Tuesday, June 28, 2016

Classification Markings

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Question: Is all classified material, regardless of its physical form, marked properly?

The topic of Classification Markings covers eight of 138 NISPOM pages. That’s almost 5% of the NISPOM’s attention. That’s because the entire success of the Facility Security Officer’s security program to protect classified information depends on properly marked classified material and cleared employees’ responses to the requirements. This first article on the topic will cover classification markings at a high level, while future installments will drill down into specific actions and examples of best practices.

According to NISPOM:


4-200. General. Physically marking classified information with appropriate classification markings serves to warn and inform holders of the information of the degree of protection required…

4-201. Marking Requirements for Information and Material. … the markings specified … are required for all classified information regardless of the form in which it appears...

Properly annotating classification levels and handling instructions warns and notifies the holder of classified information. The holder of classified information is responsible for ensuring that they use, store, transmit, and otherwise handle the classified material as appropriate for its classification level. They are also charged with ensuring that only those with the proper clearance level and need to know gain access to the material.

According to the Original Classification Authority Desktop Reference, the OCA’s final step in the original classification decision process is to designate the information as classified and communicate the decision. There are three methods for communicating the decision:
• Security classification guides/declassification guides
• Properly marked source documents
• Outline classification instructions on a DD Form 254, DoD Contract Security Classification Specification

Properly Marked Source Documents:


The cleared employee working with classified information is required to use the classified information exactly as the OCA has specified. Once the government classifies the information, cleared defense contractors protect it and any derivative classified information appropriately. This includes proper markings on the physical item. These markings include classification level, “CLASSIFIED BY” Line, “DERIVED FROM” Line, “DECLASSIFY ON” Line, and “DOWNGRADE TO” Line. For documents, classification markings should identify the level of the entire document and each portion (page, paragraph, graphic, etc.).

These markings should stand out. Remember, the purpose is to warn and inform. For example, in a written document, the font size should be larger or the color significantly different to draw attention to the handling requirements. Markings should be applied to all material regardless of format or makeup. Though there is no standard requiring a specific marking for a specific type or media, the user should do their best to warn and inform.

Follow Through:


Is all classified material, regardless of its physical form, marked properly?
VALIDATION:
  • Produce written process or procedures for marking classified materials.
  • Demonstrate inspection process to ensure internally generated, incoming and outgoing classified information is marked properly.
  • Cleared employees are trained on derivative classification and classification marking topics.



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, June 7, 2016

NISPOM Study Questions



Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enrol, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:


1. All the following provide an appropriate proof of U.S. citizenship EXCEPT:

a. Driver’s license

b. Birth Certificate

c. Expired Passport

d. DD Form 1966

e. Current Passport


2. Announcements of meetings shall be _____ and require government approval.

a. FOUO

b. SECRET

c. CONFIDENTIAL

d. UNCLASSIFIED

e. TOP SECRET


3. Which of the following is NOT true concerning classified information in meetings:

a. Can be presented orally

b. Can be presented visually

c. Can be handed out to attendees

d. Attendees must turn in classified notes

e. Classified notes will be disseminated per NISPOM


4. When wrapping classified material for shipment, the _____ cannot go on the outer cover:

a. Individual’s name

b. Office code letter

c. Office code number

d. Directions for routing

e. Facility name

5. All of the following must be included in the authorization letter for hand carrying classified material on a commercial aircraft EXCEPT:

a. Traveler’s Social Security Number

b. Description of traveler’s ID

c. Description of material being carried

d. Identify points of departure, destination, and known transfer point

e. Location and telephone number of CSA




Scroll Down For Answers---Good Luck









1. All the following provide an appropriate proof of U.S. citizenship EXCEPT:


a. Driver’s license (NISPOM 2-208)


b. Birth Certificate


c. Expired Passport


d. DD Form 1966


e. Current Passport


2. Announcements of meetings shall be _____ and require government approval.


a. FOUO


b. SECRET


c. CONFIDENTIAL


d. UNCLASSIFIED (NISPOM 6-201c1)


e. TOP SECRET


3. Which of the following is NOT true concerning classified information in meetings:


a. Can be presented orally


b. Can be presented visually


c. Can be handed out to attendees (NISPOM 6-201c)


d. Attendees must turn in classified notes


e. Classified notes will be disseminated per NISPOM


4. When wrapping classified material for shipment, the _____ cannot go on the outer cover:


a. Individual’s name (NISPOM 5-406)


b. Office code letter


c. Office code number


d. Directions for routing


e. Facility name


5. All of the following must be included in the authorization letter for hand carrying classified material on a commercial aircraft EXCEPT:


a. Traveler’s Social Security Number (NISPOM 5-411)


b. Description of traveler’s ID


c. Description of material being carried


d. Identify points of departure, destination, and known transfer point

e. Location and telephone number of CSA


According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.





                                             

Monday, June 6, 2016

NCMS's 52d Annual Training Seminar in Nashville

This week begins the summer conference schedule. There is so much security and cyber education and training available to help attendees keep up with credits, work experience and goals. 

