Security Executive Blog: October 2016

Thursday, October 27, 2016

NISPOM Chapter 5, physical protection of classified material at cleared contractor locations

In our continuing effort to bring you the latest in protecting national security, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Our intent is to address major changes, excluding admin updates. Many of the changes are simply administrative such crossed out references no longer used, updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

The first topic in this article is NISPOM Chapter 5, physical protection of classified material at cleared contractor locations.

This begins where paragraph 5-303 is completely obliterated. No comment here except to say they drew the line in the sand in 2006 and finally erased it in 2016. Hopefully, four years to the month after expiration date these steel cabinets and sub-par containers are no longer an issue.

5-303. SECRET Storage. SECRET material shall be stored in a GSA-approved security container, an approved vault, or closed area. Supplemental controls are required for storage in closed areas. ~~The following additional storage methods may be used until October 1, 2012:~~

~~a. A safe, steel file cabinet, or safe-type steel file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours.~~

b. Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock. The keepers of the rigid metal lock bar shall be secured to the cabinet by welding, rivets, or bolts so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container shall be held securely so their contents cannot be removed without forcing open the drawer. This type of cabinet will be accorded supplemental protection during non-working hours.

Paragraph 5-311 also removes reference to the era by-gone and rearranges sub paragraph structure.

The second topic is Chapter 9 Special Requirements.

Chapter 9 section 1 is completely removed and language concerning RD and FRD is re-written guidance in a new Appendix D. We will cover the specific changes when we write about appendix updates at a later date.

Similarly, Chapter 9 section 3 is completely removed and a new paragraph is added:

Paragraph 9-300. ~~Background~~ ~~General~~. This section was prepared by CIA in accordance with reference (a) and is provided for information purposes only. It contains general information on safeguarding intelligence information. Intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes. General. National intelligence is under the jurisdiction and control of the DNI, who establishes security policy for the protection of national intelligence and intelligence sources, methods, and activities. In addition to the guidance in this Manual, contractors shall follow IC directives, policy guidance, standards, and specifications for the protection of classified national intelligence and SCI. Contractors are not authorized to further disclose or release classified national intelligence and SCI (including to a subcontractor) without prior written authorization of the originating IC element.

The NISPOM provides much less guidance on protecting national intelligence than previously provided. In this latest change, NISPOM recognizes the jurisdiction of the Director of National Intelligence and defers to DNI’s requirements. All definitions and guidance is removed and contractors are advised to follow Intelligence Community guidance and instructions concerning working with intelligence information. Contractors should also request guidance from the originating Intelligence Community element and receive it in writing prior to disclosing or releasing classified intelligence and SCI.

Contractors should closely work with the government contracting agency issuing the contract, the government program office, DNI guidance and instructions, DD Form 254, and security classification guidance to ensure proper handling and protection while working with national intelligence.

This completes the major updates to safeguarding classified information given through the NISPOM Conforming Change 2.

Cleared contractors who need assistance with NISPOM requirements can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, take a look at our print version of the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aide. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.

Have a book ready to publish? Why not contact us? www.redbikepublishing.com/publish-with-us

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Friday, October 21, 2016

Summary of Changes in NISPOM Conforming Change 2, Marking Classified Material

In our continuing effort to bring you the latest to National Industrial Security Contractors (NISPOM) we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

As a reminder, our intent is to address major changes vice administrative updates. Many of the changes are simply administrative such crossed out references no longer used, updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

This leads us to today’s article; changes to how classification markings are applied. Throughout the article we write in actual verbiage from the “Summary of Changes” in its original format and edits.

Text in blue represents NISPOM Conforming Change 1 material and text in red is Change 2 material.

This brings us to NISPOM Paragraph 4-208. Markings for Derivatively Classified Documents.

a. CLASSIFIED BY Line. The purpose of the “Classified By” line is to identify the person who applies derivative classification markings for the document. If not otherwise evident, the line will include the ~~agency~~ contractor and, where available, the office of origin will be identified and follow the name and position or personal identifier of the derivative classifier.

This clarifies that the contractor performing derivative classification is identified and not the government agency the contractor supports. This further identification implies a few required steps. 1. The derivative classifier is indeed trained to make such a decision

2. The derivative classifier is responsible for proper classification markings

3. The derivative classifier can be held responsible for content

4. The derivative classifier can be later contacted for further information

The previous NISPOM Conforming Change 1 separated the two topics in subparagraph d and assigned the “CLASSIFICATION BY” Line to subparagraph a and “REASON CLASSIFIED” to subparagraph b. This clarification and separation of requirements further stress the importance of the contractor’s responsibility to understand classification instructions and responsibilities. The instructions should be specifically outlined in the DD From 254 and the accompanying security classification guide.

Additionally, the persons providing the derivative classification should be authorized to do so. The FSO should document derivative classifier training, those authorized to perform derivative classification, and ensure that cleared employees understand the classified work as required in contracting, programmatic, NISPOM, DD Form 254 and SCG documentation.

d. e. ~~"CLASSIFIED BY" Line and~~ "REASON CLASSIFIED" Line. As a general rule, ~~a "Classified By" line and~~ a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a ~~"Classified By"line to identify the derivative classifier and a~~ "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

• e. "REASON CLASSIFIED" Line. As a general rule, a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

REASON CLASSIFIED should only be applied to originally classified documents. As a rule, cleared defense contractors perform derivative classification when they generate classified material. However, there may be cases where cleared contractors produce originally classified documents. Where derivative classification occurs, contractors should not mark classified information with REASON CLASSIFIED unless required in the SCG.

