Tuesday, April 23, 2013

NISPOM Practice Questions for FSO, ISP or SPeD Certification



1. When completing the Request for Visit, the anticipated level of classified information involved includes all of the following EXCEPT:
a. TOP SECRET
b. SECRET
c. REGISTERED
d. RESTRICTED
e. UNCLASSIFIED

2. Which of the following are considered a CSA?
a. Department of Defense
b. Central Intelligence Agency
c. Department of Energy
d. The Nuclear Regulatory Commission
e. All the above

3. AUTHORIZATION FOR RELEASE TO indicates:
a. Intelligence information that has been declassified
b. Intelligence information that can never be downgraded
c. Intelligence information that has been or can be disclosed to foreign nationals
d. Intelligence information that cannot be released to foreign nationals
e. None of the above

4. Which of the following actions are required before a prime contractor can release information to a subcontractor?
a. Determine security requirements of the contract
b. Ensure subcontractor has sufficient employees to safeguard classified information
c. Grant subcontractor necessary clearance
d. Evaluate closed area construction
e. Develop subcontractor access control requirements




All done? Scroll down for answers





1. When completing the Request for Visit, the anticipated level of classified information involved includes all of the following EXCEPT:
a. TOP SECRET
b. SECRET
c. REGISTERED (NISPOM Appendix B4)
d. RESTRICTED
e. UNCLASSIFIED

2. Which of the following are considered a CSA?
a. Department of Defense
b. Central Intelligence Agency
c. Department of Energy
d. The Nuclear Regulatory Commission
e. All the above (NISPOM 1-104a)

3. AUTHORIZATION FOR RELEASE TO indicates:
a. Intelligence information that has been declassified
b. Intelligence information that can never be downgraded
c. Intelligence information that has been or can be disclosed to foreign nationals (NISPOM 9-303e)
d. Intelligence information that cannot be released to foreign nationals
e. None of the above

4. Which of the following actions are required before a prime contractor can release information to a subcontractor?
a. Determine security requirements of the contract (NISPOM 7-101a)
b. Ensure subcontractor has sufficient employees to safeguard classified information
c. Grant subcontractor necessary clearance
d. Evaluate closed area construction
e. Develop subcontractor access control requirements


For more practice questions, see our practice guide @ www.redbikepublishing.com




Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Saturday, April 20, 2013

NISPOM Change 1-Derivative Classification Decisions

What has changed?
According to NISPOM Change 1, the cleared defense contractor has the responsibility to provide training for cleared employees who make derivative classification decisions. Where NISPOM used to state that training is the FSO’s responsibility, Change 1 omits the FSO as the responsible party and identifies only the contractor entity. Mere oversight or purposeful instruction?

This designation represents an important distinction. Now the FSO can strengthen their role in the enterprise and shift from administrator to leader. It is a great opportunity for the FSO to shift the training responsibility from performance to oversight.

Who should perform the training?
At a technical level, the derivative classification training is best provided by the subject matter experts actually performing on classified contracts, programs and projects.

For example, an experienced FSO or designated trainer with a strong security background may be the best choice for the initial security briefing. Initial security training covers the National Industrial Security Program and how to protect classified information in general. However, a security specialist or FSO may not be the best trainer, as they may not understand the intimate details of the contract requirements. In that setting, who is better able to train a derivative classification decision maker than the supervisor, chief engineer, program manager or other person performing the technical work?

Remember that NISPOM Change 1 identifies derivative information as …classification of information based on guidance, which may be either a source document or classification guide.

In essence, a derivative classifier is a cleared employee (engineer, program manager, technician, etc.) creating a document, end item, service or other function where they are performing based on a statement of work and DD Form 254, as instructed by the customer, and with classification guidance based on marked source documents or as provided in a security classification guide. This is a technical performance issue. If a cleared employee wears dual hats as a subject matter technical expert and FSO, they may be right for the training. However, if not, then the training could be the responsibility of the subject matter technical expert.

