Thursday, October 27, 2011

5 Easy Ways to Demonstrate NISP Enhancement Category 2

Category 2 of the NISP Enhancement covers Security Education: Internal Educational Brochures/Products. This focuses on the FSO providing security education to the entire employee population. This is in addition to security awareness training provided to cleared employees (employees with security clearances) required by NISPOM. What is the benefit of training cleared and uncleared employees? Uncleared employees can be the eyes and ears that are needed and add an additional layer of protection.


 
For example, cleared employees can be trained to recognize classified information. If a classified package is unattended, the cleared employee can be trained to recognize the sensitivity and report the incident to the FSO. Otherwise, they may take possession, read it, throw it away or otherwise cause compromise of classified information.

 
Here are some recommendations on how to provide that training:

 
  1. CD/DVD: Defense Security Services, Interagency OPSEC Support Staff and other professional and government organizations have movies available for ordering that apply to both cleared and uncleared employees. The movies are short but dramatic, on varying topics of treason, OPSEC and protecting personally identifiable information.
  2. Web-based interactive tools: Again, these are available from the same agencies. Defense contractors can also create their own training and upload it for employee use. Red Bike Publishing also provides similar training.
  3. Newsletters: The FSO can designate, sponsor or assign someone to create a periodic newsletter to provide timely articles. The newsletter can be generic or laser focused on industry topics. There are vendors out there that provide newsletters for a small fee. Or, you can re-use ours and blast it out to your employees or professional organization. Just be sure to give proper credit.
  4. Security games/contests: FSOs have hosted poster contests where, instead of relying on the security department to provide all the talent, other employees contribute. Organically produced posters can also use the company brand and carry on the company mission statement by having the security message reflect the organizational goals and values.
  5. Brochures: There are great resources for delivering pinpointed security messages. Companies can brand their security specifically to the organization or mission. Government agencies have websites with downloadable brochures and posters on many topics.

 
Be sure to create an index or catalog of where brochures, posters or other training items are located so that you can keep them updated, monitor use and make improvements. Most of all, it’s important to document and demonstrate how you use these items to improve your security posture. Become an expert for your training and show DSS how you are making a difference.

For more detailed ideas see pages 225-227 of DOD SECURITY CLEARANCES AND CONTRACTS GUIDEBOOK

 
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Thursday, October 20, 2011

National Industrial Security Program-NISP Enhancement

Category 1 of the NISP enhancement involves company sponsored events. This is an opportunity that the FSO can use to demonstrate above and beyond adherence to NISPOM Chapter 3. Some of the suggested ideas include:
·         Security fairs: Security fairs are great ways to demonstrate the added value security provides to cleared defense contractors. The FSO can set up designated booths that provide security solutions and awareness. Some examples include:
          ·         Document wrapping booth to demonstrate how to properly mark and wrap classified packages. You can take the opportunity to brief courier and other classified transport opportunities.
          ·         Fingerprint booth: As FSO, I ordered children’s fingerprint cards. When we had a company picnic, I invited all the parents to come by to get their children fingerprinted. I then turned the completed cards back to the parents for safekeeping. This provided a service to the company and helped establish personal and working relationships.
          ·         Document destruction: You can extend shredding and destruction services to employees. Invite them to bring in personal information such as financial records and shred them on site. If you have a vendor that provides the service for you, they may offer to do so in support of the security fair. While there, you can relay the importance of protecting and properly destroying classified, export controlled and privacy information.
·         Interactive designated security focused weeks: You can implement great security training by having theme weeks. For example, you can designate one week for information security, one week for personnel security, one week for general security and so on. During the focus weeks, you can provide educational emails, letters, posters or announcements with the relevant security reminders or training.
·         Security lunch events: I worked with a company that initiated a “lunch with the FSO”. The FSO reserved a conference room, carved out time in his schedule, and invited subject matter security experts to sit on a board. Every employee was extended an invitation to attend the monthly events. The FSO opened the meeting with any updates or reminders of security policy and invited the attendees to ask questions of the subject matter experts.
·         Hosting guest speakers on security related topics: There are great resources that the FSO can call on to provide guest speakers. Fellow members of professional organizations may be happy to help. You can enlist fellow professionals to talk about International Traffic in Arms Regulation (ITAR) compliance or how to escort foreign visitors, or other subject matter experts to speak on any topic appropriate for your company. You can contact a vendor to talk about their security related products or bring in a paid speaker or consultant. Also, don’t forget counterintelligence agencies, DSS or the FBI’s domain coordinators, who may be available for such occasions. You might even consider inviting an Industrial Security Professional (ISP) certified FSO to talk about the value of hiring employees board certified to protect classified information.
·         Webinars: More and more training is being conducted online. Professional organizations have such material available to paid members, DSS has a catalog of tons of training, and there is lots of free training available online. There are also great vendors who provide training software and hosting for company developed online training. Additionally, many vendors offer already developed online NISPOM training perfect for sending to your employees.



