Monday, July 9, 2018

NISPOM Based Certification Questions



These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams.

Here's how to use our study guide:

1. Use hard copy or download online version of NISPOM to search for answers.

http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf


2. Mark best answer for each choice.

3. Once complete, check your answers against the answer key below.


Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
We've updated our manual for NISPOM Change 2.

Have a go at some new questions. Try these to see how you do:


1. In situations of classified information inadvertently released as UNCLASSIFIED, the contractor’s notice shall be classified _____ unless it contains information for higher classification.
a. UNCLASSIFIED
b. FOR OFFICIAL USE ONLY
c. SECRET
d. TOP SECRET
e. CONFIDENTIAL

2. Which of the following contract information requires GCA approval before release to the public?
a. Release of unclassified information on a classified contract
b. The fact that a contract has been received
c. The method of contract
d. The fact that a contract is negotiated
e. Whether or not the contract requires hiring or terminating of employees

3. The DD Form 1540 is submitted through the _____?
a. CSA
b. GCA
c. Prime Contractor
d. A and C
e. B and C

Scroll down for answers

Answer key:
1. In situations of classified information inadvertently released as UNCLASSIFIED, the contractor’s notice shall be classified _____ unless it contains information for higher classification.
a. UNCLASSIFIED
b. FOR OFFICIAL USE ONLY
c. SECRET
d. TOP SECRET
e. CONFIDENTIAL (NISPOM 4-218b)

2. Which of the following contract information requires GCA approval before release to the public?
a. Release of unclassified information on a classified contract (NISPOM 5-511)
b. The fact that a contract has been received
c. The method of contract
d. The fact that a contract is negotiated
e. Whether or not the contract requires hiring or terminating of employees

3. The DD Form 1540 is submitted through the _____?
a. CSA
b. GCA
c. Prime Contractor
d. A and C
e. B and C (NISPOM 11-202a)



So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification and DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Establishing the Insider Threat Program Plan

This article addresses establishment of the Insider Threat Program Plan. The article is derived from the Self Inspection Handbook for NISP Contractors and uses its format to walk through the self-inspection criteria. We begin with the topic question, then the NISPOM reference, an explanation of the requirements, and finally how to inspect compliance.
Topic Question(s):
Has the company developed and implemented an insider threat program plan endorsed by the ITPSO?

Do you have a written program plan that has been self-certified to DSS as current and implemented?

EVIDENCE: Provide the policy, internal guidelines, and procedures.

If you do not have an insider threat program established, do you have an implementation plan, roadmap, or milestones for establishing your program?

EVIDENCE: Provide the implementation plan or milestones way ahead.

NISPOM Reference(s):
1-202a

Discussion:
Once the Insider Threat Program Senior Official (ITPSO) is designated, the Cleared Defense Contractor (CDC) enterprise can begin to create an Insider Threat Program (ITP) that will be endorsed by the ITPSO. The ITPSO should then begin the next tasks: build the ITP team, develop the ITP, and develop the required Insider Threat Training. These topics will be covered in future articles.

The ITPSO should establish the program to prevent, detect, or stop a trusted employee from committing espionage or sabotage to the CDC and their product or contract deliverables.

ITP Guidance

Elements of a successful insider threat program are listed in the NISPOM. NISPOM guidance can be used as measurable criteria to establish and determine ITP effectiveness. The NISPOM has identified the following requirements to establish an Insider Threat Program:

1. Designate an Insider Threat senior official
2. Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
3. Establish an Insider Threat Program group
4. Provide Insider Threat training
· cleared employees (initial security briefing and follow-up briefings)
· cleared employees assigned insider threat program responsibilities
5. Monitor classified network activity
6. Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
7. Conduct self-inspections of Insider Threat Programs

ITP Goals

The Insider Threat Program should be used to develop awareness of, and respond to, information indicative of potential or actual insider threats. ITP goals should be to:

1. Gather insider threat information: what evidence is available that suggests a potential or actual insider threat (actions, observations, direct communication, tampering, etc.)
2. Integrate gathered information: develop a communication channel to report such information to the ITP. The ITP should understand how to gather, respond to, and report relevant information
3. Report relevant and available insider threat information as required by:
· Executive Order (EO) 13587, which directs the heads of agencies that operate or access classified computer networks
· National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs
· The catchall: as required by the appropriate CSA (DSS)

CDCs that do not have an ITP at this point should have a strategy or plan outlining how they will achieve compliance. This plan should outline how they will appoint the ITPSO, establish the working group, and apply the guidance. The plan should have milestones and measurable results that DSS can review and understand.

