Security Executive Blog: July 2019

Monday, July 29, 2019

NISPOM Certification

Get your copy @ www.redbikepublishing.com

These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2.

1.    A contractor’s information management system should be able to retrieve classified material within:

a. 72 hours

b. 48 hours

c. A reasonable amount of time 

d. 30 days

e. 45 days

2.    A record of TOP SECRET material must be
made when material is:

a. Completed as a finished document

b.  Retained for more than 180 days of creation

c.   Transmitted outside of the facility

d.  None of the above

e.  all the above

3.    SECRET material shall be stored in which
of the following scenarios:

a.   GSA approved security container

b.   Approved vault

c.   Closed areas (Supplemental controls not necessary)

d.  A and b 

e.  All the above

Scroll Down For Answers

1.    A contractor’s information management system should be able to retrieve classified material within:
a. 72 hours

b. 48 hours

c. A reasonable amount of time (NISPOM
5-200)

d. 30 days

e. 45 days

2.    A record of TOP SECRET material must be
made when material is:

a. Completed as a finished document

b.  Retained for more than 180 days of creation

c.   Transmitted outside of the facility

d.  None of the above

e.  all the above (NISPOM 5-203a)

3.    SECRET material shall be stored in which
of the following scenarios:

a.   GSA approved security container

b.   Approved vault

c.   Closed areas (Supplemental controls not necessary)

d.  A and b (NISPOM 5-303)

e.  All the above

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification,
DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book used our techniques to augment their preparation have performed very well on certification exams.

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Insider Threat Program Compliance

This article addresses the NISPOM based Insider Threat Program (ITP) compliance requirements and is inspired by questions from the Self Inspection Handbook for NISP Contractors. The article uses the handbook’s format to through the self-inspection criteria. We begin the topic question, the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.

Topic Question(s):

Does your ITPSO ensure compliance with insider threat requirements established in the NISPOM and in the implementing guidance provided by DSS?

EVIDENCE: Explain who and how and how often oversight reviews are conducted

NISPOM Reference(s):

1-207b

1-202

The NISPOM references provided are to measure application of the cleared contractor’s Insider Threat Program (ITP). However, the compliance is applicable to the broad implementation of NISPOM and security disciplines and not just the ITP. For example, the NISPOM requires cleared contractors to conduct a security review incorporating the entire security program designed to protect classified information. This includes information security, access controls, classified storage, shipping and receiving, classified processing and not just for the purposes of implementing the ITP.

The Facility Security Officer (FSO) should demonstrate compliance in each area of security discipline falling under the NISPOM. In this case, they should be able to demonstrate specific requirements as identified for the ITP oversight. This includes providing artifacts and documentation demonstrating their actions. Again, the task does not have to be daunting as the exact countermeasures and mitigations to protect against insider threats could be applied across all security programs. We discuss some practical applications of NISPOM concerning ITP compliance and ways to document FSO actions.

According to NISPOM 1-207b, contractors should conduct internal security reviews on a recurring basis. These reviews could occur annually per self-inspection requirements or more frequently as risk analysis or other needs require. Some methods could include calendar reminders with posted agendas. For example, an FSO may want to break up the insider threat compliance review into monthly segments. One example agenda would include classified Information Systems (IS) as a focus topic one month and the following month, review access control, and even later, classified holdings. The agenda could use the self- inspection handbook as the nexus of review questions based on self-inspection topic.

NISPOM 1-202 addresses requirements to establish an Insider Threat Program (ITP) capable of gathering, integrating, and reporting relevant and available information indicative of a potential or actual insider threat. The ITP should be under the cognizance of a designated Insider Threat Program Senior Official (ITPSO) who is either a Facility Security Officer (FSO) or ensures that an FSO is a member of the ITP team.

To accomplish this, employees should have a method of reporting information that could indicate insider threat actions. This should be credible information and could include suspicious activities covered in the security awareness program. These activities may include: working long or unusual hours, undue affluence, emailing many documents, downloading massive files, suspicious contacts and other actions that may allow the exfiltration of information or sabotage of mission.

The ITPSO and members of ITP team should have a way of receiving that information and protecting reportable information as sensitive until required actions are accomplished. The information should be received and incorporated into company actions such as investigations, report writing, or referral of report to appropriate entities such as law enforcement or Defense Counterintelligence and Security Agency (DCSA). It’s a good idea to integrate ITP actions with the enterprise policies and entities such as security, ethics, legal counsel and human resources.

As mentioned earlier, IS should also be assessed with other NISP considerations for insider threat potential. This guidance falls under NISPOM chapter 8-101h discussion self-inspection program of IS section as found in the Self-Inspection Handbook for NISP Contractors, Element of Inspection T, Information systems

Thursday, July 18, 2019

DSS transitions to DCSA

The Defense Security Service (DSS) has transitioned into a security and counterintelligence organization called Defense Counterintelligence and Security Agency. This new entity still has some of the original mission, but is reorganized to include security clearance investigations, counterintelligence support, and NISP oversight for the DoD.

