Wednesday, September 26, 2018

NISPOM Based Questions For SPeD, Industrial Security Oversight Certification (ISOC), and ISP Study


 By Jeffrey W. Bennett, ISP, SAPPC
Get your copy @ www.redbikepublishing.com
These NISPOM-based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD certification exams, including the newest of them, the Industrial Security Oversight Certification (ISOC).

In fact, these study questions use the same question format you might find on the exams.

Here's how to use our study guide:

1. Use a hard copy, or download the online version of the NISPOM, to search for the answers.


2. Mark the best answer for each question.

3. Once complete, check your answers against the answer key below.

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. The same methodology can also help prepare for professional exams like ISP Certification and SPeD Certification.
Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete, test-length practice exams based on the NISPOM.
We've updated our manual for NISPOM Change 2.
Have a go at some new questions and see how you do:
1. CONFIDENTIAL is approved for transmission by which of the following means?
a. U.S. Postal Service Priority Mail
b. U.S. Postal Service First Class Mail
c. Any commercial overnight delivery company
d. U.S. Postal Service Certified Mail
e. All the above
2. Authorization in writing by the _____ is required for transmission of TOP SECRET outside of a facility, and electrical transmission must be over _______-approved secured communications security circuits.
a. CSA, GSA
b. CSA, FSO
c. FSO, DOT
d. CSA, DOT
e. GCA, CSA
3. What should be provided in an escort's written instructions prior to shipping classified information?
a. Receipt procedures
b. Means of transportation
c. Emergency communication procedures
d. Route to be used
e. All the above
Scroll down for answers












1. CONFIDENTIAL is approved for transmission by which of the following means?
a. U.S. Postal Service Priority Mail
b. U.S. Postal Service First Class Mail
c. Any commercial overnight delivery company
d. U.S. Postal Service Certified Mail (NISPOM 5-404)
e. All the above
2. Authorization in writing by the _____ is required for transmission of TOP SECRET outside of a facility, and electrical transmission must be over _______-approved secured communications security circuits.
a. CSA, GSA
b. CSA, FSO
c. FSO, DOT
d. CSA, DOT
e. GCA, CSA (NISPOM 5-402)
3. What should be provided in an escort's written instructions prior to shipping classified information?
a. Receipt procedures
b. Means of transportation
c. Emergency communication procedures
d. Route to be used
e. All the above (NISPOM 5-412)
So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification and DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. All of these resources provide study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book and the ISP Test Tips, and who used our techniques to augment their preparation, have performed very well on certification exams.

                                             ___________________________________________________________________


Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

Industrial Security Oversight Certification, Industrial Security Professional Certification and NISPOM Study Questions



These NISPOM-based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Industrial Security Oversight Certification exams.

Here's how to use our study guide:

1. Use a hard copy, or download the online version of the NISPOM, to search for the answers.

http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf


2. Mark the best answer for each question.

3. Once complete, check your answers against the answer key below.


Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. The same methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete, test-length practice exams based on the NISPOM. It could help you pass the ISP and SPeD certification exams.
We've updated our manual for NISPOM Change 2.


Have a go at some new questions. 




Try these questions to see how you do:


1. Contractors shall maintain a record of reproduction of SECRET material for _____.
a. Two years
b. One year
c. Five years
d. Thirty days
e. None of the above
2. Controlling access to classified material in an open area during working hours is an example of:
a. Supplemental protection
b. Establishing a closed area
c. Establishing an open area
d. Establishing a restricted area
e. None of the above
3. What information shall NOT be included on receipts?
a. Identity of sender
b. Identity of addressee
c. Identity of the document
d. Classified information
e. All the above


Scroll down for answers















1. Contractors shall maintain a record of reproduction of SECRET material for _____.
a. Two years
b. One year
c. Five years
d. Thirty days
e. None of the above (NISPOM 5-603)
2. Controlling access to classified material in an open area during working hours is an example of:
a. Supplemental protection
b. Establishing a closed area
c. Establishing an open area
d. Establishing a restricted area (NISPOM 5-305)
e. None of the above
3. What information shall NOT be included on receipts?
a. Identity of sender
b. Identity of addressee
c. Identity of the document
d. Classified information (NISPOM 5-401)
e. All the above


So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification and DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. All of these resources provide study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book and the ISP Test Tips, and who used our techniques to augment their preparation, have performed very well on the exam.

