Friday, September 23, 2016

Appointing the Insider Threat Program Senior Official (ITPSO)


This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP).  As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

Question:

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?

NISPOM Reference: 1-202b, 1-202c, 2-104

 1-202b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. This Insider Threat Program Senior Official may also serve as the FSO. If the designated senior official is not also the FSO, the contractor’s Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor’s implementation program for an insider threat program.

 1-202c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.

 2-104 PCLs Required in Connection with the FCL. The senior management official, the FSO and the Insider Threat Program Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.

Discussion:


The best method for ensuring compliance is to begin the Insider Threat Program with the appointment of an Insider Threat Program Senior Official. This appointment can be executed on corporate letterhead and signed by the authority responsible for approving such actions.

The appointed individual could be the FSO. If not, the ITPSO should include the FSO in the program, as the primary purpose of the ITP is to address the threat to national security. Who better to include than the person responsible for the security program to protect national security information?


 
The qualifications of the ITPSO follow:
  • U.S. citizen
  • Employee
  • Senior official
  • Security Clearance at the same level as the facility clearance to establish and execute an insider threat program
 
If the FSO is not the designated official, the FSO is an integral member of the program.
 

 The appointment letter can be a simple paragraph stating the following as provided by the CDSE in their Sample Insider Threat Program Plan:

____(ITPSO Name)____ is designated as the Insider Threat Program Senior Official (ITPSO) for ____(Company Name)____. As such, the ITPSO will lead the effort to establish policy and assign responsibilities for the Insider Threat Program (ITP). The ITPSO will lead the ITP as they seek to establish a secure operating environment for personnel, facilities, information, equipment, networks, or systems from insider threats.

The ITP applies to all staff offices, regions, and personnel with access to any government or contractor resources to include personnel, facilities, information, equipment, networks, or systems.

The ITPSO is responsible for daily operations, management, and ensuring compliance with the minimum standards derived from Change 2 to DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).”

Cleared contractors under the NISP should take time to review the NISPOM and the questions in The Handbook for further guidance on the ITP. The ultimate goal is to assign an ITPSO who will lead a team of trained ITP personnel to implement an effective insider threat program. The program begins with a plan, and that plan begins with designating the ITPSO and documenting the activity in writing.

EVIDENCE: Name of Senior Official in writing

 
Validation:
Provide a copy of the ITPSO appointment memorandum.

For insider threat awareness training and security awareness training, visit our page @:
http://www.redbikepublishing.com/training/

Monday, September 12, 2016

ISP Certification Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
Try these questions to see how you do:

1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees 
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor 
d. Host installation





Scroll down for answers:








1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees (NISPOM 5-906d)
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship (NISPOM 6-102)
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor (NISPOM 6-105c)
d. Host installation


According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

Friday, September 9, 2016

In Depth Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

This is the second article under the topic of Insider Threat Training. The earlier article addressed the requirement to train, who to train, and when. This article addresses what to train.

NISPOM 3-103b states: All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.

Specific Application:
Question: Does your training align with the requirements outlined in NISPOM 3-103 and CSA guidance?

This is a specific question to determine how well the NISP contractor has developed, documented, and presented insider threat training to complement the Insider Threat Program (ITP) and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Let’s break down NISPOM Chapter 3-103b into its basic requirements. This will allow us to develop specific training plans to address the topics.

Importance of detecting potential insider threats by cleared employees and reporting suspected activity
Report all viable suspicious activity. First, NISP employees should recognize reportable activity and how to report it. The NISP organization should be able to demonstrate a reporting process that emphasizes the importance of recognizing, reporting and reacting to insider threat activity. This process should be well documented, taught to employees and readily available for inspections and reviews. This is something that should be tailored to the enterprise’s internal policies.

Methodology of adversaries to recruit trusted insiders

There are many methods an adversary can use to target and engage authorized and trusted employees. Some ways adversaries have used to get sensitive information include:

  • Elicitation: Subtle form of questioning where conversation is directed to collect information; it is different from direct questioning and harder to recognize
  • Eavesdropping: Listening in on conversations to get information
  • Surveillance: Watching a target unobserved and looking for exploitation opportunities
  • Theft: Stealing classified information
      ◦ There is a technology gap in many weapons systems where the US leads. The best way to close that gap is to steal information from or sabotage US efforts.
      ◦ Acquiring information circumvents the research and development requirement. While R&D is an expensive effort, stealing R&D information is an attractive option.
  • Interception: Acquiring classified information as it is transmitted (oral, electronic, hand delivery) to the authorized receiver
  • Sabotage: Destroying, interrupting or corrupting. It is accomplished through cyber-attacks, insider manipulation, and destructive activities.

