Tuesday, April 15, 2014

Social Media and Security Clearances

Can social media posts impact your security clearance?
It’s great to have family reunions or go out with friends and take pictures of events and the good times. We all want our friends to know how well we are doing and maybe we want to make some co-workers jealous while on vacation. Facebook, Instagram and Twitter make it possible to post your fun immediately.

Social media is a great invention and used for good, can be a rather fun way to keep up with others and allow them to keep up with you. However, such opportunities also provide epic fail situations where the poster gets in trouble at home and at work.

You may have read where school students have been suspended, military personnel have been punished and employees fired for events captured on social media. Some irresponsible postings have had reputation ruining consequences based upon perception as in the case of DeSean Jackson missing practice while posting vacation photos. Even though he had probably preplanned the event, football fans everywhere decried his bold and audacious move to vacation rather than practice.

The next time you post something negative about your work environment, the many photos of you posed with a drink in your hand, or update your relationship status for the 5th time in a week, think about this question: What happens when the security clearance investigation digs into social media?

Currently, this is an issue being discussed in shadows and whispers. The possibility of adding social media to the investigation docket may be coming. Per a study into the Navy Yard shooting[1], one DoD agency piloted a study and determined that at least 20 percent of the 3300 individuals subject to the pilot have been identified as having information relevant to adjudication.

Remembering the 13 adjudication criteria, there are several ways we can get into trouble through our real or perceived postings. If investigators (or even co-workers) discover information relative to adjudication, you may find your clearance delayed while explaining behavior that could be perceived as reportable or derogatory information.

So, live it up, enjoy the good life that your job has provided. But think seriously about what you want to post about yourself and how you want the world to perceive you. A little good judgment keeps you out of hot water. Bad decisions could possibly hold up or deny your chances of a security clearance.

Footnote:

[1] SECURITY FROM WITHIN, Independent Review of the Washington Navy Yard Shooting, NOVEMBER 2013


Access Authorizations

We can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

This third article in the series will address how to integrate the access authorizations into the overall security program designed to protect classified information.

Here are some questions from the handbook and ways to address the topics:

Are the numbers of clearances held to a minimum consistent with contractual requirements?

The facility security clearance is tied to a contract. Typically this tie-in is carried down to the cleared employee. However tying in a personnel security clearance to ONLY a contract might not be the right answer. For example, where a DD Form 254 and classified contract statement of work demonstrate that classified work is to be performed, these references do not dictate how many cleared employees are needed to conduct the work.

The best way to measure “minimum consistent” is to tie the personnel security clearances (PCL) to the contract and establish need to know (there is a great article on clearancejobs.com that covers need to know as a justification for security clearances). Many people are required to make a contract successful, but don’t need a clearance. These might include buyers, assistants, engineers, program analysts and others who support the contract, but may not actually perform classified work.

For example, suppose 20 employees support a government contract which includes performing in a classified environment. The actual classified work is off site and involves five employees conducting testing on a new missile. The test results are classified and the five employees are the only ones to ever engage with the classified product.

In this situation, the easy course would be to just provide clearances for all employees and tie the justification to the contract number. However, the end result would be committing enterprise, industry and national security resources to supporting an unjustifiable additional 15 cleared persons. Though the contract involves classified work, the justification should be on the need to know and not necessarily the classified contract.

Here is a link to an earlier post about how to justify clearances. It even includes a sample form that can be duplicated, used and presented to DSS.

http://dodsecurity.blogspot.com/2011/07/security-clearances-and-real-deal.html

Are employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company?

This is an administrative task that can be demonstrated with a signed memo. Write up the requirement and agreement of the SF 86 purpose, have the employee sign it and file it away to demonstrate not only compliance, but a workable process.

Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified information has been granted or denied, and then destroyed?

This is an important question. Many years ago (2006-2007), groaning resonated from the facility security officer (FSO) community about the arduous task of removing all the files and the loss of “valuable” information upon the destruction of such a massive record base. NISPOM, Industrial Security Letters, DSS reviews, JPAS, and personally identifiable information protection requirements have provided guidance and helped build a new standard of releasing that information from tightly gripped fists.

