Thursday, March 31, 2011

Five Good Points to Consider In the Reproduction of Classified Information



1. Start at the beginning; establish controls to limit access to classified information. An information management system, access control system or other means of controlling who accesses classified information, when they access it and what they do with it is the right place to start.

2. Establish policy controlling use of classified reproduction equipment. Copy machines, scanners and other reproduction equipment should be identified and designated for classified information reproduction. Additionally, all other enterprise equipment should be off limits to classified reproduction.

3. Control the use of unclassified reproduction equipment. This will help prevent security violations in which authorized employees access classified information and copy it on public copiers, load it onto unauthorized disks or fax it using unauthorized machines, all in an effort to remove it from the company undetected.

4. The FSO should consider the type of equipment they purchase, lease or rent. When service contracts expire, repairs are needed, equipment is to be replaced or other transactions replacing or removing the equipment occur, the hard drive or memory should be destroyed or wiped in an approved manner to remove all stored classified information.

5. Afford copies the same level of protection as the original. Ensure the markings are legible and stand out. Also, assign document numbers to track the number of copies made. For example, if a document assigned an internal document number 401 is copied, the new number might be 401 copy1 or 401-01.

Tuesday, March 22, 2011

How Cleared Contractors Appoint Facility Security Officers

 

Excerpt From Our Newest Book


Becoming a cleared defense contractor demands more than just getting a security clearance. It has more to do with what the contractor does once the clearance is awarded; specifically, protecting classified information. This protection involves physical, classified processing, and information security. It's more than just buying safes, installing access controls and getting employees security clearances. Primarily, the cleared contractor must appoint a Facility Security Officer (FSO) responsible for implementing a program to protect classified information.


To better answer frequently asked questions, I've written several times on the topic of selecting the right Facility Security Officer (FSO) qualifications. According to the National Industrial Security Program Operating Manual (NISPOM), the FSO must be a US Citizen and be cleared to the level of the facility (security) clearance (FCL); period. This provides a lot of room for a cleared facility to figure out how to get the job done. However, in the book, DoD Security Clearances and Contract Guidebook-What Defense Contractors Need to Know About Their Need to Know, the author identifies what additional qualifications cleared contractors should recognize prior to appointing or hiring the FSO.

Primarily, the FSO should understand how to protect classified information as it relates to the cleared contract, organizational growth, enterprise goals, and NISPOM guidance. The FSO should be able to conduct a risk analysis, express the cost, benefits and impact of supporting a classified contract under the NISPOM requirements and incorporate an environment of cooperation and compliance within the enterprise. Finally, they must be able to influence and compel the senior leaders to make good decisions, support compliance and integrate security into the corporate culture. After all, security violations not only cause damage to national security, but could also impact the organization with loss of contracts. The FSO is pivotal to the successful execution of classified contracts.

In larger cleared contractor organizations the FSO is a full-time job held by a department manager or higher level person. This FSO is supported by a staff of security specialists who may manage classified contract administration, safeguarding of classified documents, processing of classified information on information systems, security clearances and other disciplines. The FSO oversees the entire security program as executed by the competent staff. In a best case scenario, they will report to the senior officer of the organization.

In a small business the FSO may be the owner, chief officer, vice president or other senior leader picking up an additional responsibility. This is more of a situation of selecting the most knowledgeable, capable or competent person, and is usually the best choice. However, these people are already very busy trying to meet cost, scheduling and performance objectives. They may be able to implement and direct a security program to protect classified information, but not the day to day job functions that can pull them away from critical tasks. Jobs such as document control, visit authorization requests, security clearance requests, etc. can be delegated to other competent, organized and less busy employees.

When competing for classified contracts, the winning company must be eligible to receive a security clearance. Prior to performing on the contract, they should have a security clearance in place and appoint an FSO. The FSO is responsible for the security program, but not necessarily solely responsible for executing the day to day activities. Just as FSOs in large organizations have a staff of employees, the FSO of small organizations should delegate day to day activities to competent cleared employees.


Saturday, March 12, 2011

DoD Security Clearance and Contracts Guidebook — Red Bike Publishing


Our Newest Book
DoD Security Clearance and Contracts Guidebook - What DoD Contractors Need to Know about Their Need to Know

Coming April-Pre-Order your copy now

This new book will demystify the security clearance process and help cleared contractors develop security programs to win and keep classified contracts. It is a good companion for all seasoned and novice defense contractors, Facility Security Officers (FSO) and the college student.

