Sunday, January 15, 2017

NISPOM Questions

Get your copy @ www.redbikepublishing.com



If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice. Here's a way to get 440 practice questions.

First, to meet minimum test requirements an applicant should have five years' experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study the NISPOM and use sample questions to practice, practice, and practice. Using practice tests to augment your ISP exam preparation can help you prepare for the test. According to reader comments and emails to the author, many who have bought our book, NISPOM flashcards, and ISP Test Tips to augment their preparation have performed very well on the exam.

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll; NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:

1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

d. KMPs and all security personnel

e. All the above









Scroll Down For Answers









1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

e. All the above


So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.



Preventing OPM-Like Sensitive Information Spillages

In September 2016, the Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress finally released what we’ve all been waiting for, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Wow, about time.

In a recent CSO Online article, The OPM breach report: A long Time Coming, Taylor Armerding summarizes the congressional report and the national frustration with the entire fiasco. In fact, both the report and article titles pretty much sum up how America feels about the Chinese exfiltration of personal data.

If you want to know the details of the event, please read the article and report as both are fascinating. They explain very well how this incident will impact security cleared US citizens for generations, literally.

Readers in our career field (those of you reading this article) who are Facility Security Officers for cleared defense contractors, government employees, or other security practitioners under the National Industrial Security Program (NISP) may experience frustrations in addition to those shared by the referred report and article.

Frustrations expressed from other sources:


“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”---James Comey, Director of the FBI

“(The SF-86) gives you any kind of information that might be a threat to (the employee’s) security clearance.”---Jeff Neal, Former DHS official

Frustrations not nationally expressed:

The additional frustration is grounded in the fact that the Office of Personnel Management conducts security investigations, collects very personal information from interviews and reports, contracts investigators who communicate the information, and stores the information. The data collected on each person and the compilation of that information warrant a robust security policy to protect personally identifiable information.

Keep in mind, OPM is one of the agencies that require industry to undertake intense security training in protecting PII, practicing cybersecurity, reporting security violations, detecting and denying insider threat, and so on. While cleared defense contractors are complying with training requirements, undergoing security reviews, demonstrating security programs to protect classified information on information systems, and complying with DFARS requirements concerning computer networks, OPM was negligent in practicing what they preached.

The report lists OPM's failures to protect the network and sensitive information and its slow reaction to both the attack and reporting requirements. Additionally, while contractors are required to conduct investigations of security violations, determine cause, and as necessary, practice disciplinary action, no one has been fired as a result.

Imagine what would happen if a defense contractor network was hacked and the following information was exfiltrated:

Employee information including:
· Current and past addresses
· Security violations
· Mental health counseling
· Alcohol and drug dependency
· Marital problems
· Credit history

Get the picture? The employees would sue and the oversight agencies would review and report circumstances. Chances are that the responsible parties would be terminated.

According to the report, the cyberattack issue was detectable, preventable, and actionable, but OPM failed on all three.

Lesson for FSOs and security practitioners
Become cyber-aware…become involved in cybersecurity. It’s not necessary to become an expert, just understand. Many FSOs are great at the physical security requirements for PII, classified information, export controlled and other tangible items requiring clearance and / or need to know enforcement. It’s not too much of a leap to relate physical security requirements to that of protection of information on networks or stand alone computers.

Our profession has to become more involved in cybersecurity beyond advising “don’t open attachments”, “only conduct company business on the computer”, and the standard slogan-heavy or bumper-sticker-appropriate language. FSOs should become informed of how to respond to different threat categories and access points and provide cutting edge security awareness and security refresher training.

Applying the knowledgeable security focus:
Read, learn, and discuss with IT and network professionals the importance of programs to deny, deter, detect, observe, and report cyberattacks. Here are some physical security fundamentals that can be applied for immediate cybersecurity action.
Though the reader may not be an expert, they can form a team from IT and all business units to accomplish the task. This is the same exercise physical security and loss prevention practitioners use; or at least they should:

Determine what needs to be protected

Identify sensitive information on the enterprise network. Every business unit has a piece in the puzzle; program managers, accounting, personnel, contracts, etc.  Involve all aspects of the enterprise in the exercise.

Determine where the information exists

Is the information on an internal or external network? Which one(s)? On a standalone computer? Document all locations.

