Thursday, November 24, 2016

Preparing Classified Information For Shipment

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The transmission of classified information is an important concern. Classified information should be controlled as it enters and leaves each facility, and each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let's find out.

Question:


5-401 Is classified information properly prepared for transmission outside the facility?

Here’s what NISPOM says on the subject. Our narrative follows:

5-401. Preparation and Receipting
a. Classified information to be transmitted outside of a facility shall be enclosed in opaque inner and outer covers. The inner cover shall be a sealed wrapper or envelope plainly marked with the assigned classification and addresses of both sender and addressee. The outer cover shall be sealed and addressed with no identification of the classification of its contents. A receipt shall be attached to or enclosed in the inner cover, except that CONFIDENTIAL information shall require a receipt only if the sender deems it necessary. The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.
c. When the material is of a size, weight, or nature that precludes the use of envelopes, the materials used for packaging shall be of such strength and durability to ensure the necessary protection while the material is in transit.

The classification level should be the first consideration when determining how to transmit classified information. Dissemination of TOP SECRET has more restrictions than SECRET or CONFIDENTIAL, and SECRET has more restrictions than CONFIDENTIAL. According to the NISPOM, classified information should be wrapped in opaque, durable material such as cardboard, envelopes, or boxes, and transmitted in a way that prevents accidental or unauthorized disclosure and makes tampering evident.

Inner Layer

The NISPOM does not say whether package seams should be reinforced. A good practice is to cover the seams with rip-proof opaque tape or similar material.
Next, the preparer should mark the top and bottom of each side of the inner wrapper with the proper classification level.

Then the preparer adds the “to” and “from” addresses and two copies of the receipt, either attached to the inner wrapper or enclosed inside it. The preparer should always coordinate with the intended recipient to give notice of the shipment and verify the mailing address. If the package is going to a cleared DoD contractor, the address can be verified online through the Industrial Security Facilities Database (ISFD) available through the Defense Security Service (DSS) website.
DSS recommends that the address on the inner wrapper include the name and office symbol of the intended recipient to expedite accurate delivery.

Contents that sit directly against the wrapper can, in some situations, be read or imaged through it. To prevent this, the preparer can place wrapping paper, patterned paper, or the receipts between the documents and the wrapper, or fold the documents so they cannot be read through it. DSS recommends classification cover sheets, Standard Form 703 (TOP SECRET), 704 (SECRET), or 705 (CONFIDENTIAL), to keep an adversary from reading or imaging the information during technical scanning. The caveat: a cover sheet protects the information itself but, if imaged, reveals that the contents are classified. If cover sheets are used, use the SF that matches the classification level of the information inside.

Outer Layer

The outer wrapper is the second line of defense for the classified information.
Once the classified information leaves the cleared facility, the level of protection drops sharply. The outer wrapper requirements are similar to those of the inner wrapper; the outer wrapper should fit the inner one closely to prevent looseness or movement that could fray or damage the inner wrapper's seams. The outside label should not identify the recipient by name; office numbers or symbols are used so that a classified package cannot be associated with a particular person. Shipment labels to contractors should be addressed to “FSO” or “Security”; labels to military agencies should be addressed to “Commander”.

Additionally, addressing deliveries to an authorized department ensures the package is received by authorized persons. Providing a person’s name on the outside label could cause problems if they are not around to receive it and could result in returned packages.


Alternate wrappings

Size, bulk, weight, mission requirements, or the physical makeup of an item can prevent transmission by traditional means; think of machines, vehicles, aircraft, missiles, or other cumbersome, odd-shaped, heavy, or oversized items. Briefcases, canvas courier bags, hard cases, shipping crates, large tarps, and other containers can serve as proper wrapping provided they are approved by DSS. The containers are part of a process that provides multiple layers of protection, denies accidental access, makes tampering evident, and keeps transport expedited.

VALIDATION:
·         Choose a designated location to prepare classified information for shipment
·         Publish comprehensive instructions, processes, and policies for sound security practices
·         Post reminders and instructions in designated areas
·         Use an information management system or similar technology to keep a pedigree of transmittal receipts
·         Demonstrate that the processes are taught to authorized employees in security awareness training or refresher training
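As an added illustration of the suspense system required by 5-401b and the "information management system" item in the validation list above, here is a small Python suspense file. This is example code written for this article, not a DSS tool and not anything prescribed by the NISPOM. The 30-day follow-up window is an assumed facility policy (the NISPOM requires the suspense system but sets no number of days), and the control numbers, offices and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed facility policy: how long to wait for a signed receipt before the
# FSO follows up. NISPOM 5-401b requires the suspense system but sets no
# number of days, so this value is a local choice, not a regulatory one.
DEFAULT_DUE_DAYS = 30

LEVELS = ("TOP SECRET", "SECRET", "CONFIDENTIAL")


@dataclass
class Transmittal:
    control_number: str            # facility-assigned document control number
    classification: str            # one of LEVELS
    sender: str                    # office symbol only; never classified text
    addressee: str
    sent_on: date
    receipt_required: bool
    receipt_returned_on: Optional[date] = None

    @property
    def is_open(self) -> bool:
        """Open means a receipt is owed and has not been logged yet."""
        return self.receipt_required and self.receipt_returned_on is None


class SuspenseFile:
    """Suspense system for 5-401b: each receipt-bearing shipment stays open
    until the signed receipt is logged, and anything older than the due
    window is reported as overdue."""

    def __init__(self, due_days: int = DEFAULT_DUE_DAYS):
        self.due_days = due_days
        self._items = {}           # control number -> Transmittal (insertion ordered)

    def record_shipment(self, control_number, classification, sender, addressee,
                        sent_on, receipt_required=None):
        level = classification.upper()
        if level not in LEVELS:
            raise ValueError(f"unknown classification {classification!r}")
        if control_number in self._items:
            raise ValueError(f"control number {control_number} already in suspense")
        # 5-401a: a receipt is mandatory for TOP SECRET and SECRET; for
        # CONFIDENTIAL it is the sender's call, so default it to "not required".
        if receipt_required is None:
            receipt_required = level != "CONFIDENTIAL"
        elif not receipt_required and level != "CONFIDENTIAL":
            raise ValueError(f"receipt is mandatory for {level}")
        item = Transmittal(control_number, level, sender, addressee, sent_on, receipt_required)
        self._items[control_number] = item
        return item

    def record_receipt(self, control_number, returned_on):
        item = self._items[control_number]
        if not item.receipt_required:
            raise ValueError("no receipt was required for this shipment")
        if returned_on < item.sent_on:
            raise ValueError("receipt cannot predate the shipment")
        item.receipt_returned_on = returned_on
        return item

    def open_items(self):
        return [i for i in self._items.values() if i.is_open]

    def overdue_items(self, as_of):
        cutoff = as_of - timedelta(days=self.due_days)
        return [i for i in self.open_items() if i.sent_on <= cutoff]


def build_sample_file() -> SuspenseFile:
    """Constructed sample data; control numbers, offices and dates are made up."""
    f = SuspenseFile()
    f.record_shipment("16-0412", "SECRET", "Security, Example Corp",
                      "Security, Example Subcontractor", date(2016, 10, 3))
    f.record_shipment("16-0418", "CONFIDENTIAL", "Security, Example Corp",
                      "Commander, Example Command", date(2016, 10, 5),
                      receipt_required=False)        # sender deemed no receipt necessary
    f.record_shipment("16-0420", "TOP SECRET", "Security, Example Corp",
                      "FSO, Example Partner Inc", date(2016, 11, 1))
    f.record_receipt("16-0420", date(2016, 11, 10))   # signed receipt came back
    f.record_shipment("16-0425", "SECRET", "Security, Example Corp",
                      "FSO, Example Partner Inc", date(2016, 11, 15))
    return f


def overdue_control_numbers(as_of: date = date(2016, 11, 24)) -> list:
    """Control numbers the FSO should chase as of the given date."""
    return [i.control_number for i in build_sample_file().overdue_items(as_of)]


if __name__ == "__main__":
    for cn in overdue_control_numbers():
        print("overdue receipt:", cn)
```

Two design points worth keeping in a real system: the record holds only what the receipt itself may hold (sender, addressee, document control number), so the suspense file never becomes a classified record, and a CONFIDENTIAL shipment is allowed to close without a receipt only because the sender said so at record time, not by default after the fact.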


Thursday, October 27, 2016

NISPOM Chapter 5, physical protection of classified material at cleared contractor locations

In our continuing effort to bring you the latest in protecting national security, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Our intent is to address major changes, excluding administrative updates. Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

The first topic in this article is NISPOM Chapter 5, physical protection of classified material at cleared contractor locations.

This begins with paragraph 5-303, which is completely struck out. No comment here except to say they drew the line in the sand in 2006 and finally erased it in 2016. Hopefully, four years to the month after the October 1, 2012 expiration date, these steel cabinets and sub-par containers are no longer an issue.


5-303. SECRET Storage. SECRET material shall be stored in a GSA-approved security container, an approved vault, or closed area. Supplemental controls are required for storage in closed areas. The following additional storage methods may be used until October 1, 2012:
a. A safe, steel file cabinet, or safe-type steel file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours.
b. Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock. The keepers of the rigid metal lock bar shall be secured to the cabinet by welding, rivets, or bolts so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container shall be held securely so their contents cannot be removed without forcing open the drawer. This type of cabinet will be accorded supplemental protection during non-working hours.

Paragraph 5-311 also removes the reference to that bygone era and rearranges its subparagraph structure.


The second topic is Chapter 9 Special Requirements.

Chapter 9 section 1 is completely removed and language concerning RD and FRD is re-written guidance in a new Appendix D. We will cover the specific changes when we write about appendix updates at a later date.

Similarly, Chapter 9 section 3 is completely removed and a new paragraph is added:

Paragraph 9-300. Background General. This section was prepared by CIA in accordance with reference (a) and is provided for information purposes only. It contains general information on safeguarding intelligence information. Intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes. General. National intelligence is under the jurisdiction and control of the DNI, who establishes security policy for the protection of national intelligence and intelligence sources, methods, and activities. In addition to the guidance in this Manual, contractors shall follow IC directives, policy guidance, standards, and specifications for the protection of classified national intelligence and SCI. Contractors are not authorized to further disclose or release classified national intelligence and SCI (including to a subcontractor) without prior written authorization of the originating IC element.

The NISPOM now provides much less guidance on protecting national intelligence than it did previously. In this latest change, the NISPOM recognizes the jurisdiction of the Director of National Intelligence and defers to DNI requirements. All definitions and guidance are removed, and contractors are advised to follow Intelligence Community guidance and instructions when working with intelligence information. Contractors should also request guidance from the originating Intelligence Community element and receive it in writing prior to disclosing or releasing classified national intelligence and SCI.

Contractors should closely work with the government contracting agency issuing the contract, the government program office, DNI guidance and instructions, DD Form 254, and security classification guidance to ensure proper handling and protection while working with national intelligence.

This completes the major updates to safeguarding classified information given through the NISPOM Conforming Change 2.

Cleared contractors who need assistance with NISPOM requirements can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, take a look at our print version of the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aid. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download it and present it to cleared employees. The presenter can read the notes word for word or edit them to provide a tailored briefing appropriate for their organization.

Have a book ready to publish? Why not contact us? www.redbikepublishing.com/publish-with-us



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Friday, October 21, 2016

Summary of Changes in NISPOM Conforming Change 2, Marking Classified Material

In our continuing effort to bring the latest to National Industrial Security Program (NISP) contractors, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

As a reminder, our intent is to address major changes rather than administrative updates. Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

This leads us to today’s article; changes to how classification markings are applied. Throughout the article we write in actual verbiage from the “Summary of Changes” in its original format and edits.

Text in blue represents NISPOM Conforming Change 1 material and text in red is Change 2 material.

This brings us to NISPOM Paragraph 4-208. Markings for Derivatively Classified Documents.

a. CLASSIFIED BY Line. The purpose of the “Classified By” line is to identify the person who applies derivative classification markings for the document. If not otherwise evident, the line will include the agency contractor and, where available, the office of origin will be identified and follow the name and position or personal identifier of the derivative classifier.

This clarifies that the contractor performing derivative classification is identified, not the government agency the contractor supports. This further identification implies a few requirements:
1. The derivative classifier is indeed trained to make such a decision
2. The derivative classifier is responsible for proper classification markings
3. The derivative classifier can be held responsible for content
4. The derivative classifier can be later contacted for further information

The previous NISPOM Conforming Change 1 combined the two topics in subparagraph d; Change 2 separates them, assigning the “CLASSIFIED BY” line to subparagraph a and “REASON CLASSIFIED” to subparagraph e. This clarification and separation of requirements further stresses the importance of the contractor's responsibility to understand classification instructions and responsibilities. The instructions should be specifically outlined in the DD Form 254 and the accompanying security classification guide.

Additionally, the persons providing the derivative classification should be authorized to do so. The FSO should document derivative classifier training, those authorized to perform derivative classification, and ensure that cleared employees understand the classified work as required in contracting, programmatic, NISPOM, DD Form 254 and SCG documentation.

d. e. "CLASSIFIED BY" Line and "REASON CLASSIFIED" Line. As a general rule, a "Classified By" line and a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a "Classified By"line to identify the derivative classifier and a "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

e. "REASON CLASSIFIED" Line. As a general rule, a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

REASON CLASSIFIED should only be applied to originally classified documents. As a rule, cleared defense contractors perform derivative classification when they generate classified material. However, there may be cases where cleared contractors produce originally classified documents. Where derivative classification occurs, contractors should not mark classified information with REASON CLASSIFIED unless required in the SCG.

This administrative update separates the once combined CLASSIFIED BY and REASON CLASSIFIED lines. For clarity, these lines have been provided new sub-paragraph numbers. Though an administrative and clarification update, we will cover this as it supports a major change to Paragraph 4-210b.

Paragraph 4-210b: b. E-mail and other Electronic Messages.
Electronically transmitted messages shall be marked in the same manner required for other documents except as noted. The overall classification of the message shall be the first item of information in the text and shall be displayed at the top and bottom of each message. A “Classified By” line, a "Derived From" line, a “Declassify On” line, is and portion markings are required on messages. Certain agencies may also require that messages contain a "Reason Classified" line in order to identify the specific reason for classification, which is carried over from the source document(s) or classification guide. Instructions for the use of such lines will be included in the security classification guidance provided with the contract documents.
4-210b removes the crossed-out verbiage above to make it clear that REASON CLASSIFIED applies only to originally classified material, unless the contract's classification guidance instructs that it be included on e-mail and electronic messages that are derivatively classified. The REASON CLASSIFIED line is already addressed in 4-208e.
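To make the 4-210b requirements concrete, here is an added Python checker that lints an electronic message against them: banner first and repeated at the bottom, the three required lines, a Reason Classified line only when the contract's classification guidance demands it, and a portion marking on every text line that does not exceed the banner. This is example code written for this article, not part of the original post and not a DSS tool. The sample messages are constructed with placeholder text; the portion-marking syntax it parses (a bare level in parentheses, no control markings) and the final over-marking warning are assumptions, since 4-213 allows a compilation to carry a higher overall marking than any single portion.

```python
import re

# Overall (banner) markings and the portion-marking abbreviations they map to.
BANNER_TO_PORTION = {"UNCLASSIFIED": "U", "CONFIDENTIAL": "C",
                     "SECRET": "S", "TOP SECRET": "TS"}
RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Lines 4-210b requires on every derivatively classified message, plus the
# one that is required only when the security classification guidance says so.
REQUIRED_LINES = ("Classified By:", "Derived From:", "Declassify On:")
OPTIONAL_LINES = ("Reason Classified:",)

# Assumption: portions are marked with a bare level in parentheses followed by
# whitespace. Control markings (e.g. NOFORN) are not parsed by this checker.
PORTION_RE = re.compile(r"^\((U|C|S|TS)\)\s")


def check_message(text: str, reason_required: bool = False) -> list:
    """Return a list of marking findings; an empty list means the message
    passes every check below."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if not lines:
        return ["empty message"]
    findings = []

    # Rule 1: the overall classification is the first item of information.
    top = lines[0].strip()
    if top not in BANNER_TO_PORTION:
        return [f"first line is not an overall classification banner: {top!r}"]
    overall = RANK[BANNER_TO_PORTION[top]]

    # Rule 2: the same banner is displayed at the bottom of the message.
    if lines[-1].strip() == top:
        body = lines[1:-1]
    else:
        findings.append("bottom banner missing or does not match top banner")
        body = lines[1:]

    # Rule 3: Classified By / Derived From / Declassify On are present;
    # Reason Classified only when the contract's guidance requires it.
    for label in REQUIRED_LINES:
        if not any(line.startswith(label) for line in body):
            findings.append(f"missing '{label}' line")
    if reason_required and not any(line.startswith(OPTIONAL_LINES[0]) for line in body):
        findings.append(f"missing '{OPTIONAL_LINES[0]}' line")

    # Rule 4: every text portion is marked, and no portion exceeds the banner.
    highest = 0
    admin = REQUIRED_LINES + OPTIONAL_LINES
    for line in body:
        if not line.strip() or line.startswith(admin):
            continue
        m = PORTION_RE.match(line)
        if not m:
            findings.append(f"unmarked portion: {line[:40]!r}")
            continue
        level = RANK[m.group(1)]
        highest = max(highest, level)
        if level > overall:
            findings.append(f"portion marked above the overall classification: {line[:40]!r}")
    # Assumed check: a banner higher than every portion is either over-marking
    # or a compilation, which 4-213 says must be justified by the SCG.
    if highest < overall:
        findings.append("no portion reaches the banner level; expect compilation "
                        "guidance (4-213) or a lower overall marking")
    return findings


# Constructed sample: correctly marked message with placeholder portions.
GOOD_MESSAGE = """\
SECRET
Classified By: J. Doe, Program Security, Example Corp
Derived From: Example Program SCG, dated 1 Jan 2016
Declassify On: 20260101

(U) Team,
(S) Placeholder standing in for a classified sentence.
(U) Regards, J. Doe
SECRET
"""

# Constructed sample with four defects: no bottom banner, no Classified By
# line, an unmarked portion, and a portion marked above the banner.
BAD_MESSAGE = """\
SECRET
Derived From: Example Program SCG, dated 1 Jan 2016
Declassify On: 20260101

(U) Team,
Meeting moved to Thursday.
(TS) Placeholder standing in for a classified sentence.
"""

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, check_message(msg) or "OK")
```

Run it as a pre-send hook on an unclassified test system with constructed messages like these; pointing a script at real classified traffic is a matter for the ISSM and the system's accreditation, not for a blog example.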

Paragraph 4-213. Marking Compilations. In some instances, certain information that would otherwise be unclassified when standing alone may require classification when combined or associated with other unclassified information. The determination that information requires classification by compilation will be based on specific guidance regarding compilation provided in a Contract Security Classification Specification or a security classification guide. If specific guidance is absent, the contractor will obtain written guidance from the applicable GCA.
When classification is required to protect a compilation of such information, the overall classification assigned to the compilation shall be conspicuously affixed. The reason for classifying the compilation shall be stated at an appropriate location at or near the beginning of the compilation.

The NISPOM Conforming Change 2 addition to paragraph 4-213 requires a specific source for determining the classification of the compilation. This information should be found in the SCG. For example, the top speed of a vehicle may be unclassified and the fact that the vehicle has good traction in mud may be unclassified. However, providing the top speed through mud might be classified and should be addressed in the SCG. If there is insufficient guidance, the contractor should contact the government program office and get clarification in writing. The contractor should also get guidance on how to treat the information until the program office provides the written guidance.

This completes the major updates to marking classified information given through the NISPOM Conforming Change 2. Next time we will cover safeguarding classified information.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, try the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aid. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download it and present it to cleared employees. The presenter can read the notes word for word or edit them to provide a tailored briefing appropriate for their organization.





Monday, October 10, 2016

NISPOM Questions


Taking practice tests is one of the best ways to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. The same methodology can help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.


Try these questions to see how you do:




1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary
b. Storage in steel filing cabinets do not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL 
e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA 
c. ISSM
d. FSO
e. DIA

4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO 
c. CSA
d. FBI
e. NSA






Scroll down for answers:






1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary (NISPOM 5-304)
b. Storage in steel filing cabinets do not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL (NISPOM 10-713)
e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA (NISPOM 11-101)
c. ISSM
d. FSO
e. DIA


4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO (NISPOM 5-312)
c. CSA
d. FBI
e. NSA

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification and DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide study material that may help with passing the ISP and SPeD certification exams.

Friday, September 30, 2016

NISPOM Summary Of Changes-Training


Red Bike Publishing authors are continuously searching for topics of interest for the facility security officer (FSO). Many articles have been free flow while more have reflected how to employ the Self-Inspection Handbook for NISP Contractors. We are about to introduce a new limited series of articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. This series of articles will filter and prioritize the topics to be addressed. Topics that have already been covered in previous articles and simple administrative changes are filtered out and not addressed. Only major changes not otherwise written about in previous articles will be added.

This leads us to today’s article; changes to the Initial Security Briefings and Refresher Training. Pasted below is the actual verbiage in its original format and edits, taken from the Summary of Changes.

Paragraph 3-106 3-107. Initial Security Briefings.

 Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
a.      A threat awareness security briefing, including insider threat awareness in accordance with paragraph 3-103b of this Manual.

b.      A defensive security counterintelligence awareness briefing.

c.       An overview of the security classification system.

d.      Employee reporting obligations and requirements, including insider threat.

e.      Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual).

f.        Security procedures and duties applicable to the employee's job.

3-107 Summary:
This section is now moved to paragraph 3-107 and changes the names of briefings and adds new briefing and training requirements. The FSO should be prepared to conduct a gap analysis of current practices as compared to what is now required.  Once analyzed, the FSO should develop a plan to update policies, training, memorandums, and practices to ensure compliance.

3-107 Specifics
3-107a. The threat awareness briefing is now called the threat awareness security briefing. The name change comes with the addition of insider threat awareness. This information is covered in an earlier article that you can read here. All corporate references to threat awareness briefings should be updated to reflect the change, and insider threat awareness should be developed and incorporated into the training or provided as stand-alone training.

3-107b. The defensive security briefing is now called the counterintelligence awareness briefing. The name has changed, but no new training requirement is detailed other than the administrative name change.

3-107c. No change

3-107d. This sub paragraph adds insider threat reporting requirement as addressed in the earlier article.  Insider threat reporting is required for the insider threat program and as a sub element to insider threat awareness.

3-107e. This is a new sub paragraph that requires initial and annual refresher cybersecurity awareness training for all authorized IS users (whether or not classified systems). According to 8-101c, the cybersecurity awareness requirement is:

…all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP. The contractor will determine the appropriate content of the security training taking into consideration, assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access.

The contractor can design and determine the content. The content should include protecting access to the IS, protecting the content of the IS, recognizing attempts to gain unauthorized access to the IS (phishing, hacking, and other known adversary methods), countermeasures to protect the IS, and so on.

Many training resources address the following IS user responsibilities as described in NISPOM Paragraph 8-103c:

Employee users with access to IS should be trained to comply with the following requirements:
 (1) Comply with the ISs security program requirements as part of their responsibilities for the protection of ISs and classified information.
(2) Be accountable for their actions on an IS.
(3) Not share any authentication mechanisms (including passwords) issued for the control of their access to an IS.
(4) Protect authentication mechanisms at the highest classification level and most restrictive classification category of information to which the mechanisms permit access.
(5) Be subject to monitoring of their activity on any classified network and the results of such monitoring could be used against them in a criminal, security, or administrative proceeding.

Additionally, there are many resources available for those who do not have the means to develop their own cybersecurity training. The DoD has an excellent training site available for CAC and non-CAC users at https://ia.signal.army.mil/login.asp.


3-107f. is formerly sub paragraph e and there are no new requirements.

Paragraph 3-107 3-108. Refresher Training. The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations. See paragraph 8-103c of chapter 8 of this Manual for the requirement for IS security refresher training. Training methods may include group briefings, interactive videos, dissemination of instructional materials, or other media and methods. Contractors shall maintain records about the programs offered and employee participation in them. This requirement may be satisfied by use of distribution lists, facility/department-wide newsletters, or other means acceptable to the FSO.

3-108 Summary: This paragraph is renumbered to 3-108 and adds the IS Security Refresher Training requirement to the refresher training.

3-108 Specifics: A quick look at the manual reveals that 8-103c does not describe IS security refresher training, but it does address user responsibilities. We feel that paragraph 3-107e describes the initial training and should be sufficient for refresher training as well. The refresher training can also consist of topics found in 8-103c to ensure coverage of employee responsibilities while using an IS. The same resources cited earlier can be used for the cybersecurity refresher training.

Application
As written earlier, the FSO should perform a gap analysis of current practices vs. required practices. Once analyzed, the FSO should develop a plan to update policies, training, memorandums, practices and reference materials to ensure compliance.

Administrative Changes: This analysis should involve not only processes and procedures but also reference materials. For example, if training cites the refresher training requirement as paragraph 3-107 and it is now 3-108, the reference material should be updated. Though this article does not address the administrative changes and paragraph realignments, the FSO should update policies, procedures, instructions, training, and anything else that makes specific reference to the NISPOM. Where the references now differ (e.g., paragraph 3-107 is now 3-108), the referring material should be updated to reflect the changes.

New requirements: Where new training, policies or procedures are required, the FSO should ensure these are integrated into current practices. If processes and procedures are no longer required, they should be removed.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more that they can purchase, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization. 

Friday, September 23, 2016

Appointing the Insider Threat Program Senior Official (ITPSO)


This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP).  As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

Question:

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?

NISPOM Reference: 1-202b, 1-202c, 2-104

 1-202b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. This Insider Threat Program Senior Official may also serve as the FSO. If the designated senior official is not also the FSO, the contractor’s Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor’s implementation program for an insider threat program.

 1-202c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.

 2-104 PCLs Required in Connection with the FCL. The senior management official, the FSO and the Insider Threat Program Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.

Discussion:


The best method for ensuring compliance is to begin the Insider Threat Program with the appointment of an Insider Threat Program Senior Official. This appointment can be executed on corporate letterhead and signed by the authority responsible for approving such actions.

The appointed individual could be the FSO. If it is not the FSO, the program should still include the FSO, as the primary purpose of the ITP is to address the threat to national security. Who better to include than the person responsible for the security program that protects national security information?

The qualifications of the ITPSO follow:
  • U.S. citizen
  • Employee
  • Senior official
  • Security clearance at the same level as the facility clearance, to establish and execute an insider threat program

If the FSO is not the designated official, the FSO is an integral member of the program.

 The appointment letter can be a simple paragraph stating the following as provided by the CDSE in their Sample Insider Threat Program Plan:

 _(ITPSO Name)_______ is designated as the Insider Threat Program Senior Official (ITPSO) for __(Company Name)_.  As such, the ITPSO will lead the effort to establish policy and assign responsibilities for the Insider Threat Program (ITP). The ITPSO will lead the ITP as they seek to establish a secure operating environment for personnel, facilities, information, equipment, networks, or systems from insider threats.

The ITP applies to all staff offices, regions, and personnel with access to any government or contractor resources to include personnel, facilities, information, equipment, networks, or systems.

The ITPSO is responsible for daily operations, management, and ensuring compliance with the minimum standards derived from Change 2 to DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).”

Cleared contractors under the NISP should take time to review the NISPOM and the questions in The Handbook for further guidance on the ITP. The ultimate goal is to assign an ITPSO who will lead a team of trained ITP personnel to implement an effective insider threat program. The program begins with a plan, and that plan begins with the designation of the ITPSO and documenting the activity in writing.

EVIDENCE: Name of Senior Official in writing

 
Validation:
Provide a copy of the ITPSO appointment memorandum.

For insider threat awareness training and security awareness training, visit our page at:
http://www.redbikepublishing.com/training/

Monday, September 12, 2016

ISP Certification Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
Try these questions to see how you do:

1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees 
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor 
d. Host installation

Scroll down for answers:



1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees (NISPOM 5-906d)
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship (NISPOM 6-102)
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor (NISPOM 6-105c)
d. Host installation


According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.