Monday, May 29, 2017

Security Controls

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Prior to sending classified information via commercial carriers, the holder of the classified information should gain approval of the intent to ship and the method of shipment.  Once the approval is gained, the shipper should properly prepare the product and coordinate the shipment with the government, shipper, and receiver.

Question:
Do your cleared employees understand their safeguarding responsibilities?

Answer:

NISPOM 5-100. General.

Contractors shall be responsible for safeguarding classified information in their custody or under their control. This includes classified material controls that govern procedures or capabilities that deny, deter, and detect any unauthorized attempt to gain access to classified information.

NISPOM Chapter 5 is a large section that attempts to provide information to protect classified information by format (written document, electronic document, hardware item, information system, etc.) and location (open storage, computer, in transit, at work, etc.). Chapter 5 addresses protection of classified information during reception, storage, transmission, destruction, physical security, and more. This protection involves marking, physical security specifications, oral communication, access, hand carrying, need to know, and other measures to prevent unauthorized access.

While other NISP Handbook sections address format and location of classified information, Section Q focuses on controls that are in place to trace and account for classified information at the cleared facility. This safeguarding question addresses a theme that runs as an undercurrent through all of Chapter 5: the administrative and technical controls in place to document and detect the status of classified information. Though some of these controls were covered in other NISP Handbook questions, they are revisited here to demonstrate a specific security function.

The question again is general and will be further unpacked in specific applications as we work our way through Section Q. The point of this article is to explain the controls at a high level and dig deeper in subsequent articles. Cleared employees should understand how to answer the question in the context of the information management system and perimeter controls available to ensure classified information is received, only authorized persons gain access, and any unauthorized attempts to gain access are detected.

Validation:
Policy and procedure in place that describe information management and perimeter controls
Employee acknowledgement of security training and understanding of classified material controls
Provide written authorization for hand carrier to transport classified information
Develop tracking system to ensure receipts are returned in a timely manner
Provide proof of hand carrier or escort briefing
Review and compare signatures of couriers who have attended training and briefings


Saturday, May 6, 2017

Hand Carrying Classified Information and Multi-mode Travel



Traveling with classified information.

The other day as I traveled home from work I thought about my coffee pot. Did I turn it off? Am I sure it’s off? How do I know it’s off? The only way I was able to hold anxiety back was to recall my end of day process and determine with conviction that I had indeed turned it off.

Imagine how the anxiety increases if you can’t recall whether or not you secured the security container, removed classified information from the printer, or set alarms. Well, the dedicated security professional understands the need for process, procedure, and end of day checklists. Without these controls, many would have a hard time sleeping.

You may be able to recall news reports, security awareness training, briefings, or other notifications where someone has had unattended sensitive information stolen from their rooms, vehicles, or other location while in transit. These incidents are preventable with application of process and procedure.

This prior planning (processes and procedures) not only helps ensure classified information is protected during transport, but it gives assurance that once planned and rehearsed, it should work well during execution. Even with the many variables that could be faced during travel (weather, delays, re-routing, cancellations, etc.) the process can be tailored and applied with assurance of mission accomplishment.

This planning and rehearsal should be conducted with the mode of transportation in mind. The remainder of this article is from the book “DoD Security Clearance and Contracts Guidebook” and discusses how to protect classified information during travel.

Modes of Travel
Hundreds of thousands of tons of cargo travel our roads, rails, and airspace daily. America depends on transportation to get products to customers safely and on time. When products are lost or damaged, carrier insurance will reimburse either the shipper or receiver. However, there is no insurance for damage to national security. Classified items lost, stolen or exposed during shipment pose a threat. No matter how dependable a carrier’s track record, the government approver, sender, and hand carrier should do everything possible to transport classified information while mitigating any risk of loss or compromise.

The volume of material transported on any given day is staggering. Transportation by any means is reliable but not risk free. Vehicle accidents, traffic jams, breakdowns, or any number of problems with land, air, rail, and sea transportation can threaten the security of the classified product. Natural disasters and mechanical failure can cause delays in the reliable movement of items. Air travel also has inherent risks: late gate departures and arrivals, crowded terminals, and maintenance problems significantly threaten the ability of an escort to keep a close eye on the cargo hold. Those escorting classified material via trains, over the road vehicles, and air carriers should be aware of inconsistencies or events during the shipment that could negatively impact the security of the item. When any event causes an unscheduled delay, the escort should immediately notify the shipper.

