Thinking of entering the defense contractor market place or wish to provide services to a classified government customer, Department of Defense, intelligence community or other government agency or department? You will want to familiarize yourself with the National Industrial Security Program Operating Manual (NISPOM) and the Director of Central Intelligence Directives (DCIDs). The NISPOM is your security operational bible, containing the many parameters surrounding the defense classified engagement, while the DCIDs serve the same purpose from engagement within the intelligence community.
Fair warning, engaging within the classified community you will encounter acronym overload, the manual contains over 103 of these. That said, there are acronyms which every entity supporting a classified government engagement will want to know. The CSA, CSO, and FSO are three of the most important.
CSA = Cognizant Security Authority
Within the NISPOM/DCIDs parlance, Cognizant Security Authority (CSA) denotes the department or agency which has security administrative responsibility for the classified activities and contracts under their remit. The CSA serves as the ultimate arbiter with respect to interpretation of the NISPOM or DCIDs, whichever is applicable. Inquiries are forwarded to the CSA either through the Cognizant Security Offices (CSO) for contractor facilities or the commander or head of facility for U.S. Government facilities. If a contractor is to utilize a CSO, the CSA will identify the entity to the contractor. In addition to providing interpretation of the operating manuals, the CSA also serves as the decision point with respect to obtaining a waiver.
FSO = Facility Security Officer
Within Defense contractor facilities, sits the Facility Security Officer (FSO). The FSO must be a US Citizen employee, who is cleared to work within the cleared facility. The FSO is appointed by his/her employer – the contractor – as the FSO. The FSO will “supervise and direct security measures” within the facility. Thankfully, one is not simply appointed FSO and cut loose, the FSO is required to take applicable training courses in order to understand fully the complexity of the requirements levied by the CSA and outlined within the NISPOM/DCIDs.
For those who enjoy the trust of their government, and are working within a classified environment, they can expect the FSO to provide a facility specific standard operating procedures (SOP). The SOP will include those portions of the NISPOM/DCIDs applicable, as well as any unique requirements levied by the CSA or the contracting government agency.