Showing posts from 2009

How to Receive Classified Information

Classified information can arrive at a cleared contractor in many different ways. Whether it is delivered via courier, mail carrier, overnight carrier, classified electronic means, etc., the FSO should have a process in place to control and protect classified information from reception to dissemination or destruction. The FSO should establish procedures for the proper reception of classified material. The receiver of classified material plays a critical role both in safeguarding classified material and in identifying security violations that the sender may have committed. FSOs can control the introduction and dissemination of classified information with a centralized document control system. The NISPOM requires that a cleared contractor have an information management system in place to control classified information. This can be accomplished with a centralized system to facilitate the proper introduction and control of classified information entering the facility. This system r...

How to Wrap Classified Packages

By: Jeffrey W. Bennett, ISP

The National Industrial Security Program charges cleared contractors with protecting classified information. This protection extends through all phases of contracts and throughout the duration of the classification. Protection also includes the reception, storage, dissemination, and destruction of the information. Dissemination is a critical part of protecting classified information as the classified information leaves the control of the cleared organization. Whether couriered, mailed, or otherwise delivered, it is removed from a cleared facility and must be prepared in a way to protect the information from unauthorized disclosure. Prior to sending out classified information the FSO should ensure that it is double wrapped with opaque paper to preclude casual observation of the classification markings and contents. The inner wrapper is marked with the proper classification, provided an address with sender and address...

Changes to the National Industrial Security Program Impact Defense Contractors

Just five short years ago several changes came out almost simultaneously. The changes challenged the thinking of many security specialists because the ideas were so new. The proactive employees put plans into place that made the changes easier to implement within their organizations. The others found themselves implementing the changes at the last minute. I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections concerned using JPAS to submit visit authorization requests instead of faxing personally identifiable information to a hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. To prepare industry for the new process, Defense Security Services and professional organizations such as NCMS (Society of Industrial Security Professionals)...

Need to Know-the Rest of the Story or Establishing Need to Know within the National Industrial Security Program

According to E.O. 12869, no one can have access to classified information unless they have been determined eligible for a security clearance and have “need to know”. Access is a determination made by an expert based on the results of a proper investigation. This eligibility is easy to determine after the U.S. Government provides the notification of a granted security clearance or upon validation of an approved cognizant security agency database. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance they are eligible for access to classified information at the level of clearance and below. However, the rest of the story concerns “need-to-know”. Need to know is a determination made by the possessor of classified information. This cleared employee not only has to determine that recipients of the information have the proper clearance, but that the cleared person is authorized to perform classified work based on a true government requirement. Just as security c...

Identification and the Defense Contractor’s Rolodex

Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those who are authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biological and electronic information. There are many configurations of card reading technology. Some use picture badges unique to organizations coupled with small chips providing a code for entry into access controlled areas. At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile st...

How Facility Security Officers and other Security Professionals Contribute to their Communities

One thing that I like about security professional organizations like American Society of Industrial Security Professionals International (ASIS) is their emphasis on giving to the community. The group sponsors scholarships, provides security services and training opportunities designed to help non-profit or not for profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way. The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to present a small presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presente...

Why FSOs and Defense Contractors Protect Classified Information

FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292. You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned to only that information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met: According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met: (1) an original classification authority is classifying...

Defense Contractors, Consultants and NISPOM

Consultants are hired by a company to fill a need the organization is not prepared to meet. The consultants share office furniture, the water cooler and are hopefully made to feel as part of the team. In spite of being a well respected contributor to the cause, consultants do not always enjoy the same benefits of a regular employee. However, this difference should occur when working on classified contracts the consultant has been hired to perform on. According to NISPOM 2-212 “A consultant is an individual under contract to provide professional or technical assistance to a contractor in a capacity requiring access to classified information. The consultant shall not possess classified material off the premises of the using (hiring) contractor except in connection with authorized visits. The consultant and the using contractor shall jointly execute a consultant certificate setting forth respective security responsibilities. The using contractor shall be the consumer of the service...

Career Advice for Defense Contractor Security Specialists

I receive a lot of emails from people who wonder how to get into the security field. Many are looking for a career change and are curious about what kind of education and experience is needed to work as a security specialist in the defense and contractor industry. Others are just starting out in life and looking for a job with challenges and opportunities the security field offers. There are plenty of great opportunities with large and small contractor companies providing the venue. Here is what I have discovered about our industry and some of you may have other experiences and advice you can pass to those who ask about a career in security. Industrial security is an outstanding field for someone with all ranges of experience to enter into. Some have been hired at an entry level job and have received promotions and additional responsibilities. Others have transferred full time to security after enjoying serving in an additional duty capacity. Career growth occurs as t...