Defense contractors can confidently pursue classified contracts with:
•Step by step guide demonstrating how to meet requirements for security clearances
•Senior leader responsibilities in security cleared facilities
•Classified contracts administrative responsibilities
•Method for reducing costs associated with protecting classified information and NISPOM requirements
•Description of exceptional (FSO) qualities

Cleared contractors can protect program information through:
•Building award winning security programs
•Understanding international operations
•Improving Defense security services (DSS) inspection results
•Winning the Cogswell award

Security professionals and FSOs can:
•Build skills as a security specialist or FSO
•Gain access to valuable resources for security programs

College students can:
•Improve understanding of national security
•Learn new career opportunities
•Have a valuable resource for homeland security studies

Ready for pre-order, get yours today.

Pre-Order Paperback Version-$24.95
Pre-Order Hardcover Version-$34.95

Friday, March 11, 2011

Dice Holdings, Inc. - Press Release

Those holding security clearances aren't as affected by the economy. Cleared defense contractors seem to be isolated against job related uncertainties experienced by others in the private sector. This report issued by Dice Holdings, Inc. expresses the benefits of working with a security clearance.

ISP Certification


Also, if you have a clearance, consider the job security offered by certification. Security specialists can further protect themselves with ISP Certification.

Tuesday, March 8, 2011

Join our Team

Now you can receive 10% payment by referring customers to Red Bike Publishing. Join our affiliates program and receive 10% of any product sold through the Red Bike Publishing online bookstore. Our products sell from $7.00 to $99.00. That means an earning potential of up to $9.00 for each item sold through our store. Why not enhance your website by offering quality security and compliance books through Red Bike Publishing.

How? 
1. Simply visit http://www.redbikepublishing.com/affiliates/


2. Scroll to the bottom of the page and click the link in the yellow box that says “Click here to join Red bike Publishing's’ affiliate program”

3. Login or Register

4. Under “Manage Your Affiliate Account” click “Get Affiliate Code”

5. Select “Red Bike Publishing” as the merchant

6. Click the button “Get Affiliate Code”

7. Copy the link provided in the yellow box.

8. Add the link to your website.

That's it...we hope to see you on our team.

How Defense Contractors Request Security Clearances

How Personnel Security Clearances are Granted


From: "Insider's Guide to Security Clearances"
The Defense Industrial Security Clearance Office (DISCO) processes security clearances for organizations falling under the NISP. According to Executive Order 12968—Access to Classified Information, employees should not be granted access to classified information unless they possess a security clearance, have a need to know the classified information involved, received an initial security briefing and have signed a nondisclosure agreement.

The Facility Security Officer (FSO) is a position that the defense contractor must appoint during the FCL approval process. The FSO implements a security program to protect classified information. They also request investigations for employees who require a security clearance. What this means is, all cleared contractors must appoint an FSO. It could be the business owner in a small organization or an employee with an additional duty. The primary qualifications of an FSO are to be a US Citizen and have a PCL at the same level as the FCL. It is possible for an FSO to be the sole employee in the company.

The contractor and DSS have joint responsibilities with the PCL process as they do with the FCL process. When the FCL is being granted, key employees should complete a Questionnaire for National Security Positions, also known as Standard Form 86 (SF 86). Part of the process includes ensuring that the applicants are US Citizens. They should submit the application to the FSO, who then submits applications to DISCO. An investigation is conducted and the central adjudication facility (CAF) makes a security clearance determination. The determination is then entered into the Joint Personnel Adjudication System (JPAS), the Department of Defense provided system where security clearance information is stored. Other government organizations may have different systems. Once entered into JPAS, the FSO can grant access based on need to know and the clearance level.

The SF 86 is the main area where the applicant can affect the speed of the security clearance process. A properly filled out application form is the key. Incomplete or inaccurate information is the number one cause of clearance delays. Names, addresses, telephone numbers, and dates of birth for relatives should be gathered as background research. Fortunately the SF 86 form is online and requires only filling out once. When a clearance is up for renewal, the applicant can log in to their SF 86 and make updates.

DSS and FSOs use JPAS to update personnel information. This system allows instantaneous updates of records as well as notification of access, denial or revocation of clearances. At the time of this writing, there are more than 89,000 users of JPAS and 23,000 are from defense contractors.

Not everyone investigated is guaranteed a security clearance. In some instances a clearance can be denied, revoked or suspended. The employee’s background is investigated thoroughly for the initial clearance and again every five to fifteen years while maintaining a clearance and depending on the required security clearance level. In the event that a security clearance is denied, suspended or revoked, DSS will also notify the FSO. The FSO will then deny access to classified material to that employee and update JPAS.

