Tuesday, July 22, 2014

Try these NISPOM Based ISP Certification Questions

Try your knowledge of the NISPOM and apply your experience as an industrial security professional with these challenging questions:


1. Recommendations for the downgrading of NATO classified information should be forwarded to:

a. Originating activity
b. CSA
c. GSA
d. CUSR
e. FSCC

2. All of the following require accountability receipts EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL
e. NATO CONFIDENTIAL ATOMAL

3. Which form is used for registration of Scientific and Technical Information Services?
a. DD Form 214
b. DD Form 254
c. DD Form 1540
d. DD Form 2345
e. DD Form 1234

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:
a. CSA
b. GCA
c. FSO
d. ISSM
e. GSA


**************No Peeking-Keep scrolling when ready for answers****************





1. Recommendations for the downgrading of NATO classified information should be forwarded to:

d. CUSR (NISPOM 10-710)


2. All of the following require accountability receipts EXCEPT:

d. NATO CONFIDENTIAL (NISPOM 10-17b)

3. Which form is used for registration of Scientific and Technical Information Services?

c. DD Form 1540 (NISPOM 11-202a)

4. An approved vault is constructed according to guidance in the NISPOM and approved by the:


a. CSA (NISPOM 5-800)




Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Sunday, July 20, 2014

Thanks NCMS-New ISP Coin

My new NCMS ISP Certification coin came in the mail. Another great reason for ISP Certification; thanks NCMS...























FSO's and Cleared Consultants

As a recap from the last article, we can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education
(D) FOCI
(E) Classification

Though not applicable to all cleared contractors, consultant agreements may apply to some. This article will address the requirements of the consultant agreement and how to basically treat consultants as part of the cleared contractor enterprise.

According to the Defense Security Service (DSS) Facility Security Officer (FSO) Toolkit, a consultant agreement might look as follows (formatting and content can vary, but this is a template that works just fine). See it here: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html


Here are the elements of the template.

A consultant for cleared contractors is an individual who provides professional or technical services requiring access to classified information. According to paragraph 2-212 of the National Industrial Security Program Operating Manual (NISPOM) DoD 5220.2-M, a cleared contractor can process a consultant for a personnel security clearance as if they were a cleared employee of the organization. However, the consultant either outright owns or co-owns the business with family members, but is the only employee requiring a security clearance. If other members of the consultant’s organization are required to access classified information, then the company will need to be sub-contracted and sponsored for a facility security clearance (FCL).

The consultant agreement should ensure that the following apply to the work performed (exceptions exist when connected with authorized visits):

In the case of a consultant “treated” as an employee, the DD Form 254 is clear about where classified work is performed. The 254 applies to all work performed by cleared employees. By agreement and NISPOM guidance, the consultant is the cleared employee. As such, the FSO should document the following actions and be ready to demonstrate them during the self-inspection and the DSS review:

a. The consultant shall not possess classified material away from the premises of the using contractor.

b. The using contractor shall not furnish classified material to the consultant at any location other than the premises of the using contractor.

c. The consultant shall accomplish performance of the consulting services only on the premises of the using contractor.

Since the consultant’s clearance is held and processed by the consulted contractor, the consultant should have an initial security briefing and annual security awareness training. This training should include the requirements of the NISPOM:

a. The using contractor shall provide classification guidance to the consultant, and shall brief the consultant as to the security controls and procedures applicable to the consultant’s performance.

b. The consultant shall not disclose classified information to any unauthorized person.


Finally, the consultant agreement should include language to the effect that the consultant is the owner of the consulting firm and is the only official/employee of the consulting firm who may provide consulting services pursuant to this agreement.

Once the memo is written and agreed upon, both parties should sign it, and the records should be available for self-inspection and DSS review.

Using this article and experience, the FSO should now be able to demonstrate efficiency with the following questions:

D. CONSULTANTS

NISPOM REF: 2-212
Question (YES / NO / N/A): Have you and your consultants jointly executed a “consultant agreement” setting forth your respective security responsibilities?
RESOURCE: Consultant Agreement under Forms at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html
VALIDATION:

NISPOM REF: 2-212
Question (YES / NO / N/A): Does the consultant possess classified material at his/her place of business?
VALIDATION:













Friday, July 11, 2014

Justifying a Clearance – Why Need to Know May Become the New Norm



*My article as published @ Clearancejobs.com


http://news.clearancejobs.com/2014/03/28/justifying-clearance-need-know-may-become-new-norm/


Bradley Manning, Eric Snowden and Aaron Alexis.


