Tuesday, July 23, 2013

An Elite Club: The Special Access Program


As published by clearancejobs.com 
http://news.clearancejobs.com/2013/04/04/an-elite-club-the-special-access-program/

A Special Access Program (SAP) is established to control access and distribution and to provide protection for sensitive classified information beyond that normally required. This is a high state of enforced need-to-know, and only a minimum number of cleared employees are given access to SAP information. For example, those with SAP access have clearances at the SECRET and TOP SECRET levels. Conversely, not all those cleared for SECRET and TOP SECRET have access to SAP information.

An authority grants access to SAPs based on need-to-know and eligibility for SECRET, TOP SECRET or SCI security clearances. What makes SAP access unique is the need-to-know. To better understand the concept, consider school clubs. Schools provide opportunities for exceptional students to join any number of available clubs including running, robotics, chess, and debate. Though these clubs are unique in themselves, they have one determining and similar qualification: membership is open only to those enrolled in the particular school.

Not all children can attend the school of their choice. Instead, they must meet fundamental requirements such as being zoned for that school, passing tests and continuing to be promoted to the next grade. Once vetted, student body members are eligible for invitation into a club meeting their skills and qualifications. It isn’t until someone approves their entry into an organization above and beyond the school’s primary function that they obtain that access.
These students are then scouted for certain abilities based on records already established from enrollment into the school system. After meeting some simple pre-requisites, they become part of the club and have access to meetings, events and projects occurring during normally-scheduled class time.

Similarly, the National Industrial Security Program Operating Manual (NISPOM) states that SAP access is a determination made by the granting authority (club sponsor). In other words, all employees cleared to the SECRET and TOP SECRET levels are fundamentally eligible for SAP access. All they need is an invitation by someone who has determined their need-to-know.

Suitability and loyalty are the most predominant criteria – and for good reason. Those with SAP access are entrusted with protecting highly sensitive information. So, candidates who are proven suitable and loyal are then:

1. Nominated by someone with need to know;

2. In possession of or processed for a SECRET or TOP SECRET security clearance with investigation completed within the last 5 years;

3. Awarded a favorable clearance adjudication based on the current Standard Form 86 (SF-86), “Questionnaire for National Security Positions”, submitted within the past 12 months. If the SF-86 is older than 12 months, it can either be updated using the original form or a current SF 86C, “Standard Form 86 Certification” (sometimes a pen and ink change is sufficient, so keep those completed SF 86s in a safe place; you may need them again);

4. Set up to take a random CI-scope polygraph examination, if required;

5. Required to sign a DoD-approved SAP program indoctrination and non-disclosure agreement. This agreement ensures the applicant:

· Accepts all obligations of protecting classified information;

· Acknowledges receipt of security indoctrination. The indoctrination highlights current and future obligations and the enforcement of access and need to know;

· Is advised of implications to national security in the event of unauthorized disclosure, unauthorized retention, or negligent handling of SAP information to those without access and need to know;

· Submits all writings for security review if they contain any SAP information or descriptions of activities related to SAP information. In that case, the US Government responds to submission of material within a reasonable time, not to exceed 30 working days from date of receipt;

· Understands that personal repercussions for breaches of the agreement can result in termination of access, removal from a position of special confidence and trust and that the United States has the right to prosecute for any statutory violation;

· Accepts that all information based on access will remain the property of the United States Government; and

· Understands that all conditions and obligations imposed by the Agreement apply when access is granted and for all time afterward.

So, what about those without a clearance? If an uncleared employee possesses skills that can be useful on a SAP, they can be provided access. This begins with the successful adjudication of a clearance based on the described background investigation. This is completely up to the granting authority. Additionally, it is possible for cleared employees with interim clearances and even foreign nationals to be granted SAP access based on the needs of the program and the granting authority.

The SAP access determination isn’t very hard to understand if you keep it in perspective. There are no additional investigations needed beyond what is required for SECRET, TOP SECRET and Sensitive Compartmented Information. This is the result of reciprocal investigation requirements established by executive orders. Once cleared, a validated need to know is the final requirement.

