Tuesday, February 17, 2015

NISPOM Based Study Questions for Security Certification



The following NISPOM training is meant to augment your NCMS ISP Certification education, not replace it. Download the NISPOM to your computer and test your experience against this open-book practice test. Here are some NISPOM-based practice questions to help you prepare:

1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractor's Name
b. Level of FCL
c. Name of person to be visited
d. Contractor's Social Security Number
e. Contractor's Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA
c. CSA
d. FSO
e. None of the above







Scroll down for answers:






1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above (NISPOM 9-402a)
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above (NISPOM 10-200)

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractor's Name
b. Level of FCL
c. Name of person to be visited
d. Contractor's Social Security Number (NISPOM 6-104)
e. Contractor's Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone (NISPOM 8-303c)
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA (NISPOM 10-201)
c. CSA
d. FSO
e. None of the above

If you want more, see our book Red Bike Publishing's Unofficial Guide to ISP Certification only at http://www.redbikepublishing.com





Most Helpful Customer Reviews

5 of 5 people found the following review helpful
By Lisa M. Doman on November 18, 2008
Format: Paperback
Like many seasoned industrial security representatives, I feel like I know it all. I have been in this industry almost 25 years; I know where to look for answers, and I have my contacts. But one day it occurred to me just how much has changed during my career - enter the Internet, enter computer based training, enter instant security clearances (Interims), enter the JPAS/e-QIP interface, enter diminished contact with my cleared employees and visitors. Admitting that the contact with my cleared employees is not as intimate as it used to have to be, somehow I felt that I was losing touch with my own skill set because of it. Jeffrey Bennett's book is very insightful into our industry, for he works with and supports, and motivates, this industry. You should consider buying the ISP Certification - The Industrial Security Professional Exam Manual, and spend 30 minutes with it each evening after work. Reinvigorate yourself. Give your imagination and professional growth some quiet stimulation. Remember. Refresh yourself. The best security education dollar you can spend, and not even leave home.
2 of 2 people found the following review helpful
By Jasmine C. on September 15, 2011
Format: Paperback
After receiving this book, I quickly skimmed through it prior to sitting down for a close study. My initial reaction was to wonder just how much information I could learn based on the fact that most of the book was dedicated to practice tests. When I finally took the time to sit down and read it, I was surprised at just how much information it contains. The book tells you how to prepare, to include learning all security disciplines, how to manage your time, and how to study the NISPOM. The practice tests are a great opportunity to time yourself, and help to identify areas of weakness. I truly recommend this book for anyone considering the ISP Certification... it is a great tool to have!
Format: Paperback
Written by a security consultant of twenty-two years of experience in military intelligence, contracting and security, ISP Certification: The Industrial Security Professional Exam Manual is an instructional resource created to provide career security specialists with what they need to know to protect our nation's secrets. The text offers practical advice for security professionals and a working understanding of the NISPOM and Presidential Executive Orders implementing the National Industrial Security Program, but the heart of ISP Certification is its four practice tests designed to probe the depths of one's knowledge. An absolute "must-have" for anyone in federal positions requiring a thorough knowledge of security procedures, and highly recommended for the libraries of federal agencies.
1 of 1 people found the following review helpful
By Fred Twitty on May 8, 2010
Format: Paperback
As a retired US Army, Chief Warrant Officer Five (CW5), Counterintelligence Officer; former Special Agent, Defense Investigative Service (DIS); former Special Agent Defense Security Service (DSS); former US Army Liaison Officer to Headquarters, Department of Defense (DoD), Alexandria, VA, Counterintelligence Division for Counterintelligence Issues, and former owner of a Small Veteran's Business, under a DoD contract to conduct Background Investigations for DoD Personnel Security Clearances, I consider this book to be brief and it makes the complex simple. This ISP Manual is a must for those preparing to take the ISP Certification Exam.
1 of 1 people found the following review helpful
By S. Koryta on June 8, 2010
Format: Paperback
Mr. Bennett once again has assisted me in my endeavors as a security and protection professional. His book not only assists in helping you prepare for the ISP certification, it provides first hand insight and mentoring on how to advance your career goals in this complex field. In using his study guide, one can get a real understanding of how the certification process is and study to overcome the challenges of taking the exam. The one recommendation I can say is to combine it with the pocket edition, so you can take and read while on the metro to work.
1 of 1 people found the following review helpful
By Diane Griffin on January 9, 2009
Format: Paperback
As a seasoned security professional, I found the Industrial Security Professional Exam Manual to be very clear, brief and concise.

The ISP manual is a must read for anyone anticipating taking the ISP exam. Whether you are a seasoned security professional or a newbie to the world of security, this book is a keeper.

Thank you for putting out such a Great Book

Diane Griffin
President/CEO
Security First & Associates LLC


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Security Bad Habits #1

Let's take a look at bad security habits and how to avoid them. We'll take on one at a time.
# 1. Not marking working papers. 

You might think it's okay to mark them later. You might be on a roll and can't stop for details. Whatever, stop making excuses and mark them immediately. You'll be glad you did.

Here's how to do it right

Working papers containing classified information shall be:

  • dated when created - Do this immediately, don't wait. Pretty soon you may find your security container filled with working papers and you have no idea of classification level or how old they are, and you've run out of time to mark them properly before you have to explain to DSS.
  • marked with the highest classification of any information contained in them - If the working papers are a result of classified experiments, research, or some other data, refer to the appropriate classification guidance, DD Form 254, contract or source and find out the classification level, what is classified, and why.
  • protected at that level - Lock it up in the appropriate container, set alarms, put on a cover sheet, enforce security clearance and need to know.
  • destroyed when no longer needed - If you don't need it, get rid of it. Clear out that GSA Approved Container, open storage shelf, or vault. There is no reason to keep classified information once its usefulness is over.

No longer working papers when:

Your own decision

If you decide to keep the working papers, mark and protect them as you would a finished classified document. Deciding to keep a working paper is easy to figure out, just identify it as something needed in permanent storage and mark it accordingly. 

Overcome by events

Some events may take over that decision, requiring automatic treatment of working papers as a classified document. In this case, they have been overcome by events (OBE). Whether the result of a deliberate decision to keep them or just plain OBE, there are additional classification marking considerations in the NISPOM.

Such OBE cases include when working papers are:

  • released outside of the facility - If this classified information is needed at another organization for a meeting or other reason, mark and treat it as a permanent classified document.
  • retained for more than 180 days from the date of origin - You might not want to keep it forever, but if you keep it more than 180 days it's OBE; mark it as a permanent document.
  • e-mailed within or released outside the originating activity - Email = OBE. If it leaves the information system it resides on via email, then mark it as a permanent document.


Bottom line: if you need it, keep it. Just make sure that it officially becomes part of your classified inventory. If OBE, treat it as a permanent document.

More bad habit fighting examples coming. If you would like to contribute example bad habits for this blog or newsletter, send it over.

For more ways to overcome bad habits, see our book: DOD Security Clearance and Contracts Guidebook.



                                                                 

Monday, February 2, 2015

Public Disclosure of Information Pertinent to a Classified Contract

By applying the five “Elements of Inspection” that are common to ALL cleared companies participating in the NISP, and the additional elements that might be applied at unique cleared facilities, facility security officers can control the opportunity a bit better. As a reminder, the five elements common to all cleared facilities, as identified in the DSS publication The Self-Inspection Handbook for NISP Contractors, are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

Using the DSS publication as the intended guidebook, FSOs can glean important information and ideas for applying the elements to their own facilities. This guidance doesn’t just get the cleared contractor ready for the inspection; when applied, it solidifies a sound and proven security program.

The following article covers public disclosure of information pertinent to a classified contract. This is one area where a contractor can get jammed up unless addressed properly. Understanding how to request permission for public disclosure of this information is as important as protecting the information itself.

So, let’s begin with the topic in the self-inspection handbook.

Was approval of the Government Contracting Activity obtained prior to public disclosure of information pertaining to a classified contract?

I was advising a public relations unit for a small cleared defense contractor. This was a crack team that worked relentlessly on business development to keep the company profitable and employees at work. However, what they did not understand were the nuances of disclosing information pertinent to a classified contract. What they were good at was explaining how well the company performed on contracts. What they did not understand was that some of the information should not be disclosed without prior approval of the government customer. The government customer was very frustrated with the cleared defense contractor when the issue was raised.

Some information is good for both contractor and government agencies. Unless otherwise specified by the government customer, the contractor can freely publish the fact that a contract has been received, the subject matter of the contract, the method or type of contract, and total dollar amount of the contract unless that information reveals classified information. Additional information includes publishing decisions to hire additional employees or terminate existing employees.

This is all very general information and does not include intimate details about program efforts and capabilities. This general information is usually shared on websites, brochures, briefings, radio announcements and other media. Again, it’s good for business and there is no issue with disclosing the information. Keep in mind that information released specifically for a presentation, briefing, or conference must be considered open disclosure unless a classified setting or limited audience (export controls in place) is approved. Otherwise, if the information is considered too sensitive to put on a website, it should not be shared without approval.

In those situations where public disclosure is desired and approval necessary, it is important to document any GCA approval for public disclosure of unclassified information pertaining to a classified contract. The specific requirements should be found in the DD Form 254 and any directed specifications by the GCA.

According to NISPOM 5-511, the following should be implemented:

· Submit requests through the activity specified in the DD Form 254.

· Each request shall indicate the approximate date the contractor intends to release the information for public disclosure and identify the media to be used for the initial release.

· A copy of each approved request for release shall be retained for a period of one inspection cycle for review by DSS.

· All information developed subsequent to the initial approval shall also be cleared by the appropriate office prior to public disclosure.

A good practice is to use the above bullets as a checklist. Gain approval and document the approval ensuring the above requirements are met. File the approval with the required information and be prepared to demonstrate approval during the next DSS review.


For more information about meeting NISPOM and DSS requirements, see DoD Security Clearance and Contracts Guidebook.





Monday, December 29, 2014

Insider Threat Training Tips for Security Officers and Employers

Consider the Insider Threat. It’s a great bumper sticker and we’ve heard it a million times, but what does it mean? The thought should carry more weight as a practice for preventing the insider threat than as a slogan. It is tempting to pay homage to the thought of insider threats, but those who successfully deter insider threats realize these thoughts take critical analysis to put them into action. Consider the fortresses many defense contractor organizations have become. Best practices to protect organizational, employee, materiel and cyber assets from outside actors are evident. The same careful contemplation must be given to countering the harmful accidental and deliberate actions of a trusted employee.


INSIDER THREAT DEFINED

The insider is any trusted person who has any access to assets. For this article’s purpose, we’ll define the insider threat as a trusted person who deliberately or accidentally causes damage to national security. This article addresses requirements found in Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Threats include acts of sabotage, theft, terrorism, unauthorized disclosure of classified information, and espionage.

While contemplating the insider threat, the analyst should be aware that anyone can exploit any level of permissions to steal, damage, or manipulate whatever they can affect. This includes full and part time employees, vendors, consultants or others with the ability to touch or impact assets. The insider could have full range of motion throughout the organization or be limited by technical or physical restrictions. These permissions give them some motion to negatively impact the organization. An example would be a trusted employee with access and need to know going through the proper permissions to access classified information. That same employee then takes advantage of privileges and removes the classified items unhindered and provides them to unauthorized persons.

The same opportunities exist for those accidental harmful occurrences, incidents or events that can harm an organization or its reputation. An insider could accidentally bypass safety, security and other countermeasures and cause major damage. For example, an employee introduces a harmful computer virus to the network by clicking on an email hyperlink. Also, consider a situation where an organization gives a tour of its production facility. A visitor ignores the rules and damages a sensitive electronic device while the overwhelmed escort is distracted answering questions from the other visitors. These unintentional events will harm the organization just as much as a deliberate threat would.

EVALUATE YOUR INSIDER THREAT POLICY AND PREPARE NOW

Now that we have identified ways an insider could harm an organization, let’s take a look at what the organization can do to deter, detect and prevent incidents. EO 13587 directs government agencies and task forces to evaluate and protect classified information from the influences of an insider threat. Though not yet a requirement on industry, policies and regulations may soon follow directing cleared contractors to take the appropriate steps to address the insider threat. These requirements may soon manifest in updates to DoD 5220.22-M, The National Industrial Security Program Operating Manual (NISPOM) or other policies.

Now is the time for cleared defense contractors to prepare for those directives by instituting policy addressing the insider threat. The Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, spells out requirements that can be adapted for cleared defense contractor use. The memorandum states these requirements as the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.

ADDRESSING INSIDER THREAT: TWO EASY STEPS

Cleared defense contractors can easily incorporate two of these requirements and meet the intent of future NISPOM guidance. These two efforts include:

Monitor employee use of classified networks.

This requirement can also be applied to unclassified networks hosting FOUO, technical data, proprietary, intellectual property, personally identifiable information, and other sensitive unclassified information. The first step is to understand what sensitive information (classified and unclassified) exists and develop controls that facilitate monitoring. For example, an unclassified network may host proprietary information critical to the organization’s product success. This information could be tagged in the information system and appropriately monitored. This effort is similar to document and inventory control. Authorized users would then be given access, with controls set in place to limit viewing, printing, downloading, copying, etc. What would be monitored? Access. The second step would be to identify those with need to know and allow their access to the information. Monitoring would then include ensuring only those with need to know are able to access the information.

Access is now limited to a specific group of insiders. Monitoring would now include how insiders are accessing and what they are doing with the information. An authorized insider with malicious intent could be easily recognized and stopped by a system audit to see who accessed, how they accessed and what they did with it (printed, downloaded, manipulated or viewed it). Flags could easily be raised when controls are bypassed. If information is missing or unaccounted for, an audit would provide the answer.
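The audit described above can be sketched in a few lines of Python. This is an added example, not part of the original article: the asset tags, user names, log format and function names are all assumptions, and the log lines are constructed sample data.

```python
from dataclasses import dataclass

# Constructed need-to-know roster (assumption): asset tag -> user -> permitted actions.
# This is the "tag the information, then identify those with need to know" step.
NEED_TO_KNOW = {
    "PROP-DESIGN-001": {"asmith": {"view", "print"}, "bjones": {"view"}},
    "FOUO-TEST-REPORT": {"asmith": {"view"}},
}

# Constructed audit log lines (assumed format): timestamp,user,asset_tag,action
SAMPLE_LOG = """\
2015-01-05T09:12:00,asmith,PROP-DESIGN-001,view
2015-01-05T09:15:30,asmith,PROP-DESIGN-001,print
2015-01-05T10:02:11,bjones,PROP-DESIGN-001,view
2015-01-05T10:03:40,bjones,PROP-DESIGN-001,download
2015-01-05T11:20:05,cdoe,PROP-DESIGN-001,view
2015-01-05T13:45:00,asmith,FOUO-TEST-REPORT,view
2015-01-05T14:01:00,asmith,UNTAGGED-NOTES,copy
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    asset: str
    action: str


def parse_log(text):
    """Parse audit lines into Events; a malformed line is an error, not a silent skip."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"malformed audit record on line {lineno}: {line!r}")
        events.append(Event(*fields))
    return events


def audit(events, roster):
    """Return (reason, event) pairs for every access that falls outside the roster."""
    findings = []
    for e in events:
        users = roster.get(e.asset)
        if users is None:
            # Sensitive activity on something never entered into the tagged inventory.
            findings.append(("untagged-asset", e))
        elif e.user not in users:
            # Access by someone who was never granted need to know.
            findings.append(("no-need-to-know", e))
        elif e.action not in users[e.user]:
            # Authorized insider doing more than allowed (e.g. download vs. view).
            findings.append(("exceeds-privilege", e))
    return findings


def access_history(events, asset):
    """Everyone who touched one asset, in log order: the answer when it goes missing."""
    return [e for e in events if e.asset == asset]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for reason, e in audit(evts, NEED_TO_KNOW):
        print(f"{e.ts}  {reason:<18} {e.user} {e.action} {e.asset}")
    print("History for PROP-DESIGN-001:")
    for e in access_history(evts, "PROP-DESIGN-001"):
        print(f"  {e.ts} {e.user} {e.action}")
```
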

Threat awareness training.

Employees would be educated concerning what needs protection (assets), who an insider is, what the impact of damage could be, how to prevent it, and how to report incidents. Employees would be briefed on access and need to know privileges and limitations as well as how to operate within their allowances.

Cleared Defense Contractors should be aware of the insider threat and make the concept more than a bumper sticker. Real analysis is required to go above the gates and guards approach to keeping out the malicious actor. With the insider threat comes the question of how to limit access to those with need to know and protect sensitive information from exploitation by authorized personnel. The President has issued EOs and memorandums to address this issue as applied to government agencies. Cleared defense contractors can be proactive and protect their organizations from the insider threat by analyzing the requirements and creating a system to meet those requirements.

As published by clearancejobs.com.  http://news.clearancejobs.com/2014/10/01/insider-threat-training-tips-security-officers-employers/


                                          




Wednesday, December 17, 2014

ISP Certification, FSOs, and New Year's Resolutions

Wow, New Year’s Eve is just around the corner and many of us have already set goals. It’s traditional to plan events as the calendar rolls over to a new year. It’s great to dream big and visualize these goals; it’s quite another thing to actually reach them. So let’s talk professional goals. The NCMS’ ISP Certification is a great one to strive for.

It’s one thing to dream and another to plan. The difference is what you do from the vision to make it a reality. Here are some deliberate actions you can use to help develop a plan to become ISP Certified.

1. Begin at the NCMS ISP Certification information website at http://www.ncms-isp.org/ISP_Certification/index.asp. There you can find ISP Certification testimonials, brochures, the application and other information about the certification. When you review the qualification, study and application information, begin with the end in mind. If your goal is to become ISP Certified in 2015, gather all the data needed and determine the possibility. If the application, approval and study timeline is too long, consider changing your goal to “Prepare for ISP Certification in 2016” or “Study for ISP Certification”. The goal is to study the requirements and build a realistic plan to achieve your goal. Let preparation set the way and not a calendar date. Once you determine how long it will take to get prepared (6 months, 1 year, etc.), build a plan based on the date and work backward.

2. Understand the application process. There are minimum experience requirements that applicants must meet as well as administrative tasks built into the process. If an applicant does not meet minimum requirements, they can begin study, but will have to wait to meet those requirements before applying. This should be built into the timeline. Applicants who meet the minimum, should build in the administrative tasks into the timeline. This includes filling out applications, payment, getting approval to take the exam and setting up a test date.

3. Understand the testable topics. Gather the relevant test information from the website. Understand the requirements and get a feel for where you are professionally and any gaps you need to bridge to bring your knowledge of NISPOM and ISP Certification categories to where it needs to be. It’s not necessary to be an expert in all areas or to be able to quote regulations and requirements. What’s important is knowing where to find information in source documents and applying that knowledge to question based scenarios. In other words, understand where the information can be found and how to apply it to the situation quickly. For example, a person appointed as FSO may have substantial experience with personnel and contract security after working those areas exclusively for many years. However, they are still responsible for understanding information security as outlined in the NISPOM. This means that they will need to spend some time understanding where to find topic related information and answer questions in context.

4. The following are some things that you can do to prepare to fill those knowledge gaps:

a. Study the structure of the NISPOM and other reference documents and understand where to find topic related information. Also, become familiar with key industry standard words found in the source documents. Some of these words are original classification authority, government contracting agency, DSS, security clearance, cognizant security agency, etc. The NISPOM and source documents are available in print and electronic form and can be used in the exam. Understanding where certain information can be found or how to search an electronic copy is a very good technique for real life and test based scenarios.

b. Join the NCMS study group. There you can study their material, ask questions and get feedback.

c. Find an ISP certified professional mentor. They understand the stress of working full time and studying for a professional level exam. Mentors can calm fears, answer questions, put rumors to rest, and put the right perspective on stress, studying and life in general.

5. Set a date. Just like getting married, sometimes you just have to put a date down. Once that date is set and approved, you have a certain amount of time to take the test before having to reapply. Setting the date will keep you motivated to study and stay focused.

Dreaming is one thing, but achieving is another. The best way to ensure success is to build a plan and follow it. Begin with the end in mind, understand the limitations, meet those limitations, set a date and stay focused. Let 2015 be the start of a new professional achievement.







Monday, November 24, 2014

Facility Security Officers, NISPOM Training and What We Really Do


NO, I will not move your office furniture.


The misunderstanding.


Not because I’m not a nice guy or a helpful employee, but you just came to the wrong office.

Ever have one of those days?

A few years ago, while I was serving diligently as an FSO, an employee came by my office. She shot the breeze for a few moments, then floored me with a question.

“Could you help me move my desk out of my office? I’m getting it replaced.”

I thought it a strange request as I was still kind of new and we hadn't built up the kind of relationship where she should ask for that kind of involved favor.

“Sure, I could grab someone and we can come over and move it.”

“That would be great,” she responded.

“But, better yet,” I said on second thought, trying to protect my back from sure injury. “Why don’t I call the facilities manager and we can get someone with the right equipment.”

“That’s what I meant,” she responded. “You are the facilities guy…”

Oooooh, now I know what’s going on.


After a brief exchange, I educated her on the role of a Facility Security Officer, which is to develop and implement a security program to protect classified information. She apologized for the misunderstanding and quickly moved on.

Confined to a small box.


It’s possible that you or someone you know has had or is currently having the same experience. This stems from fellow employees not understanding the FSO's role or responsibility. This misunderstanding could not only have people assuming FSOs control furniture and building use, but could also effectively undercut potential leadership roles.

FSOs should have the ability to influence business and vision making decisions. Without such input, the enterprise may not reach its full potential.

FSOs should be regularly consulted on and involved in business decisions, statements of work, requests for proposals, capabilities statements and areas of increasing value while working classified contracts. After all, FSO tasks encompass so much more than requesting security clearance investigations, sending visit authorization requests, or other general administrative tasks.

Breaking out of the box.

Nobody will ever understand what you can do unless you tell them in words they can understand and in the language they speak. What might be useful is a quick elevator speech of about 30 seconds, one that FSOs can relate in real time and that highlights their capabilities and how they impact the company’s ability to work on classified contracts. A good place to start is reviewing contractual requirements and comparing them to the already established security program.

Reference Documents

The first step is to review DD Forms 254 and look for specific security requirements as outlined in blocks 10 and 11 and those additional ones mentioned in blocks 13 and 14.  Additionally, statements of work may list some opportunities the FSO can take advantage of to demonstrate value to the enterprise.

With this information FSOs can share with the enterprise not only the popular security clearance issues, but also:

  1. Training requirements for employees to work with classified information (NISPOM training, initial security training, annual security awareness training, SF 312 briefings, derivative classifier training)
  2. Additional storage space required, to include GSA-approved containers, shelving, closed areas, classified discussions
  3. Vision statement to include areas for business growth, business opportunities or hiring of additional security employees.

An elevator speech might look like: “As FSO I create, implement and lead security programs that protect classified information. To do this I help the enterprise make risk-based decisions and implement countermeasures to ensure classified work performance is conducted as required, ahead of schedule and within budget.”

This proactive effort leads the FSO from bolting on security at the end of the product to weaving it in throughout the acquisition life-cycle.

The Setup

Consider two possible responses to a security opportunity:
Someone would notify the FSO with the good news of the contract award believing that everything is in place to proceed. A new DD Form 254 requires not only a product demonstration, but a classified research paper demonstrating how the product will meet the customer’s requirements. The contract also comes with the delivery of 300-400 classified documents.  

1. A misunderstood FSO’s role might lead to a disaster such as this:

The FSO is not directly involved with the acquisition and contracts process. They are just there to react to emerging contractual opportunities. As such, the organization could be left reacting on short notice to tasks with long lead times.

This might involve security briefings, training new or existing employees, determining where the classified work would take place, and where the product and 300-400 documents would be stored. This would be a large task for someone discovering the requirements only after the contract is awarded.

Such a position of reaction could lead to delays in work as clearances would need to be requested, security containers ordered and restricted areas imposed. (Please keep in mind that this is a made-up scenario based on any level of classified work experience.)

2. A well-integrated FSO’s role might lead to success: Given advance notice, the FSO can deliver sound advice as soon as rumors of new work whisper through the corridors. From the beginning the FSO could help determine how many cleared employees are needed vs. what is available, whether or not additional security training is required, whether or not existing storage space is adequate for documents and work performance, and on and on. The FSO would inform the business decision-making process before decisions are made.

FSOs should be prepared to lead the organization through the requirements of performing on classified contracts. This opportunity can be clouded by misconceptions and misunderstanding. A difficult, but vital responsibility includes informing the enterprise of roles, responsibilities and capabilities. The FSO should research requirements and present a sound solution.





Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".