Rail
When shipping classified information by train, the escort should ride in the same car, keep the package under constant surveillance, and remain vigilant during stops and layovers. Experienced travelers understand the frustrations involved when others have retrieved the wrong baggage. Escorts should ensure they maintain their receipts and watch their package to prevent such mistakes from occurring as well as other attempts to pilfer or steal. Shipping classified material in a separate car poses a more difficult challenge. Coordination with railroad employees will significantly reduce the challenges while helping to strengthen security. When freight cars and passenger cars are separated, the FSO should arrange with the railroad for the freight car to be positioned immediately in front of the escort’s car. The biggest threat occurs during stops. When time permits, escorts should leave the train at all stops and perform a physical inspection of the protective measures (seals, locks, etc.) applied to the classified items on the shipment cars.

Highway
Overnight escorts should remain alert for security violations, theft, piracy, pilferage, hijacking, damage, or other incidents that could jeopardize the shipment and compromise the classified information. Rest and overnight stops, regulated driving hours, and refueling pose additional risks to the voyage. At every stop the escort should keep the vehicle in view and remain alert to threatening actions. Highly sensitive items, urgency, and threat may require a carrier to provide enough escorts to work around-the-clock shifts.

Air
Airlines also offer unique challenges to transporting classified material. Air carriers are experienced in flying various types of cargo to worldwide locations. Federal marshals fly prisoners, zoo keepers ship exotic animals, and doctors transport donor organs. Those transporting classified materials are also limited to the type of cargo the Federal Aviation Administration and the National Transportation Safety Board authorizes. Prior arrangements with the air carrier help them understand the unique requirements for shipping classified material and will better meet the requests of the consignor.
Passenger travel is a choreographed event. Passengers board when invited, remain in their seats during takeoff and landing and deplane when instructed. When transporting classified material, the escort should request boarding and deplaning services outside of normal operations.

When layovers are expected, the escort should be the first off the plane and wait in an area where they can observe activities on and around the cargo access door. If the cargo is transshipped using another airplane, the escort should observe the process. When the plane is ready to continue the journey the escort is again the last to board. Upon reaching the final destination, the escort becomes the first to deplane.

Cleared employees traveling by commercial aircraft should conduct extensive pre-planning. In addition to identification, a courier briefing, and notification to maintain accountability of the classified material at all times, the trip should be coordinated with the Transportation Security Administration (TSA). For example, while traveling by automobile, the courier may only need to drive to the final destination without having to speak to anyone. The route is often direct to the destination with no interruptions. However, more vigilance is needed when traveling to and through an airport terminal.
Prior to a cleared employee traveling with classified information on commercial airlines, the FSO should coordinate with the TSA. TSA can help the courier or escort transition security with the least amount of interruption or intrusion for both the courier and TSA agents. TSA agents might examine the classified package with x-ray equipment.

Depending on the size of the airport, urgency and threat level, the arrangements and coordination made with TSA can help make negotiating through to the secure area easier. A good working relationship between the FSO and TSA helps both parties understand the importance of the courier remaining with the classified package at all times. When it is necessary to send the classified material through the x-ray machine, the courier must remain vigilant and know where the item is at all times.

A risk-based approach should be undertaken prior to sending classified information outside of secure facilities. Every effort should be made to plan the trip to protect classified information by format and location along the route. Plan for delays and interruptions in schedules, as many travel issues are out of the traveler's control. Training, planning, process, procedures, and rehearsal can provide safe travels and keep anxiety levels down.


Red Bike Publishing provides downloadable training and briefings that are helpful in managing security programs that protect classified information. You can find training and briefings that meet your need at our website.

This article is based on the book DoD Security Clearance and Contracts Handbook available at www.redbikepublishing.com


             

Hand Carrying Classified Information-Planning and Execution

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Prior to sending cleared employees to courier or escort classified material, the holder of the classified information should gain authorization. Classified information should not leave the facilities without the authorization to do so, a complete inventory of the items to be removed, and the intent to protect it from unauthorized disclosure, loss, or theft.

NISPOM 5-410. Use of Couriers, Hand Carriers, and Escorts. Contractors who designate cleared employees as couriers, hand carriers, and escorts shall ensure:

c. The employee retains classified material in his or her personal possession at all times. Arrangements shall be made in advance of departure for overnight storage at a U.S. Government installation or at a cleared contractor's facility that has appropriate storage capability, if needed.

d. If the classified material is being hand carried to a classified meeting or on a visit, an inventory of the material shall be made prior to departure. A copy of the inventory shall be carried by the employee. On the employee's return to the facility, an inventory shall be made of the material for which the employee was charged.

Question:
5-410
Is hand carrying of classified material outside the facility properly authorized, inventoried, and safeguarded during transmission?