Indicators of insider threat behaviors and procedures to report

Cleared employees should understand how to work with, store and protect classified information, regardless of type. As a result of good security awareness training, there is an expectation placed upon these cleared employees that they will treat classified information per NISPOM requirements. Employees disregarding procedures should be noted and reported. Here are some indicators:
  • Keeping classified materials in an unauthorized location
  • Attempting to access sensitive information without authorization
  • Obtaining access to sensitive information inconsistent with present duty requirements
  • Using an unclassified medium to transmit classified materials
  • Discussing classified materials on a non-secure telephone
  • Removing classification markings from documents
  • Repeated or un-required work outside of normal duty hours
  • Sudden reversal of financial situation or a sudden repayment of large debts or loans
  • Attempting to conceal foreign travel
  • Failure to report overseas travel or contact with foreign nationals
  • Seeking to gain higher clearance or expand access outside the job scope
  • Engaging in classified conversations without a need to know
  • Working hours inconsistent with job assignment or insistence on working in private

The above are but a few indicators contrary to good security policy. Anyone displaying this activity should be reported as soon as possible.

Counterintelligence and security reporting requirements, as applicable

The 13 adjudicative guidelines used to evaluate an employee’s trustworthiness should also be used for continuous evaluation. Any employee displaying behavior that is contrary to the guidelines must be reported when that information constitutes adverse information.

Incidents that constitute suspicious contact must be reported, and incidents concerning actual, probable or possible espionage, sabotage, terrorism or subversive activities at any of a NISP contractor’s locations must be reported to the Federal Bureau of Investigation with a copy to the CSA.

Here are some specific examples of what should be reported. We recommend a process in place to first notify the Facility Security Officer (FSO) (unless they are the problem) so that the FSO can notify DSS and, where required, the FBI.

Events or behavior that change:
  • The status of the facility clearance
  • The status of an employee’s personnel security clearance

Events or behavior that indicate:
  • An employee poses a potential Insider Threat
  • Inability to safeguard classified information
  • Classified information has been lost or compromised
Once a NISP contractor has developed insider threat training as described above, it should be included in the self-inspection. The Self-Inspection Handbook has a section entirely devoted to the Insider Threat and required training. Implementing the training and measuring effectiveness can be evidenced in the questions below (also from the handbook).

EVIDENCE:
  • Explain how and when this requirement is fulfilled for new employees
  • Explain and provide annual training
  • Explain how you keep a record of employees’ insider threat training
  • Can you recall any of the following being addressed in briefings?
      ◦ Risk Management
      ◦ Job Specific Security Brief
      ◦ Public Release
      ◦ Safeguarding Responsibilities
      ◦ Adverse Information
      ◦ Cybersecurity
      ◦ Counterintelligence Awareness
      ◦ Insider Threat


How does your company verify that all cleared employees have completed the required insider threat awareness training, per NISPOM 3-103b and documented as in NISPOM 3-103c?

3-103c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is easy enough to demonstrate. Save a copy of the training and the sign-in sheets.

Validation:

1. Provide a copy of insider threat training that is either stand alone or is incorporated into existing training plans.
2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.
3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.
4. Ask cleared employees the following questions and document their responses:
    a. Who is an insider?
    b. What is an insider threat?
    c. How do you report an insider threat?
    d. How might a cleared employee demonstrate adverse behavior?
    e. Who is in charge of the Insider Threat Program?
    f. Name two methods an adversary might use to recruit an “insider”.


For more information, consider visiting our website at www.redbikepublishing.com. You can find industrial security themed books such as NISPOM, ITAR, Security Clearance and Contracts Guidebook; NISPOM based training presentations including insider threat training that you can download and present. For questions, you can email us at FSO@redbikepublishing.com.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, September 8, 2016

Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP).  As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

The current series of articles will be temporarily reset while the author considers the new self-inspection guidelines and requirements, especially as addressed in section (Y) Insider Threat.

