Monday, August 31, 2015

NISPOM Based Questions

Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but some you might just have to think about. Whether you are working on NISPOM training, FSO certification, or security awareness training, these questions can help.
 
Problems
1. You are an FSO of a growing defense contractor. One of the executives approaches you about the need for more space to conduct classified work. He is agreeable to implementing your recommendation to use a restricted area and would like you to prepare a security briefing for his team. Prior to your briefing, you conduct the necessary research. Describe the reason for a restricted area and when cleared employees would use a restricted area. Keep in mind access control and storage requirements.

2. You have just sat down to eat lunch and receive a phone call from a cleared employee. She tells you that the security container’s drawers are closed, but the dial on the combination lock has not been engaged. She explains further that according to the SF 702, the container had been locked and checked 20 minutes earlier. She is sure that was “about the time everyone left for lunch.” What would you direct her to do?

3. Your colleagues leave for the day. On their way out, they inform you that you are the last to leave. The facility is authorized to store classified materials. What will you check for prior to leaving?

4. As part of the building project, you are responsible for providing input into the projected classified contracts and the required work space and storage requirements. As you put together a presentation you research the requirements of a much needed closed area. Describe how a closed area should be constructed. Who approves the construction requirements?

So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams. 

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Friday, August 28, 2015

Storing SECRET Classified Information

http://www.redbikepublishing.com/book/magnet/

This article continues the series on the self-inspection guidance found in the Defense Security Service’s Self-Inspection Handbook for NISP Contractors. This article addresses the storage of information classified as SECRET.

5-303, 307 Is all SECRET and CONFIDENTIAL material being stored in GSA-approved security containers, approved vaults, or closed areas?

RESOURCES: ISL 2012-04 GSA Storage Equipment and SECRET Storage under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html.

GSA Security Container

SECRET material should be stored in a GSA-approved security container or, as authorized by the Cognizant Security Agency, in open storage or bin storage in an approved closed area or vault. When SECRET information is approved for open or bin storage in a closed area, supplemental controls or an approved guard force are required. However, the NISPOM does not require supplemental controls for SECRET material stored in a GSA-approved container.

Open Shelf or Bin Storage.

NISPOM paragraph 5-306b states that “open shelf or bin storage (hereinafter referred to as “open storage”) of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval”. For the Department of Defense, the CSA is the Defense Security Service (DSS).

So what is the CSA or DSS considering as demonstrations of compliance?

DSS reviews the following prior to providing approval:
  • Size of the material and storage area: the area is large enough for, and limited to, the space required to store the material or meet operational requirements. The material may also be too large for a standard GSA-approved storage container.
  • Since open storage environments enable visual access to classified information, access to the storage area is limited to those with the proper access and need to know, to preclude unauthorized access.
  • As with approved GSA security containers, the entrance doors to the open storage area should be secured by built-in GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740.
  • SECRET information should be protected by supplemental controls such as an approved intrusion detection system with a 30-minute response time, and any DSS-determined security in depth requirements.

The DSS-determined security in depth is based on the following criteria:
  • Perimeter controls that limit access to open storage to those with proper clearance and need to know
  • Access technology that helps verify access and need to know in cases where the organization is too large for individual or personal recognition

Safeguarding the SECRET Information

The FSO should design a policy to maintain strict control over classified material. “The NISPOM requires accountability and control of classified information at the TOP SECRET level. However, all material entering the facility, produced, reproduced or entering the facility in any fashion should be brought into possession for control, audit and inventory purposes. Contractors should consider maintaining an information management system (IMS) to protect and control classified information. This provides visibility over the classified material and allows for preventative measures against unauthorized disclosure or identification of security violations.” (DoD Security Clearance and Contracts Guidebook)

The FSO should employ a security training and discipline program that enables cleared employees to act as force multipliers, increasing security effectiveness. In that role, cleared employees will know to deliver all newly introduced classified material to the FSO so it can be brought into accountability and entered into the IMS. When security personnel practice good customer service and enforce procedures, good relationships develop, making procedures easy to follow and rewarding for all employees.

An accountability record or IMS is an excellent tool for controlling classified information introduced into the defense contractor facility. With the accountability record, documents are managed with additional receipting action. Some accountability records track document status from introduction to dissemination on the same record.

Is a GSA Approved Container Really Enough?

