Printer Friendly

Get it right the first time.

GET IT RIGHT THE FIRST TIME

IT'S ONE OF THOSE DAYS. GOING INTO the staff meeting, you know you are going to be put on center stage. The bean counters have already warned you that the information on your department's overruns has been passed along to upper management. You find yourself in the position of knowing the question but not the answer--at least not one the boss will accept.

So here you are, squirming in your seat, trying to answer your boss's question about why the security cost for the XYZ program is eating heavily into profits. You respond that the initial contract bid for security was apparently too low. Inevitably, your boss asks, "Why?"

Unfortunately, this scene is played out often among government contractors. Many factors must be considered when a company bids on a new contract that includes increased security requirements. A manager must research all security requirements for the new project to establish what the cost is really going to be and then bid accordingly. The problem is that not enough research is usually done to see what the projected costs will be. What little research is done often leads to the conclusion that the costs will be minimal and should be dumped into administrative overhead and absorbed by the company.

While an inspector for a special access required (SAR) program, I repeatedly heard complaints from the program security officer (PSO) and program manager that security requirements were more expensive than they had expected. The conractors that seemed to be hardest hit were those that were relatively small and had little or no experience with classified contracts under Defense Investigative Service cognizance. These companies saw great potential for business but unfortunately underbid contracts to make sure of winning them.

Unfamiliarity with the extent of security requirements for SAR programs may also lead to the use of a nonsecurity professional as the PSO. Although this practice is not necessarily a problem, the PSO's lack of experience compounds the difficulty of developing an accurate cost assessment for security. Unfortunately, even some companies with large, dedicated security staffs lack experience in the SAR arena and face the same pitfalls experienced by smaller companies.

SAR PROGRAMS HAVE A SCOPE ALL their own. They typically have specific and strict requirements regarding personnel, dedicated areas, and storage of classified material. All these requirements consume large amounts of time and money.

By developing a good base program at the beginning, a manager can avoid having to reinvent the wheel if the customer finds security requirements are not being met. The following are some general questions a manager should ask himself or herself and the potential customer when a new proposal is being prepared:

* Does this program require segregation from other SAR programs or other classified programs?

* Are there specific room or building requirements? Can existing rooms be used? If not, can they be modified?

* If dedicated rooms or areas are required, what are the entry and exit control requirements? Are guard posts required for entry and exit control, or can requirements be satisfied with supplemental access controls (cipher locks, electromechanical devices, etc.)?

* What are the alarm system requirements? Are they compatible with the current system?

* What are the storage requirements for classified documents? Are safes required? Are lock-bar cabinets acceptable to the customer? If so, what are the padlock requirements?

* What are the document control procedure requirements? Is the current system compatible with customer requirements, or must a new system be developed?

* What are the classification requirements of the program? Some programs require the classification of information not normally considered classified. The contractor's association with the project, the customer's identity, schedules, budget costs, and vendors' identities all might need to be classified. The increase in classified material and information may also increase the number of personnel who will require access, a situation that will proportionally increase administrative requirements.

* What are the reproduction and destruction requirements? Are dedicated machines required?

* Are sterile (blind) telephone lines and mailing addresses needed? What about secure (encrypted) lines for facsimile machines and telephones?

* What are the special requirements for personnel record keeping?

* What are the requirements for automated information systems (AIS) security for classified and unclassified use? What are the declassification requirements for AIS media? If a system has a hard disk, can the hard disk be used on other programs or for unclassified work after it has been degaussed or declassified?

* How long will the program remain SAR? Will portions be declassified, or will the entire program be made non-SAR at once?

* What are the recurring reporting requirements?

* What are the recurring security education requirements?

* Can the anticipated work load be handled by the contractor's existing staff, or must dedicated personnel be assigned? Do those workers have to be full-time, or can they work on several programs at once?

These questions should be answered as soon as a request for proposals is issued by the potential customer. However, sometimes the information is not provided or the person who receives the information does not evaluate it properly. The importance of the questions listed depends on the size of the contract, the number of personnel who will require access to the program, the compatibility of the contractor's current systems with the new requirements, and the security requirements of the specific program.

Renegotiating a contract is difficult, and with a fixed-price contract the money to cover overruns has to be taken from other departments or from the company's profits. In estimating for a bid, the bottom line is this: You have to get it right the first time.

Rod Clagg is a specialist in special projects security at the Electronics Division of Northrop Corporation in Hawthorne, CA. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:security costs on special access-required programs
Author:Clagg, Rod
Publication:Security Management
Date:Apr 1, 1989
Words:952
Previous Article:On the line with DES.
Next Article:Why not try theory Y?
Topics:


Related Articles
Access by design.
Can you keep a secret?
Fusing security and science.
A gallery of security.
The fine art of museum security.
Deducting education costs as medical expenses: the right answer?
Security seals the deal.
Government security reform progresses.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters