Friday, November 30, 2012

Cleared Contractor FSOs Can Create Impact Outside of the NISPOM


Facility Security Officers (FSOs) have a tremendous responsibility in developing a security program to protect classified information. After all, they (an individual or a staff) are the link between government oversight (the cognizant security office), the customer (prime contractor or Government Contracting Activity) and the cleared defense contractor, ensuring that classified information is properly protected.

However, if FSOs focus solely on the classified responsibilities, they are missing great opportunities to increase their effectiveness. That’s right, focusing solely on the single task of protecting classified information may reduce the chances of being effective overall. Providing added value outside of the National Industrial Security Program Operating Manual (NISPOM) actually helps the FSO build a better security program.

FSOs can expand their influence by providing lessons learned and best practices to integrate security into all enterprise areas. These areas become part of a holistic approach to securing information across the facility. Few controls are in place to protect unclassified but sensitive information, and the FSO can be a rock star in this area. The FSO can use these skills to protect government and other customer supplied sensitive products as well as internally created

Here are two ways FSOs can use their skills to identify and protect proprietary information, intellectual property, and other sensitive information.

1. Government and other customer provided products:
  • Classified information - Government information that is identified and protected based on the level of potential damage to national security. Classified information is protected with guidance found in the NISPOM. The guidance is prescriptive: if information is SECRET, it must be stored, handled, transported and destroyed according to regulations and policies. The government appointed original classification authority (OCA) uses a 6 step OCA process to identify and protect classified information. Follow the policies of the NISPOM, the contract and other applicable regulations to build your security program.

  • OPSEC - A process to deny potential adversaries information about capabilities and/or intentions. OPSEC plans are required on many classified and UNCLASSIFIED contracts. You can see the requirements in the DD Form 254 section of classified contracts and in the contract itself for unclassified contracts. Use the 5 step OPSEC process to identify OPSEC indicators, determine the threat, determine vulnerabilities, assess risk and implement countermeasures.

  • Technical information - Scientific information that relates to the research, development, engineering, test, evaluation, production, operation, use, and maintenance of munitions and other military supplies and equipment. Information falling under this category is protected by export compliance and the International Traffic in Arms Regulations (ITAR). You may see this information in program tests, work breakdown structures and other program related materials.

  • Critical technology - Technologies so fundamental to national security or so highly enabling of economic growth that the capability to produce them must be retained or developed in the United States. The government has identified this information, and it is also required to be protected.

2. Internally created company information
Company information is harder to identify and requires more proactive work. Where government and customer provided material should come with a sensitivity level and protection requirements, internal secrets require proactive identification and protection requirements. The FSO can incorporate processes similar to the 5 step OPSEC process or 6 step OCA process to help accomplish the task. The following are examples of such items:
  • Trade secrets - Processes, procedures, formulae, etc. that an enterprise produces and that are not well known.
  • Proprietary information - Same as trade secrets, and includes documentation, financial data, program details, test data and trade secrets that are not well known and that an enterprise would like to keep secret.
  • Intellectual property - Something designed, written, published, built, etc. that belongs exclusively to an individual or corporation. It differs from trade secrets and proprietary information in that it is an exclusive creation, such as a music composition, and not personal or financial information. Intellectual property covers trademarks, patents, copyrights and others.

Identification of trade secrets, proprietary information and in some cases intellectual property may require a working group of subject matter experts. The FSO can lead the discussions that determine what the trade secrets are and then apply security skills to protect them.

Personally identifiable information (PII) - Includes details that can help find or identify a person, such as name, address, driver's license number, social security number, etc. Protection of PII is required by law. The FSO can help determine who needs to maintain PII and how to protect it from unauthorized disclosure.

Once all internal information is identified and protection measures are implemented, employees have left and right limits that help prevent the unauthorized disclosure commonly found in events such as conferences, papers, patent applications and press releases.

The FSO is a pivotal member of the cleared contractor facility. They are one of two employees absolutely required by the NISPOM, and their sole purpose is to protect classified information. However, this role can be expanded to protect all levels of sensitive information and make them a star when it comes to enterprise protection.

Find more about the role of the FSO and security specialist in DoD Security Clearance and Contracts Guidebook.



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Monday, November 26, 2012

http://www.icontact-archive.com/c4PNVL0-z66WLzORFNJCef4n0g49XcbI?w=7

Our latest newsletter. Come see it...

2 Obstacles Every Facility Security Officer Must Overcome

3 Pronged Plan of Attack FSOs Should Consider 

Determining ITAR License Requirements with Bob Schuettler, Director, Corporate Export Licensing and ATK


Tuesday, November 20, 2012

Sample Questions from ISP Certification-The Industrial Security Professional Exam Manual


Here are actual questions from the book ISP Certification-The Industrial Security Professional Exam Manual. The questions here are all about NISPOM Chapter 8.


