Thursday, April 28, 2016

Automated Access Control Systems

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-313a. This is another installment from the handbook under the topic of M. Classified Storage.
Do ID cards or badges used in conjunction with Automated Access Control Systems meet NISPOM standards?

The NISPOM states:

Automated Access Control Systems. The automated access control system must be capable of identifying the individual entering the area and authenticating that person’s authority to enter the area.
a. Manufacturers of automated access control equipment or devices must assure in writing that their system will meet the following standards before FSOs may favorably consider such systems for protection of classified information:
(1) Chances of an unauthorized individual gaining access through normal operation of the equipment are no more than one in ten thousand.
(2) Chances of an authorized individual being rejected for access through normal operation of the equipment are no more than one in one thousand.

Facility security officers have some options for providing access control. One option, with varying means of execution, is to post a person to guard an entrance. That guard can refer to a catalog of the employees authorized to enter the area. This catalog can be a printed sheet of paper, a spreadsheet, an electronic or computer-accessed record, or another approved collection of authorized persons. The guard permits access once the person desiring entry presents the proper credentials, usually a government identification card such as a driver's license or military ID card, or an enterprise access badge. The guard compares the identification with the approved list and authorizes or denies access.

Another, more technical option is to install an automated access control system that performs the same services as a guard. The system provides a less personal touch, but it does not require appointing an employee or hiring an additional person to the role. The FSO is approved to choose this option as long as the manufacturer of the automated access control system provides documentation that its products meet the requirements specified in NISPOM paragraphs 5-313a (1)-(2).

The approved automated access control system works the same way as the human guard. The system houses the catalog of authorized persons. The person desiring entry provides the proper credentials; however, this time the credentials might be a swipe badge, a PIN, a fingerprint, an eye scan, or other proof of identification and access. The system receives the identification and authorizes or denies access.
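As an added example (not code from the original post or from any manufacturer), the following Python checks the figures in a manufacturer's test report against the 5-313a(1)-(2) thresholds. The report values are constructed, and the check uses a one-sided 95% confidence bound rather than the bare observed rate, so that a short test run with zero observed errors is not mistaken for proof of a 1-in-10,000 false-accept rate.

```python
import math
from dataclasses import dataclass

# NISPOM 5-313a(1) and (2): maximum error rates through normal operation.
MAX_FALSE_ACCEPT_RATE = 1 / 10_000  # unauthorized individual admitted
MAX_FALSE_REJECT_RATE = 1 / 1_000   # authorized individual rejected

def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_bound(failures: int, trials: int, confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the true error rate: the largest
    rate under which at most `failures` errors in `trials` is still plausible."""
    if trials <= 0:
        raise ValueError("a test report must contain at least one attempt")
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the CDF falls monotonically as p rises
        mid = (lo + hi) / 2
        if binomial_cdf(failures, trials, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

@dataclass
class TestReport:
    """Figures from a manufacturer's test report (constructed sample values)."""
    impostor_attempts: int  # unauthorized individuals presented to the reader
    false_accepts: int      # ...of which the system admitted
    genuine_attempts: int   # authorized individuals presented
    false_rejects: int      # ...of which the system turned away

def evaluate(report: TestReport, confidence: float = 0.95) -> dict:
    """Judge the report against 5-313a on the confidence bound, not the bare
    point estimate, so a short test run cannot pass by luck."""
    far_upper = upper_bound(report.false_accepts, report.impostor_attempts, confidence)
    frr_upper = upper_bound(report.false_rejects, report.genuine_attempts, confidence)
    return {
        "far_point": report.false_accepts / report.impostor_attempts,
        "far_upper": far_upper, "far_ok": far_upper <= MAX_FALSE_ACCEPT_RATE,
        "frr_point": report.false_rejects / report.genuine_attempts,
        "frr_upper": frr_upper, "frr_ok": frr_upper <= MAX_FALSE_REJECT_RATE,
    }

if __name__ == "__main__":
    # 500 impostor trials with no false accepts cannot show 1 in 10,000; 50,000 can.
    for r in (TestReport(500, 0, 10_000, 2), TestReport(50_000, 0, 10_000, 2)):
        print(evaluate(r))
```

Roughly 30,000 impostor attempts with no false accepts are needed before the 95% bound drops below 1 in 10,000, so a report quoting a perfect result from a few hundred trials does not by itself support the 5-313a(1) claim.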

VALIDATION:
1. Manufacturer's documentation validating that the system meets the required NISPOM standards.

2. Documented process governing access control within the enterprise.

Monday, April 18, 2016

NISPOM Based ISP Certification Practice Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.
Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.
Try these questions to see how you do:

1. Classified working papers generated by contractors in preparation of finished project shall be:
a. Dated when created
b. Marked with overall classification and annotated "WORKING PAPERS"
c. Stored separately from finished documents
d. A and b
e. All the above
2. What type of security reviews shall be conducted on cleared facilities?
a. Periodic
b. Aperiodic
c. Annual
d. Semi-Annual
e. Monthly
3. Contractors are required to report:
a. Events that have an impact on FCLs
b. Events that have an impact on PCLs
c. Events that have an impact on ability to safeguard classified information.
d. All of the above (NISPOM 1-302)
e. B and c


Scroll down for answers:



1. Classified working papers generated by contractors in preparation of finished project shall be:
a. Dated when created
b. Marked with overall classification and annotated "WORKING PAPERS"
c. Stored separately from finished documents
d. A and b (NISPOM 5-203b)
e. All the above
2. What type of security reviews shall be conducted on cleared facilities?
a. Periodic
b. Aperiodic (NISPOM 1-206a)
c. Annual
d. Semi-Annual
e. Monthly
3. Contractors are required to report:
a. Events that have an impact on FCLs
b. Events that have an impact on PCLs
c. Events that have an impact on ability to safeguard classified information.
d. All of the above (NISPOM 1-302)
e. B and c



According to reader comments and emails to the author, many who have bought this book and the ISP Test Tips, and used our techniques to augment their preparation, have performed very well on the exam.
So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification and DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.



Friday, April 15, 2016

Approved Security Container Repairs

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-311a.
5-311a If any of your approved security containers have been repaired, do you have a signed and dated certification provided by the repairer setting forth the method of repair that was used?
RESOURCE:  ISL 2006-01 Container Repairs under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

The NISPOM states:

Repair of Approved Containers. Repairs, maintenance, or other actions that affect the physical integrity of a security container approved for storage of classified information shall be accomplished only by appropriately cleared or continuously escorted personnel specifically trained in approved methods of maintenance and repair of containers. Repair procedures may be obtained from the CSA.

a. An approved security container is considered to have been restored to its original state of security integrity if all damaged or altered parts are replaced with manufacturer’s replacement or identical cannibalized parts. A signed and dated certification for each repaired container, provided by the repairer, shall be on file setting forth the method of repair used.

ISL 2006-01 States:
While the procedures for repairing approved security containers have been removed from the NISPOM, repair standards have not changed. Repairs, maintenance, or other actions that affect the physical integrity of a security container must still be accomplished by appropriately cleared or continuously escorted personnel specifically trained in approved methods of maintenance and repair of containers.


Let’s explore the NISPOM requirement further, part by part.

Paragraph 5-311

The integrity of a GSA approved container protects classified information. Just as a chain is only as strong as its weakest link, classified information is protected only as long as the security container performs as designed. Any repairs, augmentations, maintenance or other manipulations that impact the integrity can only be performed by cleared, authorized persons. Any repairs by untrained persons could cause an exploitable weakness or outright compromise of the container’s ability to remain secured.

So, what qualifies as such an action? Damage from forcible entry or natural disaster, broken locks, malfunctioning locks, broken latches, levers, rollers, replacement of metal, welding, and anything that impacts the activity of locking, latching, or enclosing classified information. In other words, FSOs should not be tackling welding projects nor should repairs be assigned to facilities maintenance UNLESS they are trained in such repairs.

The cleared, authorized persons may or may not be one and the same. The most important qualification is that the person is trained in the approved methods or actions to be undertaken. If they are not cleared, they can be escorted, or the security container can be removed from the area for such actions.

Paragraph 5-311a and ISL 2006-01

The containers are certified to perform as intended, and any maintenance and upkeep of the security container should maintain that standard. Additionally, actions should be performed by approved repair persons using approved parts or approved cannibalized parts and approved methods. Just as a container's repairs should not be performed by an organic, untrained facilities maintenance group, the repairs should be made only with authorized components, not with parts from any other supplier or in any other fashion (homemade solutions are not authorized).

According to DoD Security Clearance and Contracts Guidebook, once the repairs are made, the authorized repair technician issues a certificate of repair and the certificate is kept in local files. Unless the repair person is a cleared employee with a need to know, they should never be allowed to change or set the combination. Combinations are classified at the same level as the contents of the security container and should be controlled per NISPOM and as described in recent newsletters and articles. Providing combinations to unauthorized personnel is a security violation.

When a security container is brand new or has been removed from service for repair or resale, it should be set to an industry standard combination of 50-25-50. This universal combination facilitates opening and closing the container during the resale, reuse or temporary disposition until the classified combination is assigned after the container is put back in use.

Upon initial use and after verifying the certification of the container, the new owners of the security container should set a new combination. The new combination is issued to authorized personnel, and those having knowledge of the previous combination will no longer pose a security vulnerability.

Keep in mind that the requirement for authorized actions also applies to cosmetic issues. As a reminder, neither the classification level nor the combination is applied to the outside of the container. Similarly, paint, wallpaper or other "beautification" efforts should not be made without careful research and consideration of the impact on the security program.

VALIDATION:
1. Authorized and trained repair persons are identified and on record.
2. Escorts for authorized repairs are identified and documented.
3. Security container actions (inspections, repairs, maintenance, etc.) are documented as required.
4. A signed and dated certification for each repaired container is available as required.
5. Repair of Approved Containers is included as a topic in Annual Security Awareness Training.