Determine who needs access to the information

Limit access to the networks, folders or locations based on who is authorized to use it.
Do program managers need financial information related to other contracts? Does the CFO need intimate software development details? If yes, ensure they have access; if not, deny access.

Determine threats to the information

The obvious threats are the trusted employees and external hackers. These categories are the bare minimum necessary for cataloging the threat. Ask, how can the internal threat access information? How can the external hacker access the information?

So far so good, right? Well, it becomes more technical from here, and it is where you might need an advisor, consultant or other help.

Determine how to deny, detect, report, and monitor systems for cyberattacks.
This requires skill to buy the right technology or hire the right employees.

Document all actions and provide report to senior management.
Programs do not live long without senior management buy in. Since we recommend forming a team, use the team concept to develop and maintain momentum. Provide recommendations to the key management personnel, get approval, and have them champion the program to senior objects. Change management may be in order.

Hopefully, this article provides thought-provoking and imagination-stoking ideas to help develop a security system that includes cyber consideration. The referred report demonstrates and quantifies an active adversary with a demonstrated history of attacking high-level government agencies, as well as the poor action of those responsible for preventing access to sensitive information. None are immune, but all are responsible. Our profession exists in the defense industry. Our national security depends on doing everything we can to be aware of, train for, and respond appropriately to all threats.


Saturday, December 24, 2016

Shipping Classified Information with Commercial Carriers

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

When shipping classified information, the sender is responsible for requesting approval to use commercial carriers. The DSS or other Cognizant Security Agency (CSA) approves the use of commercial carriers. For overnight shipping, the Government Services Administration (GSA) provides a list of approved . 

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408. SECRET Transmission by Commercial Carrier. SECRET material may be shipped by a cleared commercial carrier that has been approved by the CSA to transport SECRET shipments.

Cleared Commercial Carriers

Department of Defense contractors may use government-approved commercial carriers to transport SECRET and below. When SECRET is to be delivered, the carrier must be approved and cleared to the SECRET level. CONFIDENTIAL can be transmitted by an approved uncleared carrier. The deliveries are not authorized for international travel and can only be made within the continental US or within Alaska, Hawaii and each territory, with the Government Contracting Agency providing routing information.

When requesting commercial carrier support, the contractor should notify the CSA of the proposed classified material to be shipped, the point of origin and the destination. The CSA will review the information and make an approval decision. If approved, the sender should notify the consignee and the shipping activity of the shipment and provide details of the type of shipment, information about shipping seals, and projected time of arrival. Further coordination should be made with the intended recipient to expect the delivery of classified material along with a projected timeline and what they should expect to receive. If the shipment does not arrive within 48 hours, the receiver should notify the sender.

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408b. The contractor shall utilize a qualified carrier selected by the U.S. Government that will provide a single-line service from point of origin to destination, when such service is available, or by such transshipping procedures as may be specified by the U.S. Government.

GSA Approved Overnight Delivery Service

SECRET and CONFIDENTIAL material may be sent using GSA approved companies. These services should not be used without DSS approval. When using an overnight delivery service, the FSO of the sending organization should alert the receiving organization that classified information will be arriving via overnight service. Though overnight carriers are approved through the GSA, the carrier companies do not need to hold a facility security clearance. The carriers are only required to meet requirements of tracking shipments.



Every precaution should be made to ensure that the overnight delivery will not arrive during a holiday or scheduled day off. The best method is to not deliver the day prior to a weekend or federal holiday unless the receiver is operating a mail room with cleared persons and the proper storage capability.

VALIDATION:

1. Produce request to CSA for commercial carrier use and the CSA response.
2. Produce receipts for classified shipments involving commercial carriers and / or GSA approved overnight shippers.
3. Provide policy and procedures for use of commercial carriers and / or GSA approved overnight shippers.
4. Provide documentation of signed receipts of classified information sent via commercial carrier and / or GSA approved overnight shippers.




               






Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, December 22, 2016

Determining Receiving Facility Security Clearance Level

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Those who possess classified information should determine security clearance and need to know before disclosing it. This is a requirement for both cleared persons and cleared facilities. Where classified information is shipped from one CAGE code or facility to another, the shipper is responsible for ensuring that the carrier and the receiving entity are cleared appropriately and that the receiver has the need to know to possess the classified information.

