Tuesday, July 22, 2014

Try these NISPOM Based ISP Certification Questions

Try your knowledge of the NISPOM and apply your experience as an industrial security professional with these challenging questions:

1. Recommendations for the downgrading of NATO classified information should be forwarded to:
a. Originating activity
b. CSA
c. GSA
d. CUSR
e. FSCC

2. All of the following require accountability receipts EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL
e. NATO CONFIDENTIAL ATOMAL

3. Which form is used for registration of Scientific and Technical Information Services?
a. DD Form 214
b. DD Form 254
c. DD Form 1540
d. DD Form 2345
e. DD Form 1234

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:
a. CSA
b. GCA
c. FSO
d. ISSM
e. GSA


**************No Peeking-Keep scrolling when ready for answers****************

1. Recommendations for the downgrading of NATO classified information should be forwarded to:
d. CUSR (NISPOM 10-710)

2. All of the following require accountability receipts EXCEPT:
d. NATO CONFIDENTIAL (NISPOM 10-17b)

3. Which form is used for registration of Scientific and Technical Information Services?
c. DD Form 1540 (NISPOM 11-202a)

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:
a. CSA (NISPOM 5-800)




Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Sunday, July 20, 2014

Thanks NCMS-New ISP Coin

My new NCMS ISP Certification coin came in the mail. Another great reason for ISP Certification; thanks NCMS...

FSOs and Cleared Consultants

As a recap from the last article, we can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

Though not applicable to all cleared contractors, consultant agreements may apply to some. This article will address the requirements of the consultant agreement and how to basically treat consultants as part of the cleared contractor enterprise.

A consultant agreement, according to the Defense Security Services (DSS) Facility Security Officer (FSO) Toolkit, might look as follows (formatting and content can vary, but this is a template that works just fine). See it here: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html


Here are the elements of the template.

A consultant for cleared contractors is an individual who provides professional or technical services requiring access to classified information. According to paragraph 2-212 of the National Industrial Security Program Operating Manual (NISPOM) DoD 5220.2-M, a cleared contractor can process a consultant for a personnel security clearance as if they were a cleared employee of the organization. The condition is that the consultant either outright owns the business or co-owns it with family members, and is the only employee requiring a security clearance. If other members of the consultant’s organization are required to access classified information, then the company will need to be sub-contracted and sponsored for a facility security clearance (FCL).

The consultant agreement should ensure that the following apply to the work performed (exceptions exist in connection with authorized visits):

In the case of a consultant “treated” as an employee, the DD Form 254 is clear about where classified work is performed. The 254 applies to all work performed by cleared employees. By agreement and NISPOM guidance, the consultant is the cleared employee. As such, the FSO should document the following actions and be ready to demonstrate them during the self-inspection and the DSS review:

a. The consultant shall not possess classified material away from the premises of the using contractor.

b. The using contractor shall not furnish classified material to the consultant at any location other than the premises of the using contractor.

c. The consultant shall accomplish performance of the consulting services only on the premises of the using contractor.

Since the consultant’s clearance is held and processed by the using contractor, the consultant should receive an initial security briefing and annual security awareness training. This training should include the requirements of the NISPOM:

a. The using contractor shall provide classification guidance to the consultant, and shall brief the consultant as to the security controls and procedures applicable to the consultant’s performance.

b. The consultant shall not disclose classified information to any unauthorized person.


Finally, the consultant agreement should state language to the effect that the consultant is the owner of the consulting firm and is the only official/employee of the consulting firm who may provide consulting services pursuant to this agreement.

Once the memo is written and agreed upon, both parties should sign it and make records available for self-inspection and DSS review.

Using this article and experience, the FSO should now be able to demonstrate proficiency with the following questions:

D. CONSULTANTS

NISPOM REF: 2-212
Question: Have you and your consultants jointly executed a “consultant agreement” setting forth your respective security responsibilities? (YES / NO / N/A)
RESOURCE: Consultant Agreement under Forms at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html
VALIDATION:

NISPOM REF: 2-212
Question: Does the consultant possess classified material at his/her place of business? (YES / NO / N/A)
VALIDATION:

Friday, July 11, 2014

Justifying a Clearance – Why Need to Know May Become the New Norm

*My article as published @ Clearancejobs.com
http://news.clearancejobs.com/2014/03/28/justifying-clearance-need-know-may-become-new-norm/

Bradley Manning, Eric Snowden and Aaron Alexis.


