What is A Standard Practice Procedure (SPP)?
The Standard Practice Procedure is your process for applying the NISPOM to your organization as you work on unique classified contract requirements. The SPP should be tailored to your specific organization. To be effective, it should reflect performance requirements on classified contracts as reflected in the statement of work, DD Forms 254 and security classification guides.
Who should have an SPP?
Every cleared defense contractor should have one as a best practice. SPPs could set you apart and provide evidence of above and beyond security practices that could lead to a Cogswell Award recommendation. Written procedures should be prepared to describe effective implementation of this Manual or when Defense Counterintelligence and Security Agency (DCSA) determines them to be necessary to reasonably. The SPP should demonstrate how the cleared defense contractor will reduce the possibility of loss or compromise of classified information.
In some cases DCSA could require an SPP. Perhaps an annual review has determined vulnerabilities exist that must be mitigated to adequately protect classified information. In that case, DCSA may direct an analysis and additional countermeasures. They could also direct development of security procedures and documenting them in an SPP. Another reason DSS could require an SPP is if the cleared facility needs to upgrade clearance level or storage approval in execution of new classified contracts. The SPP would address new procedures implemented to protect a higher classification of information.
Additionally, the FSO can use the same rationale as a basis for creating a new or updating an existing SPP. A self-inspection, sudden growth in cleared employees, new and growing classified holding locations, new work requirements, corporate policy and other factors may drive the decision to develop and implement an SPP
The first step is to determine what parts of the NISPOM apply to your facility. Chapters 1-3 and parts of Chapter 6 apply to all cleared contractor facilities. Therefore, fundamentally, the SPP should cover the organization\’s mission, applicability of the NISPOM, facility and personnel security clearances, security education and general security procedures. For facilities with storage capability, the SPP would expand to protecting classified information, storage of classified information, closed areas, security containers and etc. The point is to provide a tangible standardized process for cleared employees on the requirements of protecting classified information while performing on classified contracts.
There are a few source documents FSOs can refer when determining what should be covered in the SPP. These sources include but are not limited to:
DD Forms 254-provides security requirements and expectations of the government contracting activity or prime contractor. Specific requirements will be found in blocks 10, 13 and any additional pages. FSOs should include these requirements in the SPP. FSOs might consider either a separate SPP or annexes to a single SPP to distinguish between unique requirements by program, project or contract.
Security Classification Guides (SCG)-SCGs provide classification levels and reasons for classification. These are the expectations of what to protect and at what level. SCGs might be included in the SPP language or at least used as a reference document.
Statements of Work-SOWs can provide explicit requirements and expectations made by the customer. Incorporating SOW language will help develop the right positive for the desired performance.
FSOs should lead a team of contractual, program, project and other internal employees who are subject matter experts. The team should review requirements and work together to develop procedures that help enforce and execute work based on those requirements. The FSO keeps focus by transposing requirements into procedures that support protecting classified information according to the NISPOM.
Once complete the SPP should be staffed throughout the organization for additional input or to see how the SPP would impact other business units. This input is necessary to gain support of the organization and leadership and to determine where or if there is conflicting policy. Once staffed and approved, the SPP should be adopted as corporate policy. Once adopted by the enterprise, leadership backing will provide credibility and ensure that security procedures will be followed.
Creating Your SPP
The following is a list of possible topics to include in your SPP:
- Facility Information
- General Security
- Security Clearances
- Security Education
- Self-Inspections / Vulnerability Assessments Individual
- Reporting Responsibilities
- Graduated Scale of Disciplinary Actions
- Visit Procedures
- Public Release/Disclosure
- Classification
- Security Forms
- Definitions and Acronyms
- Safeguarding Classified Information
- End-of-Day Security Checks
- Perimeter Controls
- Information Mgmt. System
- Transmission
- Reproduction
- Destruction Information Systems Security
FSOs can use the above list as a table of contents where appropriate while constructing or building upon their SPPs. Use it as the foundation, form a team and fill in the applicable sections.
SPP development can be a long and detailed task, requiring a lot of time and resources that you may not have available. Red Bike Publishing does have a track record of producing great writing products such as SPPs, Technology Protection Plans, processes and procedures, and books and training.
If you would like to have us write your SPP, contact us for an estimate at editor@redbikepublishing.com
Join our reader list for more articles.
Resources:
Live NISPOM Seminar: https://www.redbikepublishing.com/nispom-seminar/
NISPOM Fundamentals training: https://bennettinstitute.com/course/nispomfundamentals
Books and training
Newsletter