Go ahead, test your knowledge:

80. Level of concern reflects the sensitivity of the information and the consequences of the loss of confidentiality, availability, or _____.
a. Truth
b. Equipment
c. Integrity 
d. Values
e. Ethics

81. Who has responsibility for accrediting information systems used to process classified information in industry?
a. CSA 
b. FSO
c. ISSM
d. ISSO
e. Contractor

82. The CSA can grant interim approval to operate an IS for up to:
a. 120 days
b. 90 days
c. 180 days
d. 1 year
e. 45 days

83. Systems operate at Protection Level 3 when:
a. All users have required approvals for access to all information on system
b. All users have required clearance, but at least one lacks need to know
c. All users have required clearance, but at least one lacks formal access approval of the information on the system
d. None of the above
e. All of the above

84. For availability of information, what level of concern reflects that information must be available with flexible tolerance for delay?
a. Low
b. Medium
c. High
d. Basic 
e. Intermediate


Answers follow this line:
------------------------------------------------------------------------------------------------------------

80. Level of concern reflects the sensitivity of the information and the consequences of the loss of confidentiality, availability, or _____.
c. Integrity (NISPOM 8-401)

81. Who has responsibility for accrediting information systems used to process classified information in industry?
a. CSA (NISPOM 8-102)

82. The CSA can grant interim approval to operate an IS for up to:
c. 180 days (NISPOM 8-202)


83. Systems operate at Protection Level 3 when:
c. All users have required clearance, but at least one lacks formal access approval of the information on the system (NISPOM 8-402c)


84. For availability of information, what level of concern reflects that information must be available with flexible tolerance for delay?
d. Basic (NISPOM Chapter 8 Table 3)




Thursday, November 15, 2012

3 Pronged Plan of Attack FSOs Should Consider



One thing I remember from my many years in the Army is that you can’t force motivation. Sure, I’ve done my share of pushups and flutter kicks ordered up by a drill sergeant who thought I needed some incentive, but I didn’t do them out of my own initiative. It just made him feel better.

The point is that most of what it takes to contribute to and become a sought after member of an enterprise team comes down to a professional’s motivation and initiative. In past articles I’ve addressed some important tasks FSOs should undertake to add enterprise value; all were tied to leader effort and initiative.

The FSO has marching orders to develop and implement security programs to protect classified information.  But, how effective is security policy if it is written by security and posted only in the security office?

Unless security requirements are incorporated into overarching policy and adopted by all business units (HR, safety, security, business development, operations, contracts and program management department policies), they won’t be very useful. Tying policy into each business unit allows them to own the requirements. Policy is better enforced when it is published globally but initiated locally.

Here are three plans of attack FSOs should consider to win a seat at the enterprise’s decision table: understand enterprise elements, align professional priorities with the company mission statement, delegate responsibilities and co-opt others.

1. Understand Enterprise Elements
Everyone has a job to do and all tasks should be performed with company success in mind. Imagine a large company with HR, safety, security, business development, operations, contracts and program management departments. Though each department operates autonomously, all must function with the enterprise in mind. Each department has policies, but those policies should be in line with overarching enterprise policy.

  • Learn what other parts of the enterprise do and how they do it

This is important because it lets you better align your goals with the company purpose. Seek to understand how each business unit operates so you can better prepare for your own requirements. Form working groups, hold meetings, solve problems, join committees, and engage in lean six sigma activities.

  • Identify items, events, and issues that security can help with
Look at upcoming contracts, business development goals and program requirements, and then implement NISPOM guidelines. This is forward thinking and will position an FSO as the “go to” person. What other opportunities do FSOs have? Think beyond the NISPOM and apply protection skills to reduce the probability of theft and to protect personally identifiable information and intellectual property.

2. Align Professional Priorities With The Company Mission Statement
Defense contractors provide products and want to make a profit in return. Where they differ is in the amount of resources they can afford to spend on protection. FSOs can answer the tough questions: How can security help reduce expenses while effectively protecting classified information? What is an acceptable balance?

  • Policies should align with the enterprise and complement other elements’ roles

  • The easier to implement – the better

3. Delegate Responsibilities and Co-opt Others

The appointed FSO who also serves as a senior officer should consider delegating administrative duties to someone more available. Being the FSO doesn’t necessarily mean doing it all yourself. Consider delegating administrative functions while maintaining authority for major decisions. For example, other employees can make JPAS input, conduct NISPOM training, and maintain classified documents. The FSO is designated to approve and implement the policy that supports those administrative requirements.