Answer:

To help ensure that classified information is protected during shipment, the courier should understand their role and responsibility to protect classified information. The security manager, FSO, holder of classified information, Defense Security Service, and Government Contracting Activity should understand the mission, where the classified information exists, where it will go, the method of transportation, the route, how it will be protected during transport, and how it will be secured once delivered. In this case, the classified information should be properly inventoried, wrapped, and hand carried by a fully briefed cleared employee. All parties should be involved in all phases of transporting classified information, to include pre-trip, during transport, and after trip preparations.

Pre-Trip
Travel planning should include mode of travel, route to take, a travel plan to get there, and all necessary credentials for the cleared employee carrier. The involved parties might form a temporary planning team to discuss travel scenarios to prepare for and execute safe transport and protection of classified material. Prior to departure the planning team should also ensure that the classified package to be carried is inventoried, documented, and receipted, that written authorization is available, and that picture identification and credentials are on hand. A good practice is to issue a memorandum or other written authorization that identifies the cleared employee as the approved carrier.

The credentials should be issued only after the cleared employee has acknowledged their understanding of their role and requirements along the way. Practice runs, hands-on training, or using experienced employees are preferred ways to prepare. Look for threat points and methods of tailoring the travel to protect items by their format, mode of travel, and location along the route. Such confidence, experience, and education help prevent security violations.

During Transport
The courier should adhere to the planned route and not make unnecessary deviations without coordination and approval. Where overnight or long term stops are required, they should be part of a plan with approved locations to store the classified information. The classified information must remain with the courier and should not be opened by unauthorized persons or its contents discussed openly. The classified package should never be left unattended, and the courier should not allow themselves to be distracted from protecting the classified material.

If the trip involves an overnight stay, a stop should be scheduled during preparation and arrangements made for approved storage. Plans should also include what to do in case of emergencies, unintended layovers, vehicle breakdowns, or other unplanned events. This approved storage should be coordinated with the GCA or DSS. The courier should not store classified information in lockers, private homes, automobile trunks, hotel safes or other unauthorized areas.

After Trip
A government customer may require a defense contractor to attend a classified visit or meeting at another defense contractor’s cleared facility. The cleared facilities where the meeting occurs may authorize the courier to report directly to the meeting without additional processing. However, the courier should be prepared to introduce the classified information according to the cleared facility’s policies or per instruction from the government sponsor. Prior arrangements and coordination will prevent any delays or surprises.

The courier should expect the receiver to inventory the classified information, sign required receipts, and assume responsibility for the classified information. Once that is established, the courier’s job is complete and they are relieved of possession of and responsibility for protecting the classified information.

Once the courier returns, they should provide signed receipts and close out the travel action. This closeout might include a report of the trip to include any follow up for suspicious contact, incidents, or threats to the classified information.

Validation:
Document planning process with planning team
Provide written authorization for hand carrier to transport classified information
Develop tracking system to ensure receipts are returned in a timely manner
Provide proof of hand carrier or escort briefing
Review and compare signatures of couriers who have attended training and briefings

This article is based on the book DoD Security Clearance and Contracts Handbook available at www.redbikepublishing.com


             

Monday, February 27, 2017

Hand Carrying Classified Information

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.





Question:
Are couriers, hand carriers, and escorts properly briefed?

Answer:
NISPOM 5-410. Use of Couriers, Hand Carriers, and Escorts. Contractors who designate cleared employees as couriers, hand carriers, and escorts shall ensure:

a. They are briefed on their responsibility to safeguard classified information.

b. They possess an identification card or badge which contains the contractor's name and the name and a photograph of the employee.


Classified information should not be hand carried unless approved by the government. When authorized to do so, cleared defense contractors should designate or appoint a cleared employee and enable them to hand carry the material. However, before transporting the classified information, there are some requirements the courier must meet prior to the event.

Hand carrying classified information may be convenient, but should be well thought out and planned prior to execution and known risks should be considered. Some questions the FSO should ask and answer are:

When does information have to be accessed by the receiver? (Overnight, in a week, the day after tomorrow?)

What mode of transportation will be used? (Private vehicle, commercial bus, plane, train, or other?)

Who will hand carry the information?

How long will the transportation take?

The mode of transportation, length of travel, skill level of cleared employee, and other factors should be included in the risk equation.

Prior to using cleared employees, the FSO should also:

Ensure the cleared employee has the security clearance and need to know and is briefed on how to protect the classified material while it is in their custody.

