Saturday, August 18, 2018

Security Clearances and Information Technology


Remember the old saying, “Rank has its privilege”? It’s not always prudent to assume certain privileges just because you have means and intent. Just because you have access to government Information Technology (IT) systems as a manager or system administrator, for example, it’s not safe to assume that you have the authority to use that access anytime and for any reason. Use of government IT systems takes into consideration how an applicant has used technology on the job. Viewing pornography, working non-mission related tasks, hiding evidence, and harassing fellow employees while using employer computers are some indicators that an applicant could bring risk to sensitive information residing on information technology.

Guideline M: Use of Information Technology is a very important criterion since cleared employees must demonstrate the ability to follow rules and regulations. This is especially critical as more and more sensitive information resides on computers. Gaining unauthorized access, downloading malware, manipulating data, or otherwise misusing information technology could increase risk to sensitive and classified information. An applicant’s history and pattern of use can provide indicators of their ability to protect what resides on information systems. The following are case studies where Guideline M concerns were either mitigated or clearance was denied:

CYBER POWERED SEX ADDICT

An applicant installed an email program on the company’s computer to allow him to access anonymous email accounts. He also logged onto pornographic sites, downloaded pornographic materials, wrote and posted 30 sexually explicit stories, doctored a photograph of a female former coworker in a sexually explicit manner and posted it, sought sexual partners and engaged in sexual activity as a result of people answering the posted requests. The applicant was eventually fired for the activity.

The applicant did seek help and engaged in group therapy, including a sexual compulsive addicts’ group. Sponsors, group participants and counselors made statements that the applicant was indeed recovering and demonstrated remorse for his activities. Both he and his wife are continuing to get marriage counseling.

The judge ruled favorably in that the applicant mitigated the risk to national security for the concern Use of Information Systems. However, he was not able to mitigate other concerns such as those that arose from his Personal Conduct and Sexual Behavior.


I WAS GOING TO PUT THEM BACK

After a female employee accused him of sexual harassment, the applicant decided to take matters into his own hands. His plan was to temporarily hide incriminating emails so that his coworkers would not find the files. The applicant followed through and took advantage of his position to move the implicating emails to a separate location, with the intent of moving them back.

Unfortunately for him, he was unable to restore the files following a software upgrade. The messages were lost and could not be restored. His deeds were discovered, and Guideline M concerns had to be addressed in a hearing.

Surprisingly, the judge ruled in favor of the applicant. The judge determined that the applicant did not intend to delete the files. Government counsel was concerned that he was granted a security clearance although he gained authorized access to her computer to get rid of evidence.

HAD I KNOWN YOU WERE LOOKING…

An applicant used his government computer to download pornography, clearly misusing his computer in violation of policies, rules, and regulations. Further, when interviewed by Defense Security Services (DSS), he lied about the incident.
He responded in the hearing that he was very sorry and that he did not mean to break rules. He also stated that had he known that the pornographic files existed on his computer, he would not have lied about accessing the porn. He also offered that the incident happened a few years prior and that he has been given increasing responsibilities and positions of trust since then.

Unfortunately, saying sorry is not enough. While a good first step, it does not mitigate the activity. Additionally, whether or not records of adverse behavior exist, he has no excuse for falsifying his statement to DSS. As a result, his clearance was denied.

Because of the increasing reliance on information systems, a cleared employee must be able to demonstrate that they can be trusted to not abuse privileges, information systems, and responsibilities. Past performance that demonstrates breaking information system policies, procedures, rules and regulations indicates potential risk to information residing on the systems. Employees who use computers as intended and only for authorized and work-related projects should have no problems demonstrating compliance with Guideline M.

Adjudicative Guideline L: Outside Activities

Outside activities are those jobs or relationships occurring outside of the United States and involving relationships with foreign countries, persons and businesses. With the internet, social media, and connectivity, there are great opportunities to meet other like-minded business people. The world seems to be getting smaller, while opportunities are increasing. Forming businesses with foreign people and companies can create new jobs, products, and services. These opportunities can also elevate partners to senior management levels with high-value stocks. However, they could come with a cost to those who might seek a government security clearance. Let’s look at a few examples:

It’s Complicated

An applicant is the president and CEO of a company incorporated in Singapore. Key management employees and decision makers are foreign citizens and almost half of his income is from the company. He spends time overseas, with foreign citizens, and other foreign companies related to his business.

His ability to safeguard classified and sensitive information could be influenced by his business interests, foreign relationships, or financial portfolio. Pressure from his outside activities could cause him to disclose classified or sensitive information to unauthorized persons through coercion or exploitation. Therefore, the decision to deny the applicant a security clearance is made in favor of the national security.

Hail Britannia

The applicant is the president of an American subsidiary of a British-based company that does business with the Department of Defense. Prior to the promotion, he was an employee at the same foreign company. He has a substantial financial stake with the company by virtue of his high valued stock. Because of his employment in the foreign organization and serving as a representative of the foreign country, his clearance was denied. His high position in the company, share of stocks, and possible relationships with foreign partners could cause him to be vulnerable to coercion or exploitation.

