Thursday, January 24, 2013

Test Questions from Red Bike Publishing's Unofficial Study Guide for ISP Certification

ISP Certification


1. The _____ or _____ may inspect and monitor contractor, licensee, grantee, and certificate holder programs and facilities.
a. Secretary of Defense, NRC
b. Secretary of Energy, Secretary of Defense
c. Secretary of Energy, FBI
d. Secretary of Defense, DSS
e. Secretary of Energy, Chairman of NRC











2. The requirement for heads of agencies to enter into agreement with the Secretary of Defense as the Executive agent for the NISP is:
a. Reference a
b. Executive order 12958
c. NISPOM
d. Reference c
e. Reference d

3. The CSA shall forward the names of cleared and briefed employees who shall serve as FSO, COMSEC and alternate COMSEC custodians to the:
a. COR, GCA 
b. NSA
c. DoD
d. DIA
e. DOE

4. “The transfer of articles and _____ and related technical data to a foreign person…constitutes an export”.
a. Services 
b. Books
c. Tools
d. Weapons
e. Aircraft



The Answers (scroll down when you're ready)




1. The _____ or _____ may inspect and monitor contractor, licensee, grantee, and certificate holder programs and facilities.
e. Secretary of Energy, Chairman of NRC (NISPOM 1-101b)

2. The requirement for heads of agencies to enter into agreement with the Secretary of Defense as the Executive agent for the NISP is:
a. Reference a (NISPOM 1-103a)

3. The CSA shall forward the names of cleared and briefed employees who shall serve as FSO, COMSEC and alternate COMSEC custodians to the:
a. COR, GCA (NISPOM 9-403a)

4. “The transfer of articles and _____ and related technical data to a foreign person…constitutes an export”.
a. Services (NISPOM 10-101)





Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Thursday, January 17, 2013

Determining ITAR License Requirements and the Effective Use of Exemptions




Interview with Jennifer Maki, Counsel Government Group at FLUOR

In August 2009, President Obama directed a broad-based interagency review of the U.S. export control system, with the goal of strengthening national security and competitiveness of key U.S. manufacturing and technology sectors. As a result, the Administration launched the Export Control Reform Initiative (ECR Initiative), which will fundamentally reform the U.S. export control system.  Understanding requirements and implementing best practices for export compliance is essential for avoiding International Traffic in Arms Regulations (ITAR) violations.

marcus evans spoke to Jennifer before the upcoming 3rd Annual Advanced ITAR Compliance Conference. In her presentation, Ms. Maki will discuss global agreements and advancements surrounding technical assessment agreements (TAA). She will also explain the impact of the ECR initiative on TAAs and the implications for the international trade industry.

Jennifer Maki works as counsel in the areas of export controls and economic sanctions, including the Office of Foreign Assets Control (OFAC), Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), Foreign Corrupt Practices Act (FCPA), Foreign Trade Regulations (FTR), and the National Industrial Security Program (NISP).

How did you get your start with ITAR compliance and how has the industry evolved since that time?

Jennifer Maki: I began working in the area of export controls and economic sanctions when I was a second year associate at a large law firm. I really enjoyed the tie between foreign policy initiatives and the regulations. As an associate, I was responsible for understanding the facts and details of large segments of investigations and business development matters for our clients.

The biggest evolution over the last few years has really been the increased awareness of the ITAR and related export control regulations. Big and small companies are becoming increasingly aware of the importance for export compliance. Small companies will receive export compliance certifications and reach out to large business partners or outside counsel for advice on the application of these regulations to their business. Medium sized companies will engage in classification exercises to expand sales of their products to new overseas markets. Large corporations are increasing their export compliance ranks to ensure their diverse business lines are compliant with the regulations, and to manage their global business networks.

What recent changes to export controls have created the biggest challenge for you and are there any changes on the horizon that you would like to know more about? (Second point is a stretch for this question, but it is one of the challenges we are facing)

JM: The ITAR Section 126.18 exemption has directly impacted our management of foreign persons on large overseas projects. Specifically, Section 126.18 was amended to modify the requirements for giving foreign persons access to technical data and defense articles. This exemption has changed our management of the foreign persons and their subcontractors working on large overseas contracts. 
Additionally, with the issuance of new consent agreements by DDTC, companies are constantly working to read and interpret the agreements to identify areas of concern that the regulators are focusing on. The constant challenge of addressing soft areas in a company’s compliance program can be difficult.  Each problem needs a different solution. As a result, companies use the information in the consent agreements published each year to make adjustments and improvements to their systems. 

Why should professionals be interested in knowing more about TAAs and what do you believe is the main challenge organizations face when going through the application process?

JM: Every company is different and every project, contract, or business line within a company can be different. As a result, each technical assistance agreement that a company uses is different.  The challenge for a company may be to address new and changing needs as the business or project evolves.  One project may involve a large host country national work force that will receive and have access to defense articles and the foreign persons will be trained to maintain and repair the defense articles. Another project, and separate TAA, may need certain authorization to exchange technical data for assembly and production that will be completed by foreign persons, and involve few, specialized other country nationals working in the U.S.

