Thursday, November 17, 2011

Three Excellent Ways to Meet Category Six of NISP Enhancement

National Industrial Security Program (NISP) Enhancement Category 6 is: Classified Material Controls/Physical Security. Through this process DSS can quantify a cleared contractor’s ability to track classified information throughout its lifecycle, implement countermeasures to deny access to sensitive information, and provide accountability of all classified information. The FSO’s ability to demonstrate such capability is impactful and can help DSS determine whether or not the cleared facility is going “above and beyond” NISPOM requirements. Below are three ways an FSO can demonstrate going above and beyond the NISPOM requirements:

1.  Track location and disposition of classified information-This can be done on the cheap or with a decent Information Management System (IMS) such as software provided by vendors like SIMSSoftware. The point is for the FSO not only to know what they know about classified information moving into and out of the cleared facility, but also to demonstrate the capability to track it. A small organization can develop a tracking sheet to record the receipt or creation of classified information.

a. Inexpensive methods-a small company or one with a tight security budget can create a tracking sheet (such as a Microsoft Excel spreadsheet) that captures information as classified information is developed or received into the company. Useful information includes:
  • item name
  • item tracking number
  • item type (hard drive, paper, CD/DVD, hardware, etc.)
  • contract number
  • date item created or received
  • number of copies made
  • disposition (shipped, couriered, destroyed; leave room for updates)
  • receipts of disposition
  • location of item (security container number)
  • other information as needed

b. Vendor provided software. Software exists that can automatically track classified items as long as information such as that listed above is entered into the database. Some (like SIMSsoftware) can generate and save receipts and disposition data for recall.

2.  Implement countermeasures-document the countermeasures that protect classified items, unclassified technical data, export controlled items, personally identifiable information and proprietary information. Countermeasures include:
  • Conduct inventory-determine regularly that items are where they should be and are protected according to government or company requirements (NISPOM for classified, ITAR for export controlled, company policy for intellectual property, etc.).
  • Limit access-provide barriers to items that need protection and ensure only authorized persons are able to enter. For classified information, follow guidance provided by NISPOM. However, an FSO can go further to protect other sensitive data. This can be done by posting guards, placing signs identifying off limits areas, and locking intellectual property away. In other words, limit knowledge and access to only those who need it. Does an executive assistant need to know the special fabric weave even if it is unclassified? Does the financial officer need to know the algorithm that gives your product a capability? If not, ensure procedures are in place to prevent access.

3.  Conduct a regularly scheduled inventory. NISPOM does not require an accountability system for classified information at the SECRET level and below. However, it does require the ability to retrieve classified information within a reasonable amount of time. To do this, conduct a regularly scheduled inventory. Use the spreadsheet to do this manually, or an automated IMS to either locate the classified item or account for its disposition. Some IMS provide bar code capability to ease inventory requirements.
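As an added example (not code from the post or from any IMS vendor), here is a minimal tracking sheet in Python built from the fields listed above: receiving an item requires a container number, recording a disposition requires a receipt, and the inventory check from step 3 reconciles the sheet against what was physically found in each container. Tracking numbers, container numbers, contract numbers and receipts are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
ON_HAND = "on hand"
CLOSING_DISPOSITIONS = {"shipped", "couriered", "destroyed"}

@dataclass
class ClassifiedItem:           # one row of the tracking sheet; fields follow the post's list
    tracking_number: str
    name: str
    item_type: str              # hard drive, paper, CD/DVD, hardware, ...
    contract_number: str
    date_received: str          # date created or received
    location: Optional[str]     # security container number while on hand
    copies: int = 0
    disposition: str = ON_HAND
    receipt: Optional[str] = None   # receipt reference once disposed of

class TrackingSheet:
    def __init__(self) -> None:
        self.items: Dict[str, ClassifiedItem] = {}

    def receive(self, item: ClassifiedItem) -> None:
        # An item on hand needs a unique tracking number and a container.
        if item.tracking_number in self.items:
            raise ValueError(f"duplicate tracking number {item.tracking_number}")
        if item.location is None:
            raise ValueError("an item on hand must be assigned a security container")
        self.items[item.tracking_number] = item

    def dispose(self, tracking_number: str, disposition: str, receipt: str) -> None:
        # A disposition closes the record and must be backed by a receipt for recall.
        item = self.items[tracking_number]
        if disposition not in CLOSING_DISPOSITIONS or item.disposition != ON_HAND:
            raise ValueError(f"cannot mark {tracking_number} ({item.disposition}) as {disposition}")
        if not receipt:
            raise ValueError("a disposition must carry a receipt")
        item.disposition, item.receipt, item.location = disposition, receipt, None

    def inventory(self, found: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
        # found maps container number -> tracking numbers physically seen in it.
        # Returns (missing, unrecorded): on-hand items not seen in their recorded
        # container, and seen items the sheet does not know about.
        missing = [tn for tn, it in self.items.items()
                   if it.disposition == ON_HAND and tn not in found.get(it.location, set())]
        seen = {tn for tns in found.values() for tn in tns}
        return missing, sorted(seen - set(self.items))

def demo() -> Tuple[List[str], List[str]]:
    # Constructed sample: CT-0003 was moved to SC-2 without updating the sheet; CT-0009 is unrecorded.
    sheet = TrackingSheet()
    sheet.receive(ClassifiedItem("CT-0001", "Test report", "paper", "CONTRACT-X", "2011-11-01", "SC-1"))
    sheet.receive(ClassifiedItem("CT-0002", "Design data", "CD/DVD", "CONTRACT-X", "2011-11-03", "SC-2"))
    sheet.receive(ClassifiedItem("CT-0003", "Drive image", "hard drive", "CONTRACT-Y", "2011-11-05", "SC-1"))
    sheet.dispose("CT-0002", "couriered", "RCPT-7781")
    found = {"SC-1": {"CT-0001"}, "SC-2": {"CT-0003", "CT-0009"}}
    return sheet.inventory(found)
```

The couriered item is not flagged because its receipt closed the record; the two lists returned are exactly what an inventory should hand the FSO to resolve.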


Though wrapped up in three steps, there are a lot of implied tasks in demonstrating above and beyond as outlined in Category 6. If a cleared facility is authorized to store and process classified information, this is a fundamental basis for creating a good information management program. This article covers the protection of classified and unclassified information for your use. Be sure to document and demonstrate your capability.
More information can be found in the book DoD Security Clearance and Contracts Guidebook.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Monday, November 14, 2011

5 Great Ways to Perform Award Winning Self-Inspections

Category 5 of the NISP Enhancement Program is titled: Self Inspection. Here, a cleared contractor's FSO documents a self inspection as part of a continuous security program evaluation. This is simply a health check of the established security program designed to safeguard classified information. The Defense Security Service (DSS) recommends that the cleared contractor’s Facility Security Officer (FSO) share the inspection results with their industrial security representative to keep communication open as well as address any issues that might be resolved prior to the scheduled DSS annual review.


The self inspection should be designed to evaluate all National Industrial Security Program Operating Manual (NISPOM) areas the cleared contractor operates under. At a minimum, each facility should inspect its compliance with NISPOM Chapters 1-5 and parts of Chapter 6. These chapters cover general security, personnel and facility clearances, FSO roles and responsibilities, required training, classified contracts, classified discussions and working with classified information, and apply to every cleared facility in varying degrees. FSOs should determine how and if their facilities fall under the remaining chapters. Here are 5 ways to conduct an award winning self inspection:

1. Download the Self Inspection Handbook from http://www.dss.mil/. The handbook reflects questions based on NISPOM requirements. This is the resource for your inspections.

2. Review the inspection criteria and determine which apply to your facility. The questions are thorough, but are limited to yes/no answers. You can further define metrics to dig deeper into issues and take notes to create a more comprehensive evaluation. Be sure to document the inspection.

3. Schedule to completely inspect applicable areas (should be conducted annually and within six months of a DSS review). Allow adequate time to complete the inspection and resolve issues as soon as possible. Allow time to have an after action review and develop a plan of action to fix, fine tune or develop new and effective processes.

4. Involve others. The self inspection does not need to be conducted by the FSO, and there is value in delegating this responsibility to subordinates or sharing it with other business units. Correct deficiencies on the spot and take notes on processes or procedures that are successful or need improvement. Benefits include:

a. An Industrial Security Professional candidate can use the self inspection as a platform for increasing their NISPOM knowledge with real world application.

b. Security employees can expand their knowledge base outside of their day to day disciplines (i.e., a personnel security employee can inspect information security and vice versa).

c. An FSO can gain a better understanding of the security program by managing an inspection instead of conducting the inspection. A team concept and new points of view are incredibly valuable.

d. Engineers, program managers and others working on classified contracts can provide more insight into the mechanics of the security program. Invite them to take ownership of the security program either by conducting an inspection themselves or advising on the results. They can provide the “impact” or answer the “what if” related issues brought up by the yes/no questions.

e. If you have cleared quality control, Six Sigma or other lean process team employees, invite them to participate. Since most security functions charge to overhead, costs directly impact the organization. Processes and procedures can be streamlined that directly impact paper, postage, storage, man hours and other costs.

5. Collect data and conduct an after action review. If you employed the team concept, invite everyone involved. The purpose is to share results and improve the security program. Review results and provide a way ahead for implementing improvements. Once complete, provide a report available to employees and shareholders. This report should provide metrics:

a. for implemented processes that save money and improve security

b. procedures developed to fix a security shortfall. This should include training and a plan to institutionalize the changes

c. recognizing those that have gone above and beyond. This should be by name or department where efforts reflect good results. Be sure to include efforts of inspecting members.

An award winning self inspection involves the entire team. Those inspected should understand their role within the security program as well as the importance of preparing and participating in the inspection. The FSO should coordinate the inspection and involve others in the process and use findings to improve the program. Reports should be generated to both identify the best performers as well as show metrics of how the inspection impacted the cleared contractor organization.

For more information on conducting self inspections, see DoD Security Clearance and Contracts Guidebook.


Friday, November 4, 2011

10 Ways to Demonstrate Above and Beyond - Category 3 of the NISP Enhancement

Category 3 of the NISP Enhancement covers Security Education: Information/Product Sharing Within the Community. This focuses on the FSO providing security education to peers and other FSOs outside of their organization. This is a security community event where contractors and government managers can learn from each other. Think Society of Industrial Security, American Society of Industrial Security, or other professional organization level event. Or it can be a smaller venue. Either way, involve others outside of your organization. This demonstrates contribution to the community and a pursuit of improving national security, and helps quantify going above and beyond. For example, an FSO uses their facility, creates an agenda and executes a security conference or training event. Or, committees can be formed to share the tasks. Education of this magnitude has tremendous value as the security community learns from the experiences and examples of their peers and applies them at their own organizations.
Here are some recommendations on how to provide that training:
  • Demonstrate how to conduct on the spot security inspections
  • Introduce how your company receives classified material and enters it into an information management system (IMS)
  • Compare benefits of different IMS vendors
  • Hold a class on using the Joint Personnel Adjudication System (JPAS)
  • Conduct security refresher training for the security community
  • Demonstrate unique and successful training strategies and programs
  • Host an Industrial Security Professional Exam training session or study group
  • Have a classified marking seminar
  • Show others how to prepare classified items for shipment
  • Provide training on how to read, understand and implement a DD Form 254

Training opportunities abound. Each cleared contractor has unique challenges and opportunities. Creating a training seminar where experiences can be shared benefits the entire community and each FSO can learn from another’s experiences.



Tuesday, November 1, 2011

FSO Security Staff Training

Category 3 of the NISP Enhancement continues with Security Education.
This category addresses internal security staff professionalization. Specifically, it measures whether or not security staff training exceeds NISPOM training and DSS FSO certification requirements, to include obtaining on-going professional certifications and incorporating the knowledge into the organic security program. There are currently several certifications and training programs available to the security professional, including some recommended by DSS:
  • Industrial Security Professional (ISP)-FSOs could set the ISP Certification as a goal and encourage staff employees to achieve it. When employees study for the ISP Certification, they learn: how to read and apply the NISPOM, the importance of forming professional relationships with cleared employees, how the cleared contractor and the DSS representatives interact, and much more. DSS also understands the importance of individuals who achieve the ISP Certification as well as the organizations that hire them. The FSO can display the certificate and refer to it during the annual inspection as continued ISP and FSO training.
  • Certified Protection Professional (CPP)-The CPP certification is for those who have a broad range of security experience to meet complex security issues. Holders of the CPP certification understand the threats that face the workplace, employees, product and the public. This has a significant application in the defense industry as industrial security professionals, security specialists and FSOs demonstrate their knowledge of physical security, personnel security, business management, security principles, information security, emergency procedures, investigations and legal aspects.
  • SPeD Certification-This is Security Professional Education Development. DSS has developed this program as a means of training government security professionals. This test begins at the fundamental level and includes information, general, physical and other security disciplines. Additional certifications are available that address more advanced and specific security areas. More information can be found at http://www.dss.mil/seta/sped/sped_what.html
  • Certified Information Systems Security Professional (CISSP)-The CISSP is sponsored by the International Information Systems Security Certification Consortium, or ISC2. Those working as an Information System Security Manager, Information System Security Officer, Chief Information Officer or in other mid to senior level management positions in information security should consider the CISSP. The CISSP measures competency and experience in 10 key areas: Access Control, Application Security, Business Continuity and Disaster Recovery Planning, Cryptography, Information Security and Risk Management, Legal, Regulations, Compliance and Investigations, Operations Security, Physical (Environmental) Security, Security Architecture and Design, and Telecommunications and Network Security.
  • The OPSEC Certification Program (OCP)-The OCP is for those who are actively engaged in identifying vulnerabilities of sensitive government activities and denying an adversary’s ability to collect information on the activities. In addition to five years of experience, the candidate for the OCP should have a four year degree and at least 48 hours of formal OPSEC training. The applicant submits a 10 page paper on the topic of OPSEC using one or more of the five OPSEC processes (identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; and the application of appropriate countermeasures).

See pages 304 to 306 of DoD Security Clearance and Contracts Guidebook for more detailed information.


