Monday, December 29, 2014

Insider Threat Training Tips for Security Officers and Employers

Consider the Insider Threat. It’s a great bumper sticker and we’ve heard it a million times, but what does it mean? The thought should carry more weight in the practice of preventing the insider threat than it does as a slogan. It is tempting to pay homage to the idea of insider threats, but those who successfully deter insider threats realize that the idea takes critical analysis to put into action. Consider the fortresses many defense contractor organizations have become. Best practices to protect organizational, employee, materiel and cyber assets from outside actors are evident. The same careful contemplation must be applied to countering the harmful accidental and deliberate actions of a trusted employee.


INSIDER THREAT DEFINED

The insider is any trusted person who has any access to assets. For this article’s purpose, we’ll define the insider threat as a trusted person who deliberately or accidentally causes damage to national security. This article addresses requirements found in Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Threats include acts of sabotage, theft, terrorism, unauthorized disclosure of classified information, and espionage.

While contemplating the insider threat, the analyst should be aware that anyone can exploit any level of permissions to steal, damage, or manipulate whatever they can affect. This includes full- and part-time employees, vendors, consultants or others with the ability to touch or impact assets. The insider could have full range of motion throughout the organization or be limited by technical or physical restrictions. Either way, these permissions give them some ability to negatively impact the organization. An example would be a trusted employee with access and need to know going through the proper channels to access classified information. That same employee then takes advantage of those privileges, removes the classified items unhindered and provides them to unauthorized persons.

The same opportunities exist for accidental harmful occurrences, incidents or events that can harm an organization or its reputation. Insiders could accidentally bypass safety, security and other countermeasures and cause major damage. For example, an employee introduces a harmful computer virus to the network by clicking on an email hyperlink. Also, consider a situation where an organization gives a tour of its production facility. A visitor ignores the rules and damages a sensitive electronic device while the overwhelmed escort is distracted answering questions from the other visitors. These unintentional events harm the organization just as surely as a deliberate threat would.

EVALUATE YOUR INSIDER THREAT POLICY AND PREPARE NOW

Now that we have identified ways an insider could harm an organization, let’s take a look at what the organization can do to deter, detect and prevent incidents. EO 13587 directs government agencies and task forces to evaluate and protect classified information from the influences of an insider threat. Though not yet a requirement of industry, policies and regulations may soon follow directing cleared contractors to take the appropriate steps to address the insider threat. These requirements may soon manifest in updates to DoD 5220.22-M, The National Industrial Security Program Operating Manual (NISPOM), or other policies.

Now is the time for cleared defense contractors to prepare for those directives by instituting policy addressing the insider threat. The Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, spells out requirements that can be adapted for cleared defense contractor use. The memorandum states these requirements as the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.

ADDRESSING INSIDER THREAT: TWO EASY STEPS

Cleared defense contractors can easily incorporate two of these requirements and meet the intent of future NISPOM guidance. These two efforts include:

Monitor employee use of classified networks.

This requirement can also be applied to unclassified networks hosting FOUO, technical data, proprietary information, intellectual property, personally identifiable information, and other sensitive unclassified information. The first step is to understand what sensitive information (classified and unclassified) exists and develop controls that facilitate monitoring. For example, an unclassified network may host proprietary information critical to the organization’s product success. This information could be tagged in the information system and appropriately monitored. This effort is similar to document and inventory control. Authorized users would then be given access, with controls set in place to limit viewing, printing, downloading, copying, and so on. What would be monitored? Access. The second step would be to identify those with need to know and allow their access to the information. Monitoring would then include ensuring only those with need to know are able to access the information.

Access is now limited to a specific group of insiders. Monitoring would now include how insiders are accessing and what they are doing with the information. An authorized insider with malicious intent could be easily recognized and stopped by a system audit to see who accessed, how they accessed and what they did with it (printed, downloaded, manipulated or viewed it). Flags could easily be raised when controls are bypassed. If information is missing or unaccounted for, an audit would provide the answer.
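The tag-and-audit approach described in these two steps, as an added example that is not from the article: constructed audit-log lines are checked against a constructed need-to-know list (who may access each tag) and the actions each person was granted (view, print, download), flagging access outside need-to-know, actions beyond what was granted, and bypass attempts, and reconstructing a document's access history for an audit. Document tags, user names, actions and the log format are all constructed for this example.

```python
"""Access audit over tagged sensitive information (constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed data: each sensitive document carries a tag, each tag has a
# need-to-know group, and each group member has a set of permitted actions.
DOCUMENT_TAGS = {
    "PROP-0042": "PROPRIETARY",
    "TECH-0107": "TECHNICAL_DATA",
    "PII-0009": "PII",
}

# Tag -> {user: permitted actions}; anyone not listed has no need to know.
NEED_TO_KNOW = {
    "PROPRIETARY": {"alice": {"VIEW", "PRINT", "DOWNLOAD"}, "bob": {"VIEW"}},
    "TECHNICAL_DATA": {"alice": {"VIEW"}, "carol": {"VIEW", "DOWNLOAD"}},
    "PII": {"dave": {"VIEW"}},
}

# Constructed audit-log lines in a simple key=value format.
SAMPLE_LOG = """\
2014-12-29T09:14:02 user=alice action=VIEW doc=PROP-0042 result=OK
2014-12-29T09:16:40 user=bob action=VIEW doc=PROP-0042 result=OK
2014-12-29T09:17:05 user=bob action=PRINT doc=PROP-0042 result=OK
2014-12-29T10:02:11 user=erin action=VIEW doc=TECH-0107 result=OK
2014-12-29T10:05:33 user=carol action=DOWNLOAD doc=TECH-0107 result=OK
2014-12-29T10:40:19 user=dave action=COPY doc=PII-0009 result=DENIED
2014-12-29T11:01:00 user=alice action=VIEW doc=MISC-0001 result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"doc=(?P<doc>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    doc: str
    result: str


@dataclass(frozen=True)
class Flag:
    ts: str
    user: str
    doc: str
    reason: str


def parse_log(text):
    """Parse audit-log lines into Event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def check_event(ev):
    """Return a reason string if the event violates the need-to-know controls,
    else None.  Denied attempts are checked too: a bypass attempt should raise
    a flag whether or not the control stopped it."""
    tag = DOCUMENT_TAGS.get(ev.doc)
    if tag is None:
        return None  # untagged document, not subject to these controls
    permitted = NEED_TO_KNOW.get(tag, {}).get(ev.user)
    if permitted is None:
        return f"no need-to-know for {tag}"
    if ev.action not in permitted:
        return f"{ev.action} not permitted on {tag} (allowed: {sorted(permitted)})"
    return None


def audit(events):
    """Run the need-to-know check over every event and collect the flags."""
    flags = []
    for ev in events:
        reason = check_event(ev)
        if reason:
            flags.append(Flag(ev.ts, ev.user, ev.doc, reason))
    return flags


def document_history(events, doc):
    """Who touched a document, how, and with what result: the trail an
    audit consults when information is missing or unaccounted for."""
    return [(ev.ts, ev.user, ev.action, ev.result) for ev in events if ev.doc == doc]


def access_counts(events, tag):
    """Count accesses per user to documents carrying a given tag."""
    return Counter(ev.user for ev in events if DOCUMENT_TAGS.get(ev.doc) == tag)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in audit(evs):
        print(f"FLAG {f.ts} {f.user} {f.doc}: {f.reason}")
    print(document_history(evs, "PROP-0042"))
```

On the sample log this flags bob's print of a document he may only view, erin's access to technical data she has no need to know, and dave's denied copy attempt; the untagged document is ignored.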

Threat awareness training.

Employees would be educated concerning what needs protection (assets), who an insider is, what the impact of damage could be, how to prevent it, and how to report incidents. Employees would be briefed on access and need to know privileges and limitations as well as how to operate within their allowances.

Cleared defense contractors should be aware of the insider threat and make the concept more than a bumper sticker. Real analysis is required to go beyond the gates-and-guards approach to keeping out the malicious actor. With the insider threat comes the question of how to limit access to those with need to know and protect sensitive information from exploitation by authorized personnel. The President has issued EOs and memorandums to address this issue as applied to government agencies. Cleared defense contractors can be proactive and protect their organizations from the insider threat by analyzing the requirements and creating a system to meet them.

As published by clearancejobs.com: http://news.clearancejobs.com/2014/10/01/insider-threat-training-tips-security-officers-employers/

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Wednesday, December 17, 2014

ISP Certification, FSOs, and New Year's Resolutions

Wow, New Year’s Eve is just around the corner and many of us have already set goals. It’s traditional to plan events as the calendar rolls over to a new year. It’s great to dream big and visualize these goals; it’s quite another thing to actually reach them. So let’s talk professional goals: the NCMS ISP Certification is a great one to strive for.

It’s one thing to dream and another to plan. The difference is what you do from the vision to make it a reality. Here are some deliberate actions you can use to help develop a plan to become ISP Certified.

1. Begin at the NCMS ISP Certification information website at http://www.ncms-isp.org/ISP_Certification/index.asp. There you can find ISP Certification testimonials, brochures, the application and other information about the certification. When you review the qualification, study and application information, begin with the end in mind. If your goal is to become ISP Certified in 2015, gather all the data needed and determine whether that is possible. If the application, approval and study timeline is too long, consider changing your goal to “Prepare for ISP Certification in 2016” or “Study for ISP Certification”. The point is to study the requirements and build a realistic plan to achieve your goal. Let preparation set the pace, not a calendar date. Once you determine how long it will take to get prepared (6 months, 1 year, etc.), build a plan based on that date and work backward.

2. Understand the application process. There are minimum experience requirements that applicants must meet as well as administrative tasks built into the process. If an applicant does not meet the minimum requirements, they can begin studying, but will have to wait until they meet those requirements before applying. This should be built into the timeline. Applicants who meet the minimum should build the administrative tasks into the timeline. These include filling out the application, payment, getting approval to take the exam and setting up a test date.

3. Understand the testable topics. Gather the relevant test information from the website. Understand the requirements and get a feel for where you are professionally and any gaps you need to bridge to bring your knowledge of the NISPOM and ISP Certification categories to where it needs to be. It’s not necessary to be an expert in all areas or to be able to quote regulations and requirements. What’s important is knowing where to find information in the source documents and applying that knowledge to question-based scenarios. In other words, understand where the information can be found and how to apply it to the situation quickly. For example, a person appointed as FSO may have substantial experience with personnel and contract security after working those areas exclusively for many years. However, they are still responsible for understanding information security as outlined in the NISPOM. This means that they will need to spend some time learning where to find topic-related information and answering questions in context.

4. The following are some things that you can do to prepare to fill those knowledge gaps:

a. Study the structure of the NISPOM and other reference documents and understand where to find topic-related information. Also, become familiar with key industry standard terms found in the source documents. Some of these terms are original classification authority, government contracting agency, DSS, security clearance, cognizant security agency, and so on. The NISPOM and source documents are available in print and electronically and can be used in the exam. Understanding where certain information can be found, or how to search an electronic copy, is a very good technique for both real-life and test scenarios.

b. Join the NCMS study group. There you can study their material, ask questions and get feedback.

c. Find an ISP certified professional mentor. They understand the stress of working full time and studying for a professional level exam. Mentors can calm fears, answer questions, put rumors to rest, and put the right perspective on stress, studying and life in general.

5. Set a date. Just like getting married, sometimes you just have to put a date down. Once that date is set and approved, you have a certain amount of time to take the test before having to reapply. Setting the date will keep you motivated to study and stay focused.

Dreaming is one thing, but achieving is another. The best way to ensure success is to build a plan and follow it. Begin with the end in mind, understand the limitations, meet those limitations, set a date and stay focused. Let 2015 be the start of a new professional achievement.

Monday, November 24, 2014

Facility Security Officers, NISPOM Training and What We Really Do


NO, I will not move your office furniture.

The misunderstanding.

Not because I’m not a nice guy or a helpful employee, but you just came to the wrong office.

Ever have one of those days?

A few years ago, while I was serving diligently as an FSO, an employee came by my office. She shot the breeze for a few moments, then floored me with a question.

“Could you help me move my desk out of my office? I’m getting it replaced.”

I thought it a strange request, as I was still kind of new and we hadn't built up the kind of relationship where she should ask for those kinds of involved favors.

“Sure, I could grab someone and we can come over and move it.”

“That would be great,” she responded.

“But, better yet,” I said on second thought, trying to protect my back from sure injury. “Why don’t I call the facilities manager and we can get someone with the right equipment.”

“That’s what I meant,” she responded. “You are the facilities guy…”

Oooooh, now I know what’s going on.

After a brief exchange, I educated her on the role of a Facility Security Officer, which is to develop and implement a security program to protect classified information. She apologized for the misunderstanding and quickly moved on.

Confined to a small box.

It’s possible that you or someone you know has had or is currently having the same experience. This stems from fellow employees not understanding the FSO's role or responsibilities. This misunderstanding could not only have people assuming FSOs control furniture and building use, but could effectively undercut potential leadership roles.

FSOs should have the ability to influence business and vision making decisions. Without such input, the enterprise may not reach its full potential.

FSOs should be regularly consulted on and involved in business decisions, statements of work, requests for proposals, capabilities statements and other areas of increasing value while working classified contracts. After all, FSO tasks encompass so much more than requesting security clearance investigations, sending visit authorization requests, or other general administrative tasks.

Breaking out of the box.

Nobody will ever understand what you can do unless you tell them in words they can understand and in the language they speak. What might be useful is a quick elevator speech of about 30 seconds, one that FSOs can deliver in real time and that highlights their capabilities and how they impact the company’s ability to work on classified contracts. A good place to start is reviewing contractual requirements and comparing them with the already established security program.

Reference Documents

The first step is to review DD Forms 254 and look for specific security requirements as outlined in blocks 10 and 11 and those additional ones mentioned in blocks 13 and 14. Additionally, statements of work may list some opportunities the FSO can take advantage of to demonstrate value to the enterprise.

With this information FSOs can share with the enterprise not only the popular security clearance issues, but also:

  1. Training requirements for employees to work with classified information (NISPOM training, initial security training, annual security awareness training, SF 312 briefings, derivative classifier training)
  2. Additional storage space required, to include GSA approved containers, shelving, closed areas and space for classified discussions
  3. Vision statement to include areas for business growth, business opportunities or hiring of additional security employees.

An elevator speech might look like: “As FSO I create, implement and lead security programs that protect classified information. To do this I help the enterprise make risk based decisions and implement countermeasures to ensure classified work performance is conducted as required, ahead of schedule and within budget.”

This proactive effort leads the FSO from bolting on security at the end of the product to weaving it in throughout the acquisition life-cycle.

The Setup

Consider two possible responses to a security opportunity:

Someone notifies the FSO with the good news of the contract award, believing that everything is in place to proceed. A new DD Form 254 requires not only a product demonstration, but a classified research paper demonstrating how the product will meet the customer’s requirements. The contract also comes with the delivery of 300-400 classified documents.

1. A misunderstood FSO’s role might lead to a disaster such as this:

The FSO is not directly involved with the acquisition and contracts process. They are just there to react to emerging contractual opportunities. As such, the organization could be left reacting on short notice to tasks with long lead times.

This might involve security briefings, training new or existing employees, determining where the classified work would take place, and where the product and 300-400 documents would be stored. This would be a large task for someone discovering the requirements only after the contract is awarded.

Such a position of reaction could lead to delays in work as clearances would need to be requested, security containers ordered and restricted areas imposed (please keep in mind that this is a made-up scenario based on any level of classified work experience).

2. A well-integrated FSO’s role might lead to success: Given advance notice, the FSO can deliver sound advice as soon as rumors of new work whisper through the corridors. From the beginning the FSO could help determine how many cleared employees are needed vs. what is available, whether or not additional security training is required, whether or not existing storage space is adequate for documents and work performance, and so on. The FSO would inform the business decision-making process before decisions are made.

FSOs should be prepared to lead the organization through the requirements of performing on classified contracts. This opportunity can be clouded by misconceptions and misunderstanding. A difficult, but vital responsibility includes informing the enterprise of roles, responsibilities and capabilities. The FSO should research requirements and present a sound solution.

Monday, October 20, 2014

FSO's, Self-Inspection and Classification

Facility Security Officers (FSO) should coordinate an annual self-inspection to ensure their organizations are equipped to conduct and capable of conducting continuous protection of classified information. A great tool FSOs or designated inspecting officers can use for preparing, conducting and documenting the self-inspection is DSS’ The Self-Inspection Handbook for NISP Contractors. The handbook identifies “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. The five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

This section covering Classification will consist of multiple parts. Keep reading future newsletters and posts for the rest of the story.

Part I

First off, cleared defense contractor employees do not perform classification. That’s the government’s job. Classification is conducted by the Original Classification Authority (OCA). The OCA is a designated position that uses a six step process to identify whether or not something is classified, at which level of classification, for how long it is to remain classified, and communicate the decision.

Derivative classification, in general terms, includes paraphrasing, incorporating, restating or regenerating classified information into a new form. Since contractors do not perform original classification, most of their work would involve using classified sources to create new classified products.

Cleared defense contractors are responsible for establishing a security program to protect classified information. The program should protect classified information in all instances according to guidance found in the classified contract and the NISPOM. This guidance can include handling, storing, marking, training cleared employees, and so on.

So aside from protecting classified information, what roles do cleared contractors play in classification?

Derivative Classification

When classified information is used to derive a new product, the original classification should be carried over into the new product. Items assembled, copied, scanned, or reports made based on instructions or requirements found in the DD Forms 254, Statements of Work, and Security Classification Guides (SCG) are considered derived or derivative classification decisions.

Here are some questions and explanations from the DSS handbook.

4-102d Have employees received appropriate training before they were authorized to make derivative classification decisions for your company? Here’s where you provide a list of the trained employees and a sample of the training or other proof that required NISPOM topics are taught.

According to NISPOM paragraph 4-102d, cleared employees must receive derivative classification training prior to being authorized to make derivative classification decisions.

Where the original classification authority receives training on the same topics annually, the NISPOM requires derivative classification training once every two years. According to the NISPOM, derivative classifiers should be trained “…in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years … not authorized to conduct derivative classification until they receive such training.”

Here's the important part: no training, no work. Appropriate NISPOM training and documentation is the difference between performing on classified work and not being able to meet contractual requirements. FSOs must plan to train cleared contractor employees who perform derivative classification responsibilities.

More information on derivative classified training can be found here: http://dodsecurity.blogspot.com/2013/04/nispom-change-1-derivative.html

http://dodsecurity.blogspot.com/2013/05/derivative-classified-training-what.html

4-102d Are all derivative classifiers identified on the documents on which they made derivative classification decisions? This can be both demonstrated by providing the proof of training as well as actual derivative classification documents if appropriate.

One such training task ensures that the authorized employees apply proper markings to their products. Not only are classification markings required, but so is the proper documentation of who is actually performing the derivative classification. According to NISPOM paragraph 4-102d, cleared employees who are authorized to make derivative classification decisions are responsible for identifying themselves on the documents where they make those decisions. Identification instills discipline, control and accountability of derivative classification decisions.

Only authorized cleared employees are assigned as derivative classifiers and they must be identified as such. The identified employees must be provided with the appropriate derivative classifier training.

Proper identification occurs when authorized derivative classifiers apply their names and titles to the derived items. However, contractors can substitute some type of personal identifier that translates to an authorized name and position. The use of the personal identifier is usually allowed unless the government customer states otherwise.

When the alternative identifier is used, the organization should develop a designator that aligns with a person’s name and position. If the government customer or anyone authorized to view the classified information has any questions, the derivative classifier can be identified from the list. The contractor should maintain this list for at least as long as the cleared employee is with the business organization.

Once derivative classifier training is complete, the FSO should provide documentation listing the trained employees and the training topics. A good idea is to keep the training available in case details of the training are needed. Once filed, this documentation can be shown to demonstrate compliance with the NISPOM. Whether the inspector is part of a self-inspection team or with industrial security representatives from DSS, the proof of training should meet the intent.


For more information about derivative or classification training visit www.redbikepublishing.com/training or see:

Monday, October 13, 2014

NISPOM Based Questions


Try these NISPOM based questions. This study may help you prepare for the ISP Certification or the DoD's SPeD certification. These answers aren't in the NISPOM. Can you answer them anyway?

1. What are the appropriate steps to take in JPAS when a cleared employee no longer needs a clearance but will not leave the company?

a. Debrief from access, out process
b. Debrief from access, separate from JPAS
c. Separate from JPAS, out process
d. Out process only
e. Separate from JPAS only


2. Applicants will be required to change initial golden question to _____ unique golden questions.
a. 2
b. 3
c. 6
d. 4
e. 5


3. You must include information about all of the following EXCEPT on the SF86.
a. Parents
b. Cousins
c. Brothers
d. Sisters
e. Spouses


4. When must fingerprints be submitted?
a. For initial investigations and Periodic Review
b. For initial investigations only
c. For PR’s only
d. At the completion of investigation
e. Never

More study information can be found here:

Does a secret security clearance fulfill the requirements of a public trust clearance?

As published in clearancejobs.com

Recently, a reader asked the following question: “If I have a current secret clearance, does that fulfill the requirements of the ‘public trust’ clearance?” Before we answer the question, let’s look at public trust as a whole.

THE SHORT ANSWER

It depends. The security clearance process is part of the Public Trust evaluation. According to Standard Form (SF) 86 and SF 85 instructions and DSS publications, some public trust positions require security clearances and some do not. So, the answer depends on the level of the public trust required. If a desired public trust requirement is for a low to moderate risk position or requires a clearance of SECRET or CONFIDENTIAL, then yes, the request for the SECRET clearance (SF 86) adjudication should cover the requirements and the applicant should not have to complete a new SF 85 or 85P. If the public trust position requires a higher security clearance, then the applicant would undergo another investigation and adjudication to cover the requirements of the higher clearance level.

BACKGROUND

A position of public trust is evaluated to determine the type of impact on the organization based on the sensitivity of the position and the risk of information the employee of the position might work with or otherwise possess. These positions are designated by an authorized manager based on low, medium or high risk.

Sometimes people mistakenly think that public trust and security clearances are two separate events or positions, and the terms are often wrongly switched up. Though there are two different processes, both are under the same designation. The mistake is in thinking that there are two categories of clearances, with public trust and security clearance topics. However, the term public trust encompasses both classified and unclassified position needs.

RISK LEVELS DEFINED

Understanding the risk level is fundamental to comprehend the public trust requirements. The public trust positions are designated according to amount of risk assumed.
  • Low risk public trust positions are for duties that have limited potential impact on the organization or mission.
  • Moderate risk public trust positions are designated for those positions with potentially moderate to serious impact on the organization or mission.
  • High risk public trust positions are for positions with exceptionally serious impact on the integrity or efficiency of the mission.

HOW RISK POSITIONS ARE FILLED

Public trust position investigations are conducted by the Office of Personnel Management (OPM). If a position is designated as being low, moderate or high risk, OPM investigates the employee for suitability to the level of risk. The higher the public trust position risk, the more detailed the investigation.

The process begins with the justification of the position. The authorized manager has already determined this when the position is created. Each employee who fills that position must have had, or will undergo, an investigation to qualify them for the level of public trust required. Once notified by an authorized person, the next step is for the employee to complete the correct Standard Form (SF).

There are different types of adjudications for public trust positions and each type of adjudication requires a different form. The SF 85 is the correct form for low risk, the SF 85 or SF 85P for moderate risk, and the SF 86 is for security clearances and high risk public trust positions. Each SF provides the basis of information used for the appropriate suitability investigation. Whichever SF is used, the applicant should accurately and completely fill in each field, including those asking for form-specific information. OPM investigators use the completed forms to research the subject and gather the information necessary for the adjudicator to make a suitability determination.
A NOTE ABOUT SECURITY CLEARANCES

Keep this in mind: compromise of SECRET information could cause serious damage, and compromise of TOP SECRET information could cause extremely grave damage, to national security. Does this determination sound familiar? The levels of damage described match key words in the moderate and high risk definitions given earlier. Both complement each other and describe levels of risk and impact.

Not all sensitive duties require access to classified information. However, those employees requiring a security clearance fill out the SF that leads to the more in-depth and appropriate investigation. For security clearances, it is the SF 86. This is an important distinction, as the moderate risk public trust position normally requires the SF 85P. However, when a security clearance is required, the SF 86 is always used. The bottom line is that regardless of the risk level, when a national security adjudication grants access at any classification level (TOP SECRET, SECRET, or CONFIDENTIAL), an SF 86 is required.

For example, if an employee is hired against a moderate risk position that requires a SECRET security clearance, the SF 86 investigation is more detailed and will fulfill all moderate risk adjudication information required of the SF 85P. In other words, the more in-depth investigation requirement will cover all lower level investigation requirements. The applicant will not need to complete both forms.
JOB TRANSFERS

If an employee is transferred, there can be a complication. When occupying a position of moderate risk where no clearance is required, the employee completed an SF 85P. If the same employee is transferred to a similar position where a SECRET clearance is required, they will have to complete an additional SF 86 and undergo a different investigation. If, on the other hand, they transfer from a moderate risk position requiring a security clearance to a moderate risk position not requiring a clearance, the original SF 86 will suffice.

So, back to the original question, “Does a secret security clearance fulfill the requirements of a public trust clearance?” The answer is yes. A SECRET clearance is designated as part of the public trust process. The holder of the SECRET clearance is in a position of moderate risk that requires a security clearance. In this case an SF 86 investigation and security clearance adjudication will cover the requirements of moderate and low risk positions.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Wednesday, August 20, 2014

NISPOM Study Questions

Some NISPOM based questions that might augment your study for the ISP Certification exam.


1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:

a. NSA
b. GCA
c. DNI
d. CSA
e. GSA

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.

a. SECRET, TOP SECRET
b. TOP SECRET, CONFIDENTIAL
c. CONFIDENTIAL, FOUO
d. SECRET, FOUO
e. CONFIDENTIAL, SECRET

3. The COR establishes the COMSEC account and notifies the _____:

a. CSA
b. GCA
c. FSO
d. NSA
e. DIA

4. Contractors maintain TOP SECRET reproduction records for _____ years.

a. Two years
b. One year
c. Five years
d. Ten years
e. None of the above

Scroll Down for Answers

1. In order to protect fragile intelligence resources and methods, SCI has been established as the SAP for:
a. NSA
b. GCA
c. DNI (NISPOM 9-302b)
d. CSA
e. GSA

2. Interim TOP SECRET FCLs or PCLs are valid for access to COMSEC at the ____ and ____ levels.
a. SECRET, TOP SECRET
b. TOP SECRET, CONFIDENTIAL
c. CONFIDENTIAL, FOUO
d. SECRET, FOUO
e. CONFIDENTIAL, SECRET (NISPOM 9-402c)

3. The COR establishes the COMSEC account and notifies the _____:
a. CSA (NISPOM 9-403b)
b. GCA
c. FSO
d. NSA
e. DIA

4. Contractors maintain TOP SECRET reproduction records for _____ years.
a. Two years (NISPOM 5-603)
b. One year
c. Five years
d. Ten years
e. None of the above


The FSO, Sub-Contracts and NISPOM

As we continue the series of articles on the self-inspection, we should understand that FSOs or designated inspecting officers may find themselves addressing “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are other topics that do not apply to every facility, but they still offer an opportunity to learn something new. A few more elements might apply at unique cleared facilities, and FSOs in those situations can adapt these articles to those specific needs. As a recap, according to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements that pertain to ALL cleared defense contractors are:
(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(D) FOCI
(E) Classification

Though not applicable to all cleared contractors, subcontracting is covered in NISPOM. This article will address the subcontracting requirements and how to set up both the prime and the sub for success. The following are questions from the self-inspection handbook and how to address them.
Are all required actions completed prior to release or disclosure of classified information to sub-contractors?
An FSO might get direction by referring directly to the DD Form 254. Since it’s called the Contract Security Classification Specification, it should be used by the prime to direct classified work requirements and by the sub to prepare their cleared employees and facility to perform. Items 10 and 11 provide the performance and access information required of the subcontractor. These yes or no questions outline expectations. Will the sub-contractor be expected to use COMSEC equipment, operate a SCIF, or create classified documents? If so, some subtasks are required during preparation. For example, if the prime expects the sub to perform classified work on site, appropriate storage space, designated or dedicated work areas, information systems, etc. should be approved, certified and accredited in time to meet performance requirements.
Are the clearance status and safeguarding capability of all subcontractors determined as required?
The cleared contractor should identify work requirements in the DD Form 254, including storage level, where classified work will be performed, access requirements, and the security guidance expected to be flowed down to the subcontractor. The DD Form 254 should be provided with the statement of work, contract, request for quote, etc. It is the nexus of work, preparation, and expectations required of the sub, and it allows the sub to cost the work performance. This documented performance requirement ranges from simply requiring a facility clearance with no storage capability (providing cleared employees to perform off site) to classified storage capability to receive and generate classified information on site.
The DD Form 254 should trigger some actions by the prime contractor. For example, in block 11, the prime informs the subcontractor whether or not they will need to access classified information on-site. Prior to the subcontracting effort, the prime contractor should make that determination and flow requirements to the sub-contractor. The prime contractor should show due diligence that they vetted and awarded the classified contract to a subcontractor who is able, or will be able, to protect classified information or otherwise perform on classified contracts per NISPOM when the performance requirements begin.
Do requests for facility clearance or safeguarding include the required information?
If the winning subcontractor is not currently cleared, the prime will have to jump into action to sponsor them (see how this is done) for a facility security clearance (FCL). This requires the prime to be proactive, as they must solicit the cognizant security agency (usually the Defense Security Service (DSS) for the Department of Defense) on behalf of the sub-contractor and provide the rationale for the FCL. This rationale should include any safeguarding requirements and a description of the classified work required in the contract. The rationale should also include all factors that help DSS determine whether or not the subcontractor meets NISPOM requirements. Though the sub can prepare administrative actions such as compiling and completing required documents and certificates, the sub-contractor cannot request their own clearance.
If your company is a prime contractor, have you incorporated adequate security classification guidance into each classified subcontract?
This is where blocks 13 and 14 really count. According to DSS’s Guide For Preparing a DD Form 254, block 13 should not just be a list of requirements documentation. Prime contractors should not just write, “protect all classified information according to NISPOM” or similar vague instructions. This area should be used to provide explicit information that helps the subcontractor understand the nuances of protecting classified information according to the contract. To be specific, exact protection language should be incorporated here. If reference documents are used, such as security classification guides, statements of work, or other requirements items, the prime should list the document name, page number and exact language. This also includes any source documents provided as attachments to the DD Form 254 or delivered separately. The point is that block 13 should include specific security language to protect contract-specific classified information.
If there are any security requirements that go above and beyond the NISPOM, these should be listed in Block 14. These also require prior approval from the government contracting activity.
Are original Contract Security Classification Specifications (DD 254) included with each classified solicitation?
This is a fair and accurate way to get the message across that any contractor that bids on the classified contract understands the requirements to protect the classified information. The DD Form 254 is a legally binding contractual document and the subcontractor will be required to perform to the contract specification. This requires the prime contractor to present the expected work outright in the statement of work and the DD Form 254.
If your company is a prime contractor, have you obtained approval from the GCA for subcontractor retention of classified information associated with a completed contract?

If the prime contractor expects to deliver 2000 classified documents or expects the sub-contractor to generate and/or store classified information on site, the prime will need to secure approval from the Government Contracting Activity. Then the prime will flow the approval and protection requirements down to the sub-contractor. Among other uses, this approval provides the GCA with assurance that the classified information is given the same level of protection as required at the prime contractor's cleared facility. The sub in return receives the protection specifications, prepares the storage and work areas for compliance, and prepares to receive the material.
The FSO or self-inspecting official should look at all DD Form 254s generated by the cleared facility. They should validate that each is issued properly while seeking a demonstrated answer to each question.

