Monday, February 24, 2014

How to study for the ISP Certification using the Self-Inspection Handbook for NISP Contractors.


In our security community, I see a lot of questions about studying for the ISP Certification. Some ask for additional ideas to augment good study groups formed in NCMS (Society of Industrial Security Professionals). These questions draw great responses from ISPs to help the student prepare for the certification exam.

One of the many reasons candidate testers might have for requesting additional study is to gain more experience and practice what they already know. It’s true that one of the testing pre-requisites is five years of experience protecting classified information or otherwise working in the national industrial security program (NISP) environment. However, the five years of experience doesn’t necessarily mean that the candidate has executed all National Industrial Security Program Operating Manual (NISPOM) tasks. The tester is responsible for answering questions from the entire NISPOM, though they may personally touch only small portions of NISPOM in all of those five years.

Additional study, test practice and rehearsal help build confidence. Some ideas I have already recommended are to broaden the scope of security tasks by taking on additional jobs, developing study questions based on NISPOM, or for mentors to get permission to allow outside NISP contractors to train in their facility (for example, an FSO of a non-possessing facility training with an FSO in their possessing facility).

Another idea I would like to recommend is to use the Defense Security Services (DSS) produced Self-Inspection Handbook for NISP Contractors as a training guide. The handbook requires demonstration of tasks involving the entire NISPOM. Where DSS recommends that FSOs inspect only items appropriate for their own facilities, I recommend just the opposite: FSOs can focus study efforts on areas of the NISPOM outside of their scope.

The following exercise will help candidates research NISPOM and provide examples of demonstrated performance:

1. Download the Self-Inspection Handbook for NISP Contractors.

2. Save the PDF file as a Word document.

3. Delete all NISPOM references.

4. Review all tasks appropriate to your facility. Research NISPOM and validate whether or not your facility is compliant. This exercise will help reinforce what you already know.

5. Study tasks listed outside of your focus. For a non-possessing FSO, this might mean all chapters other than 1-

6. Read the task, attempt to find the reference in NISPOM and document the NISPOM requirements. Next, write down your ideas of how you would interpret the requirements. This exercise helps you learn which NISPOM chapters are associated with certain NISP tasks. With enough practice, you can quickly find NISPOM references and answer questions with the speed required on test day.


Use the Self-Inspection Handbook for NISP Contractors to help guide additional study and augment the great training you are already getting. For more helpful hints and study resources, see Red Bike Publishing’s Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, and NISPOM Training topics.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Friday, February 21, 2014

What Kind of Security Training Should FSOs Give to Uncleared Employees?

It’s true, cleared defense contractors have uncleared employees. In larger organizations, these employees may work in shipping and receiving, maintenance, human resources and other non-program development areas. The organization should develop policy and training to be incorporated into the procedures that protect classified information.

How would an uncleared employee have access to classified information?

Hopefully never, but mistakes happen when such instances are not identified. Uncleared employees could possibly find unattended classified information or unlocked security containers, or stumble into classified conversations.

Sometimes classified information is delivered to the wrong recipient, absent-minded cleared employees might leave classified information on a printer or in common areas, and cleared employees may hold approved classified meetings but forget to verify clearance and need to know. Things happen, and damage control as a last resort is all too prevalent in these situations. An FSO with properly trained uncleared employees may have an easier time investigating whether or not classified information was compromised when everyone reacts properly.

This NISPOM training may include:

What national security information is: an uncleared employee should understand that unauthorized distribution of classified information affects national security. A properly trained uncleared employee would therefore alert the FSO or other responsible person if they discover unattended classified information. They will also understand not to read unattended classified documents, and to identify themselves as uncleared before cleared employees begin classified conversations.

What classified information looks like: coversheets, proper markings and other information identify that an item is classified. The uncleared employee can be trained to easily recognize classified information and know what to do when they come across it.

What to do when coming across classified information: classification markings help identify classified information, the level of classification and who classified it. The internal controls would identify what the uncleared employee should do if coming across an unidentified document or other classified item.

Using the above training tips can help prepare for the self-inspection process, as training and interviewing uncleared employees is part of the self-inspection. DSS has provided sample questions that you can ask when interviewing uncleared employees:

What is classified information?

How would you know if something was classified?

If you found unprotected, classified information, what would you do?

Have you ever heard classified information being discussed?

Have you ever come into possession of classified materials? How?




So, as you build your security program to protect classified information, don’t forget your uncleared employees. They can be the missing link to preventing unauthorized disclosure.


Wednesday, February 19, 2014

How FSOs Evaluate Their Security Programs



The Self-Assessment Handbook for NISP Contractors provided by the Defense Security Services (DSS) offers an excellent way for a cleared defense contractor to prepare for the annual DSS inspection, form the enterprise self-inspection policy and assess the status of the organization's security plan to protect classified information. This is a great tool for many, as it's probably the only way to measure aside from the inspection that counts.

When I served in the Army, we had plenty of opportunities to assess our war fighting capability. One of those opportunities was provided by headquarters as an "assistance" visit. This usually preceded the much dreaded Inspector General (IG) inspections. These assistance visits were painful, but gladly received as we could have a "freebie" inspection before enduring the one that counted.