The personnel security clearance investigation

Prior to granting a security clearance, DSS will ensure the proper security clearance background investigation is conducted. Two primary types of investigation include the Single Scope Background Investigation (SSBI) and the National Agency Check with Local Agency Check and Credit Check (NACLC).

The SSBI is the most detailed investigation and is used to process TOP SECRET (TS) and Sensitive Compartmented Information (SCI) clearances. The FSO initiates the security clearance request with DSS through JPAS. The FSO notifies the employee to begin the application by completing Electronic Questionnaires for Investigations Processing (e-QIP) Standard Form 86 (SF 86) to verify employment. The federal investigator verifies the information by interviewing references, employers or others who have known the subject socially or professionally. The investigator may use names identified on the SF 86 and as discovered during the course of the investigation. To facilitate an efficient investigation, applicants should complete the SF 86 accurately and completely.

The SSBI will also cover periods of employment and education institutions attended. The applicant should be accurate about the attendance and degrees, certificates or diplomas credited and list contacts or references as completely as possible. Other areas subject to investigation include places of residence, criminal records and involvement with law enforcement and financial records. The investigators may contact those with social and professional knowledge of the applicant, and divorced spouses.

The NACLC is required for SECRET and CONFIDENTIAL levels of security clearances. Investigations are conducted to determine suitability for a clearance, fingerprint classification and a background check using a search of the Federal Bureau of Investigation’s (FBI) database. Investigators also conduct a credit check based on residence, employment and education locations. The investigation will also cover law enforcement issues at all locations listed on the SF 86. Once assigned a case, investigators will use the submitted request to research factors about the employee’s life to help determine suitability. The suitability is assessed by a trained adjudicator based on an approved background investigation.

The granted security clearance is honored across agencies and no additional investigations should be conducted to access classified information at the same level or lower of the PCL. If an employee has a security clearance granted by any agency with an investigation meeting the same or higher requirements, access to classified information can usually be granted without further investigation.

Security Clearance Opportunities for Defense Contractors and Cleared Employees

The NISPOM the Cleared Contractor's Guide to Security Programs
Potential for Security Clearance Required Jobs


There are more than 12,000 cleared Department of Defense contractor facilities. Considering that organizations can have anywhere from one to thousands of cleared employees, the number of employees performing classified work is in the hundreds of thousands. Positions requiring security clearances range from scientists working on projects to janitorial services and repair providers. Some clearances are based on actually performing classified work, others on just being cleared to access an area to perform repairs or cleaning services.

Even though a job may require a security clearance, an employee does not need a security clearance to apply for the job. The potential employee must only be eligible for the security clearance. Many frequently asked questions in the defense contractor field are from those who want to know how to get a security clearance so that they can apply for a job. Familiar requests include: “Can I get a security clearance in case I need to apply for another job?” Some employees in the defense industry who do not have clearances often request one just in case it is needed later. Remember that a clearance is contract and performance related; one cannot get a clearance just to apply for a job.

A job seeker’s main responsibility is to find a match to a job they can do well and get the interview. The job description may require the ability to get a clearance, but uncleared people can and should apply. It is up to them to get an interview and win the job. If the potential employer finds a good match, then they will hire the employee and subsequently put in the clearance investigation request. As technology changes and homeland security needs increase, more opportunities for cleared work may arise.

Becoming a cleared contractor

Businesses and entrepreneurs can become a defense contractor entity by applying through www.ccr.gov. This website allows the establishment as a contractor and building of their profile. Once established, the new company can register and bid on government contracts, including those requiring classified work. However, getting a classified contract directly with the government is not easy. Many defense contractors have experienced success only after subcontracting with a prime cleared contractor.

Cleared Security Professionals

Each of the 12,000 facilities appoints an FSO to implement and direct a security program to protect classified information. Additionally, other CSAs (Department of Energy, Central Intelligence Agency, and Nuclear Regulatory Commission) have their own security descriptions with several more thousands of employees. In total, there are thousands of individual security opportunities in the contractor arena. The numbers increase when Government civilians and uniformed personnel are included.

More and more job announcements for FSOs and experienced security specialists are carrying descriptions requiring a certification and education. Recently, the only experience necessary was the ability to get a security clearance and a High School Diploma or GED. However, more and more announcements require formal education to include college and a preference for security certification. The defense security industry still provides a good career field to gain entry level experience and move up quickly; simultaneous education and certification will make future leaders more competitive.