Why is this important?
The subject matter technical expert can give real-world technical examples as well as hands-on NISPOM training. This moves the training from a lecture to performance-oriented training, providing the cleared employee with a fantastic opportunity to understand what is required of them as a derivative classifier.

The FSO, in turn, could focus on documenting the training for both compliance and enhancement. Here are three recommended responsibilities by position to reflect NISPOM Change 1:

FSO responsibility:
  • Require from managers a list of cleared employees authorized to make derivative classification decisions. This list can also act as justification for clearances and as a baseline for future training.
  • Provide guidance to the subject matter experts to instruct identified cleared employees on the derivative classification responsibilities:
      • To identify themselves by name and position, or by personal identifier, on documents they derivatively classify.
      • To practice observing and respecting original classification decisions.
      • To carry forward the pertinent classification markings to any newly created documents.
      • To provide a listing of source material declassification instructions to reflect the longest period of classification among multiple sources as well as list the multiple sources.
      • To train derivative classifiers at least once every 2 years covering classification levels, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing.
      • To refrain from conducting derivative classification until they receive training.
  • Provide employees who make derivative classification decisions with access to relevant classification guidance.

Subject matter expert trainer responsibility:
Perform derivative classifier training for identified cleared employees that ties Change 1 requirements, as identified by the FSO, to classified contract performance standards. This training should include:
  • Demonstrate how to read, understand and apply original classification decisions to derived products, providing date or event of declassification and source materials.
  • Provide information on classification levels, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing as it relates to the classified contract or project.

Supervisor responsibility:
  • Quality control and discipline of employee requirements - Supervisors are responsible for team development, performance and accountability. Training and performance can be tied to annual reviews and salaries. They are clearly the ones that ensure employees are performing to standard. Leaders provide incentives and discipline measures.
  • Identification of derived classification - Supervisors set the standard. Where the FSO teaches the National Industrial Security Program policies and procedures, the leaders instruct how to identify what needs to be protected. Technical documents, statements of work, DD Forms 254, security classification guides and other instructions provide the reference. Technically proficient leaders know what to identify and how to do so and help employees understand their own responsibilities.
  • Marking of derivative classification - Once derivative information is identified, and training is conducted, supervisors can hold teams accountable for performance.
  • Training - Supervisors don’t have to give the training, but they can require and enforce training. Once completed, they ensure proper documentation is provided to the FSO.

Implementing a security program to protect classified information is the FSO’s responsibility. However, they don’t have to do everything themselves. The enterprise is built upon teamwork and there are plenty of capable people who can get the job done.



Wednesday, April 17, 2013

What FSOs can find in the new NISPOM Change 1

NISPOM With Change 1 Available at
www.RedBikePublishing.com

Well, it’s here, just this side of six years after the release: Change 1 to the National Industrial Security Program Operating Manual. Over the recent three years there have been draft versions of NISPOM submitted, reviewed and resubmitted, but for the most part the NISPOM has remained unchanged. A testimony to an efficient product or policy? Could be. Too many higher level executive order and policy changes? Maybe.

Though there has not been a major re-write or even revision, Change 1 does incorporate some important considerations, to include both domestic and international concerns. As programs and research efforts expand globally, facility security officers (FSOs) should know how to protect classified information in house and train cleared employees to do the same; this includes new markings and storage requirements.

The major revision is in NISPOM Chapter 4, Classification Markings, Paragraph 1, Derivative Classification. Primarily, changes clarify the definition of derivative classification, the process of derivative classification and the training required.

The definition of derivative information is now more concise:

Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information.

And later clarified in Paragraph 4-102b:

Derivative classification includes the classification of information based on guidance, which may be either a source document or classification guide. The duplication or reproduction of existing classified information is not derivative classification.

But to better understand derivative classification, let’s compare it with original classification; at least for a baseline definition. Original classification occurs when information meets classification criteria as described in Executive Order 13526, “Classified National Security Information”. Classification is usually considered as events, programs or missions develop. The product of original classification is a security classification guide, classification markings and the DD Form 254.

