Monday, March 30, 2015

NISPOM Based Certification Questions.

Try these NISPOM based questions. They could complement your ISP Certification or SPeD certification study. See how you do.

1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared

Scroll down for answers:

1. Disclosure of U.S. Information to Foreign Governments is guided by the:
a. CSA
b. GCA (NISPOM 10-200)
c. COR
d. ITAR
e. Exports Agreements

2. What is the required FCL a contractor facility must have if in possession of only NATO RESTRICTED information?
a. TOP SECRET
b. SECRET
c. CONFIDENTIAL
d. RESTRICTED
e. None of the Above (NISPOM 10-702)

3. Which of the following are eligibility requirements a company must meet before it can be processed for an FCL?
a. The company must be an organization of at least 25 people
b. The company must have a desire for classified access
c. The company must have a reputation for integrity (NISPOM 2-102c)
d. The company must make its bottom line for three consecutive quarters
e. The company is the only entity that can perform the work

4. When can a contractor disclose classified information to another contractor?
a. Furtherance of contract (NISPOM 5-509)
b. Furtherance of business development
c. When directed by FSO
d. When directed by CSA
e. Just as long as other contractor is cleared

FSOs and End of Day Security Checks

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-102a Is there a system of security checks at the close of each working day to ensure that classified material is secured? 

Security checks help, period. However, they are only as good as the purpose they serve. Many times these checks are just a list of mundane actions an employee is forced to complete before going home. Many times the checks are performed by employees on a duty roster, pulling the job for a week at a time while leaving at various times of the day.

The real intent is to ensure classified information is locked up and inaccessible to uncleared personnel and to those without a need to know. Desktops, trash bins, printers, and copiers are checked to ensure classified information has not been left unsecured.

GSA approved security containers are checked and initialed to ensure they are closed and locked properly. Closed area locks are checked, as are security alarms. The list goes on, to ensure that every location where classified information was previously available has been secured and the risk of compromise has been mitigated.

Now, security checks are important, and so is the responsible party doing the checking. Often, any employee with a clearance is given the "duty". However, care should be taken to ensure the checks are made at the right time.

Here's a little hint at an inherent, but rarely pondered, danger.

The end of day checks should be performed at the end of the duty day and not the end of the day for the employee on duty.

Did you get the play on words? 

The danger with a duty roster in many cases is that some employees performing the end of day checks may not normally stay until the end of the duty day. Where the employee on duty might leave at 3 pm, other employees might not leave until 5 pm. That two-hour gap simply does not provide the proper mitigation.

Within those two hours, an employee could re-enter a closed area, open a security container, hold a classified meeting, and so on. Life goes on after the designated end of day checker goes home.

Outside-the-box ideas:

1. Have employees performing the duty alter their work schedule accordingly. Make sure that someone is covering the end of day checks at the actual end of the day. Some even go so far as to include safety and housekeeping information as well.

2. Have a last call for classified information. If the normal duty day ends at 5 pm, ensure all classified information is secured by 4:45. Of course there are emergencies and case by case issues that can be dealt with upon request.

3. Assign end of day checks to only employees who leave at the end of the day. Build in additional "beginning of the day" performance measures for employees who arrive earlier in the day.
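As an added illustration (not from the post, and not any DSS or Red Bike Publishing tool), here is a small Python check over a constructed day's log of container and closed-area activity. It flags exactly the gap described above: an end-of-day check recorded before the normal 5 pm duty-day end, activity after the check, and anything left open. The log format, event names, names of people and the 17:00 cutoff are assumptions.

```python
from datetime import datetime

DUTY_DAY_END = "17:00"  # assumed normal duty-day end (5 pm, as in the post)

# Constructed sample log (HH:MM ACTION OBJECT PERSON); not real data.
# The checker (Smith) leaves at 15:00 but colleagues keep working past 17:00.
SAMPLE_LOG = """\
08:05 OPEN container-A Jones
14:50 EOD_CHECK all Smith
15:00 LEAVE building Smith
16:10 OPEN container-B Jones
16:40 ENTER closed-area-1 Lee
16:55 CLOSE container-B Jones
17:05 EXIT closed-area-1 Lee
"""

def parse_log(text):
    # Parse 'HH:MM ACTION OBJECT PERSON' lines into tuples sorted by time.
    events = []
    for line in text.splitlines():
        if line.strip():
            t, action, obj, who = line.split()
            events.append((datetime.strptime(t, "%H:%M").time(), action, obj, who))
    return sorted(events)

def review_eod_check(text, duty_day_end=DUTY_DAY_END):
    """Return a list of findings; an empty list means the day looks clean."""
    events = parse_log(text)
    end = datetime.strptime(duty_day_end, "%H:%M").time()
    checks = [e for e in events if e[1] == "EOD_CHECK"]
    if not checks:
        return ["no end-of-day check recorded"]
    check_time = checks[-1][0]
    findings = []
    # The check must come at the end of the duty day, not the checker's day.
    if check_time < end:
        findings.append(f"EOD check at {check_time:%H:%M} precedes duty-day end {end:%H:%M}")
    # A container opened or closed area entered after the check was never verified.
    for t, action, obj, who in events:
        if t > check_time and action in ("OPEN", "ENTER"):
            findings.append(f"{action} {obj} by {who} at {t:%H:%M} after the EOD check")
    # Anything opened/entered and never closed/exited is still unsecured.
    open_now = set()
    for _, action, obj, _ in events:
        if action in ("OPEN", "ENTER"):
            open_now.add(obj)
        elif action in ("CLOSE", "EXIT"):
            open_now.discard(obj)
    findings.extend(f"{obj} never secured after last use" for obj in sorted(open_now))
    return findings
```

Running `review_eod_check(SAMPLE_LOG)` on the constructed day reports the early check, the two re-openings after it, and container-A left open; a day where everything is closed before a 17:10 check returns no findings.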

Another common problem is using the end of day check for safety and housekeeping. Consider a separate checklist for those issues. Employees should be focusing their efforts on securing classified information, not on ensuring the coffee pot is turned off.

Hang on to those end of day checklists. DSS will want to see them during the review. Be sure to check for them during your self-inspection.

We've covered this discussion in depth in 2012 and 2013 posts. As a reminder, here are the links for further discussion of this important issue:

http://dodsecurity.blogspot.com/2013/03/traditional-security-tools-in-unique.html

http://dodsecurity.blogspot.com/2010/11/storing-classified-information-keeps.html#links

Though not required by NISPOM, government forms are available online for use, or just to serve as a model when strengthening security programs. Companies are free to use these forms or create their own. One such form is the Activity Security Check List, Standard Form 701. Again, unless the contract or Government agency requires the use of a specific format, the company is free to adapt its own version.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

GSA Security Container Magnets
http://www.redbikepublishing.com/book/magnet/

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".


Sunday, March 15, 2015

Defense Contractor Self Inspection Handbook and Classified Discussions

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. Now we are in Section M Classified Storage. So, here is the question:

5-101 Do your cleared employees know where they can and can't hold classified discussions?

According to NISPOM 5-101, Safeguarding Oral Discussions: "Contractors shall ensure that all cleared personnel are aware of the prohibition against discussing classified information over unsecured telephones, in public conveyances or places, or in any other manner that permits interception by unauthorized persons."

There are at least two points that the FSO should address. The first is to ensure all cleared employees are aware of when and where classified discussions are and are not permitted. This awareness can be presented in any of the following formats. If possible, the FSO should implement as many as apply:
  • New employee orientation/Initial Security Briefing/Annual security awareness training: FSOs should incorporate contractor-specific training to ensure the cleared employees understand where and when classified discussions are allowed and the circumstances that must be met before the discussions are allowed. This training should include designated areas, rooms, sections or other locations where conversations, presentations, telephone calls, and any other discussions should take place. The training should also include how to prepare the areas for the proper level of discussion, including any necessary VARs, COMSEC, or information system support.
  • Posters: Posters serve as reminders to reserve classified conversations for designated or dedicated locations.
  • Pamphlets or flyers: Post these in obvious places as part of continuing security training and education. These flyers and pamphlets can convey a lot of significant information that will support your annual security awareness training.
  • Multi-media: Broadcast your security message to the cleared employees through social media, websites, an internal television channel, etc.


VALIDATION: The best way to demonstrate compliance with NISPOM requirements is to document actions and show examples. This can be done with:
  • cleared employee signatures
  • facility maps identifying designated and dedicated classified discussion areas
  • locations where pamphlets and flyers are posted
  • how many were posted
  • copies of presentations and training

Presenting and documenting topics, signatures, and copies of any method of presenting the message are great metrics to demonstrate validation.