My rule of thumb for these assistance visits was for everyone to do the proper work all the time. I never allowed any soldier to work overtime in preparation. I wanted an honest assessment of the actual work being performed. This left our success and ultimate responsibility squarely on my ability to measure the standards and evaluate our unit's execution before the IG came around.

Part of the assessment in the Army days, and while serving more recently as an FSO, was to develop and document processes, then measure those processes in an audit. As a leader, you can carry a clipboard and ask basic questions designed to check the block. Or, you might take the more successful route of asking open-ended questions and allowing employees to demonstrate their processes.

As Defense Security Services recommends, good questions will facilitate good answers. It's like the old '80s adage "Garbage In; Garbage Out". You basically get what you ask for.

General Interviewing Techniques include the following from the guide:

All questions should be asked in the present and future tense. Here's an example: "If you are reviewing a classified document and you have to take a break, what do you do with the classified information?"

Talk in a conversational tone and maintain eye contact. Again, put the clipboard away and just talk to the employees. Develop the questions based on the mission of the group you are interviewing. If you are interviewing an engineer who regularly creates derivatively classified documents, then develop the conversation to determine how she might arrive at a derivative classification decision.

Let people tell their story. Ask open-ended questions (using who, what, where, when, why, and how). In the above example you might ask, "Show me a document that you derived using classified information." After they provide the document, review it with them and walk through the process.

Avoid leading questions. This is great, just like the show LA Law where the defense attorney yells: "Objection, leading the witness". A leading question might be: "So, you report to security every time you hand carry classified information into the company; don't you?", all the while nodding your head waiting for the right answer.


Keep good notes for future reference and document corrective actions. The intent is to capture the processes the employees are using and determine whether they have had the proper NISPOM training, are using approved processes and actually protect classified information. The self-inspection guide is a great resource to evaluate how employees apply security policies. This is your only "freebie", so use it to your advantage.

For more information about evaluating your security program, see our book DoD Security Clearance and Contracts Guidebook.


Thursday, February 6, 2014

NISP Enhancements Revisited

Defense Security Services (DSS) has new guidance on security enhancements and ratings that cleared defense contractors can earn. According to the publication 2013 DSS Vulnerability Assessment Rating Matrix Vulnerabilities and NISP Enhancement Categories there are 10 enhancements or opportunities to demonstrate protection of classified information beyond baseline National Industrial Security Program Operating Manual (NISPOM) standards.

Before contractors can receive credit for NISP enhancements, there are a few ground rules or fundamental areas that must be addressed.

Back to the basics is a good mantra to follow here. A cleared defense contractor must first demonstrate the capability of protecting classified information before earning enhancements. For example, a cleared facility that has significant findings in the topic of Export Control or Foreign Ownership Control and Influence (FOCI) will not get enhancement credit in the FOCI topic until they overcome the deficiencies. 

Another rule is that the NISP enhancement must relate directly to the National Industrial Security Program. An example where a security measure would not count is where the security office volunteers to walk employees to their cars during hours of darkness. Though this is a great service and goes to enhance the employees' quality of life and safety, it has nothing to do with NISP and will not count as a NISP enhancement. 

NISP enhancements must be validated during the security assessment as having an effective impact on the overall NISP program in place at the company. In other words, the NISP enhancement must be measurable and documented at the point of the assessment. For example, a cleared facility's policy requiring accountability of CONFIDENTIAL information might qualify as a NISP enhancement. After all, in the collateral world, accountability is only required for TOP SECRET. However, if in spite of this great accountability policy several documents can't be accounted for, there is no indication of the policy having an effective impact.

Credit for NISP enhancements will be granted for activities beyond baseline NISPOM requirements even if required by program/contract. This means that if a government or contractor customer requires CONFIDENTIAL information to be transmitted with the process reserved for TOP SECRET information, the serving contractor gets the NISP enhancement. The motivation doesn't matter here; it's the results that count.

An enhancement directly related to a NISPOM requirement cited for a vulnerability may not be granted. In other words, if a security weakness exists where a countermeasure is required to address that weakness, the countermeasure doesn't count. Go back to our earlier example of using TOP SECRET controls to protect CONFIDENTIAL information. This is a NISP enhancement, as it goes above and beyond NISPOM. However, if there is a vulnerability requiring the additional security measure, then it may not count as a NISP enhancement.

If there are other effective enhancement activities in a specific category unrelated to a specific vulnerability in that category, the enhancement credit may still be granted. For example, consider developing procedures to enforce need to know. NISPOM guidance does a lot to direct how to protect classified information by protecting it according to classification level and making it available to those with the proper clearance. Need to know is mentioned only a few times. Access rosters, contract verification or other need-to-know enforcing measures may well qualify as a NISP enhancement.


The DSS vulnerability assessment ensures that classified information is protected according to the NISP. Once the baseline is established, then credit for enhancements can be given. The cleared contractor should be able to demonstrate that their security program meets the criteria. The cleared contractor can then build upon that foundation to demonstrate going above and beyond NISPOM requirements. 

