Wednesday, August 20, 2014

NISPOM Study Questions

Some NISPOM based questions that might augment your study for the ISP Certification exam.


1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:

a. NSA
b. GCA
c. DNI
d. CSA
e. GSA

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.

a. SECRET, TOP SECRET
b. TOP SECRET, CONFIDENTIAL
c. CONFIDENTIAL, FOUO
d. SECRET, FOUO
e. CONFIDENTIAL, SECRET

3. The COR establishes the COMSEC account and notifies the _____:

a. CSA
b. GCA
c. FSO
d. NSA
e. DIA

4. Contractors maintain TOP SECRET reproduction records for _____ years.

a. Two years
b. One year
c. Five years
d. Ten years
e. None of the above









Scroll Down for Answer









1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:
a. NSA
b. GCA
c. DNI (NISPOM 9-302b)
d. CSA
e. GSA

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.
a. SECRET, TOP SECRET
b. TOP SECRET, CONFIDENTIAL
c. CONFIDENTIAL, FOUO
d. SECRET, FOUO
e. CONFIDENTIAL, SECRET (NISPOM 9-402c)

3. The COR establishes the COMSEC account and notifies the _____:
a. CSA (NISPOM 9-403b)
b. GCA
c. FSO
d. NSA
e. DIA

4. Contractors maintain TOP SECRET reproduction records for _____ years.
a. Two years (NISPOM 5-603)
b. One year
c. Five years
d. Ten years
e. None of the above

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

The FSO, Sub-Contracts and NISPOM

As we continue the series of articles on the self-inspection, we should understand that FSOs or designated inspecting officers may find themselves addressing "Elements of Inspection" that are common to ALL cleared companies participating in the NISP. Other topics will not apply to every facility, but they still offer an opportunity to learn something new. There are a few more elements that might apply at unique cleared facilities, but FSOs in those situations can adapt these articles to those specific needs. As a recap, according to DSS' The Self-Inspection Handbook for NISP Contractors, the five elements that pertain to ALL cleared defense contractors are:
(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