Though the NISPOM only requires a GSA-approved storage container for protecting information classified as SECRET, the environment may require additional security in depth based on a risk assessment. This risk management process could consider such factors as threat reports, increased threat activity, a high crime area, natural disasters, or temporary events such as business closures, increased construction projects, or any other issues requiring increased levels of security. The point is that the NISPOM is a guide and DSS evaluates security plans, but the holder of the classified information is responsible for protecting it based on the operating environment.

However, security should be risk based and not dependent on best practices. For example, a defense contractor sufficiently stores SECRET information in a GSA approved container based on an average level of risk. A sister cleared contractor might implement additional controls and increased security in depth based on unique risks in the working environment. Providing an argument that both cleared contractors should protect the classified information with additional protection measures above what is required in NISPOM would ignore the risk management process. If an alarm or guard force is desired, it should be introduced as the result of a thorough risk assessment according to data provided from crime statistics, threat assessments, as identified in this section or as required by contract. Once the data is in, the FSO can address the issues.

In review, information classified as SECRET should at a minimum be stored in a GSA-approved security container. If approved for open storage, then supplemental protections apply. When a risk assessment calls for, or the CSA directs, security in depth, document the actions and ensure self-inspections validate compliance and effectiveness.

VALIDATION: Demonstrate knowledge of where SECRET information is stored, GSA container approval documentation, and where GSA approved containers are located throughout the facility. Where security in-depth is applied, document the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, document the effectiveness of these controls and report any changes affecting those controls to DSS.


Thursday, August 20, 2015

Storage of TOP SECRET Information

This article continues the topic of the Self-Inspection Handbook for Defense Contractors. The handbook is a tool provided by the Defense Security Service for cleared defense contractors to improve security at cleared facilities throughout the National Industrial Security Program. Facility Security Officers at cleared facilities can use the tool to evaluate their own security programs, make improvements, and prepare for the annual security review.

These articles are written to provide security awareness training and help the FSO interpret and apply the NISPOM requirements and evaluate their programs while using the manual as a checklist.

This topic is Storage of TOP SECRET information. 

The question: 5-302 Is TOP SECRET classified information stored only in GSA-approved security containers, approved vaults, or approved Closed Areas with supplemental controls?

The NISPOM requires cleared contractors to maintain accountability and control of TOP SECRET information. Since the unauthorized disclosure or compromise of TOP SECRET information has the potential to cause exceptionally grave damage to national security, the cleared contractor must designate a Top Secret Control Official (TSCO) to ensure accountability and traceability of TOP SECRET information.

Though this article and handbook section are about the storage of TOP SECRET information, this article places emphasis on the traceability and accountability of TS. This requirement applies to the life cycle of the information and includes reception, transmission, destruction and storage. "Each item of TOP SECRET material shall be numbered in series. The copy number shall be placed on TOP SECRET documents and on all associated transaction documents." (NISPOM 5-201c)

For example, the TSCO brings TOP SECRET information into accountability, and all transactions are traced, receipted and recorded as TS items enter, move within, and exit the facility. This accountability and traceability can be accomplished with high tech security information management systems such as SIMS Software or with pencil and paper, depending on budget. Further accountability and traceability is required for TS information leaving the facility. (DoD Security Clearance and Contracts Guidebook) Any incoming material, copies generated, or faxes transmitted are accounted for by the TSCO using the numbering and a continuous receipt system. The key is to capture security program practices for self-inspection purposes and DSS annual reviews.

TOP SECRET material is to be stored in a GSA-approved security container, closed area, or approved vault, with supplemental controls such as intrusion detection or an approved guard force.

Keep informed by reading upcoming articles concerning construction of closed areas and vaults.

VALIDATION: This accountability and traceability is required, so the validation simply reflects the requirement. Whatever system the TSCO employs to bring TS into accountability and trace the movement of TS should demonstrate compliance. Maintain this traceability and accountability documentation, administrative information, and a list of security containers, SCIFs, Closed Areas, etc., where TS is stored, in a secure area for inspection.



Sunday, July 19, 2015

Correcting How Hollywood Portrays Cleared Contractors

© Mhieronimus | Dreamstime.com - Hollywood Sign Photo


I recently had the fortune of being on a radio talk show for security professionals. This show has an audience of approximately 10,000 listeners with varied corporate and law enforcement security experience. However, very few of the audience members work in the defense contractor industry or under the National Industrial Security Program.  