Hiding In Plain Sight-OPSEC Procedures in a Defense Contractor Organization

While on vacation this summer I had the opportunity to bump into a famous actress. Actually, I didn’t even notice her until my wife pointed her out. But, there she was walking right past us in Dollywood, USA. At first, I did not recognize her because I really was not looking for her. Also, she had not been dressed in the fashion of her TV career. A moment later I asked my wife to continue with the children while I back tracked to get a better look. I turned back and finally caught up with the actress and her group. Since I only wanted to verify my sighting and not bother her, I continued to walk past her, took a right and pretended to be lost. I looked around as if searching for something. After taking a discreet look I was able to finally recognize her as the TV personality. I then made my way back to my family smiling and nodding to the actress as I walked by. “I’m not sure, but I think that was her,” I later told my wife. “Good sighting”. Later that night, a...

Studying for the Industrial Security Professional (SP) Certification

Reading the National Industrial Security Program Operating Manual (NISPOM) will certainly have one learning new jargon and acronyms necessary to becoming fluent in Industrial Security Professional language. Throughout the exam there are questions referring to roles of government agencies. Such questions concern which organization has oversight, which organization a security manager would report a particular incident to, or which organization inspects a certain security program. The answer could be any possibility such as Government Contracting Agency (GCA), General Services Administration (GSA), Cognizant Security Agency (CSA), or any other acronym of a critical federal organization listed in the NISPOM. Consider the letters CSA which stand for Cognizant Security Agency. This acronym appears 250 times throughout the NISPOM between chapters one and eleven. The multiple listings pretty much conclude that the CSA plays an important role in managing the National Industrial Secur...

Books that should be in a security manager's library

There are several books that a security manager or facility security officer should have in their possession. No professional library is complete without these valuable resources. The books provide wonderful instruction on security systems, performing risk management, structuring a security department for success and managing classified information. I’ve read each of the books and will provide reviews as follows.

Managing the Security of Classified Information and Contracts, By: Jeffrey W. Bennett ISP

I’m pleased to announce the upcoming release of Managing the Security of Classified Information and Contracts from CRC Press. This book is the only one of its kind written with defense contractors in mind. The facility security officer, contracts manager, senior officers, and cleared employee roles are defined. The reader will understand how to operate in a cleared contractor environment. This is a great overview of the National Industrial Security Program Operating Manual (...

Establishing credibility as an FSO in a defense contractor

Recently, I had the opportunity to speak with a facility security officer who was ready to move on to another job. He was frustrated because he had not been able to get his senior leaders on board with the security plan. It seemed no matter what he had sent for approval, his policies were not taken seriously. Since I had only heard one side of the argument, I could not come to a conclusion about the root cause of his frustration. However, I do know that he is not alone as many FSOs of small defense contractors face similar issues within their own companies. Problems such as those mentioned above stem from two possible reasons in small defense contractor companies. The first is the FSO has not developed a reputation of understanding how to apply security measures to the way the company makes money. The second is that the senior officers have appointed a lower level employee to the FSO position. Understanding how security fits into the organization is vital. Security managers ...

Preparing For Security Growth in a Defense Contractor Organization

Business growth affects the entire organization. The best thing that can happen in this case is for all the employees to be actively engaged in making the company successful. Each business unit doing its part to meet deadlines, supporting the contract or performing on the contract paves the way to overall success. The worst position for any unit to be in is failing to project the growth and causing a bottleneck in production. When a defense contractor business grows, the engaged cleared facility security officer (FSO) is prepared for that growth. The constant development and maintenance of relationships with employees and key business units allows the FSO to forecast requirements for the storage of classified material, performance of classified work and the protection of the enterprise’s employees, products, and capital. Preparing for growth involves the FSO not only training and hiring security employees, but accurately calculating classified inventory storage and work ...

Performing Security Checks in Defense Contractor Organizations

Try this question out and see if you know what to do. Better yet, if you are a security manager or facility security officer, run the following scenario by your cleared employees: Your colleagues leave for lunch. On their way out, they inform you that you are going to be the only one left. Your facility is authorized to store classified materials. What will you check for prior to leaving? Which form will you sign? End of day security checklists play a critical role in protecting our classified items as well as personal, proprietary and company sensitive material. The end of day checklist is a procedure required in the NISPOM and other federal agency regulations. However, such checklists could be implemented in any situation where privileged or sensitive items prove vulnerable to theft or espionage. Though the checklist is signed daily, it should not be signed just for the sake of compliance or "checking the block". This signature should only be annotated as a result of completing t...

Manage Defense Contractor Security Training

“What defines this room as approved for open storage?” I had asked while consulting on a project a few years ago. I had been in the middle of an extreme security discussion. The whole time I realized that the security employees I consulted understood their responsibilities, but did not know why the security measures were in place or where to find the guidance. “This area is approved for open storage. So, when we leave, we don’t have to set the alarm or spin the dial,” they said. “So, does that mean your document control folks in the other area can leave their safe open as long as they shut the door?” I asked, picking up on their logic. “No, they are not approved for open storage.” They have to lock the security containers in their office prior to leaving them unattended. “Correct, classified items should be secured prior to leaving the area,” I replied. “However, an area approved for open storage should be secured before leaving. That means setting the alarms and “spinning the dia...