Risk Mitigated

An applicant worked as vice president of business development for a wholly-owned subsidiary of an Israeli company. In his position, he marketed computer hardware and software to U.S. companies. He was hired for the job after meeting the owner at a trade show, but had very infrequent interaction with the owner.

The applicant has not worked for the company in a few years. He also no longer has ties with the company, whether by positions, finances, relationships, or shares. His relationship and interaction with his former employer and employees is infrequent if ever. The applicant has mitigated concerns raised by Guideline L by completely separating himself from the business. This demonstrated separation has greatly reduced the likelihood of any potential security incident, and he has therefore been granted a security clearance.

Outside activities where U.S. persons enjoy foreign positions, relationships, and financial benefits can be rewarding but do come with a cost. Though these are great opportunities, they can be detrimental to those who are or wish to eventually pursue jobs requiring U.S. government security clearances. Security clearance applicants should demonstrate that they are not bringing additional risk to classified or sensitive information through their outside activities. The concern for Guideline L is that certain types of outside employment or activities are of security concern if they pose a conflict of interest with an individual's security responsibilities and could create an increased risk of unauthorized disclosure of classified or sensitive information.

Monday, July 9, 2018

NISPOM Based Certification Questions



These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams.

Here's how to use our study guide:

1. Use hard copy or download online version of NISPOM to search for answers.

http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf


2. Mark best answer for each choice.

3. Once complete, check your answers against the answer key below.


Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
We've updated our manual for NISPOM Change 2. 


Have a go at some new questions. 




Try these questions to see how you do:


1.      In situations of classified information inadvertently released as UNCLASSIFIED, the contractor’s notice shall be classified _____ unless it contains information for higher classification.
a.            UNCLASSIFIED
b.            FOR OFFICIAL USE ONLY
c.             SECRET
d.            TOP SECRET
e.             CONFIDENTIAL

2.      Which of the following contract information requires GCA approval before release to the public?
a.            Release of unclassified information on a classified contract
b.            The fact that a contract has been received
c.             The method of contract
d.            The fact that a contract is negotiated
e.             Whether or not contract requires hiring or terminating of employees


3.      The DD form 1540 is submitted through the _____?
a.            CSA
b.            GCA
c.             Prime Contractor
d.            A and C
e.             B and C


Scroll down for answers






1.      In situations of classified information inadvertently released as UNCLASSIFIED, the contractor’s notice shall be classified _____ unless it contains information for higher classification.
a.            UNCLASSIFIED
b.            FOR OFFICIAL USE ONLY
c.             SECRET
d.            TOP SECRET
e.             CONFIDENTIAL (NISPOM 4-218b)



2.      Which of the following contract information requires GCA approval before release to the public?
a.            Release of unclassified information on a classified contract (NISPOM 5-511)
b.            The fact that a contract has been received
c.             The method of contract
d.            The fact that a contract is negotiated
e.             Whether or not contract requires hiring or terminating of employees


3.      The DD form 1540 is submitted through the _____?
a.            CSA
b.            GCA
c.             Prime Contractor
d.            A and C

e.             B and C (NISPOM 11-202a)



So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Establishing the Insider Threat Program Plan

This article addresses establishment of the Insider Threat Program Plan. The article is derived from the Self Inspection Handbook for NISP Contractors, and uses the format to walk through the self-inspection criteria. We begin with the topic question, followed by the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.
Topic Question(s):
Has the company developed and implemented an insider threat program plan endorsed by the ITPSO?

Do you have a written program plan that has been self-certified to DSS as current and implemented?

EVIDENCE: Provide the policy, internal guidelines, and procedures.

If you do not have an insider threat program established, do you have an implementation plan, roadmap, or milestones for establishing your program?

EVIDENCE: Provide the implementation plan or milestones way ahead.

NISPOM Reference(s):
1-202a

Discussion:
Once the Insider Threat Program Senior Official (ITPSO) is designated, the Cleared Defense Contractor (CDC) enterprise can begin to create an Insider Threat Program (ITP) that will be endorsed by the ITPSO. The ITPSO should begin the next tasks to build the ITP team and develop the ITP and the required Insider Threat Training. These topics will be covered in future articles.

The ITPSO should establish the program to prevent, detect, or stop a trusted employee from committing espionage or sabotage to the CDC and their product or contract deliverables.