Friday, October 14, 2011

What is a National Industrial Security Program Enhancement Category


Defense Security Services are training their agents to apply the new Security Rating Calculation tool. This tool is used to standardize and is based on a numerical scale that allows graded results while accounting for a cleared facility’s involvement in the National Industrial Security Program. However, DSS is training their agents to ensure they understand the process before implementing it.
This provides a great opportunity for cleared contractors and FSOs to prepare for the changes to come. One of the most prominent features is the addition of a method to grade the ability of a cleared contractor to go above and beyond National Industrial Security Program Operating Manual (NISPOM) requirements. At one time the ability to go above and beyond seemed objective, requiring the FSO to demonstrate how they went above and beyond during the review or other interaction with DSS. Now, DSS has included a proactive measurement called the NISP Enhancement. According to the DSS website, “…directly relates to and enhances the protection of classified information beyond baseline NISPOM Standards.”
DSS has identified 13 categories that they will evaluate the cleared contractor for “above and beyond” capabilities. During the review the DSS special agent will interview employees and review processes and procedures to evaluate impact on the security program.
The 13 criteria follow:
Category 1-4 Security Education
Category 5 Self inspection
Category 6 Classified Material Controls/Physical Security
Category 7 CI integrations/Cyber Security
Category 8 Information Systems
Category 9 FOCI
Category 10 International
Category 11 Membership/Attendance in Security Community Events
Category 12 Active Communication in the Security Community
Category 13 Personnel Security

Future articles will include ways to implement each of the 13 categories. I hope you’ll continue to visit our blog and newsletter for more information on “going above and beyond baseline NISPOM Standards.”



Thursday, October 13, 2011

Who will be the next FSO

For those defense contractors who want to perform on classified contracts, there are a few considerations to address. Under the National Industrial Security Program (NISP), a cleared contractor should appoint an FSO to take on the responsibility of directing a security program to protect our classified information. This FSO is the link between the government contractor and the cognizant security agency (CSA).

When considering who to appoint as an FSO, the cleared contractor has a few choices:
1.      The senior officer can assume the role.
2.      The cleared contractor can designate an existing employee.
3.      The cleared contractor can hire a new employee.

Whoever assumes the role of FSO must meet two requirements:
1.      Be a United States citizen. Both the facility and the FSO have to be U.S. entities and must have a history of integrity and conduct that prevents or limits exploitation or coercion to release classified material in an unauthorized manner.
2.      Possess a security clearance according to the company’s facility clearance level (FCL). A facility clearance is awarded to businesses that meet strict requirements and have a need to work with classified information. The personnel security clearance is awarded based on the need and the approval of a facility clearance.

Depending on the mission and size of the company, it’s not unusual for the cleared contractor to appoint an assistant, engineer, program manager, human resources specialist or other capable employee with the additional responsibility. Larger companies may have the luxury of hiring additional personnel for specific and defined security responsibilities.

When assigning an FSO, shareholders should look for demonstrated leadership and team playing traits that complement the minimum requirements found in the NISPOM. The FSO’s primary purpose is to prevent the unauthorized disclosure and release of classified information and help the organization maintain security clearance eligibility. Any unauthorized release can cause problems such as but not limited to: loss of reputation, loss of contracts, jail time or disciplinary actions against the employee, and loss of clearance for the employee and/or the business. The FSO has a tough task that they can’t possibly do alone (for training resources visit our website).



Monday, October 10, 2011

5 Steps to Protecting Technical Data on International Travel

Prior to travel, a cleared employee should have a good understanding of their responsibilities to protect sensitive information. This can include classified or unclassified information and military or dual use information. For defense contractors, protection of classified information is addressed in the National Industrial Security Program Operating Manual (NISPOM), military technical data is covered by the International Traffic in Arms Regulation (ITAR) and dual use technical data is protected under the Export Administration Regulation (EAR).


Facility Security Officers (FSOs) and Exports Compliance Officers can train their travelling employees to protect technical data and help them accept the responsibility to protect themselves, classified information, and technical information. Preparation for travel can be covered in 5 steps:

1. Ensure cleared employees notify their security office of all foreign business well in advance of a proposed travel date. This will prepare the employee and the supporting staff to adequately support the visit. If technical exchange is necessary, a year’s notice may be necessary to acquire the appropriate licenses and TAAs.