These are names of co-workers and fellow employees with security clearances who violated trust. After each incident, reviews were conducted to discover: How did they get security clearances? How, in the case of the spies, did classified information get taken? In the case of workplace violence, how did such untrustworthy and threatening persons get security clearances?


A Pentagon report released last week provided an independent review of the Navy Yard shooting, and asked the critical question: are there currently too many individuals with access to classified information?

CURRENT PRACTICE: DEFEND THE PERIMETER


Prescribed security measures to protect classified information are found in government agency security classification guides, policies, instructions and procedures. Where classified information exists, there are countermeasures required to protect that information. Depending on the classification level, these protection efforts include proper classification markings; storing classified information in General Services Administration (GSA) approved security containers and vaults; and using alarms, sensors, a guard force, or a combination of these.


Current security measures are deemed adequate to protect classified information from falling into the wrong hands. After all, a thief or spy would have to go through several layers of security to get their hands on national security information at significant risk to themselves; or would they? These days, sometimes all they have to do is ask nicely and an otherwise authorized employee might just bring it to them.


Protection measures only go so far to deny unauthorized persons access to sensitive information. In a time where the biggest threats to national security are the Bradley Mannings and Eric Snowdens, trusted employees walking out with the goods, physical security measures are just not enough: they keep bad guys out, but do little to prevent the insider threat.


This is not limited to the federal government and contractors, but also occurs elsewhere. Theft of proprietary information, personally identifiable information, intellectual property, workplace violence and more are perpetrated by the co-worker who was so quiet and hardworking.

FINDINGS


The Washington Navy Yard shooter, Aaron Alexis, held a SECRET clearance. According to the report, he was awarded his security clearance while in the Navy, but this was a “just in case” measure and not based on need to know. The result was the ability to maintain the security clearance for 10 years as long as he didn’t have too long a break between jobs requiring a secret clearance. Once hired by The Experts, Inc., he was back in the system. His eligibility would depend on self-reporting of any adverse information and the periodic review due at the 10-year mark. Couple that with the rapid growth of cleared personnel, and we see how an insider threat can grow unchecked. The risk was the inability to connect police records and other historical data that might have indicated that he was ineligible for a security clearance.

A NEW PARADIGM

Some of the findings of the Pentagon’s review break the paradigm of relying on “defending the perimeter” to focus on the challenges of protecting National Security from those within our own ranks.

The first recommendation is to: “Cut the number of Department of Defense employees and contractors holding Secret clearances, and adopt a “just in time” clearance system more tightly linked to need to know.”

This solution may appear extreme and many reading this may take issue with such cuts. After all, many cleared defense contractors rely on having the adequate pool of cleared contractors and offer salaries and benefits tied to security clearance levels. Those holding security clearances may feel the pressure of such cuts as career ending.

These cuts are recommended as a countermeasure to free the workload of investigators and focus on more efficient and effective adjudication. As such, this could be just the countermeasure needed to protect national security. Further study demonstrates the intent is not to cut positions, but to determine whether or not existing positions require a security clearance. Validating the need for a clearance early is a determining factor. The cuts are simply requiring better stewardship and oversight of the security clearance process. Jobs do not need to be cut, but justification for requesting security clearance investigations and follow-on security clearances needs to be better defined and controlled.

BRING BACK NEED TO KNOW

Many cleared employees may concede that access to classified information is based on a security clearance level AND the need to know classified information. Many times the need to know is not fully understood nor properly identified for security clearance requests. Defense contractors are granted facility security clearances based on a contractual need. After being granted a facility security clearance, they then request personnel security clearances for employees who will need access to perform on the classified contract. In many cases this breaks down when the cleared defense contractor or government agency requests security clearances using a standardized tool based on position, or to form a pool of cleared personnel in case they are needed.

This review recognized that the current state of the security clearance process was flawed, which made sensitive information and the workplace vulnerable to the insider threat. The report makes recommendations to exercise more control over the security clearance process, making a greater argument for resting justification on need to know.

INTERNAL CONTROLS

One clearance justification practice used by cleared defense contractors is to have management provide rationale in a statement or security clearance request form of the need to request a clearance on a particular employee. Another practice is to directly link the new-hire employee to an employment opportunity requiring access to classified information to perform the job. However, these successes are based on internal controls and policies of the responsible cleared contractor, and not strictly enforced by government oversight.

The review made many other recommendations to streamline and improve oversight of the security clearance process for contractors. Whether or not the recommendations are acted upon remains to be seen. However, industry can become part of the solution by properly justifying the need for a clearance.