There are currently three mission areas: Critical Technology Protection, Professional Education, and Trusted Workforce. Of the three mission areas, the Trusted Workforce includes security clearance tasks and responsibilities.

The Defense Vetting Directorate (DVD) integrates background investigations, insider threats, screening, continuous vetting, industry clearance submissions and adjudications. To make this happen, the capabilities for the National Background Investigations Bureau (NBIB) and DoD Consolidated Adjudications Facility (DoD CAF) are brought in, contributing to a…”contribute to a holistic, responsive, end-to-end personnel vetting enterprise”.

A newer entity under the reorganization is the Vetting Risk Operations Center (VROC) which incorporates capabilities of industry’s Personnel Security Management Office, DoD’s Continuous Evaluation Program Management Office, and the Industry’s Insider Threat Office.

While these changes are being documented, websites redesigned, information management systems developed, and more, the security clearance process under the VROC continues as before. From the FSO point of view, little change is required of them. The below outlined steps for initiating a security clearance request look very similar to how FSOs have always been executing.

Obtaining a personnel security clearance

Once a Cleared Defense Contractor (CDC) determines that qualifying subject requires a personnel security clearance. As always, the employee completes or updates their Electronic Questionnaire for Investigations Processing (e-QIP) information and submits signature pages and fingerprints electronically for all investigation requests.

FSO Actions

The Facility's Security Officer (FSO) initiates the e-QIP and provides the applicant their e-QIP user instruction, pin and access code.

The applicant can then access the SF86 via the e-QIP system and completes the e-QIP and digitally signs their certification and release forms.

The FSO accesses the e-QIP system and reviews information for completeness and adequacy, then submits the security clearance package to VROC.

The next few steps provide opportunity for the applicant to engage with the security clearance investigation and adjudication process. This isn’t fire and forget, it should be interactive. For example, many applicants don’t understand the process and may not quite understand where they are in the process. I’ve encountered many who thought they were under the investigation process only to find out a year later they were never submitted.

It’s important for applicants and FSOs to realize that there are tools available to get real time updates on their clearance.

Once the FSO submits the request and all relevant information, they can now The FSO can confirm if the VROC has received the investigation request. This is important because the clock begins to tick for the FSO to submit electronic fingerprints within 14 days of the “Received” status date. Later, the FSO can confirm the status of the investigation and confirm that the fingerprints have been processed.

The recent change from DSS to DCSA primarily reflects reorganization of departments and personnel that work in the organization. Roles are changing and emphasis is on threat based risk management. However, while the organization changes are occurring the supporting architecture and customer (FSO) actions supporting NISPOM requirements are relatively untouched.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Subscribe to: Posts (Atom)

Sponsor us.

We offer advertising space on our Podcast, newsletter, website and blog, for $700.00 per year. Our products are targeted directly to your market; only those who are providing defense industry security subscribe to our newsletter.

Effective advertising positions your company for success. You’ll get:

Advertisement on our sites marketing exclusively to defense contractors

Announcement in Podcast http://dodsecure.buzzsprout.com and on podcast page. Podcasts are available on Apple, Amazon, Buzzsprout and more.

Linked banner @ http://www.dodsecurity.blogspot.com/

Linked banner in sponsor section of home page https://www.redbikepublishing.com/sponsors/

Linked banner in monthly email newsletter dedicated to training cleared contractors on protecting classified information.

Consider allowing us to provide a 1000 word article about your product to feature on our blog and newsletter for $500.00

If you would like more information, please contact us editor@redbikepublishing.com

Here is a wrap up of what we were able to do in 2020

We've outsourced a few tasks to provide better customer service. To provide better content for our security professional customers, we've funded the following efforts just for our newsletter and Podcast considerations:

• Upgraded email functionality for better newsletter distribution

• Upgraded website content

• Purchased high quality microphones and mixers for podcasts

• Purchased high quality cameras for YouTube videos and course content

• Upgraded to video conference capability with paid subscriptions

• Purchased software packages for better formatting

• Attended Podcast 2020 and brought back some tremendous lessons learned

• and much more.

We’ve completed the following milestones this year:

• 25% more newsletter subscribers with your services listed.

• Provided referrals to sponsors

• Released 36 articles in more than 24 newsletter editions

• Over 40 blog posts with thousands of visitors with your services listed

• Interviewed multiple people to provide over 20 podcast episodes. We've reached over 2000 downloads, which is huge considering our small niche. I hope you've had a chance to listen to Ray DICE Man Semko. Getting him on podcast was a huge success.

You will also be able to provide any articles, white papers or messages personalized to our audience. We could also include you or other employees in some strategic podcasts as well. Always looking for great guests.

Pages

Monday, July 29, 2019

NISPOM Certification

Insider Threat Program Compliance

Thursday, July 18, 2019

DSS transitions to DCSA