Though not applicable to all cleared contractors, subcontracting is covered in the NISPOM. This article will address the requirements of subcontracting and how to set up both the prime and the sub for success. The following are questions from the self-inspection handbook and how to address them.
Are all required actions completed prior to release or disclosure of classified information to sub-contractors?
An FSO might get direction by referring directly to the DD Form 254. Since it is called the Contract Security Classification Specification, it should be used by the prime to direct classified work requirements and by the sub to prepare its cleared employees and facility to perform. Items 10 and 11 provide the performance and access information required of the subcontractor. These yes or no questions outline expectations. Will the subcontractor be expected to use COMSEC equipment, operate a SCIF, or create classified documents? If so, some subtasks are required during preparation. For example, if the prime expects the sub to perform classified work on site, appropriate storage space, designated or dedicated work areas, information systems, etc. should be approved, certified and accredited in time to meet performance requirements.
Are the clearance status and safeguarding capability of all subcontractors determined as required?
The cleared contractor should identify work requirements in the DD Form 254, including storage level, where classified work will be performed, access requirements, and the security guidance expected to be flowed down to the subcontractor. The DD Form 254 should be provided with the statement of work, contract, request for quote, etc. It is the nexus of the work, preparation, and expectations required of the sub, and it allows the sub to cost the work performance. This documented performance requirement ranges from simply requiring a facility clearance with no storage capability (providing cleared employees to perform off site) to classified storage capability to receive and generate classified information on site.
The DD Form 254 should trigger some actions by the prime contractor. For example, in block 11, the prime informs the subcontractor whether or not they will need to access classified information on-site.  Prior to the subcontracting effort, the prime contractor should make that determination and flow requirements to the sub-contractor. The prime contractor should show due diligence that they vetted and awarded the classified contract to a subcontractor who is able or will be able to protect classified information or otherwise perform on classified contracts per NISPOM when the performance requirements begin.
Do requests for facility clearance or safeguarding include the required information?
If the winning subcontractor is not currently cleared, the prime will have to jump into action to sponsor them (see how this is done) for a facility security clearance (FCL). This requires the prime to be proactive as they must solicit the cognizant security agency (usually Defense Security Services (DSS) for the Department of Defense) on behalf of the sub-contractor and provide rationale for the FCL. This rationale should include any safeguarding requirements and description of classified work required in the contract. The rationale should also include all factors to help DSS determine whether or not the subcontractor meets NISPOM requirements.  Though the sub can prepare administrative actions such as compiling and completing required documents and certificates, the sub-contractor cannot request their own clearance.
If your company is a prime contractor, have you incorporated adequate security classification guidance into each classified subcontract?
This is where blocks 13 and 14 really count. According to the DSS's Guide For Preparing a DD Form 254, block 13 should not just be a list of requirements documentation. Prime contractors should not simply write, "protect all classified information according to NISPOM" or similar vague instruction. This area should be used to provide explicit information to help the subcontractor understand the nuances of protecting classified information according to the contract. To be specific, exact protection language should be incorporated here. If reference documents are used, such as security classification guides, statements of work, or other requirements items, the prime should list the document name, page number and exact language. This also includes any source documents provided as attachments to the DD Form 254 or delivered separately. The point is that block 13 should include specific security language to protect contract-specific classified information.
If there are any security requirements that go above and beyond the NISPOM, these should be listed in Block 14. These also require prior approval from the government contracting activity.
Are original Contract Security Classification Specifications (DD 254) included with each classified solicitation?
This is a fair and accurate way to get the message across that any contractor that bids on the classified contract understands the requirements to protect the classified information. The DD Form 254 is a legally binding contractual document and the subcontractor will be required to perform to the contract specification. This requires the prime contractor to present the expected work outright in the statement of work and the DD Form 254.
If your company is a prime contractor, have you obtained approval from the GCA for subcontractor retention of classified information associated with a completed contract?

If the prime contractor expects to deliver 2000 classified documents or expects the subcontractor to generate and/or store classified information on site, the prime will need to secure approval from the Government Contracting Activity. The prime will then flow the approval and protection requirements down to the subcontractor. Among other uses, this approval provides the GCA with assurance that the classified information is afforded the same level of protection as required at the prime contractor's cleared facility. The sub in return receives the protection specifications, prepares the storage and work performance compliance, and prepares to receive the material.
The FSO or self-inspecting official should look at all DD Form 254s generated by the cleared facility. They should validate that each is issued properly while seeking a demonstration of answers to each question. 



Saturday, August 16, 2014

Writing the Standard Practice Procedure (SPP)

What is A Standard Practice Procedure (SPP)?

According to NISPOM, Appendix C an SPP is a "document prepared by a contractor that implements the applicable requirements of this manual for the contractor's operations and involvement with classified information at the contractor's facility."

In other words it's your process for applying the NISPOM as you conduct classified work as it applies to your unique operation. The SPP should be tailored to your specific organization. To be effective, it should reflect performance requirements on classified contracts as reflected in the statement of work, DD Forms 254 and security classification guides.

Who should have an SPP?
NISPOM 1-202 states that, "The contractor shall implement all applicable terms of this Manual at each of its cleared facilities. Written procedures shall be prepared when the FSO believes them to be necessary for effective implementation of this Manual or when the CSA determines them to be necessary to reasonably exclude the possibility of loss or compromise of classified information."

The NISPOM is clear that the SPP can be directed by Defense Security Services (DSS) to reasonably exclude the possibility of loss or compromise. Perhaps an annual DSS review has determined that vulnerabilities exist that must be mitigated to adequately protect classified information. In that case, DSS may direct an analysis and additional countermeasures. They could also direct the development of security procedures and their documentation in an SPP. Another reason DSS could require an SPP is if the cleared facility needs to upgrade its clearance level or storage approval in execution of new classified contracts. The SPP would address the new procedures implemented to protect a higher classification of information.