Tuesday, June 24, 2014

ISP Certification and NISPOM Study Questions


Try your knowledge of the NISPOM and apply your experience as an industrial security professional with these challenging questions:

1. The minimum investigation requirement for SECRET FRD is:
a. NACLC
b. XNAC
c. SSBI
d. NAC
e. Polygraph

2. Only contractors with access to RD and FRD can be designated as _____ employees as:
a. FRD Classifiers
b. RD Classifiers
c. NRC Classifiers
d. DOE Classifiers
e. DoD Classifiers

3. Cleared contractor employees must be briefed by the _____ prior to having access to CNWDI.
a. CSA
b. GCA
c. DOE
d. NRC
e. FSO

4. Accountability records for COSMIC TOP SECRET ATOMAL must be maintained for:
a. 10 years
b. 2 years
c. 5 years
d. 3 years
e. 4 years

**************No Peeking-Keep scrolling when ready for answers****************

1. The minimum investigation requirement for SECRET FRD is:
a. NACLC (NISPOM 9-104e)

2. Only contractors with access to RD and FRD can be designated as _____ employees as:
b. RD Classifiers (NISPOM 9-105b)

3. Cleared contractor employees must be briefed by the _____ prior to having access to CNWDI.
e. FSO (NISPOM 9-202)

4. Accountability records for COSMIC TOP SECRET ATOMAL must be maintained for:
a. 10 years (NISPOM 10-717d)

For more helpful hints and study resources, see Red Bike Publishing’s Unofficial Guide to ISP Certification and NISPOM Training ideas.

Saturday, June 21, 2014

Self-Inspection of the Enterprise

As a continuation from the last article, let’s look at a few more security education questions. The last article discussed some time-proven practices to present and document NISPOM training for cleared employees. This article will look at required reports, since security education will be reviewed during the scheduled DSS visit.

While answering these self-inspection questions, FSOs might consider interviewing cleared employees to gauge their understanding of requirements. The interview should also include opportunities for the employees to demonstrate how they execute policy. Knowledge of policy is not enough. FSOs should document a cleared employee’s response of what to do and how to perform when required as a means to demonstrate that knowledge.

The following are some questions from the self-inspection handbook:

Are cleared employees debriefed at the time of a PCL’s termination, suspension, revocation, or upon termination of the FCL?

Just because a cleared employee is no longer provided access to classified information doesn’t mean all of their knowledge and experience is sanitized from their brains. It also doesn’t mean that they will completely understand what to do with that knowledge if challenged to reveal it. 

Knowledge is hard to control and even harder when the former employee is outside of the defense network. They are no longer under continuous evaluation and we don't know what the employee will do with all the great stuff stored in their head. The best thing an FSO can do is to debrief them, have them understand their continued responsibility not to disclose classified information, and have them sign an acknowledgement stating their understanding. FSOs should not leave this to chance. When at all possible, a face-to-face briefing is the best method.

Terminated employees can be a challenge. It’s very difficult to conduct a debrief interview with a person who feels wronged by the organization. But national security and classified information are at stake. FSOs should not be satisfied with administrative action alone, meaning allowing an employee to leave without the actual face-to-face debriefing. This requires coordination with Human Resources and having them comprehend the importance of keeping the FSO abreast of hiring and firing actions.

Document the debriefings with signatures and dates. This can be easily done by reminding them of their continued responsibility to protect classified information and having them sign and date.

Is there an effective procedure for submission of required reports to the FBI and to DSS? 

There are reports required of each office. However, the employees should understand that the first stop is the FSO. Not that the FSO should attempt to arbitrate issues, but many employers have policy stating that employees should not report company issues without the enterprise’s knowledge unless as a last resort. Many companies have policy dictating how to report information outside of the organization. There is no reason to violate this policy in most circumstances.

This reporting method should also be enforced for instances of:

Instances of fraud through the DoD Hotline-DSS inspects on the availability of posters in obvious areas. Bulletin boards make a great location as announcements are usually posted there. FSOs might also post them where required OSHA posters exist. Write up a map showing where all posters, flyers, pamphlets and other security education tools are available. Document their presence and show them to DSS during the review.

Cyber Intrusions-monitor and report all intrusions. Work out the analysis and reporting details with the IT and cyber professionals and ensure they know to report these intrusions. Document the events as well as when and what is reported.