Managing Classified Conversation

In the course of performing on defense contracts, exchange of classified information is inevitable. The movement of classified information outside of a secure environment is to be kept to a minimum and as a last resort. Prior to removing classified information, the holder should determine whether or not the classified information is necessary and whether or not the information may already be available. When classified information is necessary in the performance of the contract, the information should be sent via approved channels. Once the classified information is on-site, it's time to get to work. When we talk about work, we are referring to conferences, classes, engineering, services or any other environment where classified information is used. Classified information is controlled at all times to include conversations. As the senior industrial security manager in Defense contracting companies, the FSO leads the security program designed to protect classified information and pre...

Who gets the combination and where does it go?

On my first day as an FSO at a defense contractor, I came across a situation that I did not like very well. It was after walking the floor and talking to employees that I became introduced to a security container. As part of my inspection, I wanted to verify all documents were properly marked and stored appropriately. Upon asking for the custodian to open the container, he pulled out his cell phone and began scrolling. I asked what he had been looking for and he stated: "I can't remember the combination, but I'm sure that it's in here somewhere." Whoa! Hold the presses. I immediately changed the combination and took possession of the security container in my office. I also provided a clear policy and training agenda and that problem disappeared. The story has been altered to change the exact situation, but the story may sound familiar to you. But here's the question: Do your employees really understand how to protect classified information? Some younger and le...

The delivery

Security specialists, document control professionals, facility security officers and others receive classified information, depending on the contract. Part of the receipt is the critical inspection of the package throughout the unwrapping process. The inspector is searching for evidence of tampering and otherwise confirming that there has been no compromise of classified material since it left the sender’s organization. Classified material is protected by a two layer wrapping job. Each layer consists of material that is impossible to see through, such as an envelope, paper, a box or other strong wrapping material. To prevent opening, the seams of the layers are covered with anti-tampering rip proof tape to create a solid layer of covering. The initial inspection is more cosmetic as the inspector looks for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material. Next, review the address labels for approved classified mailing addres...

The Security Budget

A Facility Security Officer (FSO) should put careful consideration into the security budget. This is a primary opportunity in the continuing plan of building credibility. The manager who arbitrarily throws in a number with meritless base is sending the wrong message. However, a well thought out line item count based on risk management, company mission and NISPOM requirements is more apt to impress and build instant respect. The budget contribution should enforce and support a message the FSO is constantly communicating. The budget request should not be the first time executives are introduced to figures. Management’s support or lack of support of a security budget demonstrates either a well received or an unsupported security program. The intuitive FSO understands business, the company mission and how the role of protecting classified material fits. In that environment, the FSO provides a risk assessment based on the threat appraisal and speaks intelligently of the procedures, e...

The Compliance Officer

Today I finished up a short but very rewarding eight hour seminar on the International Traffic In Arms Regulation (ITAR) Overview. I am grateful to the staff at the University of Alabama in Huntsville and the North Alabama Trade Association for both sponsoring the event and allowing me to present. I found the course rewarding as I presented to a mixed audience of 30 professionals ranging from shipping and receiving specialists to executive vice presidents. The mix also consisted of professionals with various degrees of know-how as consultants, attorneys, technology control officers and those brand new to the field shared experiences and learned from one another. As a compliance officer in various disciplines, I have had the privilege of leading security and compliance teams and seminars on multiple topics. Though this was my first of hopefully many export regulations seminars, I noticed the similar need in the compliance field. Regardless of the discipline, compliance works be...

The Classified Visit

Let’s test your knowledge of international operations. The following situation is fiction, but is based on issues facing businesses every day. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question: As the security manager of a classified facility, you have many responsibilities including approving classified visits. Not a problem since most visit requests are handled through agency approved databases such as JPAS. Besides, you have a very large staff and the process is pretty much routine until…. A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual...

Assessing the security climate

I’ve recently fielded questions to some cleared employees. The intent was to generate discussion and get an assessment of how well they understood the National Industrial Security Program. I’ve received a variety of answers. The responses were intelligent, well thought out, but inaccurate. They demonstrated a lack of understanding based on popular culture and word of mouth. Keep in mind that out of all possible respondents less than a handful replied to each question. Additionally, the survey was in no way scientific. It was just a simple fielding of questions and not intended to be a representation of the industry in general. However, they do provide a sound training solution. How can one use such data to train the force? Well, thanks for asking. First of all, followers of this blog and the subsequent newsletter can use the same questions while conducting walk around security or otherwise conducting a security survey. Field these questions to your teams. If they respond cor...