Now, all contractors should have a process in place to ensure that the SF-86 is destroyed as soon as a final determination of the employee's eligibility for access to classified information has been made.

Are all pre-employment offers based on acceptance to begin employment within 30 days of granting eligibility for a Personnel Clearance (PCL)?

For this, you can go directly to ISL 2009-02, #2 Pre-employment Clearance Action under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html

According to NISPOM 2-205, a cleared company can submit a PCL request on a prospective employee as long as there is a written agreement that the employee will begin work within 30 days of the clearance being granted. This requirement can be met with human resources or the FSO filing a signed memo offering the prospective employee a job and recording their commitment to begin work once the clearance is granted.

Has citizenship been verified for each initial PCL applicant? RESOURCE: ISL 2011-02 Acceptable Proof of Citizenship under Industrial Security Letters at:

http://www.cdse.edu/toolkits/fsos/personnel-clearances.html

Citizenship can be verified by any means listed in NISPOM 2-208: primarily certified U.S. birth certificates, certificates of naturalization, U.S. State Department certificates of citizenship, etc. This is an easy question to answer, but unless you are willing to make photocopies of all the citizenship verification documents, it’s hard to demonstrate. The best thing to do is document this requirement somewhere in company policy and be prepared to address how you meet the requirement during the DSS review. Be prepared to identify the documents and what you would check to ensure they were certified.

Preparing for the annual review can only strengthen your security program. Take the topics from The Self-Inspection Handbook for NISP Contractors and see where yours can be improved. 


For more ideas, see our books, "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, March 18, 2014

NISPOM Training Questions. For ISP Certification Practice

1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:
a. NSA
b. GCA
c. DNI
d. CSA
e. GSA

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.
a. SECRET, TOP SECRET
b. TOP SECRET, CONFIDENTIAL
c. CONFIDENTIAL, FOUO
d. SECRET, FOUO
e. CONFIDENTIAL, SECRET

3. The COR establishes the COMSEC account and notifies the _____:
a. CSA
b. GCA
c. FSO
d. NSA
e. DIA

4. Contractors maintain TOP SECRET reproduction records for _____ years.
a. Two years
b. One year
c. Five years
d. Ten years
e. None of the above

5. Contractors are authorized to retain classified material received under contract for a period of _____ after completion of contract.
a. One year
b. Two years
c. Five years
d. 180 days
e. 90 days

Scroll down for answers....




1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:
c. DNI (NISPOM 9-302b)

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.
e. CONFIDENTIAL, SECRET (NISPOM 9-402c)

3. The COR establishes the COMSEC account and notifies the _____:
a. CSA (NISPOM 9-403b)

4. Contractors maintain TOP SECRET reproduction records for _____ years.
a. Two years (NISPOM 5-603)

5. Contractors are authorized to retain classified material received under contract for a period of _____ after completion of contract.
b. Two years (NISPOM 5-701)

Find way more questions in Red Bike Publishing's Unofficial Guide to ISP Certification


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Facility Security Clearance Element

As a recap from the last article, we can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)

(B) Access Authorizations

(C) Security Education

(D) FOCI

(E) Classification

A good place to start is the very beginning. This second article in the series will address how to integrate the Facility Security Clearance (FCL) into the overall security program designed to protect classified information.

Documentation is key.

Once a government contracting activity and/or prime contractor awards a contract, the defense contractor can begin preparing documentation to begin the facility security clearance (FCL) process. Proper documentation is required to get the FCL process started and must be maintained the entire time the defense contractor holds the clearance. Defense Security Services is part of the clearance process and assists the defense contractor through the FCL process. As part of the FCL process, DSS works with the contractor to complete the required documents. Once the FCL is granted, DSS performs a vulnerability assessment and inspects NISPOM compliance (including required document maintenance).

