Monday, March 25, 2013

Eliminate Export Violations



Export compliance first and foremost helps companies and individuals successfully earn profits while playing by the rules. Our government encourages international business. The opportunities for expanding business and growing employee experience make international trade an attractive endeavor. The benefits are huge as long as enterprises know the rules and successfully transfer technology. The reality is that a license or technical assistance agreement is often possible, and is likely to be granted, when given the time and consideration required.

Unfortunately, the routes professionals sometimes take to avoid licenses cause export violations and significant damage to our defense and economy. Successful export occurs where the whole team understands the mission and each business unit and employee role. The compliance officer trains the company and keeps the empowered official abreast of licensing and technical assistance issues. They also establish trigger mechanisms to ensure international travel, business, or employment opportunities come to their attention early in any endeavor involving technology transfer.

Some ideas for successful international business include:


  • Identifying qualifying technology for export control. 
  • Marking export controlled documents and items
  • Training employees to properly work with export controlled information
  • Understanding that export occurs in briefings, writings, patents, instruction and not just through services or shipped products
  • Establishing public release policy to prevent unauthorized export

For more practice questions, see our  ITAR @ www.redbikepublishing.com






Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Sunday, March 24, 2013

Combating the Insider Threat



Insider threat briefings abound, but very few actually identify measures that protect an enterprise against a threat from within. Many training opportunities do a good job of describing the threat and the need to prevent such occurrences, but seldom are the right measures identified. Here are four proven ways to protect classified contracts and sensitive company information:
  1. Consult your employees and provide prescribed protective measures found in policy and guidance such as the National Industrial Security Program Operating Manual (NISPOM) and the International Traffic in Arms Regulations (ITAR). This is going to be as simple as interpreting what needs to be protected and how to protect classified contract work per written contractual and policy guidelines. Establish rules of engagement with cleared employees, getting their understanding and agreement.
     Equally important is to protect proprietary and other sensitive information that may not have established protective measures in place. In this case, the security manager would form a working group consisting of security and knowledgeable employees. Here, the group would determine what was sensitive, identify protection measures and apply them to a written policy.
  2. Train your employees to identify threats. Cleared defense contractors are required to provide security training to their employees annually. Here, they provide updates to security requirements and engage cleared employees with their responsibilities as outlined in NISPOM and industry standards.
     Also important is to train on protecting the proprietary information, intellectual property and other sensitive information per policy established by the group. Here, the group has already staffed the policy and received approval from the enterprise to enforce the policy.
  3. Inform your employees. Provide policy, memos and guidance to influence behavior. Then inform the company employees that active measures are in place to identify and punish (or incarcerate) any insider threatening the enterprise's information and national secrets. Forewarned is forearmed and the insider threat will be reduced.
  4. Reduce the insider threat opportunity with protective measures. Many protection measures are in place to prevent unauthorized access from those outside the enterprise. Gates, guards, card readers, alarms and other measures protect the castle from those desiring to storm it. But what about the trusted messenger who leaves with the keys to the kingdom? Efforts such as the following are geared toward protecting sensitive information from walking out:
    • Identifying and labeling sensitive information and who is authorized access
    • Consulting measure number 1 before releasing it to anyone
    • Insider identification training
    • Inspections
    • Online activity tracking
    • Email observation
    • Firewalling sensitive items, physically and virtually, from access by those without need to know

Consider forming working groups with enterprise members outside of the security discipline. Get the subject matter, human resources, legal and program experts together to discuss the issues and come up with solutions. We’ve identified some solutions here, but there are others. Use this as a starting point to inject some energy into stopping employees gone wild.





Making NISPOM Initial Security Briefings Work


The National Industrial Security Program Operating Manual (NISPOM) lists training requirements for cleared employees. New employees are required to have Initial Security Briefings to ensure their understanding of the following topics:


  • A threat awareness briefing
  • A defensive security briefing
  • An overview of the security classification system
  • Employee reporting obligations and requirements
  • Security procedures and duties applicable to the employee's job


Why are these topics important? They give the cleared contractor a good idea of what is classified, why it is classified and how to protect it from unauthorized disclosure. Well trained and enabled employees drive the enterprise security program headed by the FSO.

The threat awareness briefing helps the cleared employee understand that there are people who want their information. These people have techniques and a modus operandi to get access to classified information. However, employees can apply this to export controlled, intellectual property and proprietary information. Employees should be trained to recognize attempts to access sensitive information by an unauthorized person.

A defensive security briefing is the next step. This training goes into detail about how an adversary might approach an intended victim to get sensitive information. The defensive security briefing teaches the cleared employee to be on the offense with active measures to protect classified knowledge and information. Employees should know how to react to requests and report all attempts to gain unauthorized access.

An overview of the security classification system provides the cleared employee with answers to how information is classified, what criteria are used and how decisions are disseminated. Some useful tools include security classification guidance, DD Forms 254, and classification markings.

Employee reporting obligations and requirements should provide resources for reporting certain types of information. The cleared employee should be given information on how to report espionage, sabotage, security violations, suspicious activity, etc.

Security procedures and duties applicable to the employee's job is the real meat. This helps the cleared employee with specific tasks related to protecting classified information they may actually work with on the job. Great tools include the DD Form 254, security classification guides, statement of work, requirements documents, work breakout schedules, engineering documents, etc. Where the FSO might train the first few requirements, a supervisor, program manager or lead engineer might take over this training. The key is to ensure a properly trained employee and document that training.

Training cleared employees to perform on classified contracts is the first step to a great industrial security program. NISPOM outlines required topics, but enterprising FSOs can make the training more applicable. The better employees understand their jobs, the better they can protect sensitive information they are entrusted with.



Monday, March 4, 2013

Try these questions from Red Bike Publishing's Unofficial Guide to ISP Certification


1. All of the following must be included in the authorization letter for hand carrying classified material on a commercial aircraft EXCEPT:
a. Traveler’s Social Security Number
b. Description of traveler’s ID
c. Description of material being carried
d. Identify points of departure, destination, and known transfer point
e. Location and telephone number of CSA

2. Contractors shall limit the number of PCL requests to:
a. One third of the company
b. KMPs and direct reports
c. That which is necessary to operate efficiently
d. Meet future requirements for classified contracts
e. That which is specifically outlined on the DD Form 254

3. The _____ is responsible for providing overall policy direction for the NISP.
a. Nuclear Regulatory Commission
b. Central Intelligence Agency
c. Defense Security Services
d. National Security Council
e. Secretary of Defense

4. Among other requirements, the destruction records for TOP SECRET must contain the _____ and be kept for _____.
a. Date of destruction, two years
b. SSN of destroyer, two years
c. Name of destroyer, one year
d. ID material destroyed, one year
e. Date of Classification, five years

5. Which types of door locking devices are approved for access to closed area doors?
a. Key operated pad lock
b. Handprint reader
c. Deadbolt key lock
d. Swipe card reader
e. All the above


Scroll down, but don't peek until you're ready. See how you do:



1. All of the following must be included in the authorization letter for hand carrying classified material on a commercial aircraft EXCEPT:
a. Traveler’s Social Security Number (NISPOM 5-411)
b. Description of traveler’s ID
c. Description of material being carried
d. Identify points of departure, destination, and known transfer point
e. Location and telephone number of CSA

2. Contractors shall limit the number of PCL requests to:
a. One third of the company
b. KMPs and direct reports
c. That which is necessary to operate efficiently (NISPOM 2-200d)
d. Meet future requirements for classified contracts
e. That which is specifically outlined on the DD Form 254

3. The _____ is responsible for providing overall policy direction for the NISP.
a. Nuclear Regulatory Commission
b. Central Intelligence Agency
c. Defense Security Services
d. National Security Council (NISPOM 1-101a)
e. Secretary of Defense

4. Among other requirements, the destruction records for TOP SECRET must contain the _____ and be kept for _____.
a. Date of destruction, two years (NISPOM 5-707)
b. SSN of destroyer, two years
c. Name of destroyer, one year
d. ID material destroyed, one year
e. Date of Classification, five years

5. Which types of door locking devices are approved for access to closed area doors?
a. Key operated pad lock (NISPOM 5-801e)
b. Handprint reader
c. Deadbolt key lock
d. Swipe card reader
e. All the above





Traditional Security Tools in Unique Ways-Moving from Security to Risk Management Part 2




In part two of the series Using Traditional Security Tools in Unique Ways-Moving from Security to Risk Management we’ll look at a few more ideas. In part one we looked at security training, clean desk policy and posting reminders of work in progress. In this article we’ll look at documenting the use of security containers and end of day checks.

Document the opening and closing of security containers-So, here's the question, other than helping determine who opened the security container, who closed it and who checked it, what real use is it?

Such a form is an inspectable item in the government, but other than that, how does industry use it to improve enterprise security posture? As a standalone tool, we rely on professionals to actually fill it out correctly. When they do, what information does the form actually provide? If an insider plans a malicious event, they won't fill it out.

Out of the box: Hey, it’s in NISPOM, but there are other applications. Consider using the SF 702 to check for unauthorized attempts to open a container. You can actually check the electronic locks for successful and unsuccessful attempts to open the lock, and then compare them to the SF 702 or compatible form.
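One way to run that comparison, as an added example that is not part of the original post: it reconciles an electronic lock audit export against a transcribed SF 702 and reports failed attempts, successful opens with no form entry, and form entries with no lock event. The record layouts, container ID, initials and the ten-minute tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. Both layouts are assumptions for illustration;
# a real lock audit export and SF 702 transcription will look different.
LOCK_AUDIT = """\
2013-03-04T07:58:12,CONT-01,OPEN_OK
2013-03-04T12:31:40,CONT-01,OPEN_FAIL
2013-03-04T12:32:05,CONT-01,OPEN_FAIL
2013-03-04T19:47:03,CONT-01,OPEN_OK
2013-03-05T08:02:30,CONT-01,OPEN_OK
"""
SF702 = """\
2013-03-04,CONT-01,08:00,JWB
2013-03-05,CONT-01,08:00,JWB
2013-03-05,CONT-01,13:15,KLM
"""

# Hand-written times are approximate, so allow a gap (assumed value).
TOLERANCE = timedelta(minutes=10)


def parse_audit(text):
    """Return (timestamp, container, result) tuples from the lock export."""
    rows = []
    for line in text.strip().splitlines():
        ts, container, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), container, result))
    return rows


def parse_form(text):
    """Return (opened_at, container, initials) tuples from the SF 702."""
    rows = []
    for line in text.strip().splitlines():
        day, container, hhmm, initials = line.split(",")
        rows.append((datetime.fromisoformat(f"{day}T{hhmm}:00"), container, initials))
    return rows


def reconcile(audit, form):
    """Pair each successful open with one form entry; report what is left."""
    unmatched_form = list(form)
    findings = []
    for ts, container, result in audit:
        if result == "OPEN_FAIL":
            findings.append(("failed_attempt", container, ts))
            continue
        match = next((f for f in unmatched_form
                      if f[1] == container and abs(f[0] - ts) <= TOLERANCE), None)
        if match:
            unmatched_form.remove(match)  # each form line explains one open
        else:
            findings.append(("open_not_on_form", container, ts))
    for ts, container, _initials in unmatched_form:
        findings.append(("form_entry_without_lock_event", container, ts))
    return findings
```

On the sample data this flags the two failed attempts at midday, the evening open that nobody logged, and the 13:15 form entry the lock never recorded.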

End of day checks-These definitely help cut down chances of leaving classified information out. I've seen end of day checks consisting of designated employees on a rotational duty to check the status of classified information before they leave.

Out of the box: Remember as the designated checker or last to leave, always ask "does anyone have any classified out?" as a reminder to lock it up before they leave. Another helpful reminder is to let the last person at work know that they are indeed the last person. Sometimes people don’t realize that they are the last ones at work and inadvertently leave classified information out, forget to lock the security container or even leave the coffee pot on.

Many times cleared employees may be tempted to perform work to check the block. End of day checks can be a mundane exercise or a conscious way to keep everyone safe and classified information secure. If you have any comments or suggestions of ways to think outside the box, feel free to provide them to editor@redbikepublishing.com



