Tuesday, May 26, 2015

DSS Self-Inspection for Cleared Contractors-Inspection of Personal Effects


We are continuing our analysis of the DSS’ The Self-Inspection Handbook for NISP Contractors to determine requirements and best practices for meeting them.

Since Section M has multiple inspection points, we have broken them up into individual articles.  This update addresses using warning signs and inspections to ensure authorized introduction and removal of classified information. 

Question 5-103: Are signs posted at all entries and exits warning that anyone entering or departing is subject to an inspection of their personal effects?

NISPOM 5-103 states “…The fact that persons who enter or depart the facility are subject to an inspection of their personal effects shall be conspicuously posted at all pertinent entries and exits.”

Security through Denial, Deterrence, and Detection

This notification serves as both a warning and a deterrent against the unauthorized introduction or removal of classified information. The actual inspection of personal effects serves the denial and detection purposes.

These inspections and sign postings should occur in strategic locations. The FSO should consider using them where they make the most sense, where they support classified contracts, and where they enhance job performance without becoming a burden to the enterprise or the national industrial security program. For example, inspections should occur where access to classified material is likely, not where such access is unlikely or, at the very least, remote. The inspections should be conducted in a manner that does not impede traffic flow or classified performance.

Additionally, these inspections should be random and limited to business items and not personal items such as purses, wallets or undergarments. In all cases, coordinate with human resources and seek legal advice before implementing the program.

The Danger

The uncontrolled introduction of classified information can cause security violations and compromise of classified material.

The FSO should create company policy demonstrating how classified material is introduced and removed properly from the company and train cleared employees on the procedures. The intent is to establish an environment where all employees have a clear understanding of policy.

For example, the FSO can ensure that classified deliveries are to be made through the cleared contractor’s security department and not directly to the cleared employees. One trigger point to plan the reception of classified information is upon notification of a classified visit request.

Best Practices


At a minimum, ensure inspection signs are posted at all employee and visitor entries and exits. This broad scope captures the entire building access and egress possibilities where classified information can be introduced or removed.

Next, filter the flow of visitors. A follow-on method of controlling the introduction of classified information is to restrict or direct the flow of visitor traffic into and out of the cleared facility. Cleared facilities may have multiple entry points, and visitors should have access only to designated entry points. To help maintain control of the classified environment, FSOs can employ information technology or human controls to direct pedestrian traffic into their facility. Access controls with biometric, PIN card or data card access provide an excellent opportunity to route all traffic through an authorized area.

When budget does not permit the purchase or subscription to expensive information technology, high security hardware such as door locks and crash bars are adequate to prevent entry into unauthorized doors.

When controls are in place, pedestrian traffic should file through a reception area where visitors are received warmly and reminded to check in with the security or reception desk for all classified deliveries.

Document Compliance and Best Practices

Validation should include, but is not limited to, corporate policy letters, an inventory of where inspection signs are posted, transcripts or slides from security awareness training, and attendance rosters from training.

Authorized classified material should flow unimpeded to and from where classified work is performed. Security efforts should facilitate the authorized introduction of classified information, while denying, deterring, and detecting unauthorized attempts at introduction or removal. FSOs should ensure a strong security posture and train the force to work within the required environment.

For more information, see DoD Security Clearance and Contracts Guidebook.
 


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing.

He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Sunday, May 17, 2015

Self Inspection Handbook and The FSO-Classified Storage

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. We are still addressing Section M, classified storage. This update addresses perimeter controls that deter and detect unauthorized removal and introduction of classified information.

5-103 Is a system of perimeter controls maintained to deter or detect unauthorized introduction or removal of classified information from the facility? If so, when, where, and how are these being implemented?

According to NISPOM 5-103, Perimeter Controls: “Contractors authorized to store classified material shall establish and maintain a system to deter and detect unauthorized introduction or removal of classified material from their facility.”

Traceability is an important part of protecting classified information. Industry best practices, the NISPOM, and training frequently allude to the idea that only TOP SECRET information must be accountable. There is extensive direction on applying accountability to TOP SECRET information, including the designation of a TOP SECRET Control Officer (TSCO). This position also carries detailed responsibilities for how to receive, account for, trace, destroy, and remove information that could cause exceptionally grave damage to national security if disclosed to uncleared persons or to persons without a need to know.

But what about SECRET and CONFIDENTIAL? Shouldn’t those also be accounted for? 

Technically no.


Though many FSOs are actively protecting classified information in this manner, practitioners must be specific when communicating the requirements. I learned this lesson early when writing DoD Security Clearance and Contracts Guidebook. I had sent it out for review, editing, and comments from leaders in the industry. In the earlier version I wrote that “all classified information must be accounted for”. After all, I felt it was a safe assumption to write for a book about how to protect classified information. Language in the NISPOM suggests that classified information must be producible in a reasonable amount of time. Also, classified information must be reported if disclosed in an unauthorized manner, compromised, stolen or lost.

So how could you prove it was lost, stolen or otherwise safe unless you know what you have and how much of it is there? That sounds like accountability to me.

The reviewer, an expert in the field, expressed rather emphatically that I could not write such language, but that the contractor could use an information management system to keep up with classified information. For the final version of the book, we agreed on using “information management” instead of “accountability”, but I still feel that some TS protection measures, accountability and traceability, should be practiced to protect all classified information.

How can TSCO requirements be applied to all classified information?


Without creating a great resource burden to the enterprise, the FSO can manage classified information responsibly and protect classified information by tracking and documenting what is stored on site, in what format, and how many copies there are. Additionally, contractors should discourage the introduction or removal of classified material without proper authority. A best practice includes centrally storing all classified information, receipting classified information, documenting the information in an information management system (IMS) such as SIMSSOFTWARE, and controlling the use of the classified information.

Commercially available IMS uses information technology to create a detailed database that helps FSOs track classified material through many dispositions from receipt, inventory requirements and final disposition. Some produce receipts, tie to a barcode scanner, report statistical data that can help determine use and much more. For example, if an inventory reveals missing classified information, the database can provide valuable information to help reconstruct the classified information’s history.

However, this doesn’t always have to be an expensive software or network endeavor. Some inexpensive and free solutions are available. I once produced my classified document library system on a printed Microsoft Excel spreadsheet to DSS' satisfaction.

Technology also exists to create a classified library or database and associate it with scanner software. Barcodes can be printed and applied to classified items for scanning. If an item is destroyed, shipped, filed, loaned or returned, it can be scanned and its status updated. These databases provide reports identifying when and where the barcode on the classified document was scanned and its last disposition.

The FSO can use the technology to research dates, methods of receipt, contract number, assigned document number, assigned barcode, title, classification, copy number, location, and name of the receiver. For more information, see our blog post Information Management Systems.  http://dodsecurity.blogspot.com/2011/04/information-management-systems.html#.VVY_k-lFB9A
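To make the receipt, disposition and reconstruction process concrete, here is a small ledger written for this post as an added example; it is not SIMSSOFTWARE or any vendor's code. It assumes a single facility where the FSO receipts each item, labels it with a barcode, and scans it whenever its disposition changes; the document numbers, barcodes, contract number and names are constructed placeholders. It records the fields listed above, refuses out-of-order or impossible scans, and reconciles a physical inventory against the ledger so that a missing item can be traced through its history.

```python
"""Minimal classified-document information management system (IMS) ledger.

Added illustration for this post, not SIMSSOFTWARE or any product's code.
All document numbers, barcodes, contract numbers and names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# After these dispositions the item is no longer expected on site.
OFF_SITE = {"shipped", "destroyed"}
VALID_DISPOSITIONS = {"received", "filed", "loaned", "returned", "shipped", "destroyed"}


@dataclass
class Event:
    when: date
    disposition: str
    location: str
    person: str  # who performed the scan or received the item


@dataclass
class Item:
    document_number: str
    barcode: str
    title: str
    classification: str
    copy_number: int
    contract_number: str
    method_of_receipt: str
    history: list = field(default_factory=list)

    @property
    def current(self) -> Event:
        return self.history[-1]


class Ledger:
    def __init__(self) -> None:
        self._by_barcode: dict = {}

    def receipt(self, item: Item, when: date, receiver: str, location: str) -> None:
        """Receipt a newly arrived item; the first event is always 'received'."""
        if item.barcode in self._by_barcode:
            raise ValueError(f"duplicate barcode {item.barcode}")
        item.history.append(Event(when, "received", location, receiver))
        self._by_barcode[item.barcode] = item

    def scan(self, barcode: str, when: date, disposition: str, location: str, person: str) -> None:
        """Record a disposition change for a barcoded item."""
        if disposition not in VALID_DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r}")
        item = self._by_barcode[barcode]  # KeyError for a barcode never receipted
        if item.current.disposition in OFF_SITE:
            raise ValueError(f"{barcode} already {item.current.disposition}; cannot {disposition}")
        if when < item.current.when:
            raise ValueError("scan events must be recorded in chronological order")
        item.history.append(Event(when, disposition, location, person))

    def expected_on_site(self) -> list:
        return [i for i in self._by_barcode.values() if i.current.disposition not in OFF_SITE]

    def reconcile(self, scanned_barcodes) -> dict:
        """Compare a physical inventory (barcodes actually scanned) with the ledger.

        'missing' items are expected on site but were not found; 'unexpected'
        items were found although the ledger says they left or were destroyed.
        Both are discrepancies that warrant follow-up.
        """
        scanned = set(scanned_barcodes)
        expected = {i.barcode for i in self.expected_on_site()}
        return {"missing": sorted(expected - scanned), "unexpected": sorted(scanned - expected)}

    def history(self, barcode: str) -> list:
        """Reconstruct an item's history, e.g. when an inventory reports it missing."""
        item = self._by_barcode[barcode]
        return [f"{e.when} {e.disposition} at {e.location} by {e.person}" for e in item.history]


def build_sample_ledger() -> Ledger:
    """Constructed sample data (placeholder identifiers) for the reconciliation below."""
    led = Ledger()
    contract = "CONTRACT-PLACEHOLDER"
    led.receipt(Item("DOC-2015-001", "BC-0001", "Test plan", "SECRET", 1, contract, "courier"),
                date(2015, 3, 2), "J. Doe", "Security office")
    led.receipt(Item("DOC-2015-002", "BC-0002", "Design review", "SECRET", 2, contract, "registered mail"),
                date(2015, 3, 9), "J. Doe", "Security office")
    led.receipt(Item("DOC-2015-003", "BC-0003", "Working notes", "CONFIDENTIAL", 1, contract, "hand carry"),
                date(2015, 3, 16), "J. Doe", "Security office")
    led.scan("BC-0001", date(2015, 3, 2), "filed", "Container 1, drawer 2", "J. Doe")
    led.scan("BC-0002", date(2015, 3, 9), "filed", "Container 1, drawer 2", "J. Doe")
    led.scan("BC-0002", date(2015, 4, 1), "loaned", "Closed area A", "R. Roe")
    led.scan("BC-0003", date(2015, 4, 20), "destroyed", "Shred room", "J. Doe")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    # Constructed inventory: the loaned item was not found, the destroyed one was.
    print(ledger.reconcile(["BC-0001", "BC-0003"]))
    for line in ledger.history("BC-0002"):
        print(line)
```

The reconciliation reports both directions of discrepancy: an item the ledger expects on site that nobody scanned, and an item the ledger says was destroyed that is still physically present. Either case should be researched through the item's history before it is reported or closed out, which is exactly the reconstruction the paragraph above describes.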


FSOs should establish perimeter controls to deter or detect unauthorized introduction or removal of classified information from the facility. The NISPOM encourages the use of technology to assist, however, this does not need to be an expensive endeavor. Technology could be as simple as a spreadsheet or an old school library checkout system.

FSOs should document whichever processes are used and make them available for self-inspections and DSS reviews. Security awareness training, posters, flyers, standard operating procedures, policy, practices and technology should be available for validation.

For more information, see our NISPOM training subjects or DoD Security Clearance and Contract Guidebook.



Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Monday, March 30, 2015

NISPOM Based Certification Questions.

Try these NISPOM based questions. They could complement your ISP Certification or SPeD certification study. See how you do.

1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA 
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract 
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared




Scroll down for answers:






1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA (NISPOM 10-200)
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above (NISPOM 10-702)

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity (NISPOM 2-102c)
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract (NISPOM 5-509)
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared



FSOs and End of Day Security Checks



This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-102a Is there a system of security checks at the close of each working day to ensure that classified material is secured? 

Security checks help, period. However, they are only as good as the purpose they serve. Too often these checks are just a list of mundane actions forced on an employee to complete before going home, and too often they are performed by employees on a duty roster who pull the job for a week at a time and leave at various times of the day.

The real intent is to ensure classified information is locked up and inaccessible by uncleared personnel and those without need to know. Desktops, trash bins, printers, copiers are checked to ensure classified information has not been left unsecured.

GSA-approved security containers are checked and initialed to ensure they are closed and locked properly. Closed area locks are checked, as are security alarms. The list goes on, so that every situation where classified information was previously available has been secured and the risk of compromise mitigated.

Now, security checks are important, and so is the responsible party doing the checking. Often, any employee with a clearance is given the "duty". However, diligence should be exercised to ensure the checks are made at the right time.

Here's a hint at an inherent but rarely pondered danger.

The end of day checks should be performed at the end of the duty day and not the end of the day for the employee on duty.

Did you get the play on words? 

The danger with a duty roster in many cases is that some employees performing the end of the day checks may not normally stay until the end of the duty day. Where the employee might leave at 3 pm, other employees might not leave until 5 pm. The two hour time difference is simply not providing the proper mitigation.

Within those two hours, an employee could reenter a closed area, open a security container, hold a classified meeting, etc. Life goes on after the designated end-of-day checker goes home.

Outside-the-box ideas:

1. Have employees performing the duty alter their work schedule accordingly. Make sure that someone is covering the end-of-day checks at the end of the day. Some even go so far as to include safety and housekeeping information as well.

2. Have a last call for classified information. If the normal duty day ends at 5 pm, ensure all classified information is secured by 4:45. Of course there are emergencies and case by case issues that can be dealt with upon request.

3. Assign end of day checks to only employees who leave at the end of the day. Build in additional "beginning of the day" performance measures for employees who arrive earlier in the day.

Another common problem is using the end-of-day check for safety and housekeeping. Consider a separate checklist for those issues. Employees should be focusing their efforts on securing classified information, not ensuring the coffee pot is turned off.

Hang on to those end of day check lists. DSS will want to see them during the review. Be sure to check for them during your self-inspection.

We've covered this discussion in depth in 2012 and 2013 posts.  As a reminder here are the links for further discussion of this important issue:

http://dodsecurity.blogspot.com/2013/03/traditional-security-tools-in-unique.html

http://dodsecurity.blogspot.com/2010/11/storing-classified-information-keeps.html#links

Though not required by NISPOM, government forms are available online for use, or simply to serve as a model when strengthening security programs. Companies are free to use these forms or create their own. One such form is the Activity Security Check List, Standard Form 701. Again, unless the contract or Government agency requires the use of a specific format, the company is free to adapt its own version.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.


GSA Security Container Magnets
http://www.redbikepublishing.com/book/magnet/



Sunday, March 15, 2015

Defense Contractor Self Inspection Handbook and Classified Discussions

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-101 Do your cleared employees know where they can and can't hold classified discussions?

According to NISPOM 5-101, Safeguarding Oral Discussions: “Contractors shall ensure that all cleared personnel are aware of the prohibition against discussing classified information over unsecured telephones, in public conveyances or places, or in any other manner that permits interception by unauthorized persons.”

There are at least two points that the FSO should address. The first is to ensure all cleared employees are aware of when and where classified discussions are and are not permitted. This awareness can be presented in any of the following formats. If possible, the FSO should implement as many as apply:
  • New employee orientation/Initial Security Briefing/Annual security awareness training-FSOs should incorporate contractor-specific training to ensure cleared employees understand where and when classified discussions are allowed and the circumstances that must be met before such discussions may take place. This training should identify the designated areas, rooms, sections or other locations where conversations, presentations, telephone calls, and any other discussions should occur. The training should also cover how to prepare the areas for the proper level of discussion, including any necessary VARs, COMSEC, or information system support.
  • Posters-Posters serve as reminders to reserve classified conversations for designated or dedicated locations.
  • Pamphlets or flyers-Post these in obvious places as part of continuing security training and education. These flyers and pamphlets can convey a lot of significant information that will support your annual security awareness training.
  • Multi-media-Broadcast your security message to the cleared employees through social media, websites, an internal television channel, etc.


VALIDATION: The best way to demonstrate compliance with NISPOM requirements is to document actions and show examples. This can be done with:
  • cleared employee signatures
  • facility maps identifying designated and dedicated classified discussion areas
  • locations where pamphlets and flyers are posted
  • how many were posted
  • copies of presentations and training

Presenting and documenting topics, signatures and copies of any method of presenting the message are great metrics to demonstrate validation.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.



Tuesday, February 17, 2015

NISPOM Based Study Questions for Security Certification



The following NISPOM Training is meant to augment your NCMS ISP Certification education, not replace it. Download NISPOM to your computer and try your experience against this open book practice test. So, here are some NISPOM based practice questions to help you prepare: 

1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA
c. CSA
d. FSO
e. None of the above







Scroll down for answers:






1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above (NISPOM 9-402a)
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above (NISPOM 10-200)

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number (NISPOM 6-104)
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone (NISPOM 8-303c)
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA (NISPOM 10-201)
c. CSA
d. FSO
e. None of the above

If you want more, see our book Red Bike Publishing's Unofficial Guide to ISP Certification only at http://www.redbikepublishing.com





Most Helpful Customer Reviews

5 of 5 people found the following review helpful
By Lisa M. Doman on November 18, 2008
Format: Paperback
Like many seasoned industrial security representatives, I feel like I know it all. I have been in this industry almost 25 years; I know where to look for answers, and I have my contacts. But one day it occurred to me just how much has changed during my career - enter the Internet, enter computer based training, enter instant security clearances (Interims), enter the JPAS/e-QIP interface, enter diminished contact with my cleared employees and visitors. Admitting that the contact with my cleared employees is not as intimate as it used to have to be, somehow I felt that I was losing touch with my own skill set because of it. Jeffrey Bennett's book is very insightful into our industry, for he works with and supports, and motivates, this industry. You should consider buying the ISP Certification - The Industrial Security Professional Exam Manual, and spend 30 minutes with it each evening after work. Reinvigorate yourself. Give your imagination and professional growth some quiet stimulation. Remember. Refresh yourself. The best security education dollar you can spend, and not even leave home.
2 of 2 people found the following review helpful
By Jasmine C. on September 15, 2011
Format: Paperback
After receiving this book, I quickly skimmed through it prior to sitting down for a close study. My initial reaction was to wonder just how much information I could learn based on the fact that most of the book was dedicated to practice tests. When I finally took the time to sit down and read it, I was surprised at just how much information it contains. The book tells you how to prepare, to include learning all security disciplines, how to manage your time, and how to study the NISPOM. The practice tests are a great opportunity to time yourself, and help to identify areas of weakness. I truly recommend this book for anyone considering the ISP Certification... it is a great tool to have!
Format: Paperback
Written by a security consultant with twenty-two years of experience in military intelligence, contracting and security, ISP Certification: The Industrial Security Professional Exam Manual is an instructional resource created to provide career security specialists with what they need to know to protect our nation's secrets. The text offers practical advice for security professionals and a working understanding of the NISPOM and Presidential Executive Orders implementing the National Industrial Security Program, but the heart of ISP Certification is its four practice tests designed to probe the depths of one's knowledge. An absolute "must-have" for anyone in federal positions requiring a thorough knowledge of security procedures, and highly recommended for the libraries of federal agencies.
1 of 1 people found the following review helpful
By Fred Twitty on May 8, 2010
Format: Paperback
As a retired US Army Chief Warrant Officer Five (CW5), Counterintelligence Officer; former Special Agent, Defense Investigative Service (DIS); former Special Agent, Defense Security Service (DSS); former US Army Liaison Officer to Headquarters, Department of Defense (DoD), Alexandria, VA, Counterintelligence Division for Counterintelligence Issues; and former owner of a Small Veteran's Business under a DoD contract to conduct Background Investigations for DoD Personnel Security Clearances, I consider this book to be brief and it makes the complex simple. This ISP Manual is a must for those preparing to take the ISP Certification Exam.
1 of 1 people found the following review helpful
By S. Koryta on June 8, 2010
Format: Paperback
Mr. Bennett once again has assisted me in my endeavors as a security and protection professional. His book not only assists in helping you prepare for the ISP certification, it provides first hand insight and mentoring on how to advance your career goals in this complex field. In using his study guide, one can get a real understanding of how the certification process is and study to overcome the challenges of taking the exam. The one recommendation I can say is to combine it with the pocket edition, so you can take and read while on the metro to work.
1 of 1 people found the following review helpful
By Diane Griffin on January 9, 2009
Format: Paperback
As a seasoned security professional, I found the Industrial Security Professional Exam Manual to be very clear, brief and concise.

The ISP manual is a must read for anyone anticipating taking the ISP exam. Whether you are a seasoned security professional or a newbie to the world of security, this book is a keeper.

Thank you for putting out such a Great Book

Diane Griffin
President/CEO
Security First & Associates LLC