Limited Access Authorization

The Limited Access Authorization (LAA)
By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP
Many non-U.S. citizens temporarily live and work in the United States under authorized conditions. They could be applying for citizenship or residing for a season of work. While they are here under visas or other agreements they are lawfully present, but they are not U.S. citizens. They participate in the work force, contribute to the advancement of technology, and benefit industry, but there are restrictions on the information they are able to access. In commercial industry, access to controlled technical information is governed by the Export Administration Regulations (EAR). In the defense contracting industry, non-U.S. persons are restricted from accessing certain technical information under the International Traffic in Arms Regulations (ITAR), and they are not eligible for security clearances.
While non-U.S. citizens can work with controlled technical information after approval from the Department of Commerce or the Department of State, they cannot be granted U.S. security clearances. There are situations where they can access classified information, but only after a deliberate need is identified, the rationale is documented, and the access is granted following a favorable background investigation. In no situation does this amount to the granting of a security clearance.
The National Industrial Security Program Operating Manual (NISPOM) states that only U.S. citizens are eligible for security clearances. However, in approved circumstances, non-U.S. citizens can access classified information. Again, this is access and approval to work with specific classified information, and it should not be confused with being granted a security clearance.
There are limited situations where a non-U.S. citizen would be authorized to access and work with classified information, for example where they possess unique or unusual skills necessary to support a U.S. Government classified contract. In these cases the Government can authorize a Limited Access Authorization (LAA). The LAA is not a security clearance; it is an approval process through which access to specific classified information is provided.
The approval process requires multi-agency coordination: the defense contractor requests the need to provide a non-U.S. citizen access to classified information, the government customer justifies the need with specific rationale, the State Department is given visibility, and the Defense Security Service (DSS) gives final approval. Once DSS approves the letter of justification, it notifies the defense contractor, which initiates the background investigation.
Once the LAA is in place, the non-U.S. citizen can access classified information specific to the contract and based on their need to know. The letter of justification should specify the contract number and a precise list of the material to be accessed, and the contractor should ensure that the person under the LAA accesses only the specified information. An LAA is limited to SECRET and below, and even within that limit it excludes COMSEC and intelligence information. Any access beyond what is specified should be treated and reported as a security violation.
The LAA process should be viewed as a means to fill a unique need using risk-based rationale, not as a matter of convenience. The non-U.S. citizen subject matter expert is identified as such and properly vetted, the need is communicated, evaluated, and assessed, and the Departments of Defense, State, and Commerce and other applicable agencies make joint approval decisions.
Avoiding FOIA Fiascos
By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP
When writing, reviewing, or approving classified or unclassified technical documents, keep in mind that even unclassified technical information should be scrutinized for protection under the Freedom of Information Act (FOIA). If someone wants Government information that is not readily available, one option is to submit a FOIA request. Even unclassified documents may contain technical information that should be identified and, as necessary, protected from public release. This includes technical data, controlled unclassified information, and personally identifiable information, and it should be portion marked as such. A marking such as UNCLASSIFIED//FOR OFFICIAL USE ONLY (FOUO) is a reasonable way to flag information for withholding under a FOIA request. The marking itself does not exempt anything, however: the reviewing agency must still tie any withholding to one of the statutory FOIA exemptions, and the marking's job is to make sure the reviewer knows to look.
Here's why:
There are many reasons for submitting a FOIA request, including conducting research, writing a book, curiosity, advancing a theory, developing a project, and so on. Regardless of the reason, anyone can submit a request. Once a request has been submitted, the government is required to provide the information unless it falls under one of the exemptions designed to protect privacy, national security, and law enforcement. The government program office is primarily charged with the review, but unless the contractor marks information properly, the reviewers may not recognize what is sensitive and should not be released.
Again, anyone can request that the U.S. Government release information. A non-U.S. citizen has as much right to request and receive information as a U.S. citizen does. It is up to the Federal agency to identify and protect any information that meets the exemption criteria. For national security concerns, this is usually accomplished by the agency applying a security classification (CONFIDENTIAL, SECRET, TOP SECRET), For Official Use Only, or another designation to protect information falling under one or more exemptions.
We'll explain how this works so that you can be better prepared to identify and exempt sensitive unclassified information from public release.
Here's how it works:
The first step when requesting information is to determine whether the information is already available. This can be done by visiting https://www.foia.gov/faq.html and searching for available information. If the information requested is already available, the potential requester can use it directly. If the information is not there or is incomplete, the requester should begin the request process.
The next step should be to determine which federal agency owns the information being sought. Even if the requestor cannot determine which agency owns the information, they may still be able to provide enough information for someone to refer the request to the appropriate agency.
Next, they submit the FOIA request in writing with a description of the information desired. The requester can submit the request via a web form, email, or fax; the submission details are available at the FOIA website listed above, which also has "how to" videos describing the request process. The requester should specify how they would prefer to receive the information, such as printed or electronic. Where possible, the agency will provide the information in the format in which it already exists.
Once the request is received and processed, the agency should send an acknowledgement of receipt and a tracking number. It may contact the requester for additional information or, if it has enough to go on, simply provide the requested information. Any information that falls under an exemption will not be provided: those reviewing the material redact or remove protected information from the final product.
What you can do:
1. Develop a program to identify sensitive information that is protected as Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), or under the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), or other guidance.
2. Document and publish (and protect the publication) the identified information, so that those performing on contracts understand what is protected and can refer to the publication.
3. Consult the security classification guide specific to the program for additional guidance.
4. Mark all work products correctly to prevent public release where appropriate.
5. Establish a document review team to validate and approve the markings.
Each agency is responsible for reviewing requests for the information under its cognizance, and each has its own internal review process. However, reviewers cannot read minds or infer intent to work out what should be protected. All they have is the request, the document, and their own internal process and guidelines. It is up to the document's source to indicate what should be protected. Those producing sensitive unclassified information can further protect it by identifying it up front and marking it correctly, so that the agency can see what should be exempt from release. If the receiving agency has little context and no ability to contact the document's source, it may err on the side of releasing the information.