A cleared contractor under NISP is required to establish an Insider Threat Program (ITP); this ITP will be reviewed by the cognizant security agency (CSA) (the Defense Security Service is the CSA for the Department of Defense). The ITP is emphasized in the Self-Inspection Handbook and NISPOM:

These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the Insider Threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy. [1-207b, 1-207b(1) NISPOM]

While the NISPOM requires all participants in the NISP to conduct their own self-inspections, to include an insider threat self-assessment, the Self-Inspection Handbook is designed as a job aid to assist with developing a viable self-inspection program. This article focuses on how NISP participants can tailor the NISPOM requirements and Self-Inspection Handbook questions for their own organizations.

For the purpose of this article series, we’ll address the questions per the spirit of the Self-Inspection Handbook; first generally, then later with specific questions as the handbook leads.

General Application:

Question: Does your company implement insider threat training as outlined in NISPOM 3-103 and CSA guidance?

NISPOM 3-103 states:
Insider Threat Program Senior Official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training that the CSA considers appropriate.
a. Contractor insider threat program personnel, including the contractor designated Insider Threat Program Senior Official, must be trained in:
(1) Counterintelligence and security fundamentals, including applicable legal issues.
(2) Procedures for conducting insider threat response actions.
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is a broad question demonstrating the requirement that the company develop, document, and present insider threat training to complement the ITP and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Did you get that? Not only is it required annually, but it must be provided as initial security training as well. A further analysis of the training requirements suggests that the insider threat awareness and annual refresher address the same issues; it’s just repackaged. As such, a NISP contractor’s initial security briefing and annual refresher should be repackaged to demonstrate requirements. Either the insider threat topic is added or it is incorporated into existing training programs.

  • Requirements PRIOR to the recent changes to NISPOM:
      ◦ The FSO provided initial security training and annual refresher training
      ◦ The holder of classified information validated an employee’s access (clearance level) and need to know.

  • Requirements AFTER the NISPOM updates:
      ◦ The FSO demonstrates that cleared employees have completed ITP awareness training before being granted access to classified information, and annually thereafter.

Contractors under NISP should develop and implement initial and annual refresher insider threat training for all cleared employees.

Validation:

1. Provide a copy of insider threat training that is either stand alone or is incorporated into existing training plans.

2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.

3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.

If your company needs insider threat training, consider purchasing, downloading, and presenting our Insider Threat Training presentation. It's designed with notes that you can read word for word or tailor for your enterprise.

Tuesday, July 26, 2016

NISPOM Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
Try these questions to see how you do:


1. Contractors shall limit the number of PCL requests to:
a. One third of the company
b. KMPs and direct reports
c. That which is necessary to operate efficiently
d. Meet future requirements for classified contracts
e. That which is specifically outlined on the DD Form 254

2. The _____ is responsible for providing overall policy direction for the NISP.
a. Nuclear Regulatory Commission
b. Central Intelligence Agency
c. Defense Security Services
d. National Security Council
e. Secretary of Defense

3. Among other requirements, the destruction records for TOP SECRET must contain the _____ and be kept for _____.
a. Date of destruction, two years
b. SSN of destroyer, two years
c. Name of destroyer, one year
d. ID material destroyed, one year
e. Date of Classification, five years

4. Which types of door locking devices are approved for access to closed area doors?
a. Key operated pad lock
b. Handprint reader
c. Deadbolt key lock
d. Swipe card reader
e. All the above


Scroll down for answers:








1. Contractors shall limit the number of PCL requests to:
a. One third of the company
b. KMPs and direct reports
c. That which is necessary to operate efficiently (NISPOM 2-200d)
d. Meet future requirements for classified contracts
e. That which is specifically outlined on the DD Form 254

2. The _____ is responsible for providing overall policy direction for the NISP.
a. Nuclear Regulatory Commission
b. Central Intelligence Agency
c. Defense Security Services
d. National Security Council (NISPOM 1-101a)
e. Secretary of Defense

3. Among other requirements, the destruction records for TOP SECRET must contain the _____ and be kept for _____.
a. Date of destruction, two years (NISPOM 5-707)
b. SSN of destroyer, two years
c. Name of destroyer, one year
d. ID material destroyed, one year
e. Date of Classification, five years

4. Which types of door locking devices are approved for access to closed area doors?
a. Key operated pad lock (NISPOM 5-801e)
b. Handprint reader
c. Deadbolt key lock
d. Swipe card reader
e. All the above