I had wanted to be a guest on the show since I had heard about it earlier this year. I had found them in a google search and discovered that they had covered the National Industrial Security Program (NISP) with some college students. The conversation, though serious, proved light as the talk show hosts engaged the guests and audience in an entertaining manner. They actually made NISP seem very interesting.

I had to ask myself, "When was the last time a security briefing, training, or seminar was engaging, serious, and comical at the same time?"

That was the question on my mind as I listened to the interview. The students did a great job talking about the security clearance topics. The most entertaining part of the show was listening to assumptions the hosts had about security clearances and protecting classified information. I thought I could help with those concerns and volunteered to be on the show. Like most good security managers, the show vetted Red Bike Publishing, our books, and credentials and decided to invite me on the show.

I went in with the understanding that this was their show and I was a guest. I probably would not get much time to speak as they did have a show to do. I felt my job was to complement the show by engaging their comments, concerns, and issues the best I could from a NISP point of view. I also realized this was a good opportunity to educate a broader security audience.

The concerns they shared showed a fundamental misunderstanding of how government contracting, classified contracts, and security clearances work. This fundamental misunderstanding is often shared by those not in the know and often manifests in the movies and TV shows we watch today. For example, on an episode of Hawaii Five-0, a husband had stolen classified information off his wife's laptop computer at home while she slept. What?

Without fully understanding the NISP, the general public could draw conclusions that cleared employees keep classified information on laptops and bring them home at night. The Hawaii Five-0 character stated words to the effect of, "he broke into her laptop and stole her security clearance". Wait, what?

You may have noticed similar discrepancies, but that's ok. It's Hollywood, where monsters, fairies, and magic exist. Additionally, the nightmarish mishandling of classified information in the hands of incompetent people burdened by an overbearing bureaucrat is also wrongly portrayed. Not to forget, most Hollywood movies feature defense contractors as evil and villainous, but we know differently.

In spite of the Hollywood nightmare, cleared employees are trained to understand how the NISP works and how classified information is really protected.

Similar misunderstandings revealed themselves during the radio show. Here are some question topics that arose and that many FSOs and security managers may face. How would you have responded?

1. Wouldn't it make more sense to clear everyone to the TOP SECRET level and protect everything at TOP SECRET? 

This is the assumption that all classified information CONFIDENTIAL through TOP SECRET should be treated as TOP SECRET.

2. When private companies are working on their classified products, who knows how it is protected and if there is enough protection? 

This is the assumption that classified information is generated by everyone and there is no oversight by anyone. This also discounts the government contracting process.

3. Bad guys are constantly attacking our computers and taking our classified information

This assumes that classified information is processed on open computers and networks and takes us back to the Hawaii Five-0 scenario.

4. People with security clearances are doing what they want with no oversight

This assumes that the security clearance investigation, whole person concept adjudication, and continuous evaluation process do not exist.

There were so many other issues, too many to cover for this article.

As I encountered each of the obstacles, I began to weave a story of how the NISP worked as the hero to help them fight the monsters of bad security management and our "endangered" secrets. I began by explaining the following: government contracts, the six step OCA process, security classification level assignment and notification, markings, DD Forms 254, required initial security briefings, SF 312 training, annual security awareness training, NISPOM guidance, derivative classifier training, the OPM security clearance investigation process, continuous evaluation, periodic reinvestigations, and Defense Security Service education, partnerships, and reviews. There was not enough time to go into everything, but I used the allotted time to educate and correct their misguided assumptions.

However, these mistaken beliefs are not only shared by Hollywood and the general American public; newly cleared employees may share similar beliefs.

So, how should a facility security officer and cleared employees respond? Would they lambaste the less knowledgeable person, take time to train them, or become frustrated and walk away?

I've had the opportunity to see all three approaches. The correct and most effective approach is to take the time to train and correct the problem. Next time you engage employees, perform training, or advise a program, be ready for anything, treat the topic with respect and correct the situation.


Tuesday, July 14, 2015

NISPOM Based Questions

Looking for study information for your next SPeD or ISP Certification studies?

Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but some you might just have to think about.

Problems
1. You are an FSO of a growing defense contractor. One of the executives approaches you about the need for more space to conduct classified work. He is agreeable to implementing your recommendation to use a restricted area and would like you to prepare a security briefing for his team. Prior to your briefing, you conduct the necessary research. Describe the reason for a restricted area and when cleared employees would use a restricted area. Keep in mind access control and storage requirements.