Derivative classified information occurs when information is used that has already been determined classified and is provided in a new product such as a report, item, or event. Information is already known to be classified. In this case a security classification guide or previously classified information is used to identify the existing classification level. The products of derivative classification are properly marked classified products.

A very simplistic way for contractors to apply this is to remember that contractors carry over classification markings on existing classified information. It’s the federal government’s responsibility to assign original classification. That means appointing an original classification authority to determine classification levels where none have previously existed.

Another timely clarification is that duplicating classified information by any means is not derivative classification. It’s just copying and creating another of the same. A new product or application using existing classification fits the description.

  • Writing a document using classified information from other classified sources; derivative
  • Using classified specs identified in an SCG to create a product; derivative
  • A person in a designated government position determining classification levels based on criteria in EO 13526; original
  • Making copies of a classified document; copying


This clarification in NISPOM is necessary and just what FSOs need to complete their education and perform better under the NISP. Understanding roles and limitations leads to more informed cleared employees and a security program to provide excellent protection to classified information.

The new NISPOM with Change 1, March 28, 2013 is available at Red Bike Publishing. See it here. For more information on training cleared employees and working classified contracts see DoD Security Clearance and Contracts Guidebook.






Friday, April 5, 2013

What Happens When Security Clearances are Denied

When an employee or potential employee is considered for a security clearance, the employer or sponsor requests a security clearance investigation. An investigation is performed to look into a person’s past and present to gather information. This information is evaluated to determine if the subject can be entrusted with sensitive information. CONFIDENTIAL and SECRET security clearances result from favorable determinations based on a National Agency Check with Law and Credit investigation; for TOP SECRET, the determination is based on the Single Scope Background Investigation.

The security clearance request process is finalized during the adjudication period. Here, decisions are made whether or not to grant a clearance based on investigation results as related to the whole person concept and in the best interest of national security. The adjudicator evaluates results to determine whether or not an applicant is suited to protect classified information.

There are 13 categories of behavior that could prevent a person from getting a clearance or prevent the continuance of a current clearance. Simply, the adjudicator evaluates the investigation results and makes a decision. If there are indications that it is NOT in the best interest of national security to grant a clearance, then a clearance will be denied or revoked.
Sometimes mistakes happen and investigations don’t provide a complete “whole person” profile. So, what can a person do when they have been denied a security clearance or have had one revoked?

Executive Order 10865 provides a process that allows an employee the opportunity to appeal or turn around an unfavorable security clearance adjudication. Where there was no earlier process or consistency in policy, this order provided standards for addressing security clearance denials or revocations.

Going back to the decision making stage, the adjudicator reviews the investigation and focuses on thirteen criteria. The goal is to determine whether or not an applicant can be trusted to adequately protect classified information. Here are the 13 topics:
  1. Allegiance to the United States
  2. Foreign influence
  3. Foreign preference
  4. Sexual behavior
  5. Personal conduct
  6. Financial considerations
  7. Alcohol consumption
  8. Drug involvement
  9. Emotional, mental, and personality disorders
  10. Criminal conduct
  11. Security violations
  12. Outside activities
  13. Misuse of Information Technology Systems

The adjudicator will consider the whole person concept. In other words, if the subject has violated one or more of the criteria, they may still be able to get their clearance. The adjudicator considers all mitigating circumstances before making a final decision. The circumstances include the following and are compared to each of the 13 topics:

  • The nature, extent, and seriousness of the conduct
  • The circumstances surrounding the conduct, to include knowledgeable participation
  • The frequency and the time elapsed since the conduct
  • The individual's age and maturity at the time of the conduct
  • The willingness to participate

So, what happens when the adjudicator considers all available information and denies or revokes a clearance?
The applicant can appeal. Perhaps not all the information was provided, the investigation missed some mitigating circumstances, the applicant did not provide enough information, or another oversight or omission occurred. If so, the applicant has another chance to present their case.