Each situation presents new and different regulatory concerns. As a result, one of the biggest challenges is ensuring that your TAA is not an off-the-shelf item. Rather, the creation of your TAA will require close cooperation between business management, controls, human resources, subcontractors and third parties, and experienced export compliance counsel.

How is the role of technology expanding within ITAR Compliance? Why should organizations be concerned with knowing more about the current status of Technology Controls and Electronic Data Transfers?

JM: The oversight and control of technical data in a corporation is challenging. For global companies with multinational work forces, this challenge is even greater when trying to manage access to export-controlled technical data. Sophisticated companies have robust systems and controls with capabilities to isolate the export-controlled technical data on the physical company networks.
For companies that are new to export compliance, or are in the process of developing systems that are capable of managing access to export-controlled technical data, technology transfers and electronic data transfers are a concern. These companies may have a system with limited access controls and are working to develop solutions for the prevention of deemed exports to a multinational workforce. The development of a system capable of managing access to export-controlled technical data, technology transfers and electronic data transfers is a key component of a company’s export compliance program. 

What do you believe attendees can gain most from attending this event?

JM: Conferences are a fantastic resource for any professional working in the area of export compliance. The opportunities that are presented at the marcus evans conferences are limitless. Attendees will learn from their industry peers, while sharing and exchanging ideas about achieving export compliance management within their companies. Regardless of your role in a company’s export compliance system, no one person can be aware of all export compliance regulatory updates, challenges or advances at a given time. This event is an opportunity to benchmark with your colleagues and hear how others are navigating the obstacles associated with export compliance.
For more information please contact Michele Westergaard, Senior Marketing Manager, Media & PR, Marcus Evans at 312-540-3000 ext. 6625 or Michelew@marcusevansch.com.

About marcus evans

marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.



Real OPSEC, Real Training-A Lesson From the Cold War


Operations Security (OPSEC) is a great tool to help protect sensitive information. The five step process is an outstanding resource and exercise to determine exactly what should be protected and how to do it. Understanding OPSEC and its application to a program, event or activity empowers the user to control information.

Having said that, many organizations miss the mark on OPSEC and security training. Too many times OPSEC is nothing more than a “bumper sticker” slogan. Meaning, if we invoke the magic words, we’ll be fully protected. However, nothing could be more harmful.

Here are a few examples of misguided OPSEC training from various security and OPSEC seminar and training venues. The word OPSEC was used many times, but the application and relevance never connected. In one event OPSEC meant to not throw away your plane tickets because a dumpster diver going through your home garbage would know that you had recently traveled. At another venue, attendees were told not to use family stickers or names on their cars because kidnappers would take their children. At another event others were taught to never, ever, EVER have a Facebook account because it would jeopardize national security. There are many more examples, not including the many posters with other irrelevant OPSEC slogans.

Though there is nothing inherently wrong with helping employees protect their families and homes, it has nothing to do with protecting sensitive parts of a program or mission. Such training could result in employees losing focus on what is important.

Okay, before you get upset with me for raining on the OPSEC parade, a little background is necessary. I’m a cold warrior. I served in Germany in the 80s when a threat was just behind the Iron Curtain. At the time we were well trained in what we could write home about, what we could say on the phone, and how to communicate our mission when we went on training exercises.

At the time OPSEC practitioners understood that soldiers traveled, communicated, and performed their duties in very public settings. However, they knew to focus protection efforts on what was not so visible. It was well worth the effort to train on how to determine what was sensitive and how to communicate effectively without giving the sensitive information away. So, they applied the Five Step OPSEC Process:

  • Identify Information You Want to Protect-Testing a big Cold War Antenna
  • Analyze the Threat-Cold War Bad Guys Looking at Our Capabilities
  • Analyze Vulnerabilities-Antenna Can Be Seen From Several Miles Away
  • Assess Risk-If Cold War Bad Guys See Our Antenna, They’ll Understand Our Capabilities
  • Apply Countermeasures-Erect Antenna Only On A Military Base And At Night, Don’t Discuss Antenna Or Mission Parameters Outside Of The Office, Etc.


This OPSEC assessment might be a little oversimplified, but it hopefully relays the intent of good OPSEC training. In many venues, OPSEC seems to teach risk avoidance, seemingly ignoring the first step of the OPSEC process. Instead of identifying information to protect (critical information), we ask everyone to stay off the internet or we direct training to protecting our homes and families. We never hit the essence.

These lessons also propose that security and OPSEC professionals go against enterprise policy. For example, I attended training where the instructors made comments such as “I hope you are not still using a mailbox” and “You and your cleared employees should NEVER use (insert your favorite social network: Facebook, LinkedIn, Twitter, etc.).” However, this is conflicting advice, as almost every government agency and defense contractor has a social network page. Enforcing such policy would go against existing enterprise practices. A security practitioner could never enforce it and would instantly lose credibility.

So, why not take a lesson from the Cold War and get back to basics? It’s better to understand what OPSEC is and identify and mitigate risks. Otherwise we lose focus and credibility by not assessing and protecting what is important.