2. You have just sat down to eat lunch and receive a phone call from a cleared employee. She tells you that the security container’s drawers are closed, but the dial on the combination lock has not been engaged. She explains further that according to the SF 702, the container had been locked and checked 20 minutes earlier. She is sure that was “about the time everyone left for lunch.” What would you direct her to do?

3. Your colleagues leave for the day. On their way out, they inform you that you are the last to leave. The facility is authorized to store classified materials. What will you check for prior to leaving?

4. As part of the building project, you are responsible for providing input into the projected classified contracts and the required work space and storage requirements. As you put together a presentation you research the requirements of a much needed closed area. Describe how a closed area should be constructed. Who approves the construction requirements?

So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams. 


Saturday, June 27, 2015

FSOs and Emergency Procedures

We are continuing our analysis of the DSS’ Self-Inspection Handbook for NISP Contractors to determine requirements and best practices for meeting them.

Since Section M has multiple inspection points, we have broken them up into individual articles. This update addresses classified information and emergency procedures.


5-104 Are procedures developed for the safeguarding of classified material during an emergency?

According to NISPOM Paragraph 5-104, Emergency Procedures,
“Contractors shall develop procedures for safeguarding classified material in emergency situations. The procedures shall be as simple and practical as possible and should be adaptable to any type of emergency that may reasonably arise. Contractors shall promptly report to the CSA any emergency situation that renders the facility incapable of safeguarding classified material.”

An essential element of creating a security program to protect classified information involves not only thwarting spies, thieves, and insiders, but also preventing inadvertent disclosure. Accidental disclosure can cause just as much damage as malicious intent. Thus, FSOs and cleared defense contractors should be prepared to protect classified information by format and location in the event of an emergency. Emergencies should also be considered by probability and through a risk based decision process.

The facility security officer should conduct an assessment of classified holdings to determine vulnerabilities, threats, and risk to classified information above and beyond what has been determined by the original classification authority and as applies to the National Industrial Security Program Operating Manual (NISPOM).

Since the NISPOM, SCG, Statement of Work, DD Form 254 and other guidance dictate how to protect classified information, the FSO should consider forming a team to help determine emergency scenarios that could increase risk to classified information at the enterprise location(s).

It’s important that threats include natural disasters. Next, the threats should be mitigated to ensure that classified information is protected and not compromised, regardless of the emergency event. But remember, human lives come first. So the earlier and better the FSO prepares, the more successful they will be.

Here is an example of how an FSO might conduct a risk assessment. For this example, the following information only applies to emergency situations for information purposes. A genuine risk assessment should consider all scenarios. More scenarios can be found in DoD Security Clearance and Contracts Guidebook.

The 6 step risk assessment process should be used to determine and address risks to classified information. The following is an example of a risk assessment with emergency situations as the focus:

1. Determine assets to be protected.

In this case it’s classified information and controlled unclassified information stored on site. However, for the analysis, consider the classified information by format (hardcopy, softcopy, end item, information in a person’s head, etc.) and location (high bay, closed area, security container, open storage, SCIF, etc.).

2. Determine threats to the classified information.

For this situation, FSOs should determine disasters and emergencies that could cause unauthorized disclosure of classified information. Threats should be considered specific to the facility and to the assets by format and location. Some things to consider are workplace injuries, heart attacks, strokes, fire, severe weather, earthquakes, flood, explosions, and anything else that could lead to exposed or lost assets.

3. Assess Vulnerabilities or what can be exploited to get to the classified information specific to your facility.

Vulnerabilities could include buildings set up in low-lying areas, poor construction, the location of classified material relative to emergency services traffic, or other things that contribute to emergency situations.

4. Assess Risk to determine threat to vulnerability and determine whether or not baseline countermeasures are effective.

For example, an area approved for open storage has the required alarms and facility construction. However, how effective are these security measures in the event of an emergency? For example, when an employee experiences a heart attack, how will that employee be rescued? What happens to classified information that is properly stored on shelves or is out on desks, computer screens, or lab tables?

5. Assign countermeasures.

If the security program designed to protect classified information does not protect classified information appropriately, assign additional countermeasures. In the above example, the approved open storage area is adequate for protecting classified information from intruders, but not against entry by uncleared personnel during an emergency. Additional countermeasures could include assigning escorts for emergency situations, selecting ingress and exit routes, and providing throw blankets to hide classified information during an emergency.