Question:
NISPOM 2-100
Is the facility clearance and safeguarding capability of the receiving facility determined prior to transmission of classified information?
2-100. … Contractors are eligible for custody (possession) of classified material if they have an FCL and storage capability approved by the CSA.
…b. FCLs will be registered centrally by the U.S. Government.

The cleared contractor possessing classified information is responsible for validating the appropriate personnel clearance level (PCL) and need to know before releasing classified information to that person. The same rationale applies to shipping classified information from one cleared defense contractor (CDC) to another. The shipper should determine the proper clearance and need to know of the intended receiver. In other words, validate the facility clearance (FCL) level prior to shipping classified information.

This is performed through the Industrial Security Facilities Database (ISFD). According to the ISFD website, the ISFD provides users with a nationwide perspective on National Industrial Security Program related facilities, as well as facilities under DSS oversight in the DoD conventional AA&E program.

FSOs should have access to ISFD and other Defense Security Services databases in order to provide their employer with adequate security services.  See http://www.dss.mil/diss/isfd.html for more information.

Once registered, an FSO or designated employee can access FCL information including clearance level, classified mailing addresses, and points of contact. Prior to sending classified information, the sender can log in to ISFD, access the address, POC, and contact information, and coordinate the delivery and any inspection and receipting actions.

VALIDATION:
1. Demonstrate ability to log on to ISFD
2. Demonstrate proficiency with determining a CDC’s FCL
3. Demonstrate proficiency with finding a CDC’s address and POC information.



Thursday, December 8, 2016

Classified Shipping Receipts



This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The receipting action from receiving and transmitting classified information provides required tracing and accountability. Classified information should be documented as it enters and leaves each facility to reduce loss or compromise. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let’s find out.


Question: 

5-401

Are receipts included with classified transmissions when required?

5-401. Preparation and Receipting
a. …The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.

Receiving Classified Information

When classified information is transmitted, the NISPOM requires receipting action whenever SECRET and TOP SECRET information is transferred to or from a cleared contractor. However, it is a good practice to track deliveries and send receipts for outgoing CONFIDENTIAL information as well. Confirmation of receipt will help the sending contractor close the loop and account for their classified transfer. For the receiving contractor, the receipting action is the first step to internal visibility of newly introduced classified information. It should initialize the internal tracing of classified information and visibility to assist in recalling or retrieving classified information or identifying its location.

Classified information can arrive at a cleared contractor in many different ways including cleared contractor employee or government employee couriers, contractually related customers, secure fax, secure email, US Postal Service, overnight delivery services and other approved means of transmitting or disseminating classified information. Regardless of how classified material arrives, the contractor should provide the proper reception of classified material by authorized cleared employees. The receiver of classified material plays a role in both safeguarding classified material after it arrives as well as identifying discrepancies and security violations that may have occurred while the classified information is in transit.

Inventory Control

One possible solution for controlling the introduction, storage, and transmission of classified information is through an information management system (IMS) (SIMSSOFTWARE is an example). The IMS is a tool that could help track and find classified material at any time no matter how many classified documents or objects are stored. Additionally, cleared contractors could use the IMS as a centralized document control system. Used in tandem with a positive visitor control process, the contractor could direct the arrival of visitors, couriers, mail carriers, overnight delivery companies, and others who could potentially convey classified information to a centralized processing location. Through a process of document control, the cleared contractors can receive classified information, inspect it, sign receipts, document the contents, store, and make classified information available for authorized employee use. Without such controls, classified information could be vulnerable to unauthorized disclosure, loss, or compromise.

Inspecting and Documenting

Classified information (SECRET and above) should contain two copies of the receipt. A good security practice allows for the sender to alert the receiver that classified material is being sent to their facility. Many times program managers, engineers or other technical employees are anticipating the delivery, but may not have all the details of delivery times and dates. However, FSO-to-FSO coordination can provide all the information of the transaction in advance.

The receiver should then check the receipt against the contents to ensure the item has been identified correctly and all items are accounted for. The properly filled out receipt should list the sender, the addressee and correctly identify the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, the inspector should ensure it contains no classified information. If the receipt contains a classified title, the sender may be able to coordinate for an unclassified title for internal use and treat the receipt according to the classification level.

The receiver should compare the classification identified in the receipt with that annotated on the inner wrapper and the actual classified material markings. This action validates that the classified contents are safeguarded and transmitted properly once the outer wrapping has been opened or removed. Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return to the sender, thus closing the loop on the sender’s accounting responsibilities.