Adverse information-Develop a culture where employees can report credible information about a cleared employee’s (including themselves) ability to protect classified information. Report and document all reports to demonstrate during the DSS audit.

Security Violations-save all reports of security violations and the results of investigations. For security violations that include loss, compromise or suspected compromise, these could include preliminary, initial, follow-up, final and culpability reports. Keep reports on file and any records of submissions to the cognizant security activity.

Suspicious contacts-cleared employees should understand to report any efforts to obtain illegal or unauthorized access to classified information or to compromise a cleared employee, contacts by a foreign intelligence officer from any country or information that a cleared employee may be targeted. Document training and any submitted reports.

Security awareness training includes checking on how the employees implement training as required by NISPOM. It’s one thing to show a presentation of required reports and debriefing employees. It’s another to have requirements woven into corporate policy and work instructions. Asking cleared employees to demonstrate their responsibilities or employing scenarios are great ways to check on knowledge. If actual events are reported to the FSO, they should be documented for review during the DSS visits.




Sunday, June 15, 2014

Security Education for FSOs and Cleared Employees

As a recap from the last article, we can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

As in all cases, documentation is key. Here is an explanation of the requirements, what to look for and how to document.

FSO Training-As with all things leadership, the first place to start is at the top. The FSO should lead the way by ensuring their education is completed and documented as soon as possible. DSS provides FSO training and certification which can be found @ http://www.cdse.edu/toolkits/fsos/security-education.html

According to NISPOM paragraph 3-102, training requirements shall be based on the facility's involvement with classified information and may include an FSO orientation course and, for FSOs at facilities with safeguarding capability, an FSO Program Management Course. Training, if required, should be completed within 1 year of appointment to the position of FSO.

For many FSOs assigned to larger defense contractors, or who are otherwise career security specialists, this requirement is not difficult. However, an FSO of a smaller organization who is newly appointed to the position will have to consider the time and resources necessary to free themselves up for the training.

Documentation: Keep all DSS certificates and transcripts.

Special Security Briefings/Debriefings-Again, starting at the top, the FSO should receive the initial required briefings from the Cognizant Security Office (CSO) (in most cases Defense Security Services (DSS)). This initial briefing requirement carries with it the authorization to flow down the briefings to authorized cleared contractors.

Documentation: Keep FSO and briefer signatures in a training file to present to DSS during the review.

Cleared Employees at other work locations-If cleared employees perform classified work at other locations, who will fulfill the security requirements? Some locations require residing cleared employees to take training at their worksites. Others require home organizations to provide the training. In some cases cleared employees must attend training provided by both host and home organizations. Agreements should be in place to address the question, and documentation should be available as proof of the training.

Documentation: Keep signature sheets, certificates or other items documenting who was trained, the date and type of training.

SF-312-Cleared employees should only sign the SF-312 when they are first awarded security clearances. FSOs should educate the employee with SF-312 training and ensure they understand what they are agreeing to. It’s not necessary to file fresh signatures each time a periodic reinvestigation is conducted or when an already cleared employee is hired by a new employer. However, these first signed SF-312s should be provided back to the cognizant security agency (CSA) signed by both subject and a witness.

If a subject refuses to sign the SF-312, this should be both documented on the 312 and reported to the CSA.

Documentation: Forward SF-312s and keep a record of when forwarded. Keep a copy of the SF-312 for records.

Initial Security Training-If an employee signs an SF-312, initial security training should be provided. This is different from what is provided in SF-312 training. Initial security training requires education in the following topics:

a. A threat awareness briefing.
b. A defensive security briefing.
c. An overview of the security classification system.
d. Employee reporting obligations and requirements.
e. Security procedures and duties applicable to the employee's job.

Documentation: Keep signature sheets, certificates or other items documenting who was trained, the date and type of training.

Security Refresher Training-FSOs should provide this training to cleared employees every year. The same initial security training topics are covered with the inclusion of any changes in security regulations since the last briefing. For newly cleared employees, this occurs after the first year of employment and is provided annually as long as the employee remains cleared.

Documentation: Keep signature sheets, certificates or other items documenting who was trained, the date and type of training.

As FSOs develop a self-inspection program, they should use the checklist as provided in The Self-Inspection Handbook for NISP Contractors. The checklist provides thought provoking questions that, when addressed, can better prepare the organization for the DSS annual review. Look for the next article featuring sample questions to ask cleared employees. These will make sure the enterprise understands and implements requirements in support of the security program.