Additionally, the FSO can use the same rationale as a basis for creating a new or updating an existing SPP. A self-inspection, sudden growth in cleared employees, new and growing classified holding locations, new work requirements, corporate policy and other factors may drive the decision to develop and implement an SPP.

The first step is to determine what parts of the NISPOM apply to your facility. Chapters 1-3 and parts of Chapter 6 apply to all cleared contractor facilities. Therefore, fundamentally, the SPP should cover the organization's mission, applicability of the NISPOM, facility and personnel security clearances, security education and general security procedures. For facilities with storage capability, the SPP would expand to protecting classified information, storage of classified information, closed areas, security containers and etc. The point is to provide a tangible standardized process for cleared employees on the requirements of protecting classified information while performing on classified contracts.

There are a few source documents FSOs can refer to when determining what should be covered in the SPP. These sources include but are not limited to:

DD Forms 254: provide the security requirements and expectations of the government contracting activity or prime contractor. Specific requirements will be found in blocks 10, 13 and any additional pages. FSOs should include these requirements in the SPP. FSOs might consider either a separate SPP or annexes to a single SPP to distinguish between unique requirements by program, project or contract.

Security Classification Guides (SCG): SCGs provide classification levels and reasons for classification. These are the expectations of what to protect and at what level. SCGs might be included in the SPP language or at least used as a reference document.

Statements of Work: SOWs can provide explicit requirements and expectations made by the customer. Incorporating SOW language will help develop the right posture for the desired performance.

FSOs should lead a team of contractual, program, project and other internal employees who are subject matter experts. The team should review requirements and work together to develop procedures that help enforce and execute work based on those requirements. The FSO keeps focus by transposing requirements into procedures that support protecting classified information according to the NISPOM.

Once complete, the SPP should be staffed throughout the organization for additional input and to see how the SPP would impact other business units. This input is necessary to gain the support of the organization and leadership and to determine where or if there is conflicting policy. Once staffed and approved, the SPP should be adopted as corporate policy. Once adopted by the enterprise, leadership backing will provide credibility and ensure that security procedures will be followed.


Creating Your SPP
According to the DSS website, the following is a list of possible topics:

  • Facility Information
  • General Security
  • Security Clearances
  • Security Education
  • Self-Inspections / Vulnerability Assessments
  • Individual Reporting Responsibilities
  • Graduated Scale of Disciplinary Actions
  • Visit Procedures
  • Public Release/Disclosure
  • Classification
  • Security Forms
  • Definitions and Acronyms
  • Safeguarding Classified Information
    • End-of-Day Security Checks
    • Perimeter Controls
    • Information Mgmt. System
    • Transmission
    • Reproduction
    • Destruction
  • Information Systems Security


FSOs can use the above list as a table of contents where appropriate while constructing or building upon their SPPs. Use it as the foundation, form a team and fill in the applicable sections. 


Tuesday, July 22, 2014

Try these NISPOM Based ISP Certification Questions

Try your knowledge of the NISPOM and apply your experience as an industrial security professional with these challenging questions:


1. Recommendations for the downgrading of NATO classified information should be forwarded to:

a. Originating activity
b. CSA
c. GSA
d. CUSR
e. FSCC

2. All of the following require accountability receipts EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL
e. NATO CONFIDENTIAL ATOMAL

3. Which form is used for registration of Scientific and Technical Information Services?
a. DD Form 214
b. DD Form 254
c. DD Form 1540
d. DD Form 2345
e. DD Form 1234

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:
a. CSA
b. GCA
c. FSO
d. ISSM
e. GSA


**************No Peeking-Keep scrolling when ready for answers****************





1. Recommendations for the downgrading of NATO classified information should be forwarded to:

d. CUSR (NISPOM 10-710)


2. All of the following require accountability receipts EXCEPT:

d. NATO CONFIDENTIAL (NISPOM 10-17b)

3. Which form is used for registration of Scientific and Technical Information Services?

c. DD Form 1540 (NISPOM 11-202a)

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:

a. CSA (NISPOM 5-800)





Sunday, July 20, 2014

Thanks NCMS-New ISP Coin

My new NCMS ISP Certification coin came in the mail. Another great reason for ISP Certification; thanks NCMS...