The briefing can leverage information found in the initial security briefing and annual security refresher briefing. These briefings address fundamental security subjects such as classification levels and reporting requirements and would need to be enhanced with information from the risk assessment. Additional information should include how to wrap and prepare the classified information for transport, numbers to call in case of emergency, where to store classified information if overnight stay is required, how to pass through security at airports, and who to deliver that classified information to.

In short, the courier should understand that classified information is in their control at all times and not relinquished until receipts are exchanged at the destination.

Validation:
Review list of designated or appointed couriers
Review training of all designated couriers
Review courier briefing topics

Review and compare signatures of couriers who have attended training and briefings


                                                           

Monday, February 6, 2017

NISPOM and Classified Shipments




This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Prior to sending classified information via commercial carriers, the holder of the classified information should gain approval of the intent to ship and the method of shipment.  Once the approval is gained, the shipper should properly prepare the product and coordinate the shipment with the government, shipper, and receiver.

Question:

Are classified shipments made only in accordance with the NISPOM or instructions from the contracting authority?

Answer:

NISPOM 5-408 addresses SECRET Transmission by Commercial Carrier. In an earlier article, “Shipping Classified Information with Commercial Carriers”, we discussed coordinating shipping with the DSS, government customer, and carriers. We also covered the GSA website listing approved commercial carriers. This article assumes approval to ship by commercial carrier has been coordinated and begins the process of preparing the classified information for shipment.

Discussion:

Classified material should be prepared for transmission to provide protection against compromise. Consider the requirements for packaging classified information for shipment as discussed in the article, “Preparing Classified Information for Shipment”, for those details.

Preparation:

As with smaller packages that are easily wrapped in envelopes and boxes, larger items such as weapon systems, vehicles, equipment, etc. should be prepared similarly with hardened containers or equivalent unless the government authorizes an alternate solution.

The shipper should request and receive all necessary approvals from the government. The government should provide the shipper with the approved carrier and routing instructions from the point of classified material pick up to the destination. Finally, the shipper should coordinate the shipment with the carrier and the intended receiver.

Where the classified item(s) constitute a full load, compartment, crate, vehicle, or other final packaging that segregates items from other items in a shipment, numbered seals are required. The numbers are also written on the bill of lading for tracing and accountability at the receiving end. Any discrepancies with seals, bills of lading, or inventory should be further investigated and reported consistent with receiving any classified information.

According to NISPOM 5-408 the BL should be annotated with the following wording: DO NOT BREAK SEALS EXCEPT IN CASE OF EMERGENCY OR UPON PRIOR AUTHORITY OF THE CONSIGNOR OR CONSIGNEE. IF FOUND BROKEN OR IF BROKEN FOR EMERGENCY REASONS, APPLY CARRIER'S SEALS AS SOON AS POSSIBLE AND IMMEDIATELY NOTIFY BOTH THE CONSIGNOR AND THE CONSIGNEE.

Also on the BL: CARRIER TO NOTIFY THE CONSIGNOR AND CONSIGNEE (Telephone Numbers) IMMEDIATELY IF SHIPMENT IS DELAYED BECAUSE OF AN ACCIDENT OR INCIDENT. IF NEITHER CAN BE REACHED, CONTACT (Enter appropriate HOTLINE Number). USE HOTLINE NUMBER TO OBTAIN SAFE HAVEN OR REFUGE INSTRUCTIONS IN THE EVENT OF A CIVIL DISORDER, NATURAL DISASTER, CARRIER STRIKE OR OTHER EMERGENCY.

And,

PROTECTIVE SECURITY SERVICE REQUIRED, on all copies of the BL, and maintain the BL in a suspense file to follow up on overdue or delayed shipments.

Consistent with any classified transmission (mail, fax, courier) the contractor (sender) notifies the consignee (receiver and any U.S. Government Transshipper) of the shipment details including the 5 W’s, specifically:
  • nature of the shipment
  • transportation
  • numbers of the seals, if any
  • anticipated time and date of arrival by separate communication at least 24 hours in advance

As with classified mailing (see article “Preparing Classified Information For Shipment”) the notification should be provided to the address as found in the Industrial Security Facilities Database; identifying the organization, office, entity and not a person.

Reception:

Request that the consignee activity (including a military transshipping activity) notify the consignor of any shipment not received within 48 hours after the estimated time of arrival indicated by the consignor.

Validation:

1. Keep copies of the following government documents:
  • Approval to ship
  • Routing instructions
  • Approved carriers

2. Keep signed shipping receipts and bills of lading



ISP Certification and NISPOM Questions

Get your copy @ www.redbikepublishing.com



If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice. Here's a way to get 440 practice questions.