These are names of co-workers and fellow employees with security clearances who violated trust. After each incident, reviews were established to discover: How did they get security clearances? How, in the case of the spies, did classified information get taken? In the case of workplace violence, how did such untrustworthy and threatening persons get security clearances?


A Pentagon report released last week provided an independent review of the Navy Yard Shooting, and asked the critical question – are there currently too many individuals with access to classified information?

CURRENT PRACTICE; DEFEND THE PERIMETER


Prescribed security measures to protect classified information are found in government agency security classification guides, policies, instructions and procedures. Where classified information exists, there are countermeasures required to protect that information. Depending on the classification level, these protection efforts include proper classification markings; storing classified information in General Services Administration (GSA) approved security containers and vaults; and using alarms, sensors, a guard force, or a combination.


Current security measures are deemed adequate to protect classified information from falling into the wrong hands. After all, a thief or spy would have to go through several layers of security to get their hands on national security information at significant risk to themselves; or would they? These days, sometimes all they have to do is ask nicely and an otherwise authorized employee might just bring it to them.


Protection measures only go so far to deny unauthorized persons access to sensitive information. At a time when the biggest threats to national security are the Bradley Mannings and Eric Snowdens, trusted employees walking out with the goods, physical security measures are just not enough: they keep bad guys out, but do little to prevent the insider threat.


This is not limited to the federal government and contractors, but also occurs elsewhere. Theft of proprietary information, personally identifiable information, intellectual property, workplace violence and more are perpetrated by the co-worker who was so quiet and hardworking.

FINDINGS


The Washington Navy Yard shooter, Aaron Alexis, held a SECRET clearance. According to the report, he was awarded his security clearance while in the Navy, but this was a “just in case” measure and not based on need to know. The result is the ability to maintain the security clearance for 10 years as long as he didn’t have too long of a break between jobs requiring a secret clearance. Once hired by The Experts, Inc., he was back in the system. His eligibility would depend on self-reporting any adverse information, and the periodic review due at the 10-year mark. Couple that with the rapid growth of cleared personnel, and we see how an insider threat can grow unchecked. The risk was the inability to connect police records and other historical data that might have indicated that he was ineligible for a security clearance.

A NEW PARADIGM

Some of the findings of the Pentagon’s review break the paradigm of relying on “defending the perimeter” to focus on the challenges of protecting National Security from those within our own ranks.

The first recommendation is to: “Cut the number of Department of Defense employees and contractors holding Secret clearances, and adopt a “just in time” clearance system more tightly linked to need to know.”

This solution may appear extreme and many reading this may take issue with such cuts. After all, many cleared defense contractors rely on having an adequate pool of cleared contractors and offer salaries and benefits tied to security clearance levels. Those holding security clearances may feel the pressure of such cuts as career ending.

These cuts are recommended as a countermeasure to free the workload of investigators and focus on more efficient and effective adjudication. As such, this could be just the countermeasure needed to protect national security. Further study demonstrates the intent is not to cut positions, but to determine whether or not existing positions require a security clearance. Validating the need for a clearance early is a determining factor. The cuts are simply requiring better stewardship and oversight of the security clearance process. Jobs do not need to be cut, but justification for requesting security clearance investigations and follow-on security clearances needs to be better defined and controlled.

BRING BACK NEED TO KNOW

Many cleared employees may concede that access to classified information is based on a security clearance level AND the need to know classified information. Many times the need to know is not fully understood nor properly identified for security clearance requests. Defense contractors are granted facility security clearances based on a contractual need. After being granted a facility security clearance they then request personnel security clearances for employees who will need access to perform on the classified contract. In many cases the breakdown occurs when the cleared defense contractor or government agency requests security clearances using a standardized tool based on position or to form a pool of classified personnel in case they are needed.

This review recognized that the current state of the security clearance process was flawed. That made sensitive information and the workplace vulnerable to the insider threat. The report makes recommendations to exercise more control of the security clearance process, making a greater argument for resting justification on need to know.

INTERNAL CONTROLS

One clearance justification practice used by cleared defense contractors is to have management provide rationale in a statement or security clearance request form of the need to request a clearance on a particular employee. Another practice is to directly link the new-hire employee to an employment opportunity requiring access to classified information to perform the job. However, these successes are based on internal controls and policies of the responsible cleared contractor, and not strictly enforced by government oversight.

The review made many other recommendations to streamline and improve oversight of the security clearance process for contractors. Whether or not the recommendations are acted upon remains to be seen. However, industry can become part of the solution by properly justifying the need for a clearance.