This administrative update separates the once combined CLASSIFIED BY and REASON CLASSIFIED lines. For clarity, these lines have been provided new sub-paragraph numbers. Though an administrative and clarification update, we will cover this as it supports a major change to Paragraph 4-210b.

Paragraph 4-210b: b. E-mail and other Electronic Messages.

Electronically transmitted messages shall be marked in the same manner required for other documents except as noted. The overall classification of the message shall be the first item of information in the text and shall be displayed at the top and bottom of each message. A “Classified By” line, a "Derived From" line, a “Declassify On” line, is and portion markings are required on messages. Certain agencies may also require that messages contain a "Reason Classified" line in order to identify the specific reason for classification, which is carried over from the source document(s) or classification guide. Instructions for the use of such lines will be included in the security classification guidance provided with the contract documents.

4-210b removes the above crossed out verbiage to make it clear that REASON CLASSIFIED only applies to originally classified materially unless otherwise instructed to include on e-mail and electronic messages that represent derivative classification. The REASON CLASSIFIED is already addressed in 4-208e.

Paragraph 4-213. Marking Compilations. In some instances, certain information that would otherwise be unclassified when standing alone may require classification when combined or associated with other unclassified information. The determination that information requires classification by compilation will be based on specific guidance regarding compilation provided in a Contract Security Classification Specification or a security classification guide. If specific guidance is absent, the contractor will obtain written guidance from the applicable GCA.

When classification is required to protect a compilation of such information, the overall classification assigned to the compilation shall be conspicuously affixed. The reason for classifying the compilation shall be stated at an appropriate location at or near the beginning of the compilation.

The NISPOM Conforming Change 2 addition to paragraph 4-213 requires a specific source for determining the classification of the compilation. This information should be found in the SCG. For example, the top speed of a vehicle may be unclassified and the fact that the vehicle has good traction in mud may be unclassified. However, providing the top speed through mud might be classified and should be addressed in the SCG. If there is insufficient guidance, the contractor should contact the government program office and get clarification in writing. The contractor should also get guidance on how to treat the information until the program office provides the written guidance.

This completes the major updates to marking classified information given through the NISPOM Conforming Change 2. Next time we will cover safeguarding classified information.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, try the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aide. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.

Have a book ready to publish? Why not contact us? www.redbikepublishing.com/publish-with-us

Monday, October 10, 2016

NISPOM Questions

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enrol, NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:

1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary

b. Storage in steel filing cabinets do not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIT TOP SECRET
d. NATO CONFIDENTIAL

e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA

c. ISSM
d. FSO
e. DIA

4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO

c. CSA
d. FBI
e. NSA

Scroll down for answers:

1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary (NISPOM 5-304)
b. Storage in steel filing cabinets do not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIT TOP SECRET
d. NATO CONFIDENTIAL (NISPOM 10-713)
e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA (NISPOM 11-101)
c. ISSM
d. FSO
e. DIA

4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO (NISPOM 5-312)
c. CSA
d. FBI
e. NSA
According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

Subscribe to: Posts (Atom)

Sponsor us.

We offer advertising space on our Podcast, newsletter, website and blog, for $700.00 per year. Our products are targeted directly to your market; only those who are providing defense industry security subscribe to our newsletter.

Effective advertising positions your company for success. You’ll get:

Advertisement on our sites marketing exclusively to defense contractors

Announcement in Podcast http://dodsecure.buzzsprout.com and on podcast page. Podcasts are available on Apple, Amazon, Buzzsprout and more.

Linked banner @ http://www.dodsecurity.blogspot.com/

Linked banner in sponsor section of home page https://www.redbikepublishing.com/sponsors/

Linked banner in monthly email newsletter dedicated to training cleared contractors on protecting classified information.

Consider allowing us to provide a 1000 word article about your product to feature on our blog and newsletter for $500.00

If you would like more information, please contact us editor@redbikepublishing.com

Here is a wrap up of what we were able to do in 2020

We've outsourced a few tasks to provide better customer service. To provide better content for our security professional customers, we've funded the following efforts just for our newsletter and Podcast considerations:

• Upgraded email functionality for better newsletter distribution

• Upgraded website content

• Purchased high quality microphones and mixers for podcasts

• Purchased high quality cameras for YouTube videos and course content

• Upgraded to video conference capability with paid subscriptions

• Purchased software packages for better formatting

• Attended Podcast 2020 and brought back some tremendous lessons learned

• and much more.

We’ve completed the following milestones this year:

• 25% more newsletter subscribers with your services listed.

• Provided referrals to sponsors

• Released 36 articles in more than 24 newsletter editions

• Over 40 blog posts with thousands of visitors with your services listed

• Interviewed multiple people to provide over 20 podcast episodes. We've reached over 2000 downloads, which is huge considering our small niche. I hope you've had a chance to listen to Ray DICE Man Semko. Getting him on podcast was a huge success.

You will also be able to provide any articles, white papers or messages personalized to our audience. We could also include you or other employees in some strategic podcasts as well. Always looking for great guests.