Just keep the example of the school club in mind. Not everyone in school can become part of the club. Though only those attending that school are eligible, not all students can become members. Membership is open only to those who have expressed aptitude and interest; they are then vetted into the organization. Similarly, to have access to SAP information a candidate must have an investigation adjudicated for SECRET and TOP SECRET clearances. But not all employees cleared to those levels will have access, only those who are invited and allowed by the granting authority.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Sunday, July 21, 2013

The Top Secret Control Official and the FSO

Certain topics should be provided during TOP SECRET (TS) Personnel Security Clearance (PCL) initial security briefings and annual follow up training to complete the holder’s education. After all, the higher certification lends to tougher standards and more accountability. Full and complete training will enhance national security by empowering the holder to protect information appropriately.
Clearance
A Single Scope Background Investigation (SSBI) is necessary to ensure an employee is trustworthy and can be awarded a TOP SECRET Clearance. The SSBI investigates a subject’s periods of employment, residences and education institutions attended. Other areas subject to investigation include searching criminal and financial records. The investigators may contact those with social and professional knowledge of the applicant, and divorced spouses.
Access
Though the SSBI for the final TOP SECRET clearance will take up to a year or longer, employees with a clean record can still have access to TOP SECRET information. This is made possible through a temporary or interim clearance as long as there is no immediate evidence of adverse information. The interim TOP SECRET clearance is the approval allowing the employee to have access to TOP SECRET information, Restricted Data, NATO Information, and Communication Security information at the SECRET and CONFIDENTIAL level. Access to compartmentalized and program information is an altogether different process based on the SSBI, but final access determination is made by the granting authority.
Markings
A designated original classification authority (OCA) makes classification determinations based on demonstration of the level of damage to national security per guidelines found in Executive Order 13526, Classified National Security Information. The OCA classifies information meeting requirements as CONFIDENTIAL, SECRET or TOP SECRET, depending on whether potential impact of compromise is rated as: damage, severe damage or extremely grave damage in that order.
Classified information should be conspicuously marked on the top and bottom of object surface areas. For documents, they should be applied to the top and bottom of each page, on portions, graphs, illustrations and photographs. Markings include not only the classification level, but also the CLASSIFIED BY: information lines. Coversheets should be applied when removed from storage. Hardware labels should be color coded to indicate classification level; orange for TOP SECRET, red for SECRET, blue for CONFIDENTIAL, and green for UNCLASSIFIED.
Countermeasures
Since the unauthorized disclosure of TOP SECRET information could cause extremely grave damage to national security, the National Industrial Security Program Operating Manual (NISPOM), DoD Manual 5200.01 and other applicable agency regulations require users to implement more stringent countermeasures. These include denying access through accountability, infrastructure and information assurance. These countermeasures are applied as long as the information remains at the TS level or until downgraded, declassified or destroyed.

