Monday, March 30, 2015

NISPOM Based Certification Questions.

Try these NISPOM based questions. They could complement your ISP Certification or SPeD certification study. See how you do.

1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared

Scroll down for answers:

1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA (NISPOM 10-200)
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above (NISPOM 10-702)

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity (NISPOM 2-102c)
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract (NISPOM 5-509)
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared

FSOs and End of Day Security Checks

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-102a Is there a system of security checks at the close of each working day to ensure that classified material is secured? 

Security checks help, period. However, they are only as good as the purpose they serve. Too often these checks are just a list of mundane actions an employee is required to complete before going home, and too often they are performed by employees on a duty roster who pull the job for a week at a time and leave at various times of the day.

The real intent is to ensure classified information is locked up and inaccessible by uncleared personnel and those without need to know. Desktops, trash bins, printers, copiers are checked to ensure classified information has not been left unsecured.

GSA approved security containers are checked and initialed to ensure they are closed and locked properly. Closed area locks are checked, as are security alarms. The list goes on, ensuring that every place where classified information was available during the day has been secured and the risk of compromise has been mitigated.

Now, security checks are important, and so is the responsible party doing the checking. Often, any employee with a clearance is given the "duty". However, diligence is needed to ensure the checks are performed at the right time.

Here's a hint at an inherent, but rarely considered, danger.

The end of day checks should be performed at the end of the duty day and not the end of the day for the employee on duty.

Did you get the play on words? 

The danger with a duty roster is that, in many cases, some employees performing the end of day checks do not normally stay until the end of the duty day. Where the checker might leave at 3 pm, other employees might not leave until 5 pm. That two hour gap means the check simply does not provide the intended mitigation.

Within those two hours, an employee could reenter a closed area, open a security container, hold a classified meeting, and so on. Life goes on after the designated end of day checker goes home.

Outside-the-box ideas:

1. Have employees performing the duty alter their work schedule accordingly. Make sure that someone is covering down on the end of day checks at the actual end of the day. Some even go so far as to include safety and housekeeping items as well.

2. Have a last call for classified information. If the normal duty day ends at 5 pm, ensure all classified information is secured by 4:45. Of course there are emergencies and case by case issues that can be dealt with upon request.

3. Assign end of day checks to only employees who leave at the end of the day. Build in additional "beginning of the day" performance measures for employees who arrive earlier in the day.

Another common problem is using the end of day check for safety and housekeeping. Consider a separate checklist for those issues. Employees should be focusing their efforts on securing classified information, not on ensuring the coffee pot is turned off.

Hang on to those end of day checklists. DSS will want to see them during the review. Be sure to check for them during your self-inspection.

We've covered this discussion in depth in 2012 and 2013 posts. As a reminder, here are the links for further discussion of this important issue:

http://dodsecurity.blogspot.com/2013/03/traditional-security-tools-in-unique.html

http://dodsecurity.blogspot.com/2010/11/storing-classified-information-keeps.html#links

Though not required by NISPOM, government forms are available online for use, or simply to serve as a model when strengthening security programs. Companies are free to use these forms or create their own. One such form is the Activity Security Check List, Standard Form 701. Again, unless the contract or Government agency requires the use of a specific format, the company is free to adapt its own version.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.


GSA Security Container Magnets
http://www.redbikepublishing.com/book/magnet/

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".


Sunday, March 15, 2015

Defense Contractor Self Inspection Handbook and Classified Discussions

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-101 Do your cleared employees know where they can and can't hold classified discussions?

According to NISPOM 5-101, Safeguarding Oral Discussions: Contractors shall ensure that all cleared personnel are aware of the prohibition against discussing classified information over unsecured telephones, in public conveyances or places, or in any other manner that permits interception by unauthorized persons.

There are at least two points that the FSO should address. The first is to ensure all cleared employees are aware of when and where classified discussions are and are not permitted. This awareness can be presented in any of the following formats; if possible, the FSO should implement as many as apply:
  • New employee orientation/Initial Security Briefing/Annual security awareness training-FSOs should incorporate contractor specific training to ensure the cleared employees understand where and when classified discussions are allowed and the circumstances that must be met before discussions are allowed. This training should include designated areas, rooms, sections or other locations where conversations, presentations, telephone calls, and any other discussions should take place. The training should also include how to prepare the areas for the proper level of discussion, including any necessary VARs, COMSEC, or information system support.
  • Posters-Posters serve as reminders to reserve classified conversations for designated or dedicated locations.
  • Pamphlets or flyers-Post these in obvious places as part of continuing security training and education. These flyers and pamphlets can convey a lot of significant information that will support your annual security awareness training.
  • Multimedia-Broadcast your security message to the cleared employees through social media, websites, an internal television channel, etc.