SPeD Industrial Security Oversight Certification

Industrial Security Oversight Certification
Red Bike Publishing is so happy to have helped hundreds of people study for security certification with Red Bike Publishing’s Unofficial Study Guide for ISP Certification and we appreciate all of your encouraging emails. With such success, we’ve had many requests asking Red Bike Publishing to write exam preparation material for Security Professional Education Development (SPēD) Certification. For a long time, we have struggled with how to meet the challenge.
Until now! Red Bike Publishing’s own Jeffrey W. Bennett, SFPC, SAPPC, and ISP just tested and qualified for the newest SPēD certification, Industrial Security Oversight Certification (ISOC).  He tested without additional preparation other than his NISPOM experience covering what he has learned from working in the NISP, writing articles and training programs, and keeping up to date with the Red Bike Publishing’s Unofficial Study Guide for ISP Certification.
That’s because an understanding of NISPOM is the fundamental skill set to pass the ISOC exam. Per the website, “The Industrial Security Oversight Certification (ISOC) is ideal for DoD, Industry, and federal members under the National Industrial Security Program (NISP).” The prerequisite certification is the Security Fundamentals Professional Certification (SFPC) and is also NISPOM based.
The ISOC assesses foundational knowledge in the following competencies (NISPOM topics):
Industrial Security Basics
Security Reviews and Inspections
Security Systems and Requirements
Though Red Bike Publishing has not written any additional material for the ISOC certification, we are confident in sharing that Red Bike Publishing’s Unofficial Study Guide for ISP Certification can be used to help prepare for the ISOC exam. Our security books including NISPOM, ITAR and DoD Security Clearance and Contracts Guidebook, and FSO Tool Box training packages are also great resources and study prep for your security certification needs.

Saturday, August 18, 2018

Security Clearances and Information Technology


Remember the old saying, "Rank has its privileges"? It is not always prudent to assume certain privileges just because you have the means and the intent. It is not safe to assume that because you have access to government Information Technology (IT) systems, as a manager or system administrator for example, you have the authority to use them at any time and for any reason. The adjudicative guideline on use of IT systems takes into consideration how an applicant has used technology on the job. Viewing pornography, working on non-mission-related tasks, hiding evidence, and harassing fellow employees while using employer computers are some indicators that an applicant could bring risk to sensitive information residing on information technology.

Guideline M: Use of Information Technology is a very important criterion, since cleared employees must demonstrate the ability to follow rules and regulations. This is especially critical as more and more sensitive information resides on computers. Gaining unauthorized access, downloading malware, manipulating data, or otherwise misusing information technology could increase risk to sensitive and classified information. An applicant's history and pattern of use can provide indicators of their ability to protect what resides on information systems. The following are case studies where Guideline M concerns were either mitigated or the clearance was denied:

CYBER POWERED SEX ADDICT

An applicant installed an email program on the company’s computer to allow him to access anonymous email accounts. He also logged onto pornographic sites, downloaded pornographic materials, wrote and posted 30 sexually explicit stories, doctored a photograph of a female former coworker in a sexually explicit manner and posted it, sought sexual partners and engaged in sexual activity as a result of people answering the posted requests. The applicant was eventually fired for the activity.

The applicant did seek help and engaged in group therapy including a sexual compulsive addicts’ group. Sponsors, group participants and counselors made statements that the applicant was indeed recovering and demonstrates remorse for his activities. Both he and his wife are continuing to get marriage counseling.