FSO's and Cleared Consultants

As a recap from the last article, we can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education,
(D) FOCI
(E) Classification

Though not applicable to all cleared contractors, consultant agreements may apply to some. This article will address the requirements of the consultant agreement and how to basically treat consultants as part of the cleared contractor enterprise.

According to the Defense Security Services (DSS) Facility Security Officer (FSO) Toolkit, a consultant agreement might look as follows (formatting and content can vary, but this is a template that works just fine). See it here: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html


Here are the elements of the template.

A consultant for cleared contractors is an individual who provides professional or technical services requiring access to classified information. According to paragraph 2-212 of the National Industrial Security Program Operating Manual (NISPOM) DoD 5220.2-M, a cleared contractor can process a consultant for a personnel security clearance as if they were a cleared employee of the organization. However, the consultant must either outright own or co-own the business with family members, and must be the only employee requiring a security clearance. If other members of the consultant's organization are required to access classified information, then the company will need to be subcontracted and sponsored for a facility security clearance (FCL).

The consultant agreement should ensure that the following apply to the work performed (exceptions exist when connected with authorized visits):

In the case of a consultant “treated” as an employee, the DD Form 254 is clear about where classified work is performed. The 254 applies to all work performed by cleared employees. By agreement and NISPOM guidance, the consultant is the cleared employee. As such the FSO should document the following actions and be ready to demonstrate during the self inspection and the DSS review:

a. The consultant shall not possess classified material away from the premises of the using contractor.

b. The using contractor shall not furnish classified material to the consultant at any location other than the premises of the using contractor.

c. The consultant shall accomplish performance of the consulting services only on the premises of the using contractor.

Since the consultant's clearance is held and processed by the using contractor, the consultant should receive an initial security briefing and annual security awareness training. This training should include the requirements of the NISPOM:

a. The using contractor shall provide classification guidance to the consultant, and shall brief the consultant as to the security controls and procedures applicable to the consultant’s performance.

b. The consultant shall not disclose classified information to any unauthorized person.


Finally, the consultant agreement should state language to the effect that the consultant is the owner of the consulting firm and is the only official/employee of the consulting firm who may provide consulting services pursuant to this agreement.

Once the memo is written and agreed upon, both parties should sign it and keep the records available for self-inspection and DSS review.

Using this article and experience, the FSO should now be able to demonstrate proficiency with the following questions:

D. CONSULTANTS

NISPOM REF: 2-212
Question: Have you and your consultants jointly executed a "consultant agreement" setting forth your respective security responsibilities? (YES / NO / N/A)
RESOURCE: Consultant Agreement under Forms at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html
VALIDATION:

NISPOM REF: 2-212
Question: Does the consultant possess classified material at his/her place of business? (YES / NO / N/A)
VALIDATION:

Friday, July 11, 2014

Justifying a Clearance – Why Need to Know May Become the New Norm



*My article as published @ Clearancejobs.com


http://news.clearancejobs.com/2014/03/28/justifying-clearance-need-know-may-become-new-norm/


Bradley Manning, Eric Snowden and Aaron Alexis.


These are names of co-workers and fellow employees with security clearance who violated trust. After each incident reviews were established to discover: How did they get security clearances? How, in the case of the spies, did classified information get taken? In the case of work place violence, how did such untrustworthy and threatening persons get security clearances?


A Pentagon report released last week provided an independent review of the Navy Yard Shooting, and asked the critical question – are there currently too many individuals with access to classified information?
CURRENT PRACTICE; DEFEND THE PERIMETER


Prescribed security measures to protect classified information are found in government agency security classification guides, policies, instructions and procedures. Where classified information exists, there are countermeasures required to protect that information. Depending on the classification level, these protection efforts include proper classification markings; storing classified information in General Services Administration (GSA) approved security containers and vaults; and using alarms, sensors, a guard force, or a combination.