Validation:
1. ITPSO is appointed in writing. Appointment is available for review.
2. Written policy, procedures, and/or guidelines are available demonstrating how the ITP is applied and measured.
3. Where no policy is in place, a roadmap or “get healthy” plan is available.
4. ITP team members are identified and trained (certificates or memorandums of record)
5. CDC employees have received insider threat training (certificates or memorandums of record)

Insider Threat Programs and appropriate training are required of all CDCs. CDCs should appoint an ITPSO in writing and establish the ITP with the goal of gathering, integrating, and reporting insider threat information.



Selecting the Insider Threat Program Senior Official

This article addresses the designation of the Insider Threat Program Senior Official (ITPSO). The article is derived from the Self Inspection Handbook for NISP Contractors and uses its format to walk through the self-inspection criteria. We begin with the topic question, then the NISPOM reference, an explanation of the requirements, and finally how to inspect compliance.
Topic Question(s):

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?
EVIDENCE: Name of Senior Official in writing

NISPOM Reference(s):
1-202b, 1-202c, 2-104

Discussion:
The Insider Threat Program (ITP) is established to prevent, detect, or stop a trusted employee from committing espionage or sabotage against the Cleared Defense Contractor (CDC) and its products or contract deliverables. The ITP is also scoped to protect CDC employees from insider threat actions. The ITP is a requirement covered in the National Industrial Security Program Operating Manual (NISPOM), E.O. 13587, and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.

Cleared Defense Contractors (CDC) should designate an employee to establish, execute, and manage the Insider Threat Program (ITP). The first step is to designate a “Senior Official” with the following qualifications:

1. U.S. citizen
2. Company employee
3. Senior official within the company
4. Security clearance at the same level as the facility clearance (FCL), in order to establish and execute an insider threat program
· If the FCL is TOP SECRET, then the ITPSO must also have a TOP SECRET clearance
5. Could be the FSO; even if the FSO is not the designated official, the FSO is an integral member of the program

Some larger corporations may have separate legal entities. If the corporation desires one ITPSO to serve corporate-wide, each cleared legal entity should designate that person as its ITPSO.

Once the ITPSO is designated, the enterprise can begin to create an Insider Threat Program that will be endorsed by the ITPSO. The ITPSO should begin the next tasks to build the ITP team and develop the ITP and the required Insider Threat Training. These topics will be covered in future articles.

Validation:
1. ITPSO is designated in writing and documentation is available for review.
2. Designated ITPSO meets all the qualifications required, as demonstrated in training records available for review.




Sunday, June 3, 2018

NISPOM Certification Questions (May help with NCMS ISP and DoD SPeD Certification)



Try these questions to see how you do:


1. Contractors shall conduct formal self-inspections at intervals consistent with:
a. Risk management principles
b. DSS inspection dates
c. FSO determination
d. Previous results
e. All of the above

2. All classified information and material should be marked to clearly convey:
a. Level of classification
b. Portions that reveal classified
c. Portions that contain classified
d. Period of time protection is required
e. All the above

3. NATO has the following levels of security classification EXCEPT:
a. COSMIC TOP SECRET
b. NATO SECRET
c. NATO CONFIDENTIAL
d. NATO RESTRICTED
e. NATO TOP SECRET

Scroll down for answers

Answer key:
1. Contractors shall conduct formal self-inspections at intervals consistent with:
a. Risk management principles (NISPOM 1-206b)
b. DSS inspection dates
c. FSO determination
d. Previous results
e. All of the above

2. All classified information and material should be marked to clearly convey:
a. Level of classification
b. Portions that reveal classified
c. Portions that contain classified
d. Period of time protection is required
e. All the above (NISPOM 4-200)

3. NATO has the following levels of security classification EXCEPT:
a. COSMIC TOP SECRET
b. NATO SECRET
c. NATO CONFIDENTIAL
d. NATO RESTRICTED
e. NATO TOP SECRET (NISPOM 10-701)







Classified Destruction


Cleared Defense Contractors (CDC) should operate security programs designed to protect classified information from receipt to disposition. This article addresses the safe and secure destruction of classified information. The article is based on the Self Inspection Handbook for NISP Contractors and uses its format to walk through the self-inspection criteria. We begin with the topic question, then the NISPOM reference, an explanation of the requirements, and finally how to inspect compliance.