The judge ruled favorably in that the applicant mitigated the risk to national security for the concern Use of Information Systems. However, he was not able to mitigate other concerns such as those that arose from his Personal Conduct and Sexual Behavior.


I WAS GOING TO PUT THEM BACK

After a female employee accused him of sexual harassment, the applicant decided to take matters into his own hands. His plan was to temporarily hide incriminating emails so that his coworkers would not find the files. The applicant followed through and took advantage of his position to move the implicating emails to a separate location, with the intent of moving them back.

Unfortunately for him, he was unable to restore the files following a software upgrade. The messages were lost and could not be restored. His deeds were discovered, and Guideline M concerns had to be addressed in a hearing.

Surprisingly, the judge ruled in favor of the applicant. The judge determined that the applicant did not intend to delete the files. Government counsel was concerned that he was granted a security clearance even though he had used his authorized access to her computer to get rid of evidence.

HAD I KNOWN YOU WERE LOOKING…

An applicant used his government computer to download pornography, clearly violating policies, rules, and regulations on the use of his computer. Further, when interviewed by the Defense Security Service (DSS), he lied about the incident.
He stated at the hearing that he was very sorry and that he did not mean to break the rules. He also stated that had he known the pornographic files still existed on his computer, he would not have lied about accessing them. He also offered that the incident happened a few years prior and that he had been given increasing responsibilities and positions of trust since then.

Unfortunately, saying sorry is not enough. While a good first step, it does not mitigate the activity. Additionally, whether or not records of the adverse behavior existed, he had no excuse for falsifying his statement to DSS. As a result, his clearance was denied.

Because of the increasing reliance on information systems, a cleared employee must be able to demonstrate that they can be trusted to not abuse privileges, information systems, and responsibilities. Past performance that demonstrates breaking information system policies, procedures, rules and regulations indicate potential risk to information residing on the systems. Employees who use computers as intended and only for authorized and work-related projects should have no problems demonstrating compliance with Guideline M.

Adjudicative Guideline L: Outside Activities

Outside activities, for clearance purposes, are jobs or relationships that involve foreign countries, persons, and businesses. With the internet, social media, and connectivity, there are great opportunities to meet other like-minded business people. The world seems to be getting smaller while opportunities are increasing. Forming businesses with foreign people and companies can create new jobs, products, and services. These opportunities can also elevate partners to senior management levels and bring high-value stock holdings. However, they can come with a cost for those who might seek a government security clearance. Let's look at a few examples:

It’s Complicated

An applicant is the president and CEO of a company incorporated in Singapore. Key management employees and decision makers are foreign citizens, and almost half of his income is from the company. He spends time overseas with foreign citizens and other foreign companies related to his business.

His ability to safeguard classified and sensitive information could be influenced by his business interests, foreign relationships, or financial portfolio. Pressure from his outside activities could cause him to disclose classified or sensitive information to unauthorized persons through coercion or exploitation. Therefore, the decision to deny the applicant a security clearance was made in favor of national security.

Hail Britannia

The applicant is the president of an American subsidiary of a British-based company that does business with the Department of Defense. Prior to the promotion, he was an employee of the same foreign company. He has a substantial financial stake in the company by virtue of his high-value stock. Because of his employment in the foreign organization and his role as a representative of a foreign interest, his clearance was denied. His high position in the company, his share of stock, and his possible relationships with foreign partners could make him vulnerable to coercion or exploitation.

Risk Mitigated

An applicant worked as vice president of business development for a wholly-owned subsidiary of an Israeli company. In his position, he marketed computer hardware and software to U.S. companies. He was hired for the job after meeting the owner at a trade show, but had very infrequent interaction with the owner.

The applicant has not worked for the company in a few years. He also no longer has ties with the company, whether by position, finances, relationships, or shares. His interaction with his former employer and its employees is infrequent, if it occurs at all. The applicant mitigated the concerns raised by Guideline L by completely separating himself from the business. This demonstrated separation greatly reduced the likelihood of any potential security incident, and he was therefore granted a security clearance.

Outside activities where U.S. persons enjoy foreign positions, relationships, and financial benefits can be rewarding, but they do come with a cost. Though these are great opportunities, they can be detrimental to those who hold, or wish to pursue, jobs requiring U.S. government security clearances. Security clearance applicants should demonstrate that they are not bringing additional risk to classified or sensitive information through their outside activities. The concern under Guideline L is that certain types of outside employment or activities are of security concern if they pose a conflict of interest with an individual's security responsibilities and could create an increased risk of unauthorized disclosure of classified or sensitive information.