Monday, February 6, 2017

NISPOM and Classified Shipments




This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Prior to sending classified information via commercial carriers, the holder of the classified information should gain approval of the intent to ship and of the method of shipment. Once approval is gained, the shipper should properly prepare the product and coordinate the shipment with the government, the carrier, and the receiver.

Question:

Are classified shipments made only in accordance with the NISPOM or instructions from the contracting authority?

Answer:

NISPOM 5-408 addresses SECRET Transmission by Commercial Carrier. In an earlier article, “Shipping Classified Information with Commercial Carriers”, we discussed coordinating shipping with DSS, the government customer, and carriers. We also covered the GSA website listing approved commercial carriers. This article assumes approval to ship by commercial carrier has been coordinated and begins the process of preparing the classified information for shipment.

Discussion:

Classified material should be prepared for transmission to provide protection against compromise. Consider the requirements for packaging classified information for shipment as discussed in the article, “Preparing Classified Information for Shipment”, for those details.

Preparation:

As with smaller packages that are easily wrapped in envelopes and boxes, larger items such as weapon systems, vehicles, equipment, etc. should be prepared similarly, with hardened containers or equivalent, unless the government authorizes an alternate solution.

The shipper should request and receive all necessary approvals from the government. The government should provide the shipper with the approved carrier and routing instructions from the point of classified material pick-up to the destination. Finally, the shipper should coordinate the shipment with the carrier and the intended receiver.

Where the classified item(s) constitute a full load, compartment, crate, vehicle or other final packaging that segregates items from other items in a shipment, numbered seals are required. The numbers are also written on the bill of lading for tracing and accountability at the receiving end. Any discrepancies with seals, bills of lading, or inventory should be further investigated and reported, consistent with receiving any classified information.

According to NISPOM 5-408, the bill of lading (BL) should be annotated with the following wording: DO NOT BREAK SEALS EXCEPT IN CASE OF EMERGENCY OR UPON PRIOR AUTHORITY OF THE CONSIGNOR OR CONSIGNEE. IF FOUND BROKEN OR IF BROKEN FOR EMERGENCY REASONS, APPLY CARRIER'S SEALS AS SOON AS POSSIBLE AND IMMEDIATELY NOTIFY BOTH THE CONSIGNOR AND THE CONSIGNEE.

Also on the BL: CARRIER TO NOTIFY THE CONSIGNOR AND CONSIGNEE (Telephone Numbers) IMMEDIATELY IF SHIPMENT IS DELAYED BECAUSE OF AN ACCIDENT OR INCIDENT. IF NEITHER CAN BE REACHED, CONTACT (Enter appropriate HOTLINE Number). USE HOTLINE NUMBER TO OBTAIN SAFE HAVEN OR REFUGE INSTRUCTIONS IN THE EVENT OF A CIVIL DISORDER, NATURAL DISASTER, CARRIER STRIKE OR OTHER EMERGENCY.

And,

PROTECTIVE SECURITY SERVICE REQUIRED, on all copies of the BL; maintain a copy in a suspense file to follow up on overdue or delayed shipments.

Consistent with any classified transmission (mail, fax, courier), the contractor (sender) notifies the consignee (the receiver and any U.S. Government transshipper) of the shipment details, the 5 W’s, specifically:
·         nature of the shipment
·         transportation
·         numbers of the seals, if any
·         anticipated time and date of arrival, by separate communication at least 24 hours in advance

As with classified mailing (see the article “Preparing Classified Information For Shipment”), the notification should be provided to the address found in the Industrial Security Facilities Database, identifying the organization, office or entity, not a person.

Reception:

Request that the consignee activity (including a military transshipping activity) notify the consignor of any shipment not received within 48 hours after the estimated time of arrival indicated by the consignor.
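As an added illustration (not from the article or from NISPOM), the following Python models the coordination controls described above: the required BL annotations, seal numbers recorded on the BL, the 24-hour advance notice, the 48-hour overdue follow-up, and seal reconciliation on receipt. The record layout, field names, phone numbers and sample shipments are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of the controls described above. The record layout, field
# names and sample shipments are assumptions for illustration, not a DSS or
# NISPOM format.

ADVANCE_NOTICE = timedelta(hours=24)   # consignee told of ETA at least 24 h ahead
OVERDUE_AFTER = timedelta(hours=48)    # consignee reports non-receipt 48 h after ETA

# Key phrases from the three BL annotations quoted in the article.
REQUIRED_BL_ANNOTATIONS = (
    "DO NOT BREAK SEALS EXCEPT IN CASE OF EMERGENCY",
    "CARRIER TO NOTIFY THE CONSIGNOR AND CONSIGNEE",
    "PROTECTIVE SECURITY SERVICE REQUIRED",
)


@dataclass
class Shipment:
    bl_number: str
    bl_annotations: List[str]        # wording stamped on the bill of lading
    seals_on_bl: List[str]           # seal numbers the consignor wrote on the BL
    eta: datetime
    notified_at: Optional[datetime]  # when the consignee was told of the ETA
    received_at: Optional[datetime] = None
    seals_found: List[str] = field(default_factory=list)  # seals seen on arrival


def check_dispatch(s: Shipment) -> List[str]:
    """Consignor-side checks before the load leaves: BL wording, seals, notice."""
    findings = []
    for phrase in REQUIRED_BL_ANNOTATIONS:
        if not any(phrase in text.upper() for text in s.bl_annotations):
            findings.append(f"{s.bl_number}: BL missing annotation '{phrase}'")
    if not s.seals_on_bl:
        findings.append(f"{s.bl_number}: no seal numbers recorded on BL")
    if s.notified_at is None:
        findings.append(f"{s.bl_number}: consignee not notified of ETA")
    elif s.eta - s.notified_at < ADVANCE_NOTICE:
        findings.append(f"{s.bl_number}: ETA notice given less than 24 h in advance")
    return findings


def check_receipt(s: Shipment, now: datetime) -> List[str]:
    """Consignee-side checks: overdue follow-up, then seal reconciliation."""
    findings = []
    if s.received_at is None:
        if now - s.eta >= OVERDUE_AFTER:
            findings.append(f"{s.bl_number}: not received 48 h after ETA, notify consignor")
        return findings
    expected, found = set(s.seals_on_bl), set(s.seals_found)
    for seal in sorted(expected - found):
        findings.append(f"{s.bl_number}: seal {seal} on BL not present on arrival, investigate and report")
    for seal in sorted(found - expected):
        findings.append(f"{s.bl_number}: seal {seal} not on BL (carrier re-seal?), confirm with consignor")
    return findings


# Constructed sample records (not real shipments); phone numbers are placeholders.
ETA = datetime(2017, 2, 8, 9, 0)
AT_48H = ETA + timedelta(hours=48)       # the consignee's 48-hour check point
FULL_BL = [
    "DO NOT BREAK SEALS EXCEPT IN CASE OF EMERGENCY OR UPON PRIOR AUTHORITY OF THE CONSIGNOR OR CONSIGNEE",
    "CARRIER TO NOTIFY THE CONSIGNOR AND CONSIGNEE (555-0100 / 555-0199) IMMEDIATELY IF SHIPMENT IS DELAYED",
    "PROTECTIVE SECURITY SERVICE REQUIRED",
]
GOOD = Shipment("BL-0001", FULL_BL, ["S-1001", "S-1002"], ETA,
                notified_at=ETA - timedelta(hours=42),
                received_at=ETA + timedelta(hours=1, minutes=30),
                seals_found=["S-1001", "S-1002"])
SHORT_NOTICE = Shipment("BL-0002", FULL_BL[:2], ["S-2001"], ETA,   # PSS line missing
                        notified_at=ETA - timedelta(hours=3),       # only 3 h notice
                        received_at=ETA + timedelta(hours=2),
                        seals_found=["S-2001", "C-77"])             # extra seal applied en route
OVERDUE = Shipment("BL-0003", FULL_BL, ["S-3001"], ETA,
                   notified_at=ETA - timedelta(hours=48))           # never received


if __name__ == "__main__":
    for s in (GOOD, SHORT_NOTICE, OVERDUE):
        for line in check_dispatch(s) + check_receipt(s, AT_48H):
            print(line)
```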

Validation:

1. Keep copies of the following government documents:
  • Approval to ship
  • Routing instructions
  • Approved carriers

2. Keep signed shipping receipts and bills of lading



ISP Certification and NISPOM Questions

Get your copy @ www.redbikepublishing.com



If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice. Here's a way to get 440 practice questions.

First, to meet minimum test requirements an applicant should have five years' experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study the NISPOM and use sample questions to practice, practice, and practice. Using practice tests to augment your ISP exam preparation can help. According to reader comments and emails to the author, many who have bought our book, NISPOM flashcards, and ISP Test Tips to augment their preparation have performed very well on the exam.

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:


1. Required training under the Initial Security Briefing will include which of the following:
a. Threat awareness
b. Reporting obligations
c. Cleared Facility Orientation
d. A and b 
e. All the above


2. All contractor requests for interpretations of the NISPOM shall be forwarded through the _____ to the _____.
a. FBI, CSA
b. DSS, CSA
c. DSS, FBI
d. CSA, DSS
e. CSO, CSA (NISPOM 1-106)


3. FSO qualifications include being a _____ and _____.
a. U.S. Citizen, cleared as part of FCL
b. U.S. Citizen, exempt from clearance
c. U.S. Citizen, certified as ISP
d. U.S. Citizen, attended college
e. U.S. Citizen, cleared to SCI










Scroll Down For Answers








1. Required training under the Initial Security Briefing will include which of the following:
a. Threat awareness
b. Reporting obligations
c. Cleared Facility Orientation
d. A and b (NISPOM 3-106)
e. All the above


2. All contractor requests for interpretations of the NISPOM shall be forwarded through the _____ to the _____.
a. FBI, CSA
b. DSS, CSA
c. DSS, FBI
d. CSA, DSS
e. CSO, CSA (NISPOM 1-106)


3. FSO qualifications include being a _____ and _____.
a. U.S. Citizen, cleared as part of FCL (NISPOM 1-201)
b. U.S. Citizen, exempt from clearance
c. U.S. Citizen, certified as ISP
d. U.S. Citizen, attended college
e. U.S. Citizen, cleared to SCI




So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Friday, January 20, 2017

Insider Threat Program Results


The first part of the template outlines the purpose and policies and demonstrates that the contractor understands the ITP requirements. The organization identifies itself by name and lists the responsibilities of the ITP and the positions within that organization. The remainder of the plan should spell out the ITP logistics:

A. Written designation of ITPSO.

B. The ITPSO responsibilities as addressed in NISPOM Change 2. Responsibilities include:
·         Self-certify the Insider Threat Program Plan in writing to DSS (Suspense has passed).
·         Provide copies of the Insider Threat Plan upon request and will make the plan available to the DSS.
·         Establish an Insider Threat Program based on the organization’s size and operations.
·         Provide Insider Threat training for Insider Threat Program personnel and awareness for cleared employees.
·         Demonstrate user activity monitoring on classified information systems in order to detect activity indicative of insider threat behavior.
·         Produce procedures to access, gather, integrate, and provide for reporting of relevant and credible adverse information across the contractor.
·         Demonstrate system or process to identify patterns of negligence or carelessness in handling classified information.
·         Conduct and document self-inspections of the Insider Threat Program.
·         Oversee the collection, analysis, and reporting of information across the company to support the identification and assessment of insider threats.
·         Provide proof of implementing and documenting all ITP assessments and reports to the Senior Management.

C. Insider Threat Training.
·         Provide documentation of ITPSO training completed by November 30, 2016 and, for a recently appointed ITPSO, within 30 days of being assigned responsibilities.
·         ITP Personnel Training.
o   Provide to all contractor personnel assigned ITP duties within 30 days of being assigned duties, with refresher training each year as long as they continue to serve.
o   Provide insider threat awareness training to all cleared employees before being granted access to classified information, prior to May 31, 2017, and each year as long as they maintain their clearance.
o   Incorporate Insider Threat Awareness into annual refresher training.

D. Insider Threat Training Records Management.
·      Maintain training attendance records, certificates, or other documentation that verify completed initial and refresher training for review during DSS security vulnerability assessments.

E.  Insider Threat Reporting Requirements. Develop reporting requirements that capture:
·         Adverse information regarding cleared employees.
·         Suspicious contacts
·         Actual, probable or possible espionage, sabotage, terrorism, or subversive activities at any of its locations
·         Information determined to be any possible or potential successful penetration of a classified information system


You may notice that the above summarization follows the DSS Template, the requirements in NISPOM Change 2, the pattern in the Self-Inspection Handbook for NISP Contractors, and other resources. Though not required in a particular format, the information DSS is looking for remains consistent. Using the above format may suffice with proper documentation of compliance. Refer to the strategically placed hyperlinks for NISPOM, publications, and downloadable training that can help meet NISPOM and DSS requirements.

Sunday, January 15, 2017

NISPOM Questions

Get your copy @ www.redbikepublishing.com




Try these questions to see how you do:

1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

d. KMPs and all security personnel

e. All the above









Scroll Down For Answers









1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

d. KMPs and all security personnel

e. All the above





Preventing OPM-Like Sensitive Information Spillages

In September 2016, the Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress finally released what we’ve all been waiting for, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Wow, about time.

In a recent CSO Online article, The OPM breach report: A long Time Coming, Taylor Armerding summarizes the congressional report and the national frustration with the entire fiasco. In fact, both the report and article titles pretty much sum up how America feels about the Chinese exfiltration of personal data.

If you want to know the details of the event, please read the article and report, as both are fascinating. They explain very well how this incident will impact security-cleared US citizens for generations, literally.

Readers in our career field (those of you reading this article) who are Facility Security Officers for cleared defense contractors, government employees, or other security practitioners under the National Industrial Security Program (NISP) may experience further frustrations beyond those shared in the referenced report and article.

Frustrations expressed from other sources:


“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.” (James Comey, Director of the FBI)

“(The SF-86) gives you any kind of information that might be a threat to (the employee’s) security clearance.” (Jeff Neal, Former DHS official)

Frustrations not nationally expressed:

The additional frustration is grounded in the fact that the Office of Personnel Management conducts security investigations, collects very personal information from interviews and reports, contracts investigators who communicate the information, and stores the information. The data collected on each person, and the compilation of that information, warrants a robust security policy to protect personally identifiable information.

Keep in mind, OPM is one of the agencies that require industry to undertake intense security training in protecting PII, practicing cybersecurity, reporting security violations, detecting and denying insider threats, and so on. While cleared defense contractors were complying with training requirements, undergoing security reviews, demonstrating security programs to protect classified information on information systems, and complying with DFARS requirements concerning computer networks, OPM was negligent in practicing what it preached.

The report lists OPM's failures to protect the network and sensitive information, and its slow reaction to both the attack and the reporting requirements. Additionally, while contractors are required to investigate security violations, determine cause, and as necessary take disciplinary action, no one has been fired as a result.

Imagine what would happen if a defense contractor's network was hacked and the following information was exfiltrated:

Employee information including:
·         Current and past addresses
·         Security violations
·         Mental health counseling
·         Alcohol and drug dependency
·         Marital problems
·         Credit history

Get the picture? The employees would sue and the oversight agencies would review and report circumstances. Chances are that the responsible parties would be terminated.

According to the report, the cyberattack issue was detectable, preventable, and actionable, but OPM failed on all three.

Lesson for FSOs and security practitioners
Become cyber-aware…become involved in cybersecurity. It’s not necessary to become an expert, just to understand. Many FSOs are great at the physical security requirements for PII, classified information, export-controlled and other tangible items requiring clearance and / or need-to-know enforcement. It’s not too much of a leap to relate physical security requirements to the protection of information on networks or stand-alone computers.

Our profession has to become more involved in cybersecurity beyond advising “don’t open attachments”, “only conduct company business on the computer”, and the standard slogan-heavy, bumper-sticker language. FSOs should become informed about how to respond to different threat categories and access points, and provide cutting-edge security awareness and security refresher training.

Applying the knowledgeable security focus:
Read, learn, and discuss with IT and network professionals the importance of programs to deny, deter, detect, observe, and report cyberattacks. Here are some physical security fundamentals that can be applied for immediate cybersecurity action.
Though the reader may not be an expert, they can form a team from IT and all business units to accomplish the task. This is the same exercise physical security and loss prevention practitioners use, or at least should:

Determine what needs to be protected

Identify sensitive information on the enterprise network. Every business unit has a piece in the puzzle; program managers, accounting, personnel, contracts, etc.  Involve all aspects of the enterprise in the exercise.

Determine where the information exists

Is the information on an internal or external network? Which one(s)? On a standalone computer? Document all locations.

Determine who needs access to the information

Limit access to the networks, folders or locations based on who is authorized to use it.
Do program managers need financial information related to other contracts? Does the CFO need intimate software development details? If yes, ensure they have access; if not, deny access.

Determine threats to the information

The obvious threats are trusted employees and external hackers. These categories are the bare minimum necessary for cataloging the threat. Ask: how can the internal threat access information? How can the external hacker access the information?

So far so good, right? Well, it becomes more technical from here, and this is where you might need an advisor, consultant or other help.

Determine how to deny, detect, report, and monitor systems for cyberattacks.
This requires skill to buy the right technology or hire the right employees.

Document all actions and provide report to senior management.
Programs do not live long without senior management buy-in. Since we recommend forming a team, use the team concept to develop and maintain momentum. Provide recommendations to the key management personnel, get approval, and have them champion the program to senior management. Change management may be in order.
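Added example (not from the article): a Python reconciliation of the four "determine" steps above, with constructed business units, data classes, storage locations and access grants. It shows how the need-to-know questions in the third step ("does the CFO need software development details?") turn into a concrete list of grants to revoke, grants to add, and locations nobody inventoried; the co-location case (payroll on the same share as contract financials) is included because it is the usual way a grant exposes more than intended.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed walk-through of the four "determine" steps above. Business
# units, data classes, storage locations and grants are made up for the
# example; the point is the reconciliation, not the sample data.

# Steps 1 and 2: what needs protecting and where it actually sits.
INVENTORY: Dict[str, Set[str]] = {
    "fileshare://finance": {"contract-financials", "payroll"},
    "fileshare://programs": {"contract-financials", "design-data"},
    "laptop://eng-standalone": {"design-data", "export-controlled"},
    "saas://hr-portal": {"pii"},
}

# Step 3: who needs each data class (need-to-know by business unit or role).
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "contract-financials": {"cfo", "contracts"},
    "payroll": {"cfo", "hr"},
    "design-data": {"engineering", "program-mgmt"},
    "export-controlled": {"engineering", "export-compliance"},
    "pii": {"hr", "fso"},
}

# What is currently granted: role -> locations it can open.
GRANTS: Dict[str, Set[str]] = {
    "cfo": {"fileshare://finance", "laptop://eng-standalone"},
    "contracts": {"fileshare://finance"},
    "program-mgmt": {"fileshare://programs"},
    "engineering": {"fileshare://programs", "laptop://eng-standalone",
                    "share://legacy-backup"},   # nobody inventoried this one
    "hr": {"saas://hr-portal", "fileshare://finance"},
    "fso": set(),
}

Finding = Tuple[str, str, str]


def review_access(inventory, need, grants) -> Tuple[List[Finding], List[Tuple[str, str]]]:
    """Reconcile grants against need-to-know.

    excess:  (role, location, data_class) where a grant exposes data the role
             does not need; this catches co-location, e.g. payroll sitting on
             the same share as contract financials.
    missing: (role, data_class) where a role needs data it cannot reach.
    """
    excess: List[Finding] = []
    reachable: Dict[str, Set[str]] = defaultdict(set)
    for role, locs in grants.items():
        for loc in sorted(locs):
            for dc in sorted(inventory.get(loc, set())):
                reachable[role].add(dc)
                if role not in need.get(dc, set()):
                    excess.append((role, loc, dc))
    missing = [(role, dc) for dc, roles in need.items()
               for role in sorted(roles) if dc not in reachable[role]]
    return excess, missing


def undocumented_locations(inventory, grants) -> List[Tuple[str, str]]:
    """Step 2 gap: grants pointing at a location that is not in the inventory."""
    return sorted((role, loc) for role, locs in grants.items()
                  for loc in locs if loc not in inventory)


if __name__ == "__main__":
    excess, missing = review_access(INVENTORY, NEED_TO_KNOW, GRANTS)
    print("Revoke (no need-to-know):")
    for role, loc, dc in excess:
        print(f"  {role:18} {loc:26} {dc}")
    print("Grant (needed but unreachable):")
    for role, dc in missing:
        print(f"  {role:18} {dc}")
    print("Locations missing from the inventory:")
    for role, loc in undocumented_locations(INVENTORY, GRANTS):
        print(f"  {role:18} {loc}")
```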

Hopefully, this article provides thought-provoking and imagination-stoking ideas to help develop a security system that includes cyber considerations. The referenced report demonstrates and quantifies an active adversary with a demonstrated history of attacking high-level government agencies, as well as the poor actions of those responsible for preventing access to sensitive information. None are immune, but all are responsible. Our profession exists in the defense industry. Our national security depends on doing everything we can to be aware of, train for, and respond appropriately to all threats.


Saturday, December 24, 2016

Shipping Classified Information with Commercial Carriers

www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

When shipping classified information, the sender is responsible for requesting approval to use commercial carriers. The DSS or other Cognizant Security Agency (CSA) approves the use of commercial carriers. For overnight shipping, the Government Services Administration (GSA) provides a list of approved . 

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408. SECRET Transmission by Commercial Carrier. SECRET material may be shipped by a cleared commercial carrier that has been approved by the CSA to transport SECRET shipments.

Cleared Commercial Carriers

Department of Defense contractors may use government-approved commercial carriers to transport SECRET and below. When SECRET is to be delivered, the carrier must be approved and cleared to the SECRET level. CONFIDENTIAL can be transmitted by an approved uncleared carrier. The deliveries are not authorized for international travel and can only be made within the continental US, or within Alaska, Hawaii and each territory, with the Government Contracting Agency providing routing information.

When requesting commercial carrier support, the contractor should notify the CSA of the proposed classified material to be shipped, the point of origin and the destination. The CSA will review the information and make an approval decision. If approved, the sender should notify the consignee and the shipping activity of the shipment and provide details of the type of shipment, information about shipping seals, and the projected time of arrival. Further coordination should be made with the intended recipient to expect the delivery of classified material, along with a projected timeline and what they should expect to receive. If the shipment does not arrive within 48 hours, the receiver should notify the sender.

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408b. The contractor shall utilize a qualified carrier selected by the U.S. Government that will provide a single-line service from point of origin to destination, when such service is available, or by such transshipping procedures as may be specified by the U.S. Government.

GSA Approved Overnight Delivery Service

SECRET and CONFIDENTIAL material may be sent using GSA approved companies. These services should not be used without DSS approval. When using an overnight delivery service, the FSO of the sending organization should alert the receiving organization that classified information will be arriving via overnight service. Though overnight carriers are approved through the GSA, the carrier companies do not need to hold a facility security clearance. The carriers are only required to meet requirements of tracking shipments.



Every precaution should be made to ensure that the overnight delivery will not arrive during a holiday or scheduled day off. The best method is to not deliver the day prior to a weekend or federal holiday unless the receiver is operating a mail room with cleared persons and the proper storage capability.

VALIDATION:

1. Produce request to CSA for commercial carrier use and the CSA response.
2. Produce receipts for classified shipments involving commercial carriers and / or GSA approved overnight shippers.
3. Provide policy and procedures for use of commercial carriers and / or GSA approved overnight shippers.
4. Provide documentation of signed receipts of classified information sent via commercial carrier and / or GSA approved overnight shippers.




               



Security Awareness, FSO and NISPOM Training



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, December 22, 2016

Determining Receiving Facility Security Clearance Level

Get your printed NISPOM at www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Those who possess classified information should determine security clearance and need to know before disclosing it. This is a requirement for both cleared persons and cleared facilities. Where classified information is shipped from one CAGE code or facility to another, the shipper is responsible for ensuring that the carrier and the receiving entity are cleared appropriately and that the receiver has the need to know to possess the classified information.

Question:
NISPOM 2-100
Is the facility clearance and safeguarding capability of the receiving facility determined prior to transmission of classified information?
2-100. … Contractors are eligible for custody (possession) of classified material if they have an FCL and storage capability approved by the CSA.
…b. FCLs will be registered centrally by the U.S. Government.

The cleared contractor possessing classified information is responsible for validating the appropriate personnel clearance level (PCL) and need to know before releasing classified information to a person. The same rationale applies to shipping classified information from one cleared defense contractor (CDC) to another. The shipper should determine the proper clearance and need to know of the intended receiver; in other words, validate the facility clearance (FCL) level prior to shipping classified information.

This is performed through the Industrial Security Facilities Database (ISFD). According to the ISFD website, the ISFD provides users with a nationwide perspective on National Industrial Security Program related facilities, as well as facilities under DSS oversight in the DoD conventional AA&E program.

FSOs should have access to ISFD and other Defense Security Service databases in order to provide their employer with adequate security services. See http://www.dss.mil/diss/isfd.html for more information.

Once registered, an FSO or designated employee can access FCL information including clearance level, classified mailing addresses, and points of contact. Prior to sending classified information, the sender can log in to ISFD, access the address, POC, and contact information, and coordinate the delivery and any inspection and receipting actions.

VALIDATION:
1. Demonstrate ability to log on to ISFD
2. Demonstrate proficiency with determining a CDC’s FCL
3. Demonstrate proficiency with finding a CDC’s address and POC information.


