checked-box compliance. Representatives from the FBI, as well as the security agencies for each branch of the service, are ready and available to receive information on cyber-attacks, or suspicious communications. Training both online and in person can be arranged for management and employees alike.
It is vital that you protect your company, your employees, and your clients. Take advantage of the resources available. Be patient but persistent, and establish a network of security professionals (both in Government and Industry) that you can engage to overcome new security challenges. In the world of Industry contracts, security is everyone’s responsibility.