6. Determine Residual Risk.

Inspect the countermeasures to see if they truly mitigate the risk. One might have time to cover classified information during a medical emergency, but those countermeasures may not be effective when there is no reaction time. Always consider assigning the countermeasures by situation and asset format and location.

One universal tool that FSOs might find useful is providing an emergency kit bag at each location. These kit bags can be assigned to responsible and adequately cleared employees to deploy in emergency situations. However, not at all costs. Human lives should always come first.

Emergency Kit Bags

· Marking supplies (Pen, stamp, preprinted labels, etc)

· Opaque bag or wrapping paper

· Opaque security tape

· Cleared personnel roster

· Classification level coversheets

· Light source

*Suggested contents of emergency kit bags. These bags should be kept up to date and readily available during emergency evacuations.


An FSO should form a team to conduct the risk assessment process. The team should include emergency scenarios among the possibilities of unauthorized disclosure of classified information. The more subject matter expertise, the better. The FSO might enlist the help of cleared employees working in each unique environment, the safety officer, the facilities manager, and others to provide a more complete picture of the environment.

VALIDATION:

Document all actions and make available during annual security review. Actions might include:

· risk assessment process describing each of the six steps

· locations of emergency kit bags

· security training provided to cleared employees

· training provided to designated emergency escorts

· list of approved emergency escorts

· plan to protect classified information during an emergency event



The Six Step Risk Assessment Process for Cleared Defense Contractors and FSOs

The facility security officer should conduct an assessment of classified holdings to determine vulnerabilities, threats, and risk to classified information. This risk assessment is above and beyond what has been determined by the original classification authority (OCA) and as applies to the National Industrial Security Program Operating Manual (NISPOM). Where the OCA has determined classification level, the NISPOM provides guidance on how to protect the classified information. 


The missing piece is the defense contractor and how they protect the classified information by format and location. It's not always good enough to rely on NISPOM requirements, as the environment may dictate additional countermeasures. For example, SECRET and CONFIDENTIAL information can be approved for storage in a GSA-approved container. However, if the defense contractor is in a high crime area, additional physical security measures may be necessary.

That's where the six step risk management process comes in handy. While the NISPOM, SCG, Statement of Work, DD Form 254 and other guidance recommend minimum protection measures, the FSO should consider forming a team to help determine risk to classified information at the enterprise location(s). The process can be laid out in six steps:

  1. Determine Assets to be Protected-In this case it’s classified information. The FSO might consider expanding the scope to include controlled unclassified information stored on site. However, for the analysis, consider the classified information by format (hardcopy, softcopy, end item, information in a person’s head, etc.) and location (high bay, closed area, security container, open storage, SCIF, etc.).
  2. Determine Threats-Threats can include: emergency situations, spies, break ins, insiders, and other environment issues specific to the contractor location.
  3. Assess Vulnerabilities-Understand what can be exploited to get to the classified information specific to your facility. Vulnerabilities could include traffic patterns, limited security staff, lack of seasoned cleared employees, or other weaknesses in the infrastructure or environment.
  4. Assess Risk-Match the threats to the vulnerabilities and determine whether or not baseline security measures are enough. For example, even though classified information is stored in an approved GSA security container, new employees forget to lock the container before leaving the area. In the example, the NISPOM requirements are met to store classified information, but the environment requires more protection.
  5. Assign Countermeasures-If the security program designed to protect classified information does not protect classified information appropriately, assign additional countermeasures. In the above example, the GSA-approved container is adequate for protecting classified information, but employees have been forgetting to lock the container while taking short breaks. Additional countermeasures could include: multiple checks from supervisors, conducting additional security awareness training, discipline, and other actions to ensure the risk to classified information is mitigated.
  6. Determine Residual Risk-Inspect the countermeasures to see if they truly mitigate the risk. If the supervisor checks can’t be sustained, then additional countermeasures will have to be implemented. Keep checking until behavior is corrected and risk is mitigated.

The OCA provides the classification level and the contractor is required to protect the classified information assigned. The NISPOM provides the guidance, but that may not be enough. The FSO might consider enterprise specific issues that could require additional countermeasures, conduct risk assessments, and document the effort.