  • The best security measure is an educated and engaged work force. Training cleared employees to take on security tasks will significantly reduce FSO workload. It also co-opts the entire organization to own and exercise requirements.

  • Form working groups to address and resolve problems and security issues. The FSO isn’t the only cleared employee, and resolution may reside with the cleared employees who actually perform on classified contracts. With employee input comes employee endorsement and ownership; instant implementation.

FSOs and security professionals should not be identifying problems, creating solutions, and providing security policy in a vacuum. To become a sought after member of an enterprise team, the FSO should be thinking “teamwork” which requires a high level of motivation and initiative. Use the three recommendations to create the right atmosphere and gain a seat at the decision table.





Wednesday, November 14, 2012

2 Obstacles Every Facility Security Officer Must Overcome



Security policy is only as good as the paper it is written on. Professionals who want to pair sound policy with demonstrated good procedures understand that a written document is just part of the solution. Success rests on the entire enterprise accepting and incorporating the policy as a normal part of doing business. The road to that success can be quite bumpy, but I’ll lead the way.

There are two kinds of challenges facing security professionals: self-inflicted and institutional.

1. Self-inflicted challenges are the ones that we place in our own way. They are perceptions about our capabilities (or lack thereof) that other professionals form about us. The perceptions manifest in two different ways: lack of vision and lack of initiative.

a. Lack of Vision - The Dr. No Syndrome - “No, you can’t do this or have that.” “The NISPOM says blah blah blah!!!” “The answer is NO, now frame your questions accordingly.”

In my early days as a facility security officer (FSO), I once told a program manager that we couldn’t do what he wanted. However, later research indicated that his solution was definitely a possibility. Unfortunately, he did the research himself and pointed out my error.  I was lucky that he approached me professionally and I was able to maintain a good reputation and not that of a “Dr. No”.  As part of an enterprise team, we should help with solutions that help the organization perform while complying with National Industrial Security Program Operating Manual (NISPOM), national, or corporate regulations and policies.

b. Lack of initiative – “If people thought security could do better they would come talk to me.” I remember, as an export compliance officer, an incident where one of our business developers proceeded to form a business plan with International Traffic in Arms Regulations (ITAR) controlled implications. A colleague of mine expressed remorse that he had not been contacted. “They know I’m here,” he said. “It’s their responsibility to find me and start the licensing process.”

Though he was technically correct, where’s the motivation and initiative? I learned from that initiative and made it my business to attend every program and business development and contract meeting I could find. Taking such initiative allows the security manager to anticipate program needs ahead of time. In this capacity you can implement and direct policy as issues arise and not after the issue gets ugly.

2. Institutional Perceptions

a. Lack of understanding - “You’ll interrupt cost, schedule and performance.”

The statement above is a well expressed perception that security provides no added value. Many times it’s a direct result of self-imposed obstacles. Recall the earlier example where I began attending all program, engineering and business development meetings. As a brand new FSO, I invited myself to one of my first security meetings. I was able to demonstrate the impact of security requirements on the enterprise should we win an engineering contract. The value added was the identification of storage and classified work requirements and what it would take to meet those requirements.

After the meeting, I headed back to my office. The phone rang.

“Hello”, I answered.

“Who did you charge the meeting to?” replied the no nonsense contracts manager.

“Huh?” I replied, obviously not understanding.

“What line item did you charge to? I can’t afford to pay everyone’s way to any meetings they want to attend.”

“Oh, now I’m following. Don’t worry, I’m free; indirect charge. I hope you liked the direction the meeting went.”

The phone was silent for a moment.

“Sure, you’re welcome to attend anytime,” she relented before hanging up.

Demonstrate that security adds value when applied early and effectively. Proper procedures can help programs reduce costs, improve schedules and enhance performance.

b. Limited expectations - “Just take care of the clearances.”

I remember sitting in an FSO’s office while she lamented her lack of effectiveness. She explained that she was not involved in her company in any other way than taking care of security clearances and annual security refresher training. She wanted to offer so much more and she did have many years of valuable experience.
Expand expectations by demonstrating incredible value. Contribute to contracts discussions, help the HR department protect personally identifiable information, and consult business development on the possible impacts of the classified contracts they are pursuing. Think of ways beyond the NISPOM or other requirements to assist the enterprise.

In most cases security is an indirect charge, capable of contributing to the entire organization without impacting individual program costs. However, FSOs and security specialists have to overcome self-imposed and institutional perceptions. It takes work and initiative to do so, but the entire enterprise benefits.


