Compliance with requirements for protecting classified information
My first job in computing security in 1982 was facilitating compliance with US Government regulations for protecting classified information in computing systems. Each system was required to have a control plan that identified the individuals responsible for the system, the configuration of the system including both computing hardware and physical controls, and the process for operating the system with classified information. The document was approved by the government, by agents who came to inspect all systems at least annually.
Some of the company managers and custodians for these systems viewed me as an adversary, since the regulations imposed limitations and extra effort not required for normal company use of the systems. But in all cases I endeavored to help them understand that the requirements were simply one of the many requirements associated with the contract their organization had with the government. My role was to provide experience and common practices to enable them to perform in a compliant manner as efficiently as possible. Some systems, particularly computerized test equipment, required creativity to allow tests to be performed while complying with requirements.
I visited each system whenever there were changes requiring approval by the regulator. Many systems required lots of collaboration in developing processes that complied with the intent of the requirements, which paid off with first-time approvals in nearly every situation. I also facilitated a self-inspection to ensure readiness for the government inspection. During inspections by a regulator, I was present in part to put the custodian at ease and in some instances to help ensure that the regulator and custodian were understanding each other. When issues arose, I made note of each item to ensure timely resolution.
Later in my career, as I was involved in shaping the organization’s unclassified computing security program, I came to appreciate many elements of the government’s program for protecting classified information.