Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. There are over 12,000 cleared defense contractors, and a majority of those don't have a security staff. We hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Tuesday, October 22, 2013
Try these ISP Certification Test Questions
1. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL1?
a. Trans 1
b. Trans 2
c. Trans 3, 4
d. Trans 5
e. Trans 6
2. Which entity is required to review and revise Contract Security Classification Specification when change occurs?
a. CSO
b. GCA
c. CSA
d. FSO
e. GSA
3. Which are appropriate page markings for a document classified at the SECRET level?
a. SECRET, TOP SECRET, SENSITIVE, CONFIDENTIAL
b. CONFIDENTIAL, SECRET, UNCLASSIFIED
c. CONFIDENTIAL, FOUO, TOP SECRET
d. UNCLASSIFIED, FOUO, SENSITIVE
e. All the above
Scroll down for answers
1. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL1?
a. Trans 1 (NISPOM Chapter 8 Table 5)
b. Trans 2
c. Trans 3, 4
d. Trans 5
e. Trans 6
2. Which entity is required to review and revise Contract Security Classification Specification when change occurs?
a. CSO
b. GCA (NISPOM 4-103b)
c. CSA
d. FSO
e. GSA
3. Which are appropriate page markings for a document classified at the SECRET level?
a. SECRET, TOP SECRET, SENSITIVE, CONFIDENTIAL
b. CONFIDENTIAL, SECRET, UNCLASSIFIED (NISPOM 4-204)
c. CONFIDENTIAL, FOUO, TOP SECRET
d. UNCLASSIFIED, FOUO, SENSITIVE
e. All the above
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".
Wednesday, October 16, 2013
New ITAR Guidelines
The unofficial ITAR has been updated. The three affected parts are Part 120, Part 123 and Part 126. Some of the changes include paragraphs that were formerly categorized as "reserved". The changes equal 20 additional pages to a 5 x 6 book publication of the ITAR. That's pretty significant. In fact, Part 126.16 is one such paragraph: formerly marked as "reserved", it is now filled with 5500 words of text.
Let's take a look at the exemption to the Defense Trade Cooperation Treaty between the United States and Australia. This paragraph defines transfer, export, retransfer, reexport, Australian Community, United States Community and other relevant terms. It also explains which exports qualify for licensing exemptions. Though the information addresses transfer of export controlled items between the US and Australia, this article is written to provide a rule of thumb in handling all cases of export controlled information, articles and services.
Paragraph 126.16 also addresses the export of Defense Articles both classified and unclassified. For example, it reminds us that "U.S.-origin classified defense articles or defense services may be exported only pursuant to a written request, directive, or contract from the U.S. Department of Defense that provides for the export of the classified defense article(s) or defense service(s)."
Paragraph 126.16 j. further identifies the required markings based on the classification level of the export and refers to the National Industrial Security Program Operating Manual (NISPOM).
The lesson here is for government and contractors to properly identify defense articles and information, proprietary data, classified information and technical data, and where each resides. Without proper identification and protection, an unauthorized export could occur. The unauthorized activity could be mistakenly exporting an item as exempt from licensing where a license is actually required. Another example would be providing export controlled information in a briefing when non-US persons should be excluded from that briefing, and so on.
To prevent unauthorized exports, follow this simple rule of thumb. The government identifies and properly marks the information as government owned, controlled, for official use only, critical technology, etc. The contractor is bound to heed the protection requirements. This includes contract sensitive, research and development, plans, drawings and other government program items. The contractor must also identify customer furnished equipment and treat any contract related items, by-products, etc. with the same level of sensitivity as identified by the government and other contractors.
The next step would be selecting countermeasures, such as marking the items, limiting access to US persons, or even enforcing need to know, to limit any chance of unauthorized export, "deemed" or otherwise. Confusion over whether or not something is exportable, whether or not a license is required or the items are exempt, is eliminated when employees can easily identify what is export controlled.
For a printed copy of ITAR and the NISPOM, visit www.redbikepublishing.com
Thursday, October 10, 2013
The Standard Form (SF) 312 is revised
In July 2013 the SF 312, Classified Information Nondisclosure Agreement, was updated to reflect language from the 2011 Public Law 112-74, Financial Services and General Government Appropriations Act, and the 2012 Public Law 112-199, Whistleblower Protection Enhancement Act (WPEA).
The WPEA (law) lays out protections for those employees who report instances of fraud, waste and abuse, and the language is being added to many forms, including non-disclosure agreements. Cleared employees are required to report adverse information concerning themselves and other cleared employees. This adverse information is anything that would question a person’s loyalty and ability to protect classified material. Additionally, cleared employees should report any information concerning changes in protective measures at a cleared facility that would indicate classified information would not be adequately protected as originally intended.
So, why is the WPEA language included?