5-401b

Is a suspense system established to track transmitted documents until the signed receipt is returned?
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.


It is the sender’s responsibility to ensure classified information arrives at the intended destination. The sender should track the classified deliveries until they receive a receipt or verify arrival. A good practice is to schedule follow-up dates in Microsoft Outlook Calendar, IMS, a spreadsheet or other tools to validate reception of signed receipts. If the receipts have been returned, the sender can close the action. If not, they may need to send a request to the receiver.

A good security program designed to protect classified material begins with the proper reception of classified information. Classified information should be delivered to an approved mailing address. Prior to delivery, the sender should contact the receiver and notify them of the intended delivery. The receiver should then prepare for the delivery and ensure that only the proper employee cleared to the appropriate level receives the classified delivery. The receiver should inspect the delivery for proper wrapping, address, and delivery method. After inspection, they should sign a receipt and return it to the sender. The inspector should then enter the classified items into an IMS. Once filed, they can make the information available for use to those with clearance and need to know.

VALIDATION:


1. Demonstrate compliance through policy and procedure development and updates that include tasks to be accomplished during reception of classified information.

2. Save and file receipts for easy recall.

3. Develop and document inventory management for classified information that includes documenting receipt of classified information.

4. Include reception of classified information with job specific security awareness training.

5. Learn to correctly use information management systems for document control purposes, generate reports, and demonstrate compliance.

6. Develop process to trace and account for signed receipts and what to do when receipts are not returned.

Thursday, November 24, 2016

Preparing Classified Information For Shipment

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The transmission of classified information is an important concern. Classified information should be controlled as it enters and leaves each facility. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let’s find out.

Question:


5-401 Is classified information properly prepared for transmission outside the facility?

Here’s what NISPOM says on the subject. Our narrative follows:

5-401. Preparation and Receipting
a. Classified information to be transmitted outside of a facility shall be enclosed in opaque inner and outer covers. The inner cover shall be a sealed wrapper or envelope plainly marked with the assigned classification and addresses of both sender and addressee. The outer cover shall be sealed and addressed with no identification of the classification of its contents. A receipt shall be attached to or enclosed in the inner cover, except that CONFIDENTIAL information shall require a receipt only if the sender deems it necessary. The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.
c. When the material is of a size, weight, or nature that precludes the use of envelopes, the materials used for packaging shall be of such strength and durability to ensure the necessary protection while the material is in transit.

The classification level should be the first consideration when determining how to disseminate classified information. Dissemination of TOP SECRET has more restrictions than does SECRET and CONFIDENTIAL. Likewise SECRET has more restrictions than CONFIDENTIAL. According to the NISPOM, classified information should be wrapped with opaque durable material such as cardboard, envelopes, or boxes. It should be transmitted in a way that prevents accidental and unauthorized disclosure and detects tampering.

Inner Layer

The NISPOM does not discuss whether or not seams of packages should be reinforced. A good practice is to cover seams with rip-proof opaque tape or other similar material.
Next, the preparer should mark the package on the top and bottom of all sides with the proper classification level.

Then they should add the “to” and “from” addresses with two copies of receipts either attached to the first layer or inside the first layer. The preparer should always coordinate with the intended receiver to notify of delivery and verify mailing addresses. If the package is being sent to a cleared DoD contractor, the address could be verified online through the Industrial Security Facilities Database (ISFD) available through the Defense Security Service (DSS) website.
DSS recommends that the address on all inner wrappers contain the name and office symbol of the intended recipient to expedite accurate delivery.

Internal contents that come in contact with the wrapper could be imaged or observed in certain situations. To prevent this, the preparer can add wrapping paper, patterned paper, or receipts, or fold the documents in such a way that they cannot be read through the wrapping. DSS recommends using classification level cover sheets such as the Standard Form 703 (TOP SECRET), 704 (SECRET), or 705 (CONFIDENTIAL) to prevent an adversary from reading or imaging the information during technical scanning. However, while this protects the actual information from being scanned, it could disclose that the information is classified. If using cover sheets, be sure to use the SF appropriate for the classification level of information inside.