ITP Guidance

Elements of a successful insider threat program are listed in the NISPOM. NISPOM guidance can be used as measurable criteria to establish and determine ITP effectiveness. The NISPOM has identified the following requirements to establish an Insider Threat Program:

1. Designate an Insider Threat senior official
2. Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
3. Establish an Insider Threat Program group
4. Provide Insider Threat training
· cleared employees (initial security briefing and follow-up briefings)
· cleared employees assigned insider threat program responsibilities
5. Monitor classified network activity
6. Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
7. Conduct self-inspections of Insider Threat Programs

ITP Goals

An Insider Threat Program should be leveraged to develop awareness of and respond to information indicative of potential or actual insider threats. ITP goals should be to:

1. Gather insider threat information: what evidence is available that suggests potential or actual insider threat (actions, observations, direct communication, tampering, etc.)
2. Integrate gathered information: develop a communication channel to report such information for the ITP. The ITP should understand how to gather, respond and report relevant information
3. Report relevant and available insider threat information as required by:
· Executive Order (EO) 13587 - directs the heads of agencies that operate or access classified computer networks
· National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs
· And the catchall; as required by the appropriate CSA (DSS)

CDCs who do not have an ITP at this point should have a strategy or plan outlining how they will achieve compliance. This plan should outline how they will appoint the ITPSO, establish the working group, and apply the guidance. The plan should have milestones and measurable results that DSS can review and understand.

Validation:
1. ITPSO is appointed in writing. Appointment is available for review.
2. Written policy, procedures and / or guideline is available demonstrating how the ITP is applied and measured.
3. Where no policy is in place, a roadmap or “get healthy” plan is available.
4. ITP team members are identified and trained (certificates or memorandums of record)
5. CDC employees have received insider threat training (certificates or memorandums of record)

Insider Threat Programs and appropriate training are required of all CDCs. CDCs should appoint an ITPSO in writing and establish the ITP with the goal of gathering, integrating, and reporting insider threat information.



Selecting the Insider Threat Program Senior Official

This article addresses the designation of the Insider Threat Program Senior Official (ITPSO). The article is derived from the Self Inspection Handbook for NISP Contractors, and uses the format to walk through the self-inspection criteria. We begin with the topic question, followed by the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.
Topic Question(s):

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?
EVIDENCE: Name of Senior Official in writing

NISPOM Reference(s):
1-202b, 1-202c, 2-104

Discussion:
The Insider Threat Program (ITP) is established to prevent, detect, or stop a trusted employee from committing espionage or sabotage to the Cleared Defense Contractor (CDC) and their product or contract deliverables. The ITP is also scoped to protect the CDC employees from the insider threat actions. The ITP is a requirement as covered in the National Industrial Security Program Operating Manual (NISPOM), E.O. 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.

Cleared Defense Contractors (CDC) should designate an employee to manage the Insider Threat Program (ITP). The contractor will designate an employee to establish and execute an insider threat program. The first step is to designate a “Senior Official” with the following qualifications:

1. U.S. citizen

2. Company Employee

3. Senior official within the company

4. Security Clearance at the same level as the facility clearance (FCL) to establish and execute an insider threat program

· If the FCL is TOP SECRET, then the ITPSO must also have a TOP SECRET clearance

5. Could be the FSO; if the FSO is not the designated official, the FSO is an integral member of the program

Some larger corporations may have separate legal entities. If the corporation desires one ITPSO to serve corporate wide, each cleared legal entity should designate that person as their ITPSO.

Once the ITPSO is designated, the enterprise can begin to create an Insider Threat Program that will be endorsed by the ITPSO. The ITPSO should begin the next tasks to build the ITP team and develop the ITP and the required Insider Threat Training. These topics will be covered in future articles.

Validation:

ITPSO is designated in writing and documentation is available for review
Designated ITPSO meets all the qualifications required as demonstrated in training records available for review.




Sunday, June 3, 2018

NISPOM Certification Questions (May help with NCMS ISP and DoD SPeD Certification)



These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams.

Here's how to use our study guide:

1. Use hard copy or download online version of NISPOM to search for answers.

http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf


2. Mark best answer for each choice.

3. Once complete, check your answers against the answer key below.


Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
We've updated our manual for NISPOM Change 2. 


Have a go at some new questions. 




Try these questions to see how you do:


1.      Contractors shall conduct formal self-inspections at intervals consistent with:
a.            Risk management principles
b.            DSS inspection dates
c.             FSO determination
d.            Previous results
e.             All of the above


2.      All classified information and material should be marked to clearly convey:
a.            Level of classification
b.            Portions that reveal classified
c.             Portions that contain classified
d.            Period of time protection is required
e.             All the above



3.      NATO has the following levels of security classification EXCEPT:
a.            COSMIC TOP SECRET
b.            NATO SECRET
c.             NATO CONFIDENTIAL
d.            NATO RESTRICTED
e.            NATO TOP SECRET









Scroll Down for Answers









1.      Contractors shall conduct formal self-inspections at intervals consistent with:
a.            Risk management principles (NISPOM 1-206b)
b.            DSS inspection dates
c.             FSO determination
d.            Previous results
e.             All of the above


2.      All classified information and material should be marked to clearly convey:
a.            Level of classification
b.            Portions that reveal classified
c.             Portions that contain classified
d.            Period of time protection is required
e.             All the above (NISPOM 4-200)




3.      NATO has the following levels of security classification EXCEPT:
a.            COSMIC TOP SECRET
b.            NATO SECRET
c.             NATO CONFIDENTIAL
d.            NATO RESTRICTED

e.             NATO TOP SECRET (NISPOM 10-701)






So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.