The process allows the applicant to go to court or have an administrative judge make a decision. In both cases, the adjudicator and applicant can present their cases for a judge’s decision. The judge will make a determination based on what is best for national security.

For those currently holding clearances, undergoing investigations or considering working in an industry where background investigations are conducted, act accordingly. If it is necessary to explain or mitigate questionable past or current behavior, gather information, witnesses and evidence that will support a decision to grant the clearance. The final decision will be made in the interest of national security, and the applicant can influence that decision.






Thursday, April 4, 2013

7 Ways to Establish and Protect Restricted Areas


Currently, there are a little over 13,000 cleared defense contractor facilities supporting classified contracts. These contracts range from services to providing products. Some perform security clearance and classified contracts work at the contractor location and others at customer locations. Some are authorized to store classified material at their locations, while others perform classified work elsewhere. Each cleared defense contractor is as unique as the statement of work and Contract Security Classification Specification (DD Form 254) requirements. What doesn’t change is the requirement to protect classified information while performing.

Many large and well-known cleared facilities have centralized document control areas, open storage, rooms cleared for classified conversations, and large areas built especially for working on classified projects. In other words, their entire budget, success and capabilities are supported by infrastructure dedicated to performing on specific classified work.

Others do not have the space or budget to devote entire rooms to specific projects. How do they get their work done? Through the use of designated areas. Unlike dedicated areas, a designated area can serve many purposes and the National Industrial Security Program Operating Manual (NISPOM) refers to these workplaces as Restricted areas.

Restricted areas can be a conference room, closet, office or other place temporarily converted to classified use. Classified work is introduced and the room is restricted to those with security clearance and need to know. Once the work is complete and classified information is removed, it can go back to being a snack room, break area or office.

Here are some characteristics of a Restricted Area:
  • Clearly identifiable when in use (non-authorized users are warned about controls)
  • Access controls are established and authorized employees challenge all who enter to ensure clearance and need to know
  • Physical barriers are not always needed, but some method of preventing classified conversation, objects, information and other products from unauthorized disclosure should be implemented
  • Restricted areas are for temporary use of classified material and all classified material needs to be returned to the repository
  • Restricted areas are used when controlling access to classified material in a large area
  • Only used during working hours


When establishing a Restricted Area, cleared employees should understand that while they are in control of classified information, they are responsible for determining classification and need to know. This means not only providing it to authorized persons, but keeping it away from accidental and intentional unauthorized disclosure. Here are 7 ways to make sure:

  1. Ensure cleared employees have access to the security classification guides so that they understand what is classified and how to protect it
  2. Develop a technology control plan to protect ITAR and export controlled technical data from unauthorized export to any non-U.S. person employees and visitors
  3. The same technology control plan could be adapted for use as a classified information control plan to keep uncleared and non-need-to-know employees from exposure to program information
  4. Brief cleared and uncleared employees on their responsibilities under the technology and classified information control plans
  5. Establish access controls to protect information when work is being conducted
  6. Use a document control or accountability system to track the use of classified information. Though it’s not required, it’s a good idea to use a system of signing out and returning classified information to the repository.
  7. At the end of the day, sweep the Restricted Area and ensure all classified information has been removed. Check the document records to ensure it has been turned in, check the Security Container Check Sheet to ensure the safe is closed, and complete end-of-day checks.


These 7 steps can be applied to protecting ITAR controlled, classified and proprietary information.

Establishing Restricted Areas assists with answering the challenge of working with limited resources. It’s not necessary to spend exorbitant amounts of money or tie up space full time to meet temporary work requirements. When done correctly, Restricted Areas make it possible to meet classified contract requirements without breaking the budget.

For more information on performing on classified contracts, establishing restricted areas and protecting ITAR controlled technical data, see our book DoD Security Clearance and Contracts Guidebook.