2. Travelers should understand how technical data can be transferred inadvertently or purposefully through a written note, viewing a computer screen, conducting seminars and so on. Make sure employees know they are only authorized to communicate technical data through a license and/or TAA.

3. Employees should know the boundaries in advance before sharing any technical information with non-U.S. persons. Help them understand the provisos of licenses and TAAs and exactly what they are allowed to disclose.

4. Coordinate with the IT department (or someone offering these services) to provide a computer equipped only with permitted information (according to licenses and TAAs). A sanitized computer reduces the threat of export violations or theft of economic or corporate data. Keep all products and information that could lead to export violations or the release of proprietary data close at hand.

5. Teach employees to practice good physical safety and security. A good practice is for employees to conduct themselves as professionals at all times and know they represent the company. For safety, they might consider coordinating closely with their hosts to find the best places to eat and shop. The State Department has a great website employees can visit to prepare for travel (www.state.gov). Anyone traveling abroad should familiarize themselves with the site and use it to become an informed international traveler.


Monday, October 3, 2011

3 Important Uses of the DD Form 254

In addition to the NISPOM, there is another critical piece of information for creating a lasting and significant security program and good classification management: the DD Form 254.
The Contract Security Classification Specification (DD Form 254) authorizes classified work performance and conveys the security classification specifications and guidelines for classification in the performance of a classified contract.

The DD Form 254 is provided to both the contractor and cognizant security offices when work is subcontracted to a supplier/vendor requiring access to or generation of classified material.
So why is this important to you?

It provides authorization for a contractor company to hold and/or perform on classified contracts. The DD 254 justifies the need to access classified information and how and where the contractor is expected to perform. This justification also addresses the level of clearance at which the facility and employees should be approved.

It also provides the following information:
• The classification level at which the work will be performed.
• Any caveat access or any special briefing needed.
• Whether we can receive or generate classified information at our facility.
• Whether or not AIS processing is allowed.
• Exchange classified information/or visit another facility.
• Classify/declassify information and what Security Classification Guides will be used.
• Disposition of classified material involved with the contract.
• Whether or not subcontracting is authorized.
• Any other requirements as set forth by the User Agency.

The 254 cuts through the fog of classification management, provides control and accountability of classified work and can be a foundation for security refresher training. It also serves as a basis for constructing a detailed and efficient security awareness program.

FSOs can better implement requirements of the 254 through the following steps.
1.  Become familiar with the classified contract(s) and the requirements of the 254.
2.  Know the contract numbers as well as what is allowed since each contract is unique.
3.  Use contract or subcontract numbers in the Information Management System while logging in classified documents, processing clearances, and preparing visit requests. Better yet, use this tool to become an expert on building and implementing a security program to protect classified information.



Networking Skills

Experience, commitment and practice are the best qualities to prepare the professional for the necessity of good old-fashioned networking. Networking is especially necessary in high trust and vulnerability industries like security, where peers, colleagues and co-workers closely guard information.

A career in security is rewarding and challenging. The work is important, cleared contractor employers count on FSO skills to maintain classified contracts and national security depends on proper protection of classified information. The security professional requires a high degree of interaction as paths cross in training, collaboration or through contractual execution. Security professionals are traditionally somewhat guarded discussing business with new or otherwise unknown persons. Security professionals require time to develop trusting working relationships and getting to know important connections in a timely manner is important.

So, how do we accelerate this networking curve?

1. Foster relationships on the job. Get to know other employees and business unit managers in your organization. Develop trusting relationships that allow exchange of information. Other employees can help broadcast the security vision as you assist them with their individual and program needs.

2. Become active in professional organizations such as NCMS or ASIS. Security professionals have a lot of experience that is definitely worth sharing. There may be other FSOs having similar challenges and may be able to give fresh insight. You may find yourself helping others as well.

3. Become known by writing articles or teaching classes. Publishing in professional journals or teaching a “how to” seminar will get you recognized as an expert and trusted person.

4. Look for opportunities to network with business leaders, police, firefighters, public safety, local and national government agencies and any other members of the community. The best way to protect our industry and our national resources is to use our force multipliers.

5. Consider joining committees, volunteering in the community, or sharing your expertise outside of your organization or career. For example, you could demonstrate how a non-profit organization can protect sensitive data.

It doesn't take much to network; just willingness to both help and to learn. What you contribute is invaluable and you are never too old to learn from others.