VALIDATION: The best way to demonstrate compliance with NISPOM requirements is to document actions and show examples. This can be done with:
  • cleared employee signatures
  • facility maps identifying designated and dedicated classified discussion areas
  • locations where pamphlets and flyers are posted
  • how many were posted
  • copies of presentations and training

Presenting and documenting topics, signatures and copies of any method of presenting the message are great metrics to demonstrate validation.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.



Tuesday, February 17, 2015

NISPOM Based Study Questions for Security Certification

The following NISPOM training is meant to augment your NCMS ISP Certification education, not replace it. Download NISPOM to your computer and test your knowledge against this open-book practice test. So, here are some NISPOM based practice questions to help you prepare:

1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above
e. None of the above

2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA
c. CSA
d. FSO
e. None of the above

Scroll down for answers:

1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above (NISPOM 9-402a)
e. None of the above

2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above (NISPOM 10-200)

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number (NISPOM 6-104)
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone (NISPOM 8-303c)
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA (NISPOM 10-201)
c. CSA
d. FSO
e. None of the above

If you want more, see our book Red Bike Publishing's Unofficial Guide to ISP Certification only at http://www.redbikepublishing.com

Most Helpful Customer Reviews

By Lisa M. Doman on November 18, 2008
Format: Paperback
Like many seasoned industrial security representatives, I feel like I know it all. I have been in this industry almost 25 years; I know where to look for answers, and I have my contacts. But one day it occurred to me just how much has changed during my career - enter the Internet, enter computer based training, enter instant security clearances (Interims), enter the JPAS/e-QIP interface, enter diminished contact with my cleared employees and visitors. Admitting that the contact with my cleared employees is not as intimate as it used to have to be, somehow I felt that I was losing touch with my own skill set because of it. Jeffrey Bennett's book is very insightful into our industry, for he works with and supports, and motivates, this industry. You should consider buying the ISP Certification - The Industrial Security Professional Exam Manual, and spend 30 minutes with it each evening after work. Reinvigorate yourself. Give your imagination and professional growth some quiet stimulation. Remember. Refresh yourself. The best security education dollar you can spend, and not even leave home.
By Jasmine C. on September 15, 2011
Format: Paperback
After receiving this book, I quickly skimmed through it prior to sitting down for a close study. My initial reaction was to wonder just how much information I could learn based on the fact that most of the book was dedicated to practice tests. When I finally took the time to sit down and read it, I was surprised at just how much information it contains. The book tells you how to prepare, to include learning all security disciplines, how to manage your time, and how to study the NISPOM. The practice tests are a great opportunity to time yourself, and help to identify areas of weakness. I truly recommend this book for anyone considering the ISP Certification... it is a great tool to have!
Format: Paperback
Written by a security consultant of twenty-two years of experience in military intelligence, contracting and security, ISP Certification: The Industrial Security Professional Exam Manual is an instructional resource created to provide career security specialists with what they need to know to protect our nation's secrets. The text offers practical advice for security professionals and a working understanding of the NISPOM and Presidential Executive Orders implementing the National Industrial Security Program, but the heart of ISP Certification is its four practice tests designed to probe the depths of one's knowledge. An absolute "must-have" for anyone in federal positions requiring a thorough knowledge of security procedures, and highly recommended for the libraries of federal agencies.
By Fred Twitty on May 8, 2010
Format: Paperback
As a retired US Army, Chief Warrant Officer Five (CW5), Counterintelligence Officer; former Special Agent, Defense Investigative Service (DIS); former Special Agent Defense Security Service (DSS); former US Army Liaison Officer to Headquarters, Department of Defense (DoD), Alexandria, VA, Counterintelligence Division for Counterintelligence Issues, and former owner of a Small Veteran's Business, under a DoD contract to conduct Background Investigations for DoD Personnel Security Clearances, I consider this book to be brief and it makes the complex simple. This ISP Manual is a must for those preparing to take the ISP Certification Exam.
By S. Koryta on June 8, 2010
Format: Paperback
Mr. Bennett once again has assisted me in my endeavors as a security and protection professional. His book not only assists in helping you prepare for the ISP certification, it provides first hand insight and mentoring on how to advance your career goals in this complex field. In using his study guide, one can get a real understanding of how the certification process is and study to overcome the challenges of taking the exam. The one recommendation I can say is to combine it with the pocket edition, so you can take and read while on the metro to work.
By Diane Griffin on January 9, 2009
Format: Paperback
As a seasoned security professional, I found the Industrial Security Professional Exam Manual to be very clear, brief and concise.

The ISP manual is a must read for anyone anticipating taking the ISP exam. Whether you are a seasoned security professional or a newbie to the world of security, this book is a keeper.

Thank you for putting out such a Great Book

Diane Griffin
President/CEO
Security First & Associates LLC



Security Bad Habits #1

Let's take a look at bad security habits and how to avoid them. We'll take them on one at a time.

#1. Not marking working papers.

You might think it's okay to mark them later. You might be on a roll and can't stop for details. Whatever, stop making excuses and mark them immediately. You'll be glad you did.