For more ideas on passing the DSS review and NISP enhancements see our book DoD Security Clearance and Contracts Guidebook.


Wednesday, February 5, 2014

How to take a test; any test

There are a few rules of thumb when it comes to taking tests. These rules are almost constant and really have no technical bearing on the tested information. However, where used logically, these tips will increase your chances of correctly answering questions you might not fully know the answer to.

Here are some recommendations:

Tip #1 Stop studying at a reasonable time before the test. You know that time before a test when your head is spinning and studying does nothing but confuse you. It's that time when looking at reference material is nothing more than white noise; it never makes it to your brain. Instead, take a break. Just as an athlete tapers down her training before a race, give your brain a break. An overloaded brain before an exam is just as detrimental as a tired and aching body before a race.

Tip #2 Take a few deep breaths before you get started. This will increase oxygen flow to your brain and help you concentrate. After all, you are going to be reading 110 questions and sorting through approximately 600 answers.

Tip #3 Read questions at a comfortable pace. Don't go too fast; you might overlook something.

Tip #4 Read carefully. Some answers may seem correct at first glance, but watch for traps; some answers aren't as they appear.

Tip #5 Be aware of questions with EXCEPT, NOT, UNLESS and other similar words. Where you usually look for the positive answer, these setups require the opposite answer. Refer to tips 3 and 4 to make sure you don't get caught in this trap.

Tip #6 Don't read too much into questions. We can overanalyze anything. If you are confident with your answer, go with your gut. Don't talk yourself out of a positive answer.

Tip #7 Remember tip #3: don't spend too much time on any one answer. Taking too long can jeopardize your test. Skip the question and come back to it later. Chances are, there are many, many upcoming questions that you can answer quickly and build your test-taking confidence. Focusing on hard questions only shakes your confidence and ruins the timeline.

Tip #8 Can't answer the question? Try to eliminate dumb answers. C'mon, there will be at least one and, if you're lucky, two to three really dumb answers. If you have 5 answers and you can throw out three, the process of elimination gives you a 60% chance of picking the right answer.

Tip #9 - I read once that you should treat each answer as a separate true or false question. I haven't tried this technique, but it just might work.

Remember, the ISP Certification exam is an online, open resource, searchable exam. There are lots of opportunities to pick the right answer. Use these 8 tips to get you started. For more information, see our book, Red Bike Publishing's Unofficial Guide to ISP Certification.


Can we learn from the non DoD Industry about protecting national security?

It seems like we should be able to. The lessons are obvious, but the application may not always be so clear. The same threat methodology applied to credit cards, customer databases, and financial transaction websites exists for the defense industry. The products may be diverse, but the result is usually the same: very sensitive information is released, and those slow to react are in the business of performing damage control.

Last December, Target shoppers were disheartened to discover that their private information became available to bad guys as a result of a pretty detailed scheme to get that information. Now these shoppers' credit information is vulnerable, threatening possibilities of data theft many times over. Many, such as my family, suddenly found ourselves in possession of newly issued credit cards as our banks cancelled suspect credit cards in response to the data breach.

According to the article in the Wall Street Journal, Target Says Hackers Used Credentials from Vendor, it wasn't even Target's mistake. Further reporting determined that a vendor for Target transactions was actually the target of the hacking. They were the ones exposed and leaking the Target customers' sensitive information.

In another article in the same issue of The Wall Street Journal, Cruel Letter Shows Big Data Gone Bad, Office Max is taking heat for mailing information to "Mike Seay, Daughter Killed in Car Crash." Once again, Office Max was not the culprit of hacking, but the victim of an irresponsible vendor hired to mail information, using a poorly vetted mailing list.

Those in the defense industry understand the responsibility of protecting sensitive information at all locations. Whether prime contractors or 5th level subcontractors, the requirement to protect sensitive information falls equally at each location. Protection of classified, OPSEC, personally identifiable, for official use only and other sensitive information is a defense contracting and acquisitions requirement. What is not dictated is the exact countermeasure to use, leaving each location to apply its best practices in an à la carte approach, choosing from a list of approved protection measures.

The application here is that the prime contractor may not be the primary target of scams to get sensitive information. As learned in these Wall Street Journal reports, hackers may target vendors and subcontractors that are easier to get to than the perhaps better prepared prime contractors. The defense chain is only as strong as the weakest link. The same sensitive information should be protected with equally effective countermeasures, training, and awareness no matter where it resides.

Facility Security Officers and security professionals should review contract requirements imposed by customers to determine protection requirements. As such, don't just read the DD Forms 254, but engage the entire contract, including statements of work for all acquisition transactions. This includes design, engineering and security specifications. How else will one truly understand what is required by the customer? At the same time, what requirements does the organization flow down to teaming vendors and subcontractors?

Specifying security requirements leaves less to chance. If Target had either specified how vendors shall protect customer information, OR worked only with vendors known to protect customer information with the same strict controls that Target itself employs, the data breach may never have happened. Until each teaming unit employs the same protection measures to protect the same information, there will always be a weaker link.


For more ways of setting up a security system in a Cleared Defense Contractor, see Red Bike Publishing's book, DoD Security Clearance and Contracts Guidebook.