Cleared defense contractors should keep all FCL related documents readily available both for reference and for future security audits. In an article on how to get an FCL, I outlined the requirements and explained the role of the following documents and actions (in a very simplistic representation of the process):
  • The GCA or prime contractor provides a sponsorship memo
  • The subject contractor applies for the clearance
  • DSS, GCA or Prime Contractor and subject contractor address security clearance request documentation:
    • Verify/Apply for CAGE Code
    • Sign Department of Defense Security Agreement (DD Form 441)
    • Complete a Certificate Pertaining to Foreign Interests (SF 328)
    • Provide Organization Credentials (type of business, business structure, list of officers, etc.)
    • Identify Key Management Personnel for clearances

Just understanding what it takes to get the FCL process started underscores the importance of maintaining all original documents and updating them as necessary. Some best practices include keeping these documents in a binder, folder or file for easy access and safe keeping. This administrative practice allows quick reference during security and certification reviews and protects the information for privacy and document configuration.

The following table is right out of The Self-Inspection Handbook for NISP Contractors:

A. FACILITY CLEARANCE (columns: NISPOM REF, Question, YES / NO / N/A, VALIDATION)

1-302g(3): Have all changes (e.g. changes in ownership, operating name or address, Key Management Personnel (KMP) information, previously reported FOCI information, or action to terminate business) affecting the condition of the FCL been reported to your DSS IS Rep?
VALIDATION:

2-100c: Has the company's FCL been used for advertising or promotional purpose?
VALIDATION:

2-104: Are the senior management official, the FSO, and other KMP cleared as required in connection with the FCL?
VALIDATION:

2-106a-b: Have the proper exclusion actions been conducted for uncleared company officials?
RESOURCE: Temporary Exclusion Resolution for KMP Template under Key Management Personnel at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html
VALIDATION:

2-108, 2-109: Are you familiar with the way your facility is organized and structured?
RESOURCE: Business Structure Job Aid under Facility Clearance at: http://www.cdse.edu/toolkits/fsos/facility-clearance.html
VALIDATION:


There are seven discussion areas in The Self-Inspection Handbook for NISP Contractors that address the FCL. These can all be verified based on maintaining the above documentation. Having the original FCL package and updating it as necessary is the requirement. FSOs are expected to use the self-inspection handbook to verify that the enterprise is in compliance.



Wednesday, March 12, 2014

NISPOM Security Programs Improved With 5 Elements

Good things happen where preparation and opportunity meet. Of course you can’t control the opportunity part, but you can always be ready when it does come knocking. In this case, the opportunity is the chance to get a SATISFACTORY or higher rating from Defense Security Services (DSS). Preparation is what you do to meet the minimum standard, apply enhancements for higher ratings and demonstrate the implementation. The opportunity knocks on your door during the annual DSS review.

By applying the five “Elements of Inspection” that are common to ALL cleared companies participating in the NISP, and the additional elements that might be applied at unique cleared facilities, facility security officers can control the opportunity a bit better. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)

(B) Access Authorizations

(C) Security Education

(D) FOCI

(E) Classification


Using the DSS publication as the intended guidebook, FSOs can glean important information and ideas for applying the elements to their own facilities. This guidance doesn’t just get the cleared contractor ready for the inspection; when applied, it solidifies a sound and proven security program.


A goal is not usually a plan, it’s just a target. A goal might be to win the coveted DSS Cogswell Award, but without preparation, it’s just a hope; and hope’s no strategy. A driver can’t just claim that they will travel to California from Washington, DC. They don’t just walk out to their car, point it toward the setting sun and say, “I declare I will be in LA by next Tuesday.” Without some sort of map or GPS, that western route will be fraught with obstacles and failure. A good plan will help them navigate those waypoints.


A strategy focused on the five elements is a great place to start. Each element is a waypoint that lets FSOs know where they are and what is needed to get to the next waypoint. Additionally, DSS will be following the same logic as they perform a vulnerability assessment on the cleared facilities. They will follow the same road map to determine the state of security as related to those elements.


Understanding the requirements of protecting classified information and applying the elements to the cleared facility is fundamental. In the past, I’ve written articles about using these elements to determine cleared facility type, how to conduct targeted security training, how to use the elements to build an ISP Certification exam study program and more. This next series of articles will address each element individually and give applications that most FSOs can adopt.



Monday, February 24, 2014

How to study for the ISP Certification using the Self-Inspection Handbook for NISP Contractors.


In our security community, I see a lot of questions about studying for the ISP Certification. Some ask for additional ideas to augment good study groups formed in NCMS (Society of Industrial Security Professionals). These questions facilitate great response from ISPs to help the student prepare for their certification exam.