Accountability
Cleared contractors that are granted a TS Facility Clearance (FCL) and are authorized to maintain a TS inventory are required to appoint a TOP SECRET control official (TSCO).  All transactions involving TS require access and accountability records. This requirement is for the lifecycle of the TS information and includes reception, transmission, destruction and storage.  Additionally, the contractor is required to perform an annual accountability inventory unless a waiver for the requirement is on file.
For example, all TOP SECRET information and material is documented by numbering them in a series. This allows the contractor and owner of the classified information to know exactly how many there are and what to look for during inventory. Any incoming material, copies generated or faxes transmitted are documented with the number and accounted for by the TOP SECRET control official using the numbering and a continuous receipt system.  
Receipt
All classified material should be delivered only to the persons authorized for receipt. In the case of TOP SECRET material, that person is the TSCO. Cleared contractors should implement practices that ensure that classified material, regardless of delivery method, is received directly by authorized personnel. Once received, the receiver should examine the classified information for evidence of tampering and compare the contents with the receipt. Once received and inspection completed, the TSCO will sign and return the receipts to the sender, closing out the sender’s requirements to account for that TOP SECRET item.
Storage
After documenting the TOP SECRET material’s arrival, the TSCO is responsible for safeguarding it in a GSA-approved security container, an approved vault, or an approved closed area with supplemental controls. These controls include:
a. Intrusion Detection Systems as described in the NISPOM Chapter 5, Section 9 (rather lengthy, so study up). Tamper alarms are necessary for TOP SECRET storage.
b. Cleared contractors with security guards approved as supplemental protection prior to January 1, 1995, can continue to use them. In that case, they are required to patrol every 2 hours for TOP SECRET.
c. In some cases the supplemental controls may not be required. For example, where the CSA determines that the GSA approved security containers and approved vaults are in facilities with security in depth and they are secured with a locking mechanism meeting Federal Specification FF-L-2740.
TOP SECRET Transmission Outside a Facility. The cleared contractor is not authorized to transmit any TOP SECRET material outside of the cleared facility. Only the government contracting activity that provided authorization to work with the TOP SECRET material can authorize the transmission with written permission. Employees should always go through the Facility Security Officer and TSCO before attempting to transmit any TOP SECRET material, for two reasons: to ensure written authorization is on hand, and to account for the status of all existing or to be reproduced TOP SECRET material. When written authorization is provided, TOP SECRET material may be transmitted by the following methods within and directly between the United States and its territorial areas.
a. The Defense Courier Service.
b. A designated courier or escort cleared for access to TOP SECRET information.
c. By electrical means over government cognizant security agency-approved secured communications security circuits that meet NISPOM standards, the telecommunications security provisions of the contract, or as otherwise authorized by the government contracting activity.
Transmission of TOP SECRET material outside the United States and its territorial areas can be accomplished with the Defense Courier Service, Department of State Courier System, or a courier service authorized by the government contracting activity.
Reproduction
The TSCO should be involved with any activity involving TOP SECRET material including reproduction. Again, not only will they ensure that it is authorized and/or contract related, but they will assign the control number for the new document and account and receipt all activities including its creation, storage, transmission or destruction.  These records should be maintained for at least two years.
Retention
According to the NISPOM, cleared contractors can usually retain contract related classified material for a period of 2 years after completion of the contract unless otherwise directed by the government contracting activity. But what if the classified material is still needed beyond that time? The contractor should ask for and receive written authorization identifying the classified information they wish to retain. TOP SECRET material is requested in a list of specific documents or if permitted by the government contracting activity, by subject matter and approximate number of documents.
Destruction Records.
As with other lifecycle activities concerning TOP SECRET material, destruction should be documented in a receipt and with a clear indication of what material was destroyed, by whom, the date, and signed by the individual and witness. These destruction receipts should be on hand for two years. The TSCO and those authorized to destroy the material are required to know, through their personal knowledge, that such material was destroyed.  
There are many responsibilities required of those in charge of classified information. Make sure you know what those responsibilities are. Failure to follow guidelines and national security policy could cause your company to lose contracts. Excelling in security responsibilities leads to award winning performance. For career and performance enhancement ideas, visit www.redbikepublishing.com







Monday, July 8, 2013

Try These ISP Certification Practice Questions from NISPOM

1. When requesting the retention of CONFIDENTIAL material beyond two years, the contractor can identify it by approximate number of documents and ____.
a. General subject matter
b. Author’s name
c. Media type
d. Title
e. Date of creation
2. Pulverizing may only be used to destroy these kinds of products.
a. Paper
b. Metal
c. Plastic
d. Rubber
e. Computer
3. Which cleared employee, identified by position, ensures that IS security education is developed and presented?
a. CSA
b. GCA
c. FSO
d. ISSM
e. FBI
4. The Director of National Intelligence prescribes the sections of NISPOM that address _____ and _____ including _____.
a. Operations, intelligence sources, procurement
b. Intelligence sources, methods, SCI
c. SAP, Intelligence sources, means
d. Organization, classification, procurement







Scroll down to see how you did...



1. When requesting the retention of CONFIDENTIAL material beyond two years, the contractor can identify it by approximate number of documents and ____.
a. General subject matter (NISPOM 5-701a2)
b. Author’s name
c. Media type
d. Title
e. Date of creation

2. Pulverizing may only be used to destroy these kinds of products.
a. Paper (NISPOM 5-705)
b. Metal
c. Plastic
d. Rubber
e. Computer

3. Which cleared employee, identified by position, ensures that IS security education is developed and presented?
a. CSA
b. GCA
c. FSO
d. ISSM (NISPOM 8-103)
e. FBI

4. The Director of National Intelligence prescribes the sections of NISPOM that address _____ and _____ including _____.
a. Operations, intelligence sources, procurement
b. Intelligence sources, methods, SCI (NISPOM 1-101b)
c. SAP, Intelligence sources, means
d. Organization, classification, procurement



THE BOOK THAT STARTED INDUSTRIAL SECURITY PROFESSIONALS STUDYING

Whether protecting classified information at a cleared defense contractor facility or federal agency, Red Bike Publishing’s Guide to ISP Certification-The Industrial Security Professional is for you. If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice.

