What great FSO’s read!
Prepare to be sorted.
What Type of FSO Are You?
At FSO PRO, we work with hundreds of FSOs. In our observation, most FSOs
can fall into one of the categories below. They are:
- The Owner FSO – This FSO owns a small business that has recently begun classified work. As part of the facility clearance process, someone had to be named FSO and since he or she had to be cleared anyway in their role as FSO, it made the most sense that they hold the title.
- The Multi-Hat FSO – You are the FSO, but it is not your primary job. You may be named (or volun-told) as the FSO because you are also in HR and deal with personnel. Or, you are in Contracts Administrator and work with DD254s and other compliance areas already. Or, you are the Program Manager for the largest cleared contract and it made sense to assign the FSO responsibility to you. Or, your organization may only have a very small security program so it barely even comes up, but it is still assigned to you!
- Start talking to my SMEs, PMS, and Personnel about each contract.
- Log into JPAS and any other timed database so I don’t get locked out.
- Run a personnel report to review the status of all personnel – does their non-SCI access match their contractual work?
- Remove any personnel who should not be in JPAS.
- Run a PR report to determine who is due for a periodic reinvestigation. If it is 90 days out or less, start the re-investigation.
- Check visit requests or VARS to see if they are going to expire or have out-processed people on them.
- Begin any new hire clearance actions 30 days out if needed. Implement strategies for upping my FSO game.
- Pat myself on the back for being an amazing FSO!
Which FSO Are You?
- The Primary FSO – Whether full or parttime, being an FSO is your only job/title with your organization. The program requirements at your company have grown to the point where a fullydedicated person holds the position and you may even need an active assistant or two. You are constantly working with DSS regulations, CDSE training, DD254s, self inspections, accesses, JPAS, etc. – all day every day. !
- FSO King or Queen … There is also the granddaddy of them all, the FSO of FSOs … those who are over a security program so large they have multiple FSOs or AFSOs under them and helping to manage their LARGE program. For the purpose of this article – we will leave them to their own devices because they could probably teach us all how to be better FSOs! Cheers to you and we aspire to be you one day (maybe – it sounds kinda stressful and I hear the inspections are a week long!) but for now – we are addressing the needs of the other three.
Speaking of Queens… I wanted her to sit there so badly. Does that make me a bad person?
Now – let’s look to the strengths, challenges, and plans for improvements for each position. (Hey – feel free to skip to the one that applies to you – we know you are busy – you are an FSO, after all!)
Everyone wants success until they see what it takes.
The Owner FSO
The Challenges of the Owner-FSO:
You are the owner of the company and you are constantly pulled into other high priority areas such as payroll, business development, contracts, and working directly in the programs. You care about the security program very much, but the constant demands in other high priority areas means you don’t give it the attention you know you should and you worry about whether or not you are compliant with all of your requirements.
Strengths of the Owner-FSO:
The strength of the owner FSO: With the new “risk based” direction that that DSS is moving towards in regard to
inspections – you know the ins and outs of the programs better than most. You will be able to answer the governments
questions (see later in this newsletter) with less research because you already know it. You also can get your
personnel to complete their training faster than anyone. You are THE boss and that gets results.
Where to Improve:
It is not impossible for you to be the owner and FSO and have a strong program. FSO PRO helps many of you do just that. If you don’t want to hire a consultant to help you, the best idea is to take the resources offered to you by your DSS Representative or download the Self-Inspection Handbook and take a couple of hours to review the requirements. If you have a non-possessing facility, one of the FSO Superheroes (our club members) created an easy-to-use spreadsheet that shortens the document quite a bit. After review, break down any areas that need more attention and put them on a schedule by month to make it manageable. Or ask this guy for affordable ways in which FSO PRO can help.
Tell Betty from HR to call Betty from Sales.
The Multi-Hat FSO
> The Challenges of the Multi-hat FSO:
Like the owner-FSO, you are constantly pulled into other high priority areas that come with your main job. You also care
about the security program very much, but the constant demands of your main job make it an extra albatross to all the other
things you have to do. Depending on what hat you wear, your focus in other directions may leave a gap in areas such as:
knowing the exact details of the contract or being behind on the company training requirements for personnel. The biggest
challenge is you may be called on to be the subject matter expert for all things NISPOM when it is not your main field.
This is Betty from Sales returning a call from Betty from HR. Don’t judge.
> Strengths of the Multi-hat FSO:
The strength of the multi-hat FSO: Your unstoppable work ethic. You are not a worker bee—you are the entire hive. You are used to getting it done and are no stranger to doing what you have to do – late nights or weekends to get it done. If you manage personnel, you are sure that they are matched with the needs of their DD 254s and are on top of training. If you are on the contract management or program management side, you, like the owner-FSO, know the ins and outs of the programs and requirements of the DD254s in ways that most people don’t. You also can get your personnel to complete their training faster than anyone. You are in the chain of command and that helps!