The NISP provides an excellent opportunity for an employee with little experience to enter the field. For example, a veteran of the armed forces with a security clearance and some security experience may find it easy to transition to a security specialist job. Additionally, a young adult with limited work experience or skills may be able to join the security division of a large defense contractor to wrap classified articles or work in the cleared mail room after getting an interim security clearance.

Large Defense Contractors and Government agencies have available entry level security jobs. The job title is often security specialist and job descriptions allow for many experiences. Some descriptions use words to the effect of the following:

“The candidate must be eligible for a security clearance. Job responsibilities include receiving, cataloging, storing, and mailing classified information. Maintain access control to closed areas. Provide security support for classified information processing and destruction. Initiate security clearance requests and process requests for government and contract employees conducting classified visits. Implement security measures as outlined in NISPOM.”

Administrative, military, security guard, police and other past job experience may provide transferable skills to allow a person to apply for the job. Once the new employee is hired and learns the technical skills, they can quickly advance by applying their other experiences and education.

Cleared Contractor Reporting Requirements

From "Insider's Guide to Security Clearances"
Reporting Security Violations


Providing required reports to the authorized persons or agency contributes to reducing the impact of the potential security violation, compromise or suspected compromise. Cleared employees should understand to whom and what to report. The sooner the report is issued and the more details given, the more can be done to prevent or mitigate damage to national security.

Cleared employees should be trained to report events affecting the facility security clearance or personnel security clearances. These events include threats to the security of classified information or the fact that classified information has been lost or compromised. All cleared employees should be trained how to submit reportable information internally to the FSO. Additionally, FSOs have reporting channels through DSS and the Federal Bureau of Investigation (FBI). The quicker information gets to the proper reporting authority, the sooner it can be addressed and damage can be prevented or mitigated.

Reports to the FBI

Contractors report to the FBI when they become aware of any of the following occasions:

Espionage – Persons attempting to obtain national defense, proprietary or other sensitive information without the proper permission or clearance and need to know.

Sabotage – Persons causing damage, diversion, destruction or other activity resulting in an opponent becoming less effective.

Terrorism – These are acts to create havoc and shock in order to advance goals of ideology, money, or furtherance of political agendas.

Subversion – Acts to overthrow forms of Government authority.

Reports to DSS

DSS is more able to address other issues impacting a contractor’s facility and personnel security clearances. FSOs should train cleared employees to submit information that adversely impacts the ability of a person or facility to protect classified information. More specifically, reports submitted to DSS include:

Adverse information – involves reports about a contractor or federal cleared employee that indicate that they may not be able to properly protect classified information. Adverse information topics include criteria found in the investigation/adjudication process:

• Allegiance to the United States

• Foreign preference

• Foreign influence

• Sexual behavior

• Personal conduct

• Financial considerations

• Alcohol consumption

• Drug involvement

• Psychological conditions

• Criminal conduct

• Handling protected information

• Outside activities

• Use of Information Technology Systems

Any activity demonstrating a violation of any of the 13 investigation criteria could define reportable adverse information. When cleared employees display any characteristics that could imply inability to protect classified material or make them vulnerable to recruitment, they should report that information.

Suspicious contacts – Any attempt by any individual to obtain unauthorized access to classified information.

Change in Status – Agencies and contractors should report any changes in status of cleared employees. These reportable changes include: name, marital status, citizenship or termination of employment.

Citizenship by naturalization – When necessary, Non-U.S. employees can be granted Limited Access Authorization.

Refusal to sign the SF 312 – Refusing to sign the SF 312 communicates lack of agreement to protect classified material or lack of training.

A change affecting the contractor facility clearance – The defense contractor is granted a clearance based in part on their ability to safeguard classified information.

Changes in storage capability – These changes include improvements or additions to the security program that raise the protection level, or changes that degrade the protection level.

Inability to protect classified material – Anything preventing a cleared facility from being able to protect classified information should be reported.

Unauthorized receipt of classified material – Any classified information delivered from the cleared facility to an uncleared facility or person or classified information received without a contractual relationship should be reported.

Tuesday, March 1, 2011

Technology Protection and Foreign Travel

Red Bike Publishing's NISPOM
Anytime an employee travels abroad, they should expect to be liberated from their computer at the host country's customs. They should also expect to have the hard drive duplicated, files read, etc. These are the contingencies for which astute technology control officers, export compliance officers and security specialists plan. Sensitive and protected technology should not be contained within computers and related media without proper permissions.