First, to meet minimum test requirements an applicant should have five years' experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study this book to practice, practice, and practice. It can help you prepare for the test.

Using practice tests to augment your ISP exam preparation will help. This book is the only one featuring four complete test length practice exams available for the ISP Certification.

It teaches insightful study tips designed to show you how to: form study groups, network, seek out opportunities, learn your way around the NISPOM and includes four exam length practice tests. According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Again, this is the most important resource offering the largest volume and most comprehensive study questions available.




How to Prepare Your Company for Security Clearances

As published by clearancejobs.com

Defense contractors provide goods and services while performing on government contracts. They are also designated by their identifying Commercial and Government Entity (CAGE) Codes. Besides having a sought after skill, service or product, defense contractors can also perform on classified and unclassified contracts. This article discusses classified contracts and how defense contractor enterprises are granted security clearances.

A facility security clearance (FCL) is provided to a defense contractor as a result of a contract requiring performance on a classified effort. Though the contractor does not have to possess an FCL prior to bidding on a contract, it is necessary to perform on the classified effort. A defense contractor can bid on and win the contract as long as they are eligible to apply for and receive the FCL. Once they win the contract, the awarding activity provides justification for the security clearance.

A defense contractor is not able to request its own security clearance in preparation for classified work, in anticipation of classified work, or to make the enterprise more marketable; there is just no system in place for that process. Responsible classification management begins with justification of the security clearance for facilities and employees. If a defense contractor is required to perform on a classified contract, the Government Contracting Activity (GCA) or prime contractor provides the request. After the GCA or prime contractor submits the sponsorship letter, the contractor can begin the process of applying for the clearance.

Once sponsored, the DSS, GCA and contractor work together to meet the following security clearance request requirements:

  • CAGE Code 
  • Sign Department of Defense Security Agreement
  • Complete a Certificate Pertaining to Foreign Interests
  • Provide Organization Credentials
  • Identify Key Management Personnel clearances


Department of Defense Security Agreement (DD Form 441) is a security agreement between the US Government and defense contractor and documents each party’s responsibilities for protecting classified information.

The contractor agrees to implement and enforce the security controls necessary to prevent unauthorized disclosure of classified information in accordance with the National Industrial Security Program Operating Manual (NISPOM). The contractor also agrees to provide classified information only to those possessing need to know and a valid security clearance.

The U.S. Government agrees to provide facility and personnel security clearances to the defense contractor. They will also notify the cleared contractor of the security classification level assigned to classified information. The government also agrees to not over classify material, to notify the contractor of any changes in the classification level and to instruct the contractor on the proper handling, storage and disposition of classified material. The Government will also assess the contractor’s ability to protect classified material. For the DoD, this is done through an audit or review performed by Defense Security Services (DSS).

The DD Form 441 is a requirement prior to a defense contractor getting their facility security clearance. Once complete and approved, the form is maintained at both the contractor location and DSS and is subject to DSS review. The agreement is legally binding and designates responsibilities of each party to follow procedures established by NISPOM.

Certificate Pertaining to Foreign Interests (SF 328)-Cleared contractors are evaluated to determine whether or not they fall under Foreign Ownership Control or Influence (FOCI) and to what degree. The primary concern is always protecting classified information from unauthorized disclosure. As with determining the amount of control a company officer or board member has over classified contracts, the same holds true of foreign entities with which a company may become involved.

In today’s changing world it is not unusual for a cleared company to be involved with international business. If a contractor falls under FOCI, DSS will work with the GCA to evaluate the contractor’s ability to mitigate the extent of foreign influence concerning classified information and approve, deny or revoke the FCL.

Organization-The enterprise must be in good business standing and have a history of demonstrating a good reputation and ethical business practices. The company should prove that it is structured as a legal entity under the laws of the United States, the District of Columbia or Puerto Rico and has a physical location in the United States or territories. DSS uses this information to better determine how the company is structured and which positions are capable of influencing classified processing. Required information includes the following as applicable to the type of business: Articles of Incorporation, Stock Records, Minutes of Board Meetings, and Corporate by-laws; Federal Tax ID Number; and reports filed with the Securities Exchange Commission. More information may be requested.

Key Management Personnel (KMP)-These are management or senior leaders who influence decisions regarding classified contracts. KMPs can be members of the board of directors, vice-presidents, directors or other upper level managers. Also, neither the company nor key managers can be barred from participating in U.S. Government contracts. The minimum security clearances required are for those holding senior officer and Facility Security Officer positions.