> Where to Improve:
You can also be the FSO and have a strong program, you just need to merge some of your areas where they overlap and an extra set of hands during “surge” times. Surge times typically occur upon new award, a new DSS Requirement (like the Insider Threat Program) ,or right before your inspection. Having an extra set of hands to help administratively can make this work much smoother. It may be hard for you to ask for help but it’s worth it for your sanity and the health of the program. It is also a good idea to use your Outlook to block off 1 -2 hours a week for FSO-focused activities such as CDSE classes or reviewing your monthly requirements. This newsletter can help with that. Plus, we are constantly adding to the resources and “FSO hacks” for our FSO-Superheroes (club members) to help make the most of the time you have to devote to FSO work.
Which FSO Are You?
The Primary FSO
> The Challenges of the Primary FSO:
When FSO work is all you do, you need to stay engaged with the team. Everyone is busy and has trust that you “got” the FSO and NISPOM requirements down … but they can unintentionally leave you out of critical discussions. They can also disregard the annual requirements such as the Annual Refresher or you may not know what you need to know about Executive Management decisions or the details of the contracts. Your biggest challenge may be that you are assigned “other” compliance areas that do not fall under DSS’ purview or the standard FSO Job Description. These areas may include ITAR and EAR requirements, Export Officer duties, and the new NIST 800 requirements.
> Strengths of the Primary FSO:
You are self-directed and driven. You have to be – you are the frontline to ensure your company is compliant and safeguarding information from those who would harm this great Nation. Since it is your job, you have more time within your regular workday to manage all the details of the program. It may be a large program, but your focus is all in the same direction. You can take online training and attend NCMS events as PART of your job. You can learn the NISPOM and become a subject matter expert on all things security to include the other compliance areas.
Betty from Sales, please don’t forget to follow up on your follow up from your last follow up from Betty from HR. I hope everyone is keeping up with this, there will be a quiz.
All Bettys agree: It takes team work to make a dream work.
> Where to Improve:
Your diplomatic skills and creative juices will be most used for a dynamic program. You will need to be a quick team player with all the areas of your company to ensure their cooperation with your requirements. For your executive management, provide metrics and reports of your self-inspections and ways you have improved the security posture of the organization. Share your goal for a higher company rating and get their support. For your business development teams, provide “proposal data calls” and quick response for new work. For personnel and HR, create interactive and creative training, use case studies or fun “security events” to keep everyone engaged and finally, meet regularly with Contracts and Program Managers to ensure you have good working knowledge of each contract – let them know how important their feedback is to the security program and brag on them to your executive management when they provide valuable input.
*Each month, the FSO PRO Success Newsletter will be providing ideas and strategies for helping EACH type of FSO (except for you King and Queen FSOs – you got this!) We benefit greatly from your feedback and areas of concern so don’t hesitate to let us know how we can address what concerns you the New SVA or Inspection Style of DSS.
At this point, FSO PRO personnel has attended several of
the new DSS-In-Transition or DiT “Risk-based” assessments.
What is different? Well, all the same compliance items
still apply but they REALLY dig into the DD254s. It is not
just the document itself that is being reviewed but they
want to know all the details about each contract.
Here is a list of questions that have been asked during
SVAs about the contracts.
No Bettys were harmed in the making of this FSO newsletter. Also, this is the second to last Betty reference. We apologize for the overuse.
As a result, each contract/DD254 should be reviewed by:
- What is the most critical asset for the contract?
- How many people work on the contract and where are they located?
- What can they access – outside of the contract – at this location?
- Who is the SME(s) for the contract?
- Where does the work take place – where is it located? Is it overseas? Is it in a SCIF? What are the access requirements? Who can the workers see going in and out of the building?
- Who are your suppliers? Have they been reviewed?
- Which contract has the highest monetary value?
- What is the percentage of revenue for the organization from the contract?
- What agency or branch of DOD is this contract supporting?
- Is any exporting occurring?
- What technologies are used supporting this contract?
- What systems?
- Who grants approvals for these systems?
During an inspection, I just shout Multi-Pass over and over. It seems to work.
Under the new “risk-based” assessment, DSS is focusing on the risks associated with:
- Critical Assets
- Information Systems
- People and Operations
If you are not in a position to know this information, start talking with your SMEs, PMs, and Leadership now.
Who is FSO PRO?
PO BOX 70095
Fort Bragg, NC 28307
Terms This Month:
FSO= Facility Security Officer but FSO PRO calls them “FSO Superheroes!”.
NISPOM= National Industrial Security Program Operating Manual. This is the over-arching policy for the Industrial Security Program managed by FSOs.
DD254= The form used to provide Security Classification Guidance for each classified contract.
CDSE= Center for Development of Security Excellence – online training for FSOs.
SVA= Security Vulnerability Assessment. Some refer to this as the inspection or audit but DSS prefers this name.
SME= Subject Matter Expert.
PM= Program Manager.
ITAR= International Trafficking Arms Regulations.
EAR= Export Administration Regulations.
NIST 800.171- = National Institute of Standards and Technology Special Publication 800-171.
FSO PRO thanks all the FSOs out there for everything you do to keep the warfighter safe. Even the smallest task is designed to keep our nation’s information out of the hands of those who would do harm. We, as FSOs, are doing our part to stay vigilant and determined to protect those who protect us, even in our own small way.
That is why we say how awesome you are. And thank you.