Outer Layer

The outer wrapper is the second line of defense for the classified information.
Once the classified information leaves the cleared facility, the level of protection is severely reduced. The wrapping requirements are similar to those of the inner wrapper and should be the same size to prevent looseness or movement that could fray or damage the inner wrapping’s seams. The outside label should not identify the recipient by name. Office numbers or symbols should be used to prevent associating a classified package with a particular person. When addressing shipment labels to contractors, the outer label should be addressed to “FSO” or “Security”. When addressing shipment labels to military agencies, the outer package labels should be “Commander”.

Additionally, addressing deliveries to an authorized department ensures the package is received by authorized persons. Providing a person’s name on the outside label could cause problems if they are not around to receive it and could result in returned packages.


Alternate wrappings

Large sizes, bulk, weight, mission requirements or other structural make up could prevent transmission of items by traditional means. These could be machines, vehicles, aircraft, missiles, or other cumbersome, odd shaped, heavy or odd sized items. Brief cases, canvas courier bags, hard cases, shipping crates, large tarps and other types of containers can serve as proper wrapping provided they are approved by DSS. The containers are a part of the process to provide multiple layers of protection, deny accidental access, detect tampering and ensure expedited transport.

VALIDATION:
· Choose a designated location to prepare classified information for shipment
· Publish comprehensive instructions, processes, and policies for sound security practices
· Post reminders and instructions in designated areas
· Use an information management system or similar technology to keep pedigree of transmittal receipts
· Demonstrate that processes are taught to authorized employees in security awareness training or refresher training


Thursday, October 27, 2016

NISPOM Chapter 5, physical protection of classified material at cleared contractor locations

In our continuing effort to bring you the latest in protecting national security, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Our intent is to address major changes, excluding admin updates. Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

The first topic in this article is NISPOM Chapter 5, physical protection of classified material at cleared contractor locations.

This begins where paragraph 5-303 is completely obliterated. No comment here except to say they drew the line in the sand in 2006 and finally erased it in 2016. Hopefully, four years to the month after the expiration date, these steel cabinets and sub-par containers are no longer an issue.


5-303. SECRET Storage. SECRET material shall be stored in a GSA-approved security container, an approved vault, or closed area. Supplemental controls are required for storage in closed areas. The following additional storage methods may be used until October 1, 2012:
a. A safe, steel file cabinet, or safe-type steel file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours.
b. Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock. The keepers of the rigid metal lock bar shall be secured to the cabinet by welding, rivets, or bolts so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container shall be held securely so their contents cannot be removed without forcing open the drawer. This type of cabinet will be accorded supplemental protection during non-working hours.

Paragraph 5-311 also removes reference to the bygone era and rearranges the subparagraph structure.


The second topic is Chapter 9 Special Requirements.

Chapter 9 section 1 is completely removed and language concerning RD and FRD is rewritten as guidance in a new Appendix D. We will cover the specific changes when we write about appendix updates at a later date.

Similarly, Chapter 9 section 3 is completely removed and a new paragraph is added:

Paragraph 9-300. Background General. This section was prepared by CIA in accordance with reference (a) and is provided for information purposes only. It contains general information on safeguarding intelligence information. Intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes. General. National intelligence is under the jurisdiction and control of the DNI, who establishes security policy for the protection of national intelligence and intelligence sources, methods, and activities. In addition to the guidance in this Manual, contractors shall follow IC directives, policy guidance, standards, and specifications for the protection of classified national intelligence and SCI. Contractors are not authorized to further disclose or release classified national intelligence and SCI (including to a subcontractor) without prior written authorization of the originating IC element.

The NISPOM provides much less guidance on protecting national intelligence than previously provided. In this latest change, NISPOM recognizes the jurisdiction of the Director of National Intelligence and defers to DNI’s requirements. All definitions and guidance are removed and contractors are advised to follow Intelligence Community guidance and instructions concerning working with intelligence information. Contractors should also request guidance from the originating Intelligence Community element and receive it in writing prior to disclosing or releasing classified intelligence and SCI.

Contractors should work closely with the government contracting agency issuing the contract and the government program office, and consult DNI guidance and instructions, the DD Form 254, and security classification guidance to ensure proper handling and protection while working with national intelligence.

This completes the major updates to safeguarding classified information given through the NISPOM Conforming Change 2.

Cleared contractors who need assistance with NISPOM requirements can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, take a look at our print version of the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aid. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download it, and present it to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.

Have a book ready to publish? Why not contact us? www.redbikepublishing.com/publish-with-us



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".