The FCL is also tied to the personnel security clearance (PCL) process. A company cannot have an FCL unless key employees are eligible for a PCL. Subsequently, PCLs cannot be granted without the FCL. The Key Management Personnel are required to have clearances for the FCL, with the remainder of employees requested as needed.

For more information, see the DSS website for the security clearance checklist and starter package http://www.dss.mil/isp/fac_clear/fac_clear_check.html





Thursday, July 4, 2013

NISPOM Derivative Classifier Training


Derivative classification is a required training event. Defense contractors who use classified source material to generate a new product perform derivative classification. According to the National Industrial Security Program Operating Manual (NISPOM) all derivative classifiers must receive this training every two years.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information. Derivative classification includes the classification of information based on guidance, which may be either a source document or classification guide.

Derivative decisions are made through:
Incorporating-Programs that assemble classified parts or use integration of classified processes assemble those already classified parts into a new classified product. This product’s classification level is derived from the incorporation of those classified parts.
Restating-A cleared defense contractor who takes analyzed data and writes it in a way for lay people to understand the performance is performing derivative classification. According to XXX SCG, the analyzed data is classified. The classification markings are carried over to the presentation or paper.
Paraphrasing-A researcher analyzes classified reports from three sources to create a consolidated report as part of a contractual requirement. Instead of copying the report word for word, they shorten it, documenting only the relevant facts.
Generating-Using classification instructions (SCG, DD Form 254, contract) as part of the process to build a classified product. This could be an end item, a report, test results, etc. The newly classified item is derived from instructions identifying classified characteristics, processes, parts or information.
Why is this training important?
Change 1 to the National Industrial Security Program Operating Manual (NISPOM) outlines requirements for derivative classification. Where the original classification authority receives training on the same topics annually, NISPOM requires derivative classification training at least once every two years. According to NISPOM, derivative classifiers should be trained … in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years … not authorized to conduct derivative classification until they receive such training.
Here’s the important part: no training, no work. Proper training and documentation is the difference between performing on classified work and not being able to meet contractual requirements.

What you’ll receive:
Over 40 slides with required training topics
Notes pages to read while presenting
Comprehensive quiz
Printable certificate for recording names and training event
Does your business have time to focus on training requirements?

Defense contractors and cleared contractors with one to a few hundred employees may have FSOs designated in addition to regular duties. COOs, engineers, CFOs, HR and other professionals don’t have time to create and execute training while performing on contract.

That’s where Red Bike Publishing can help.

An FSO can spend several hours designing training. At $35.00 per manager work hour, that could end up costing at least $150.00, not including the costs associated with bringing the FSO off a contract to perform out of scope work. Our low cost, high value training package allows you to concentrate on your core competencies while we provide your required training. Our NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training. Just download our slides and lead the discussion; the notes are already filled out and ready to read.

NISPOM Training $49.95




FSOs have a huge responsibility to protect classified information. As such, these FSOs may be owners, engineers, human resources or appointed employees with other additional duties. If you are an appointed FSO with other duties, you might be just too involved running your company to create a training program.


Red Bike Publishing can help. We’ve created an easy to use presentation that you can download and deliver. Notes are available straight from the NISPOM. You can read them word for word or you can tailor the presentation to meet your organizational needs. Once complete, you’ll meet the National Industrial Security Program (NISPOM) and Defense Security Services (DSS) training requirements.


NISPOM Derivative Classifier Training


When you invest with this training program you will receive a link for the main presentation. Topics include NISPOM requirements:

Classification Level
Duration Of Classification
Identification And Markings
Classification Prohibitions And Limitations
Sanctions
Classification Challenges
Security Classification Guides (SCG)
Information Sharing


$49.95





You focus on core competencies while we focus on ours
Cleared contractors have to follow NISPOM requirements to keep their security clearances. They have to keep their security clearances to perform on classified contracts. Wouldn’t it be nice to be able to let someone else take care of your training needs?
Again, the training you download addresses NISPOM required topics. All you have to do is deliver to cleared employees. You can read it word for word, tailor the information for your mission, or simply let employees read the presentation themselves. It’s that easy.
If you would like more information about NISPOM training send an email to editor@redbikepublishing.com with your first name and email address.
Properly documented training is needed and this training meets the requirements.
Order yours now and keep your employees working.