Foreign governments want US technology and aggressively seek it, and defense contractors should make the information very difficult to get. However, they may spend too many resources on actions that don't address the real threat. For example, physical security efforts may focus on fortifying businesses with barriers, alarms, access control, cameras, etc. Risk assessments indicate that technology is leaked through careless or malicious employee behavior or actions taken due to poorly understood responsibilities and security discipline.

Export compliance officers and Facility Security Officers should develop a culture within their organizations to prevent unauthorized disclosure of economic, classified or sensitive information. Such practices include destroying sensitive waste properly, locking all desk and cabinet drawers after work, and using access control to keep employees, vendors and non-US persons from accessing unauthorized areas.

Before cleared employees travel anywhere, they should be given a defensive security briefing. A defensive security briefing is for cleared employees who travel overseas and may be vulnerable to foreign entity recruiting methods. These briefings could be tailored for protecting export controlled information and given to all employees who travel abroad. Briefings should be constructed to make the traveler aware of their responsibilities to protect employees, product, customers and those with which they do business.

If technical data and laptop computers will be travelling with employees, export controlled information not under license or TAAs should be removed from the computer. Some companies issue special travel computers with only the information needed to conduct business, ensuring the information is authorized by license or agreement with the State or Commerce Department to prevent an export violation.

Those conducting export operations should ensure that such actions are authorized with a license and/or TAA before discussing technical data that falls under export compliance. Employees should know the boundaries in advance before sharing any technical information with the foreign hosts. Additionally, a sanitized computer provides no threat of export violations or theft of economic or corporate data. An organization's information technology department or equivalent could provide a sanitized computer for the traveler's administrative needs. Travelers should keep technical information close at hand and prevent unauthorized disclosure of anything that could lead to export violations or the release of proprietary data.

When making corporate travel plans, a trigger mechanism should be in place to notify the security office of an employee's need to travel on international business or pleasure. This includes plans for Canada, Mexico and Caribbean Countries. The security department can then construct a defense briefing for the specific area after researching the area to be traveled. The State Department has a great website which can inform the business and the traveler on all necessary travel documentation and what to expect while abroad (www.state.gov).

Some threats an employee can face while abroad are economic and intelligence related. Economic threat is the theft of technology and commerce. The agent may be after formulas, financial gain, etc. Foreign entities may target classified or company sensitive information to gain a competitive edge.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing http://www.redbikepublishing.com. You can register for our newsletter at our website.

How Defense Contractors Protect Technology - Applying NISPOM and ITAR

Red Bike Publishing's ITAR
Defense Contractors providing defense items or services have the tremendous responsibility of keeping the technology out of the wrong hands. As identified in the ITAR, unauthorized release of technical information can affect the US military's fighting capability. Licenses and agreements provide checks and balances between the US Government and the US Company desiring to export the technology. The company identifies the technology and application and submits export requests to the State Department. The State Department reviews the application and further researches military application and how the export could affect national defense.

Without such checks and balances, other countries could gain a technological advantage. Consider GPS and night vision technology. No other nation has the ability the US does to operate at all times and in all weather. The US military's technological lead creates the ability to determine where, when and how to fight. When other nations gain unauthorized technology, they can duplicate US products and either fight like the US military or degrade US military effectiveness.

According to the ITAR, organizations are required to have permission prior to exporting technology to non-US persons. The organization is responsible for understanding the permissions required as well as the exemptions and the documentation necessary to ensure compliance. The ITAR governs defense technology exports and is a broad regulation subject to interpretation by the exporting organization.

An export is simply transferring controlled technology to a foreign person either inside or outside the US. The export or transfer is conducted in many different ways and the following is a list of examples:

•hand carrying

•performing a service or demonstration

•reading blueprints, plans using software or other computer media

•turning over ownership of vehicles, equipment or other items identified on the US Munitions List

Technology refers to specific information one would find necessary to reproduce, develop or use an item and can be classified or unclassified. Also, the technology can be a product such as a model, blueprint, or instruction book. Technology can also be a service, instruction or some type of training.

What is a US Person?

Citizenship designation is defined differently in the ITAR and NISPOM. The ITAR addresses export of items with military application and NISPOM is concerned with protecting classified information. According to the ITAR, the definition of a US person includes those who have applied for citizenship to the US. This includes lawful permanent residents, lawful temporary residents, US citizens and nationals, and US organizations. These US persons may not be citizens, but are still authorized access to technical data without requiring export permissions. However, the NISPOM requirements prevent such US persons from having a security clearance. When access to classified information is necessary, a Limited Access Authorization (LAA) may be requested. US persons can access technology controlled items without a license, but only US citizens with a clearance and need to know can access classified information.