Here's how to do it right:

Working papers containing classified information shall be:

  • dated when created-Do this immediately; don't wait. Pretty soon you may find your security container filled with working papers with no idea of their classification level or how old they are, and no time left to mark them properly before you have to explain to DSS.
  • marked with the highest classification of any information contained in them-If the working papers are the result of classified experiments, research, or other data, refer to the appropriate classification guidance, DD Form 254, contract or source document to find out the classification level, what is classified, and why.
  • protected at that level-Lock them up in the appropriate container, set alarms, put on a cover sheet, and enforce security clearance and need to know.
  • destroyed when no longer needed-If you don't need it, get rid of it. Clear out that GSA Approved Container, open storage shelf, or vault. There is no reason to keep classified information once its usefulness is over.

No longer working papers when:

Your own decision

If you decide to keep the working papers, mark and protect them as you would a finished classified document. Deciding to keep a working paper is simple: identify it as something needed in permanent storage and mark it accordingly.

Overcome by events

Some events may take over that decision, requiring automatic treatment of working papers as a classified document. In this case, they have become overcome by events (OBE). Whether by deliberate decision to keep them or by plain OBE, there are additional classification marking considerations in the NISPOM.

Such OBE cases include when working papers are:

  • released outside of the facility-If this classified information is needed at another organization for a meeting or other reason, mark and treat it as a permanent classified document.
  • retained for more than 180 days from the date of origin-You might not want to keep it forever, but if you keep it more than 180 days it's OBE; mark it as a permanent document.
  • e-mailed within or released outside the originating activity-Email = OBE. If it leaves the information system it resides on via email, mark it as a permanent document.


Bottom line: if you need it, keep it. Just make sure that it officially becomes part of your classified inventory. If OBE, treat it as a permanent document.

More bad habit fighting examples are coming. If you would like to contribute example bad habits for this blog or newsletter, send them over.

For more ways to overcome bad habits, see our book: DOD Security Clearance and Contracts Guidebook.

Monday, February 2, 2015

Public Disclosure of Information Pertinent to a Classified Contract

By applying the five “Elements of Inspection” that are common to ALL cleared companies participating in the NISP, and the additional elements that might be applied at unique cleared facilities, facility security officers can manage the opportunity a bit better. As a reminder, the DSS’ The Self-Inspection Handbook for NISP Contractors identifies these five elements common to all cleared facilities:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

Using the DSS publication as the intended guidebook, FSOs can glean important information and ideas for applying the elements to their own facilities. This guidance doesn't just get the cleared contractor ready for the inspection; when applied, it solidifies a sound and proven security program.

The following article covers public disclosure of information pertinent to a classified contract. This is one area where a contractor can get jammed up unless addressed properly. Understanding how to request permission for public disclosure of this information is as important as protecting the information itself.

So, let’s begin with the topic in the self-inspection handbook.

Was approval of the Government Contracting Activity obtained prior to public disclosure of information pertaining to a classified contract?

I was advising a public relations unit for a small cleared defense contractor. This was a crack team that worked relentlessly on business development to keep the company profitable and its employees at work. However, what they did not understand were the nuances of disclosing information pertinent to a classified contract. What they were good at was explaining how well the company performed on contracts. What they did not understand was that some of that information should not be disclosed without prior approval of the government customer. The government customer was very frustrated with the cleared defense contractor when the issue was raised.

Some information is good for both contractor and government agencies. Unless otherwise specified by the government customer, the contractor can freely publish the fact that a contract has been received, the subject matter of the contract, the method or type of contract, and total dollar amount of the contract unless that information reveals classified information. Additional information includes publishing decisions to hire additional employees or terminate existing employees.

This is all very general information and does not include intimate details about program efforts and capabilities. This general information is usually shared on websites, brochures, briefings, radio announcements and other media. Again, it’s good for business and there is no issue with disclosing the information. Keep in mind that information released specifically for a presentation, briefing, or conference must be considered open disclosure unless a classified setting or limited audience (export controls in place) is approved. Otherwise, if the information is considered too sensitive to put on a website, it should not be shared without approval.

In those situations where public disclosure is desired and approval necessary, it is important to document any GCA approval for public disclosure of unclassified information pertaining to a classified contract. The specific requirements should be found in the DD Form 254 and any directed specifications by the GCA.

According to NISPOM 5-511, the following should be implemented:

· Submit requests through the activity specified in the DD Form 254.

· Each request shall indicate the approximate date the contractor intends to release the information for public disclosure and identify the media to be used for the initial release.

· A copy of each approved request for release shall be retained for a period of one inspection cycle for review by DSS.

· All information developed subsequent to the initial approval shall also be cleared by the appropriate office prior to public disclosure.

A good practice is to use the above bullets as a checklist. Gain approval and document the approval ensuring the above requirements are met. File the approval with the required information and be prepared to demonstrate approval during the next DSS review.


For more information about meeting NISPOM and DSS requirements, see DoD Security Clearance and Contracts Guidebook.