Saturday, December 29, 2012

Protecting Proprietary Data and Intellectual Property-FSO Task


The Opportunity
If you are employed by a defense contractor, chances are that you perform work on goods and services for the research and development of a weapon system or other new capability. That being the case, the default focus of a Facility Security Officer (FSO) or security specialist is on technical data.
The problem is that while there is abundant guidance on the protection of classified information (the prescriptive regulation known as the NISPOM), there is a gap between classified and merely sensitive information, and protecting the unclassified side of that gap is of utmost concern. Here is where FSOs can really provide value to the enterprise.

The Problem
Take a look at this paraphrase from Allen Dulles' book The Craft of Intelligence:

In the 1950s the US Congress was concerned that there was just too much technical information available on government programs. From that concern, they commissioned researchers to assemble as much information from the public domain about a particular program as they could. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the compiled information to be classified, safeguarded it and disbanded the group. The lesson: intimate program details had not been properly identified, marked and protected.

The best result would be that we learned a valuable lesson and no longer have to worry about sensitive information appearing in the public domain. Not so. Here is a modern day example:

Recently the State Department reacted to an ITAR violation in which the Georgia Tech Research Institute (GTRI) made ITAR-controlled training material available on its website.

In this case, the US Government had identified the information as ITAR controlled, but GTRI mistakenly made it available to both US and foreign nationals.

In the first example, sensitive information was not properly identified and therefore could not be handled appropriately; the compiled information ended up classified. The second example demonstrates what can happen when information is properly identified and marked, but the handling requirements are not fully understood.

There are many other accounts of technology leaking through theft, public release, presentations, white papers, patents and the like. How do we solve such problems?

Incorporate an enterprise-wide, comprehensive system that identifies sensitive information by owner and technology, and then limits distribution. The NISPOM gives guidance on how to protect information already identified as classified; proprietary information, ITAR-controlled technology, intellectual property and similar categories aren't always given the same level of scrutiny.

Protecting company sensitive information
This may need to be performed at the contractor level. Once sensitive items are identified, intimate program details should be cataloged and documented so that those who work with and handle the technical information fully understand who owns it, how to get access to it and how to properly limit its distribution.

Be sure to include technical information owned by customers and vendors. Employees should understand how to properly handle the sensitive information of outside organizations. If it's not clear, ask.

Finally, any technical information that is legitimately distributed should only be released with a joint understanding of how the recipient may use and further distribute it.
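The catalog described above (owner, technology category, and a distribution check that employees can consult before a release) can be made concrete in a few dozen lines. The following is an added example, not code from the original post or from any real contractor; the categories, rules, sample items, recipients and organization names (Acme Optics, Vendor X, Partner Co) are constructed for illustration, and the real handling rules come from the DD Form 254, the ITAR and the company's own policy. The check returns the reasons a proposed release must not proceed as written, and an item that is not in the catalog is itself a finding, which is the first example's lesson.

```python
"""Hypothetical sensitive-information catalog with a pre-release distribution check.

Added example, not from the original post. Categories, rules and sample
records are constructed; real handling rules come from the DD Form 254,
the ITAR and company policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Category(Enum):
    CLASSIFIED = "classified"          # NISPOM and DD Form 254 govern this, not the check below
    ITAR = "itar"                      # export-controlled technical data
    PROPRIETARY = "proprietary"        # company trade secrets and proprietary data
    CUSTOMER_PROPRIETARY = "customer"  # technical data owned by a customer or vendor
    PII = "pii"                        # personally identifiable information


@dataclass(frozen=True)
class Item:
    item_id: str
    title: str
    category: Category
    owner: str        # organisation or function that can authorise further distribution


@dataclass(frozen=True)
class Recipient:
    name: str
    organisation: str
    us_person: bool
    nda_with: FrozenSet[str] = frozenset()  # owners the recipient's organisation holds an NDA with


def check_release(item: Item, rcpt: Recipient, public_release: bool = False,
                  owner_approved: bool = False) -> List[str]:
    """Return the reasons this distribution must not proceed as proposed.

    An empty list means no catalogue rule is tripped; it is not an approval.
    public_release covers press releases, web posting, papers and open conferences.
    owner_approved records that the item's owner signed off on this specific release.
    """
    reasons: List[str] = []
    outside_owner = rcpt.organisation != item.owner

    if item.category is Category.CLASSIFIED:
        return ["classified: handle under the NISPOM and the DD Form 254, not this check"]

    if item.category is Category.ITAR:
        if public_release:
            reasons.append("ITAR technical data may not be posted or presented publicly; "
                           "foreign persons would gain access")
        elif not rcpt.us_person:
            reasons.append("ITAR technical data to a non-US person needs an export "
                           "authorisation (licence, agreement or exemption) first")

    if item.category in (Category.PROPRIETARY, Category.CUSTOMER_PROPRIETARY):
        if public_release and not owner_approved:
            reasons.append(f"public release needs sign-off from the owner ({item.owner})")
        if not public_release and outside_owner and item.owner not in rcpt.nda_with:
            reasons.append(f"no NDA on file between {rcpt.organisation} and the owner ({item.owner})")

    if item.category is Category.PII:
        if public_release:
            reasons.append("PII is never released publicly")
        elif outside_owner and not owner_approved:
            reasons.append(f"PII leaves the owning function ({item.owner}) only with its approval")

    return reasons


def screen(catalog: Dict[str, Item], item_id: str, rcpt: Recipient, **kwargs) -> List[str]:
    """Look the item up by id; an uncatalogued item is itself a finding."""
    item = catalog.get(item_id)
    if item is None:
        return [f"{item_id} is not in the catalogue: identify, mark and assign an owner before release"]
    return check_release(item, rcpt, **kwargs)


# Constructed sample catalogue for a fictional night-vision programme (not real data).
CATALOG: Dict[str, Item] = {i.item_id: i for i in [
    Item("NF-001", "Detector test data", Category.ITAR, "Acme Optics"),
    Item("NF-002", "Detector yield process", Category.PROPRIETARY, "Acme Optics"),
    Item("NF-003", "Vendor lens spec", Category.CUSTOMER_PROPRIETARY, "Vendor X"),
    Item("NF-004", "Programme threat summary", Category.CLASSIFIED, "Government"),
    Item("HR-001", "Cleared employee roster", Category.PII, "Human Resources"),
]}

# Constructed sample recipients.
EMPLOYEE = Recipient("A. Engineer", "Acme Optics", us_person=True, nda_with=frozenset({"Vendor X"}))
PARTNER = Recipient("B. Partner", "Partner Co", us_person=True, nda_with=frozenset({"Acme Optics"}))
ATTENDEE = Recipient("C. Visitor", "Overseas University", us_person=False)


if __name__ == "__main__":
    for item_id, rcpt, public in [("NF-001", ATTENDEE, False), ("NF-001", EMPLOYEE, True),
                                  ("NF-002", PARTNER, False), ("NF-003", PARTNER, False),
                                  ("NF-004", EMPLOYEE, False), ("HR-001", ATTENDEE, False)]:
        print(item_id, rcpt.organisation, "public" if public else "private",
              screen(CATALOG, item_id, rcpt, public_release=public) or ["no findings"])
```

The point of the design is that the employee never has to know the ITAR or NDA rules by heart: they look up the item, name the recipient and the channel, and the catalog tells them who to ask and why. An empty result is deliberately not an approval, only an absence of known blockers.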


Jeffrey W. Bennett, SFPC, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Tuesday, December 18, 2012

Prescribed Regulations and a Sensible Security Assessment: Cleared Contractor Protection Measures


Cleared contractor facility security officers (FSO) and security specialists have a unique challenge. They protect classified information and have lots of guidance on how to do so. However, they also have to figure out how best to protect sensitive information within a budget that competes with everything else. Some of the forces acting on that budget are the NISPOM, the ITAR and other regulatory requirements, as well as the actions required by a thorough risk assessment.

The NISPOM is a prescriptive policy, meaning that FSOs and security specialists have a list of "to do" countermeasures to protect Government-identified classified contract information. For example, a SECRET document must be stored in a GSA-approved security container.

Other measures that appear to be prescribed are really just standard industry practices. Access control, alarms and CCTV are so widely used that one might assume they are required. They are not: the NISPOM states that SECRET must be stored in a GSA-approved container, but some might find it shocking that alarms are NOT required for SECRET stored that way. It is important to keep the distinction clear. Countermeasures the NISPOM does not prescribe still protect classified information, but the trade-off is high cost and a focus on the wrong protection measures.

Security is meant to provide the right amount of countermeasures in the right place. Blanket countermeasures are costly and burdensome, and they abuse the intent of the NISPOM.

Assigning security measures without a real risk or security assessment seemingly provides protection and makes us feel better. Such actions result in the construction or modification of cleared facilities into reinforced fortresses built to withstand repeated break-in attempts, when the threat of those break-ins has never been established.

It makes sense to provide overwhelming physical security if the security assessment requires it. However, there may be more pressing issues and real threats competing for the same budget. Following the prescriptive measures of the NISPOM is the minimum, and piling on tougher physical security measures beyond that may be the wrong course of action.

Suppose your risk assessment determines that the greatest threat to sensitive information is forgetful and irresponsible employees. Adding badge readers and alarms to counter a nonexistent threat of theft does nothing about the insider issue.

An aggressive procedure, policy and training program focused on the real threat (bad habits) does help. For example, the real threat may be a lack of understanding of how to protect intellectual property. How do cleared employees work with, discuss, or demonstrate their technology through reports, trade shows, patents or press releases without inadvertently transferring technical information? An intellectual property identification, security training and compliance program would do more to protect the information than guns and guards.





Wednesday, December 5, 2012

World Class FSO


Olympic competition is just another step in the journey of a world class athlete. The competitors didn't just wake up and perform spectacular feats; they incorporate winning performance into their daily rituals. They won a seat on the team because of conditioning, determination and dedication. If an athlete breaks records or fails to qualify, the success or failure isn't a one-time performance. They didn't just wake up as champions; they prepared.

Leaders are successful for the same reason. Consider the following questions about leaders: What makes them successful? Why are ideas they present more contagious than mine? How are they able to influence major decision makers?

Successful Facility Security Officers (FSO) and other security executives are no different. Just as a world class athlete performs to win, the FSO demonstrates world class security programs designed to protect classified information. These champions impact organizational policy, generate buy-in at all levels and successfully integrate security programs into the organization's DNA. They are also able to command higher compensation, more influential positions and stature within the company.

These winners exhibit four characteristics of world class FSOs:

1. Tie-in security functions with the goals and mission statement

Successful leaders don’t limit themselves to busy work or focus on individual tasks. For example, they focus priorities on supporting the company’s mission instead of touting success with the amount of JPAS transactions or combination changes.

They demonstrate effectiveness by linking security and professional goals with the senior officer’s priorities. For example, suppose the defense contractor’s mission statement is “Provide the warfighter with superior night fighting capability”. The FSO would implement a security program to prevent unauthorized disclosure of classified and unclassified program information. But they don’t stop there. They ensure that everyone understands how the security program is vital to “providing the warfighter with superior night fighting capability”.

The message to the top might go like this:

“Before we proceed with this business development plan, we should review the press release for program information and anything not authorized for public release. Failure to do so may compromise our efforts to provide the warfighter…”

“Let’s consider the ITAR implications of your speech to the World Wide Night Fighter Research Symposium. Since there will be non-US persons attending we should…”

“I’ve reviewed the government’s requirements. Are you aware that winning this contract will require us to enhance our security posture? Let me brief you on what you might expect per the NISPOM:”

2. Demonstrate the value of security program to the ability to perform on classified contracts

The first step is to understand the acquisition process and the requirements found in the statement of work, contract and Contract Security Classification Specification (DD Form 254). The proactive FSO gets involved early in contract negotiations and contributes to the customer’s requirements. Without the proper understanding the FSO will not be able to properly advise and guide business development or program actions.

Protecting the nation’s secrets is not just a job for the security department; it should be integrated into the cleared contractor’s culture. When cleared employees understand their roles in protecting the facility security clearance, the entire organization wins. To do this the FSO has to demonstrate his function’s value to protecting classified contracts. It’s not enough for the FSO and staff to protect classified information, but the entire enterprise must own the process.

3. Ensure the FSO reports to the senior executive.

If that’s not possible, then at least report to the same level management as contracts, human resources and other overhead managers. Successful leaders are not buried under many layers of management and bureaucracy, but report directly to the senior officer. When they speak people listen. Business development, engineering, research and development, program management, contracts and others seek out their guidance.

4. Develop policies that are supported and enforced from the top down.

Policies only work when they are owned and supported at the highest levels. Take, for example, in-processing by human resources, helpdesk requests by the IT department or accident reporting by safety. Those policies are among the most effective and successful because they have been vetted and accepted by the entire organization. Along with the policies are well-published procedures identifying what the requirements are and how to meet them.

Success in any organization is not an overnight accomplishment. Just as the athlete trains to become the world’s best, FSOs should put in the focused work to become champions in their industry. The key is creating security goals and demonstrating how they support the organization’s mission. Create buy in of those goals and communicate goals regularly. Once senior leaders understand the security mission, they can make it part of the corporate make up and easier to execute.

For more information, why not check out DoD Security Clearances and Contracts Guidebook




Friday, November 30, 2012

Cleared Contractor FSOs Can Create Impact Outside of the NISPOM


Facility Security Officers (FSO) have a tremendous responsibility: developing a security program to protect classified information. After all, they (an individual or a staff) are the link between government oversight (the cognizant security office), the customer (prime contractor or Government Contracting Activity) and the cleared defense contractor, ensuring that classified information is properly protected.

However, if FSOs focus solely on their classified responsibilities, they are missing great opportunities to increase their effectiveness. That's right: focusing solely on the single task of protecting classified information may reduce the chances of being more effective. Providing value outside of the National Industrial Security Program Operating Manual (NISPOM) actually helps the FSO create a better security program.

FSOs can expand their influence by providing lessons learned and best practices that integrate security into all enterprise areas. These areas become part of a holistic approach to protecting information across the facility. Few controls are typically in place to protect unclassified but sensitive information, and the FSO can be a rock star in this area, applying the same skills to protect government- and customer-supplied sensitive products as well as internally created information.

Here are two ways FSOs can use their skills to identify and protect proprietary information, intellectual property, and other sensitive information.

1.  Government and other customer provided products:
  • Classified information - Government information that is identified and protected based on the level of potential damage to national security. Classified information is protected with guidance found in the NISPOM. It is prescriptive, meaning that if information is SECRET, it must be stored, handled, transported and destroyed according to regulations and policies. The government-appointed original classification authority (OCA) uses a six-step OCA process to identify and protect classified information. Follow the policies of the NISPOM, the contract and other applicable regulations to build your security program.

  • OPSEC - A process to deny potential adversaries information about capabilities and/or intentions. OPSEC plans are required on many classified and UNCLASSIFIED contracts. You can see the requirements in the DD Form 254 of classified contracts and in the contract itself for unclassified contracts. Use the five-step OPSEC process to identify OPSEC indicators, determine the threat, determine vulnerabilities, assess risk and implement countermeasures.

  • Technical information - scientific and technical information that relates to the research, development, engineering, test, evaluation, production, operation, use, and maintenance of munitions and other military supplies and equipment. Information falling under this category is protected by export compliance rules and the International Traffic in Arms Regulations (ITAR). You may see this information in program tests, work breakdown structures and other program related materials.

  • Critical Technology - technologies so fundamental to national security or so highly enabling of economic growth that the capability to produce them must be retained or developed in the United States. The government has identified this information, and it is also required to be protected.

2.  Internally created company information
Company information is harder to identify and requires more proactive work. Where government and customer provided material should come with a sensitivity level and protection requirements, internal secrets require proactive identification and protection requirements. The FSO can incorporate processes similar to the five-step OPSEC process or the six-step OCA process to help accomplish the task. The following are examples of such items:
  • Trade Secrets - processes, procedures, formulae and the like that an enterprise produces and that are not well known.
  • Proprietary information - overlaps with trade secrets and includes documentation, financial data, program details, test data and trade secrets that are not well known and that an enterprise would like to keep secret.
  • Intellectual property - something designed, written, published, built or otherwise created that belongs exclusively to an individual or corporation. It differs from trade secrets and proprietary information in that it is an exclusive creation, such as a musical composition, rather than personal or financial information. Intellectual property covers trademarks, patents, copyrights and others.

Identification of trade secrets, proprietary information and in some cases intellectual property may require a working group of subject matter experts. The FSO can lead discussions to help determine what the trade secrets are and use security skills to protect them.

Personally Identifiable Information (PII) - details that can help find or identify a person, including name, address, driver's license number, social security number, etc. This protection is required by law. The FSO can help determine who needs to maintain PII and how to protect it from unauthorized disclosure.

Once all internal information is identified and protection measures are implemented, employees can have left and right limits that help prevent unauthorized disclosure commonly found in events such as: conferences, papers, patent applications and press releases.

The FSO is a pivotal member of the cleared contractor facility. The FSO is one of two employees absolutely required by the NISPOM, and the position's sole purpose is to protect classified information. However, this role can be expanded to protect all levels of sensitive information and make the FSO a star when it comes to enterprise protection.

Find more about the role of the FSO and security specialist in DoD Security Clearance and Contracts Guidebook.




Monday, November 26, 2012

http://www.icontact-archive.com/c4PNVL0-z66WLzORFNJCef4n0g49XcbI?w=7

Our latest newsletter. Come see it...

2 Obstacles Every Facility Security Officer Must Overcome

3 Pronged Plan of Attack FSOs Should Consider 

Determining ITAR License Requirements with Bob Schuettler, Director, Corporate Export Licensing and ATK


Tuesday, November 20, 2012

Sample Questions from ISP Certification-The Industrial Security Professional Exam Manual


Here are actual questions from the book ISP Certification-The Industrial Security Professional Exam Manual. The questions here are all about NISPOM Chapter 8.


Go ahead, test your knowledge:

80. Level of concern reflects the sensitivity of the information and the consequences of the loss of confidentiality, availability, or _____.
a. Truth
b. Equipment
c. Integrity 
d. Values
e. Ethics

81. Who has responsibility for accrediting information systems used to process classified information in industry?
a. CSA 
b. FSO
c. ISSM
d. ISSO
e. Contractor

82. The CSA can grant interim approval to operate an IS for up to:
a. 120 days
b. 90 days
c. 180 days
d. 1 year
e. 45 days

83. Systems operate at Protection Level 3 when:
a. All users have required approvals for access to all information on the system
b. All users have required clearance, but at least one lacks need to know
c. All users have required clearance, but at least one lacks formal access approval of the information on the system 
d. None of the above
e. All of the above

84. For availability of information, what level of concern reflects that information must be available with flexible tolerance for delay?
a. Low
b. Medium
c. High
d. Basic 
e. Intermediate


Answers follow this line:
------------------------------------------------------------------------------------------------------------






80. Level of concern reflects the sensitivity of the information and the consequences of the loss of confidentiality, availability, or _____.
c. Integrity (NISPOM 8-401)

81. Who has responsibility for accrediting information systems used to process classified information in industry?
a. CSA (NISPOM 8-102)

82. The CSA can grant interim approval to operate an IS for up to:
c. 180 days (NISPOM 8-202)


83. Systems operate at Protection Level 3 when:
c. All users have required clearance, but at least one lacks formal access approval of the information on the system (NISPOM 8-402c)


84. For availability of information, what level of concern reflects that information must be available with flexible tolerance for delay?
d. Basic (NISPOM Chapter 8 Table 3)




Thursday, November 15, 2012

3 Pronged Plan of Attack FSOs Should Consider



One thing I remember from my many years in the Army is that you can't force motivation. Sure, I've done my share of pushups and flutter kicks ordered up by a drill sergeant who thought I needed some incentive, but I didn't do them out of my own initiative. It just made him feel better.

The point is that most of what it takes to contribute to, and become a sought after member of, an enterprise team comes down to a professional's motivation and initiative. In past articles I've addressed some important tasks FSOs should undertake to add enterprise value; all of them are tied to leader effort and initiative.

The FSO has marching orders to develop and implement security programs to protect classified information.  But, how effective is security policy if it is written by security and posted only in the security office?

Unless security requirements are incorporated into overarching policy and adopted by all business units (HR, safety, security, business development, operations, contracts and program management department policies), they won’t be very useful. Tying policy into each business unit allows them to own the requirements. Policy is better enforced published globally, but initiated locally.

Here are three plans of attack FSOs should consider to win a seat at the enterprise’s decision table: understand enterprise elements, align professional priorities with the company mission statement, delegate responsibilities and co-opt others.

1. Understand Enterprise Elements
Everyone has a job to do and all tasks should be performed with company success in mind. Imagine a large company with HR, safety, security, business development, operations, contracts and program management departments. Though each department operates autonomously, all must function with the enterprise in mind. Each department has policies, but those policies should be in line with the overarching enterprise policy.

Learn what other parts of the enterprise do and how they do it

This is important, as you can better align your goals with the company purpose. Seek to understand how each business unit operates to better prepare for your requirements. Form working groups, have meetings, solve problems, join committees, engage in lean six sigma activities.

Identify items, events, and issues that security can help with

Look at upcoming contracts, business development goals and program requirements, and then implement NISPOM guidelines ahead of need. This is forward thinking and will position an FSO as the "go to" person. What other opportunities do FSOs have? Think beyond the NISPOM and apply protection skills to reduce the probability of theft and to protect personally identifiable information and intellectual property.

2. Align Professional Priorities With The Company Mission Statement
Defense contractors provide products and want to make a profit in return. What differs from company to company is the amount of resources they can afford to spend on protection. FSOs can answer the tough questions: How can security help reduce expenses while effectively protecting classified information? What is an acceptable balance?

Policies should align with the enterprise and complement other elements' roles

The easier to implement, the better

3.    Delegate Responsibilities and Co-opt Others.

The appointed FSO who also serves as a senior officer should consider delegating the administrative duties to someone more available. Being the FSO doesn't necessarily mean doing it all yourself. Consider delegating administrative functions while maintaining authority for major decisions. For example, other employees can make JPAS input, conduct NISPOM training, and maintain classified documents. The FSO is designated to approve and implement the policy that supports those administrative requirements.

The best security measure is an educated and engaged work force. Training cleared employees to take on security tasks will significantly reduce FSO workload. It also co-opts the entire organization to own and exercise requirements.

Form working groups to address and resolve problems and security issues. The FSO isn't the only cleared employee, and resolution may reside with the cleared employees who actually perform on classified contracts. With employee input comes employee endorsement and ownership; instant implementation.

FSOs and security professionals should not be identifying problems, creating solutions, and providing security policy in a vacuum. To become a sought after member of an enterprise team, the FSO should be thinking “teamwork” which requires a high level of motivation and initiative. Use the three recommendations to create the right atmosphere and gain a seat at the decision table.





Wednesday, November 14, 2012

2 Obstacles Every Facility Security Officer Must Overcome



Security policy is only as good as the paper it is written on. Those professionals who want to pair sound policy with demonstrated good procedures understand that a written document is just part of the solution. Success rests on the entire enterprise accepting and incorporating the policy as a normal part of doing business. The road to that success can be quite bumpy, but I'll lead the way.

There are two kinds of challenges facing security professionals: self-inflicted and institutional.

1. Self-inflicted challenges are the ones that we place in our own way. They are perceptions about our capabilities (or lack thereof) that other professionals form about us. The perceptions manifest in two different ways: lack of vision and lack of initiative.

a.     Lack of Vision - The Dr. No Syndrome- “No, you can’t do this or have that.” “The NISPOM says blah blah blah!!!”  “The answer is NO, now frame your questions accordingly.”

In my early days as a facility security officer (FSO), I once told a program manager that we couldn’t do what he wanted. However, later research indicated that his solution was definitely a possibility. Unfortunately, he did the research himself and pointed out my error.  I was lucky that he approached me professionally and I was able to maintain a good reputation and not that of a “Dr. No”.  As part of an enterprise team, we should help with solutions that help the organization perform while complying with National Industrial Security Program Operating Manual (NISPOM), national, or corporate regulations and policies.

b. Lack of initiative - “If people thought security could do better they would come talk to me.” I remember, as an export compliance officer, an incident where one of our business developers proceeded to form a business plan with International Traffic in Arms Regulations (ITAR) controlled implications. A colleague of mine expressed remorse that he had not been contacted. “They know I’m here,” he said. “It’s their responsibility to find me and start the licensing process.”

Though he was technically correct, where’s the motivation and initiative? I learned from that experience and made it my business to attend every program, business development and contract meeting I could find. Taking such initiative allows the security manager to anticipate program needs ahead of time. In this capacity you can implement and direct policy as issues arise, not after the issue gets ugly.

2. Institutional perceptions

a. Lack of understanding - “You’ll interrupt cost, schedule and performance.”

The statement above is a commonly expressed perception that security provides no added value. Many times, it’s a direct result of self-imposed obstacles. Recall the earlier example where I began attending all program, engineering and business development meetings. As a brand new FSO, I invited myself to one of my first security meetings. I was able to demonstrate the impact of security requirements on the enterprise should we win an engineering contract. The value added was the identification of storage and classified work requirements and what it would take to meet those requirements.

After the meeting, I headed back to my office. The phone rang.

“Hello”, I answered.

“Who did you charge the meeting to?” replied the no nonsense contracts manager.

“Huh?” I replied, obviously not understanding.

“What line item did you charge to? I can’t afford to pay everyone’s way to any meetings they want to attend.”

“Oh, now I’m following. Don’t worry, I’m free; indirect charge. I hope you liked the direction the meeting went.”

The phone was silent for a moment.

“Sure, you’re welcome to attend anytime,” she relented before hanging up.

Demonstrate that security is a value added when applied early and effectively.  Proper procedure can help programs to reduce costs, improve schedule and enhance performance.

b. Limited expectations - “Just take care of the clearances.”

I remember sitting in an FSO’s office while she lamented her lack of effectiveness. She explained that she was not involved in her company in any other way than taking care of security clearances and annual security refresher training. She wanted to offer so much more, and she did have many years of valuable experience.

Expand expectations by demonstrating incredible value. Contribute to contract discussions, help the HR department protect personally identifiable information, and consult business development on possible impacts of the classified contracts they are pursuing. Think of ways beyond the NISPOM or other requirements to assist the enterprise.

In most cases security is an indirect charge, capable of contributing to the entire organization without impacting individual program costs. However, FSOs and security specialists have to overcome self-imposed and institutional perceptions. It takes work and initiative to do so, but the entire enterprise benefits.




Monday, October 29, 2012

Try these 5 ISP Certification Questions

Here are 5 ISP Certification questions you can try, taken right out of ISP Certification-The Industrial Security Professional Exam Manual.

106. Which agency has classification authority and can authorize release of COMSEC information to a foreign person?
a. NSA
b. DIA
c. CIA
d. DoD
e. DOE

107. The FSO, COMSEC and alternate COMSEC custodian shall be briefed by the _____ or their designee.
a. Government representative
b. KMP
c. FSO
d. COR
e. Outgoing custodian

108. Initial reports submitted to the FBI must be followed up by:
a. Telephone reports and submitted to CSA in writing
b. Written reports and a copy submitted to CSA
c. Face to Face reports and submitted to CSA in writing
d. A and b
e. All of the above

109. When sending a report for changes in cleared Key Management Personnel, what information must be included:
a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access
b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance
c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access
d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access
e. Special access, level of clearance, citizenship

110. The _____ is required to periodically review existing Security Classification Guidance and issue revisions:
a. FSO
b. CSA
c. GCA
d. DoD
e. Secretary of Defense

Scroll down for the answers

106. Which agency has classification authority and can authorize release of COMSEC information to a foreign person?
a. NSA (NISPOM 5-507)
b. DIA
c. CIA
d. DoD
e. DOE

107. The FSO, COMSEC and alternate COMSEC custodian shall be briefed by the _____ or their designee.
a. Government representative (NISPOM 9-404)
b. KMP
c. FSO
d. COR
e. Outgoing custodian

108. Initial reports submitted to the FBI must be followed up by:
a. Telephone reports and submitted to CSA in writing
b. Written reports and a copy submitted to CSA (NISPOM 1-301)
c. Face to Face reports and submitted to CSA in writing
d. A and b
e. All of the above

109. When sending a report for changes in cleared Key Management Personnel, what information must be included:
a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access (NISPOM 1-302g)
b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance
c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access
d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access
e. Special access, level of clearance, citizenship

110. The _____ is required to periodically review existing Security Classification Guidance and issue revisions:
a. FSO
b. CSA
c. GCA (NISPOM 4-103b)
d. DoD
e. Secretary of Defense

How did you do? Are you ready for the exam? If you need more practice, consider ISP Certification-The Industrial Security Professional Exam Manual, ISP Test Tips, or any number of related books at www.redbikepublishing.com


Friday, October 26, 2012

SETA and Annual Security Refresher Training


In the National Industrial Security Program Operating Manual (NISPOM) world, cleared contractors know to perform training to better equip cleared employees to protect classified information. This training comes under many different names and programs: annual security awareness training, annual refresher training, initial security training and required security briefings, among others. Some of the phrases are interchangeable. For example, where the NISPOM requires annual security refresher training, FSOs may conduct “annual refresher training” or similarly worded training events.

The point is, regardless of the event title, cleared contractors should conduct training to standards listed in NISPOM Chapter 3 and defend the training with proper documentation. The training execution is left to the contractor as long as the required elements are in place. As a refresher, these elements are:
1. Reinforce topics provided during the initial security briefing:
a. A threat awareness briefing.
b. A defensive security briefing.
c. An overview of the security classification system.
d. Employee reporting obligations and requirements.
e. Security procedures and duties applicable to the employee's job.

2. Keep cleared employees informed of appropriate changes in security regulations.

Here is another effective and easy to implement training tool.

Employed effectively outside of NISPOM circles, Security Education, Training and Awareness (SETA) is a training format used primarily in IT and non-DoD settings. It is simple, easy to implement, and can be applied to NISPOM training.

Concerning the role of providing training, the facilitator should ask the question: “What skills do I have to offer?” In other words, how does the trainer put together a training program to educate engineers, human resources, program managers and other cleared employees? How do they marry up the need to provide skills, develop processes and put administrative, technical, and functional controls in place to implement a good security program?

Think SETA and employ it enterprise wide:
1. Security - The program developed and implemented to protect classified information
2. Education - Determine what information the enterprise requires to support the security program
3. Training - Apply that education. Determine what matters to make the enterprise successful at protecting classified information
4. Awareness - What regulations and policies (at national and company level) does the enterprise need to know?

The end state is to incorporate all of this into the NISPOM required training. The training should include all elements identified in the NISPOM, applied to the needs of each business unit. One size doesn’t fit all where training is concerned. The NISPOM requirements are a guide and allow the flexibility of tailoring the training to meet individual and enterprise needs. Employing SETA principles can lead to a more productive training session.

See more about training requirements in our books Insider's Guide to Security Clearances and DoD Security Clearances and Contracts Guidebook.