One such event is NCMS's 52d Annual Training Seminar in Nashville. Hundreds of National Industrial Security Program (NISP) professionals will be on hand to learn more about their craft, industry updates, NISPOM changes, best practices, and much more. Experts will be on hand to share experiences and lead seminars. Industry vendors will also demonstrate their capabilities.

Just recently DoD released NISPOM Conforming Change 2 with plenty of updates and changes, including Chapter 8, as well as new requirements such as Insider Threat considerations. Also, CDSE has released the corresponding Self-Inspection Handbook for NISP Contractors to reflect all changes.

Another great opportunity is ISP Certification training and testing. Good luck to all the attendees and future ISP Certified professionals.




Friday, June 3, 2016

NISPOM Change 2 Guidance and Self-Inspections For NISP Contractors

Self-Inspection Handbook
For the past two years, we’ve been writing articles with the goal of helping FSOs manage their security programs. Hopefully we’ve provided a useful service, and we hope to continue doing so. The greatest driver of our articles has been the Self-Inspection Handbook for NISP Contractors. This format has provided plenty of material for articles that the reader can implement immediately. Fortunately, there have been many updates to the NISPOM and related guidance and tools.

Recently the National Industrial Security Program Operating Manual (NISPOM) has incorporated Change 2 and the Center for Development of Security Excellence (CDSE) has released the updated 2016 Self-Inspection Handbook for NISP Contractors. This handbook covers the latest NISPOM incorporating Change 2 and is an outstanding tool for novice and seasoned FSOs to perform a risk-based assessment of their security program to protect classified information. We will continue to write articles and do our best to stay current and up to date with industry changes. As such, the following article describes a very recent update that FSOs should be prepared to implement.

Self-Inspection Requirement


According to NISPOM Paragraph 1-207b and subparagraphs, “Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection, including the self-inspection required by paragraph 8-101h of chapter 8 of this Manual, at intervals consistent with risk management principles.”

This requirement adds a new element to the FSO’s responsibilities. Additional documentation, coordination, and subtasks outlined in the NISPOM Change 2 add technical difficulty to the self-inspection requirement. Additional time and resources should be pre-planned to close the loops on what the NISPOM requires and what the Cognizant Security Agency (CSA) (DSS for DoD Contractors) will inspect. To meet the need, Defense Security Service’s Center for Development of Security Excellence (CDSE) has provided the 2016 Self-Inspection Handbook for NISP Contractors as a tool for planning, conducting and coordinating the contractor self-inspection. Used correctly, it can help facilitate inspection execution and documentation.

For example, here are the detailed self-inspection requirements, word for word:

(1) These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the insider threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy.

(2) The contractor will prepare a formal report describing the self-inspection, its findings, and resolution of issues found. The contractor will retain the formal report for CSA review through the next CSA inspection.

(3) A senior management official at the cleared facility will certify to the CSA, in writing on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.

(4) Self-inspections by contractors will include the review of representative samples of the contractor’s derivative classification actions, as applicable.

Interpretation and Application


Requirement (1) describes what is subject to inspection and includes a few updates. The newly redesigned NISPOM Chapter 8 and Insider Threat sections offer topics the FSO should be aware of prior to conducting the self-inspection. The goal is a holistic approach to demonstrating the effectiveness of the security program designed to protect classified information; each element is equally important.

Requirement (2) provides guidance on what to do with self-inspection results. This is where the added resources and time come in. The NISPOM is clear on how the contractor should demonstrate compliance: provide a report and make it available for the next CSA review. The size, details, and essence of the report are up to the contractor. However, using the handbook to facilitate the inspection, annotating the checklist, taking notes, and recording findings immediately takes care of the raw data. The FSO can then transcribe the findings, perhaps word for word, into a Microsoft Word document.

Requirement (3) requires buy-in from senior management. If the FSO is not actively engaged with senior management because of corporate structure or other issues, this is the time to bridge the gap. The handbook data can be used to provide a Microsoft PowerPoint or other type of presentation to brief management on the results, mitigations, and information necessary to get their full support. Another idea is to have the senior management members sign the self-inspection report, demonstrating their acknowledgement of the findings and support of the program.

Requirement (4) should not be too much of an operational change, as DSS regularly reviews classified documents for markings and other issues.

How to Implement


While the self-inspection process is a NISPOM requirement, there is not a requirement to use the handbook. However, the handbook is an excellent resource to inform security and NISPOM training topics, train the inspection team, keep track of inspection topics, document results, and take notes. According to CDSE, “This Self-Inspection Handbook is designed as a job aid to assist you in complying with these requirements. It is not intended to be used as a checklist only; rather, it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company”.

Instead of trying to develop a new inspection process, FSOs should use the handbook as an established process to prepare the required reports, briefings, and senior leadership buy-in. The FSO should save all inspection results, artifacts, notes and reports for at least a year and the next DSS review.

Download your copy from DSS or purchase a professionally printed version here.