Reporting adverse information is a requirement of all cleared employees who observe questionable practices concerning an employee’s ability to protect classified information. Though a daunting task, reporting this information is an expectation levied on cleared employees. Adverse information reporting is part of the continuous evaluation process and is used to determine whether or not a cleared person can still be trusted with access to classified information.
The WPEA language might seem out of scope for a document requiring the continuous protection of classified information. However, this language is not a warning to employees reminding them of an obligation, but a legal requirement for employers to protect employees who report instances of fraud, waste and abuse. This reporting applies to derivative information reporting, classification challenges, etc. Fraud, waste and abuse issues can be reported on processes, machinery, costs, etc. used within a national security structure. An employee can better report what might be classified information concerning fraud, waste and abuse within the classified channels. Without this language, an employee may not know how to report such instances.
So now what?
Include this language while providing NISPOM training. Train your employees on the SF 312, security awareness, security refresher and other training. Need ideas? Check this out.
The revised SF 312 dated 7-2013 is posted in the General Services Administration (GSA) forms library on their website and can be directly downloaded here. There is no requirement to re-sign and execute a new SF 312; previously executed forms are still valid.
marcus evans ITAR Compliance WEST Conference
Executives from the Aerospace, Defense, Satellite and Similar Industries to Share Best Practices and Lessons Learned at the marcus evans ITAR Compliance WEST Conference
Navigating the Complexities of the Changing Compliance Structure through Improved Operational Communication, Language Interpretation and Jurisdictional Understanding
San Diego, CA – September 27, 2013 – marcus evans, the world’s largest event management group, will host the ITAR Compliance WEST Conference, November 18-20, 2013 in San Diego, CA. Executives across the Aerospace, Defense, Satellite and similar industries will share their thoughts and practices for compliance with the ever-evolving export regulations. DRS Technologies, Raytheon, Northrop Grumman, Virgin Galactic, Lockheed Martin Space Systems Company, Maxim Integrated and many others will be discussing their challenges and efforts with past and upcoming reform efforts.
October 15, 2013, new rules are expected to go into effect changing the current status of exports. Positive steps have been made to increase efficiency and ease the impact of these recent and ever changing regulations and the marcus evans ITAR Compliance WEST Conference will tackle the latest obstacles and pressing issues in the industry while highlighting how organizations stay competitive in today’s global atmosphere.
Attending this marcus evans conference will enable executives to:
- Manage the transition from ITAR to EAR and review recent changes to the Export Control Reform Initiative
- Develop new compliance structure methods and data sharing techniques
- Grasp new definitions and language found in the recently released regulations
- Review prior violations and corrections and identify best practices
- Explore upcoming regulation releases and what the future holds for ITAR Compliance
For more information on this conference or to get a complete list of speakers or sessions, please visit http://www.marcusevans-conferences-northamerican.com/ICW2013_PRelease or email Tyler Kelch, Media & PR Coordinator, tylerke@marcusevansch.com.
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.
Wednesday, October 2, 2013
How to get ready for the DSS Inspection
As mentioned in an earlier article, NISPOM Change 1 requires Derivative Classification Training and Record Keeping Guidance. This guidance requires that the cleared contractor provide cleared personnel with initial Derivative Classification Training and follow-up training at least once every 2 years. The training topics are vital to the cleared contractor performing on classified contracts. Properly trained employees reduce the risk of unauthorized disclosure of classified information.
Currently, this training can be put in place at the cleared contractor’s initiative. The sooner training is implemented, the better. The Defense Security Service (DSS) will be publishing an Industrial Security Letter (ISL) that provides instruction for conducting training, including a “trained by” date to meet the requirements of the recent NISPOM changes. Why not begin the training now and be prepared for success before DSS gives the deadline for conducting training? Remember, if not trained, cleared employees cannot perform on classified work requiring derivative classification. That’s a lot of missed.
Remember that DSS is in the business of auditing. They are more than capable of helping a company succeed with good training and working relationships, but they are just as equipped to find security violations. Failure to protect classified information is a security violation. Failures are often caused by mismarked materials.
For example, after reviewing requirements of a DD Form 254 and statement of work, the industrial security representative discovers that derivative classification work has been occurring since the contract award a year prior. However, training records indicate that the derivative classification training had only been conducted in the last two weeks (while preparing for the inspection). It wouldn’t be hard to deduce that there is a possible security violation and perhaps a review of classified inventory is in order.
So, how can you prepare to meet this challenge?
Cleared contractors can refer to NISPOM paragraph 4-102 and develop training based on the directed subjects. Document that training and schedule follow-up training in two years. A good practice is to provide a copy of the training with training signatures or certificates. That way DSS can determine who was trained and whether or not the derivative classification training conformed to NISPOM Change 1.
No time to write training?
You can find training through professional organizations, at the DSS website or here.