Current security measures are deemed adequate to protect classified information from falling into the wrong hands. After all, a thief or spy would have to go through several layers of security to get their hands on national security information at significant risk to themselves; or would they? These days, sometimes all they have to do is ask nicely and an otherwise authorized employee might just bring it to them.


Protection measures only go so far to deny unauthorized persons access to sensitive information. In a time where the biggest threats to national security are the Bradley Mannings and Eric Snowdens, trusted employees walking out with the goods, physical security measures are just not enough: they keep bad guys out, but do little to prevent the insider threat.


This is not limited to the federal government and contractors, but also occurs elsewhere. Theft of proprietary information, personally identifiable information, intellectual property, workplace violence and more are perpetrated by the co-worker who was so quiet and hardworking.
FINDINGS


The Washington Navy Yard shooter, Aaron Alexis, held a SECRET clearance. According to the report, he was awarded his security clearance while in the Navy, but this was a "just in case" measure and not based on need to know. The result was the ability to maintain the security clearance for 10 years as long as he didn't have too long a break between jobs requiring a secret clearance. Once hired by The Experts, Inc., he was back in the system. His eligibility would depend on self-reporting any adverse information, and on the periodic review due at the 10 year mark. Couple that with the rapid growth of cleared personnel, and we see how an insider threat can grow unchecked. The risk was the inability to connect police records and other historical data that might have indicated that he was ineligible for a security clearance.
A NEW PARADIGM

Some of the findings of the Pentagon’s review break the paradigm of relying on “defending the perimeter” to focus on the challenges of protecting National Security from those within our own ranks.

The first recommendation is to: “Cut the number of Department of Defense employees and contractors holding Secret clearances, and adopt a “just in time” clearance system more tightly linked to need to know.”

This solution may appear extreme and many reading this may take issue with such cuts. After all, many cleared defense contractors rely on having the adequate pool of cleared contractors and offer salaries and benefits tied to security clearance levels. Those holding security clearances may feel the pressure of such cuts as career ending.

These cuts are recommended as a countermeasure to free the workload of investigators and focus on more efficient and effective adjudication. As such, this could be just the countermeasure needed to protect national security. Further study demonstrates the intent is not to cut positions, but to determine whether or not existing positions require a security clearance. Validating the need for a clearance early is a determining factor. The cuts are simply requiring better stewardship and oversight of the security clearance process. Jobs do not need to be cut, but justification for requesting security clearance investigations and follow-on security clearances needs to be better defined and controlled.
BRING BACK NEED TO KNOW

Many cleared employees may concede that access to classified information is based on a security clearance level AND the need to know classified information. Many times the need to know is not fully understood nor properly identified for security clearance requests. Defense contractors are granted facility security clearances based on a contractual need. After being granted a facility security clearance, they then request personnel security clearances for employees who will need access to perform on the classified contract. In many cases the breakdown occurs when the cleared defense contractor or government agency requests security clearances using a standardized tool based on position, or to form a pool of cleared personnel in case they are needed.

This review recognized that the current state of security clearance process was flawed. That made sensitive information and the workplace vulnerable to the insider threat. The report makes recommendations to exercise more control of the security clearance process, making a greater argument for resting justification on need to know.
INTERNAL CONTROLS

One clearance justification practice used by cleared defense contractors is to have management provide rationale in a statement or security clearance request form of the need to request a clearance on a particular employee. Another practice is to directly link the new-hire employee to an employment opportunity requiring access to classified information to perform the job. However, these successes are based on internal controls and policies of the responsible cleared contractor, and not strictly enforced by government oversight.

The review made many other recommendations to streamline and improve oversight of the security clearance process for contractors. Whether or not the recommendations are acted upon remains to be seen. However, industry can become part of the solution by properly justifying the need for a clearance.