Topic Question(s):
Is retention authority requested as required? 5-701, 5-702
Is classified material destroyed as soon as possible after it has served its purpose? 5-704
Is an effective method of destruction employed that meets NISPOM standards? 5-705
Is classified material destroyed by appropriately cleared authorized personnel who fully understand their responsibilities? (may include appropriately cleared subcontractor personnel) 5-706
Is classified waste properly safeguarded until its timely destruction? 5-708

NISPOM Reference(s):

NISPOM 5-701. Retention of Classified Material

5-704. Destruction

5-705. Methods of Destruction

5-706. Witness to Destruction

5-707. Destruction Records

5-708. Classified Waste

Discussion:

Classified Retention NISPOM 5-701
Per NISPOM guidance, contractors may retain classified information beyond two years provided they have authorization. Though the classified contract may have terminated, there may be relevant work the contractor must still perform, and adequate justification can warrant approval. The contractor cannot assume this approval; retention authority must be actively pursued by the contractor through an extension request to the GCA or through the prime contractor. Upon approval, the issuing authority should submit a final DD Form 254 to reflect the change.
Classified Destruction NISPOM 5-704
Where retention is not necessary or not permitted by the GCA, classified information must be destroyed or returned as soon as it has served its purpose. This destruction should be made a priority and executed as soon as possible. The Facility Security Officer is key in developing a system to evaluate the classified information to determine disposition. Where destruction is required, it should only be conducted using approved methods.
Methods of Destruction 5-705
There are many approved methods for destroying classified material based on its composition. For example, paper products can be shredded, burned, pulped or pulverized. Once a method is employed, the destroyed material should be evaluated to ensure that nothing legible (visual or otherwise) remains. This means that if classified paper documents are burned in a pit or barrel, for example, the ashes should be stirred regularly to ensure all the paper has been burned. One might be surprised how resilient paper can be when grouped in booklet form. Additionally, the shredding of classified information should only be accomplished using NSA-approved equipment rated for the classification level of the information being destroyed.
Commercial enterprises and vendors also provide destruction services. Burn facilities operate at temperatures hot enough to burn paper in bulk, computers, hard drives and other media. Shredding services exist that have mobile NSA-approved shredders. However, DSS approval should be acquired prior to using such services.
Witness to Destruction 5-706
Two people are required to destroy and document the destruction of TOP SECRET information. Both parties should sign all receipts and personally observe the method of destruction. The destruction of SECRET and CONFIDENTIAL information, on the other hand, requires only one person.
Classified Destruction Documentation 5-707
The destruction records for TOP SECRET information should be maintained for two years. Just as TOP SECRET information is introduced into inventory, it should exit the same way. Though not required for SECRET and below, it is a good practice to maintain destruction records for SECRET and CONFIDENTIAL as well. This documentation helps determine the disposition of classified information during inspections and inventories. A good information management system such as Sims Software can perform these tracking and accountability tasks.
Classified Waste 5-708
Classified information should be destroyed the same day it is removed from the cleared facility. While awaiting destruction, it should be protected at its level of classification. Collection boxes, bags, etc. should carry classification markings, storage areas should be guarded, and the classified waste should be prepared for transmission by the same methods as all other classified information as described in NISPOM. Wrappings, receipts, escorts, etc. should be employed at all stages of transport from origin to destruction. Everything that cleared employees have learned about safeguarding classified information and other NISPOM training topics should be applied here. For example, where classified information is scheduled for destruction off the cleared contractor facility property, it should be removed from classified holdings, double wrapped and marked properly, and escorted for the entire journey to the destruction site. The destruction should be observed and destruction receipts / certificates annotated.
Steps for destroying classified information:
1. Evaluate the contracts, work products, and DD Form 254s for any disposition instructions.
2. Determine which classified information should be destroyed.
3. Determine the destruction method based on the format of the classified information.
4. Remove classified information from inventory and prepare for destruction:
a. annotate removal in information management systems
b. gather information and wrap and mark packages for removal (double wrap, bag, classified markings, etc.)
5. Develop a transportation plan; identify escorts and/or destruction personnel.
6. Rehearse the transportation plan and notify DSS if removing from the facility. Ensure DSS approval if destroying classified information at commercial facilities.
7. Provide NISPOM Training such as Derivative Classifier Training, Insider Threat Training, and Security Awareness Training to ensure the destruction process is accomplished per NISPOM standards.
8. Complete destruction receipts / certificates as required.

Validation:
1. Provide classified holdings review schedule (information management system or other listing)
2. Provide list of classified contract subject matter experts and those who have validated classified disposition decisions (trained by FSO or representative)
3. Provide DSS approvals for destruction methodologies, transportation plans, and commercial destruction facilities
4. Provide destruction plan for disposition of classified information by format
5. Produce destruction certificates / receipts