One of the many reasons candidate testers might have for requesting additional study is to gain more experience and practice what they already know. It’s true that one of the testing pre-requisites is five years of experience protecting classified information or otherwise working in the National Industrial Security Program (NISP) environment. However, the five years of experience doesn’t necessarily mean that the candidate is executing all National Industrial Security Program Operating Manual (NISPOM) tasks. The tester is responsible for answering questions from the entire NISPOM though they may only personally touch small portions of NISPOM in all of those five years.

Additional study, test practice and rehearsal help build confidence. Some ideas I have already recommended are to broaden the scope of security tasks by taking on additional jobs, developing study questions based on NISPOM, or for mentors to get permission to allow outside NISP contractors to train in their facility (for example, an FSO of a non-possessing facility training with an FSO in their possessing facility).

Another idea I would like to recommend is to use the Defense Security Services (DSS) produced Self-Inspection Handbook for NISP Contractors as a training guide. The handbook requires demonstration of tasks involving the entire NISPOM. Whereas DSS recommends that FSOs inspect only items appropriate for their own facilities, I recommend just the opposite. FSOs can focus study efforts on areas of the NISPOM outside of their scope.

The following exercise will help candidates research NISPOM and provide examples of demonstrated performance:



1. Download Self-Inspection Handbook for NISP Contractors

2. Save the PDF file as a Word document

3. Delete all NISPOM references

4. Review all tasks appropriate to your facility. Research NISPOM and validate whether or not your facility is compliant. This exercise will help enforce what you already know.

5. Study tasks listed outside of your focus. For a non-possessing FSO, this might mean all chapters other than 1-

6. Read the task, attempt to find the reference in NISPOM and document the NISPOM requirements. Next, write down your ideas of how you would interpret the requirements. This exercise helps you learn which NISPOM chapters are associated with certain NISP tasks. With enough practice, you can quickly find NISPOM references and answer questions with the speed required on test day.


Use the Self-Inspection Handbook for NISP Contractors to help guide additional study to augment the great training you are already getting. For more helpful hints and study resources, see Red Bike Publishing’s Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, and NISPOM Training topics.


Friday, February 21, 2014

What Kind of Security Training Should FSOs Give to Uncleared Employees?

It’s true, cleared defense contractors have uncleared employees. In larger organizations, these employees may work in shipping and receiving, maintenance, human resources and other non-program development areas. The organization should develop policy and training to be incorporated into the procedures to protect classified information.

How would an uncleared employee have access to classified information?

Hopefully never, but mistakes happen when such instances are not identified. Uncleared employees could possibly find unattended classified information, unlocked security containers or stumble into classified conversations.

Sometimes classified information is delivered to the wrong recipient, absent-minded cleared employees might leave classified information on a printer or in common areas, and cleared employees may hold approved classified meetings but forget to verify clearance and need to know. Things happen, and damage control as a last resort is all too prevalent in these situations. An FSO with properly trained uncleared employees may have an easier time investigating whether or not classified information is compromised when everyone reacts properly.

This NISPOM training may include:

What national security information is: an uncleared employee should understand that unauthorized distribution of classified information affects national security. A properly trained uncleared employee would therefore alert the FSO or other responsible person if they discover unattended classified information. They will also understand not to read unattended classified documents and to identify themselves as uncleared before cleared employees begin classified conversations.

What classified information looks like: cover sheets, proper markings and other information identify that an item is classified. The uncleared employee can be trained to easily recognize classified information and know what to do when they come across it.

What to do if coming across classified information: classification markings help identify classified information, the level of classification and who classified it. The internal controls should identify what the uncleared employee does if coming across an unidentified document or other classified item.

Using the above training tips can help prepare for the self-inspection process, as training and interviewing uncleared employees is part of the self-inspection. DSS has provided sample questions that you can ask when interviewing uncleared employees:

What is classified information?

How would you know if something was classified?

If you found unprotected, classified information, what would you do?

Have you ever heard classified information being discussed?

Have you ever come into possession of classified materials? How?




So, as you build your security program to protect classified information, don’t forget your uncleared employees. They can be the missing link to preventing unauthorized disclosure.

