FSO PROS Snippet Category: Security Policies & Reporting Requirements
Monthly Newsletter
Tax season is a great time to discuss the financial considerations and life changes that federal contractors and federal contractor personnel must report.
Every individual who works in and around the U.S. Government is a potential target for exploitation by malicious actors intending to do harm to the United States and its people. Certain situations make us more susceptible to compromise, and we must be aware of those that must be reported to our company’s Facility Security Officer (FSO).
Financial Difficulties and Distress
One of the easiest pathways for our adversaries to elicit information is through offers of gifts and money or threats of exposing our difficulties.
Financial distress can happen to anyone and may be caused by a variety of circumstances. Regardless of the reason, when a person is overextended or having difficulty satisfying debts, there is a greater risk that they might engage in illegal or questionable activity to generate additional funds. Financial pressure makes us a prime target for exploitation.
Unexplained Affluence
Unexplained affluence refers to a lifestyle, standard of living, or accumulation of wealth that cannot be reasonably attributed to a person’s known income or legal sources. It can be a red flag, suggesting that a person may have access to illegal or undisclosed sources of income, and raises concerns about the person’s trustworthiness or vulnerability to bribery or coercion.
Financial Awareness and Reporting Financial Considerations
Keeping a close eye on your financial data and credit information can help you identify if you are running into financial difficulty and if there is any questionable activity happening in your name. All 3 credit bureaus will allow you to run your own credit report for free each year. We recommend you run all 3 annually.
If you suspect your Social Security number is being used fraudulently, contact the Social Security Administration at www.ssa.gov or call toll-free at 1-800-772-1213.
Reporting Financial Considerations — The following circumstances must be reported to your company’s FSO:
- Excessive indebtedness or inability to satisfy debts
- History of not meeting financial obligations
- Unpaid obligations over 120 days, liens, judgements, collections
- Bankruptcies, foreclosures, or wage garnishments
- Deceptive or illegal financial practices (embezzlement, fraud, etc.)
- Failure to file or pay, or fraudulent filing of, Federal, state, or local income tax returns
- Any indicator of unexplained affluence inconsistent with known income sources
- Borrowing money or engaging in significant financial transactions to fund gambling
- Receipt of a large sum of money, property, or wealth not readily identifiable by typical income (e.g., inheritance, lottery winnings, proceeds from sale of a home)
- Concern that your identity or credentials have been compromised
Changes in Personal Status / Life Changes
If you have been granted a security clearance or suitability for access to sensitive information, the following life events and changes must be reported to your company’s FSO:
- A name change, for any reason
- Marriage, separation, or divorce
- Changes in cohabitation status
- Cohabitation with any non-U.S. citizen
- New relatives and additions to your family (new children by birth or adoption)
- Adoption of non-U.S. citizen children
- Any change in U.S. citizenship status
- Change in employment status
- Change in need for access to classified information
Why Reporting is Critical
Regardless of the cause, both financial difficulties and unexplained affluence can raise concerns about an individual’s reliability, trustworthiness, and ability to protect classified or sensitive information.
Financial considerations must be reported immediately upon occurrence. Changes in personal status must be reported to your company’s FSO as soon as you become aware that the change will occur.
Resources and Additional Learning
- CDSE Financial Considerations
- DCSA Reporting Changes, Concerns, or Threats
- Experian Credit Bureau
- Equifax Credit Bureau
- TransUnion Credit Bureau
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!
All cleared contractor facilities are required to have written procedures in place that dictate how their facility will implement and maintain a system of security controls within the organization in alignment with the requirements of 32 CFR Part 117 (NISPOM rule) and other U.S. Government laws and policies.
Two written policies that every cleared facility should have are:
- A Security Standard Practice Procedures (SPP)
- An Insider Threat Program Plan (ITP)
The Security Standard Practice Procedures (SPP)
The Security Standard Practice Procedures (SPP) is a written document that implements requirements for the contractor’s operations and involvement with classified information. Key aspects of an SPP include:
- Opening Statement: Outlines the purpose of the document and includes a statement of support for the National Industrial Security Program (NISP).
- Facility Information: States the company’s facility clearance level, classified storage requirements, and outlines security roles within the organization.
- Personnel Security Clearances: Outlines how personnel clearances for employees and consultants are handled.
- Reporting Requirements: Outlines reporting requirements for both personnel and the facility, and establishes the necessary processes and procedures all company personnel are required to follow.
- Security Education: Outlines the training requirements for the organization per U.S. Government and contractual requirements.
- Self-Inspections: Outlines how the organization will meet self-inspection requirements and the intervals at which the company will perform these inspections.
- Classified Visits and Meetings: Outlines how classified visits and meetings will be handled.
- Safeguarding Classified Information: Establishes the organization’s procedures for protecting classified information.
The Insider Threat Program Plan (ITP)
The Insider Threat Program Plan (ITP) is a comprehensive strategy designed to deter, detect, and mitigate potential threats posed by individuals within an organization who have authorized access to sensitive information or systems. Key aspects include:
- Risk assessment: Identifying critical assets and evaluating the likelihood of an insider threat occurring.
- Employee screening: Conducting thorough background checks and reference verifications during the hiring process.
- Access controls: Implementing strong user access management practices, including the least privilege principle.
- User activity monitoring: Continuously monitoring employee actions on company systems to detect suspicious behavior.
- Security awareness training: Regularly educating employees about insider threat risks and reporting procedures.
- Incident response plan: Defining clear steps for investigating and responding to potential insider threats.
Insider Threat Program Plans must also consider balancing privacy concerns, establishing clear reporting mechanisms without fear of retaliation, and promoting a culture of security awareness.
How and Why Is This Relevant to You?
All cleared contractor personnel, both employees and consultants, are required to follow all policies and procedures set forth in company and U.S. Government policies. Your organization is required to make security policy documents available to you and all personnel. If you do not know where to find them, please contact your company’s security team immediately.
If you have any questions or concerns about the security policies within your organization, your FSO and Insider Threat Program Senior Official (ITPSO) can certainly assist. You should never hesitate to reach out to your FSO and ITPSO for guidance.
Resources and Additional Learning
- CDSE Resources for Standard Practice Procedures
- Written Standard Practice Procedures for Industry Video
- DCSA Information about Insider Threat
- Deliver Uncompromised Toolkit
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about security or reporting requirements, ask your FSO! FSO PROS® is here to help you navigate things to ensure you fulfill all requirements.