First, to meet minimum test requirements an applicant should have five years experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study the NISPOM and use sample questions to practice, practice, and practice. It can help you prepare for the test. Using practice tests to augment your ISP exam preparation can help. According to reader comments and emails to the author, many who have bought our book, NISPOM flashcards, and ISP Test Tips to augment their preparation have performed very well on the exam.

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enrol; NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:


1. Required training under the Initial Security Briefing will include which of the following:
a. Threat awareness
b. Reporting obligations
c. Cleared Facility Orientation
d. A and b 
e. All the above


2. All contractor requests for interpretations of the NISPOM shall be forwarded through the _____ to the _____.
a. FBI, CSA
b. DSS, CSA
c. DSS, FBI
d. CSA, DSS
e. CSO, CSA (NISPOM 1-106)


3. FSO qualifications include being a _____ and _____.
a. U.S. Citizen, cleared as part of FCL 
b. U.S. Citizen, exempt from clearance
c. U.S. Citizen, certified as ISP
d. U.S. Citizen, attended college

e. U.S. Citizen, cleared to SCI










Scroll Down For Answers








1. Required training under the Initial Security Briefing will include which of the following:
a. Threat awareness
b. Reporting obligations
c. Cleared Facility Orientation
d. A and b (NISPOM 3-106)
e. All the above


2. All contractor requests for interpretations of the NISPOM shall be forwarded through the _____ to the _____.
a. FBI, CSA
b. DSS, CSA
c. DSS, FBI
d. CSA, DSS
e. CSO, CSA (NISPOM 1-106)


3. FSO qualifications include being a _____ and _____.
a. U.S. Citizen, cleared as part of FCL (NISPOM 1-201)
b. U.S. Citizen, exempt from clearance
c. U.S. Citizen, certified as ISP
d. U.S. Citizen, attended college
e. U.S. Citizen, cleared to SCI




So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Friday, January 20, 2017

Insider Threat Program Results


The first part of the template outlines the purpose and policies and demonstrates that the contractor understands the ITP requirements. The organization identifies itself by name and lists the responsibilities of the ITP and positions within that organization. The remainder of the plan should spell out the ITP logistics:

A. Written designation of ITPSO.

B. The ITPSO responsibilities as addressed in NISPOM Change 2. Responsibilities include:
  • Self-certify the Insider Threat Program Plan in writing to DSS (Suspense has passed).
  • Provide copies of the Insider Threat Plan upon request and will make the plan available to the DSS.
  • Establish an Insider Threat Program based on the organization’s size and operations.
  • Provide Insider Threat training for Insider Threat Program personnel and awareness for cleared employees.
  • Demonstrate user activity monitoring on classified information systems in order to detect activity indicative of insider threat behavior.
  • Produce procedures to access, gather, integrate, and provide for reporting of relevant and credible adverse information across the contractor.
  • Demonstrate system or process to identify patterns of negligence or carelessness in handling classified information.
  • Conduct and document self-inspections of the Insider Threat Program.
  • Oversee the collection, analysis, and reporting of information across the company to support the identification and assessment of insider threats.
  • Provide proof of implementing and documenting all ITP assessments and reports to the Senior Management.

C. Insider Threat Training.
  • Provide documentation of ITPSO training completed by November 30, 2016, and, for a recently appointed ITPSO, within 30 days of being assigned responsibilities.
  • ITP Personnel Training.
      o Provide to all contractor personnel assigned ITP duties within 30 days of being assigned duties and refresher training each year as long as they continue to serve.
      o Provide insider threat awareness training to all cleared employees before being granted access to classified information, prior to May 31, 2017, and each year as long as they maintain their clearance.
      o Incorporate Insider Threat Awareness into annual refresher training.

D. Insider Threat Training Records Management.
  • Maintain training attendance records, certificates, or other documentation that verify completed initial and refresher training for review during DSS security vulnerability assessments.

E.  Insider Threat Reporting Requirements. Develop reporting requirements that capture:
  • Adverse information regarding cleared employees.
  • Suspicious contacts
  • Actual, probable or possible espionage, sabotage, terrorism, or subversive activities at any of its locations
  • Information determined to be any possible or potential successful penetration of a classified information system


You may notice that the above summarization follows the DSS Template, requirements in the NISPOM Change 2, pattern in the Self-Inspection Handbook for NISP Contractors, and other resources. Though not required in a particular format, the information DSS is looking for remains consistent. Using the above format may suffice with proper documentation of compliance. Refer to the strategically placed hyperlinks for NISPOM, publications, and downloadable training that can help meet NISPOM and DSS requirements.