Monday, October 20, 2014

FSO's, Self-Inspection and Classification

Facility Security Officers (FSO) should coordinate an annual self-inspection to ensure their organizations are equipped to conduct and capable of conducting continuous protection of classified information. A great tool FSOs or designated inspecting officers can use for preparing, conducting and documenting the self-inspection is DSS’ The Self-Inspection Handbook for NISP Contractors. The handbook identifies “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. The five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)

(B) Access Authorizations

(C) Security Education,

(D) FOCI

(E) Classification

This section covering Classification will consist of multiple parts. Keep reading future newsletters and posts for the rest of the story.

Part I

First off, cleared defense contractor employees do not perform classification. That’s the government’s job. Classification is conducted by the Original Classification Authority (OCA). The OCA is a designated position that uses a six step process to identify whether or not something is classified, at which level of classification, for how long it is to remain classified, and communicate the decision.

Derivative classification in general terms includes, paraphrasing, incorporating, restating or regenerating classified information into a new form. Since contractors are not performing original classification, most of their work would involve using classified sources to create new classified products.

Cleared defense contractors are responsible for establishing security program to protect the classified information. The program should consist of protecting classified information in all instances according to guidance found in the classified contract and NISPOM. This guidance can include handling, storing, marking, training cleared employees, and etc.

So aside from protecting classified information, what roles do cleared contractors play in classification?

Derivative Classification

When classified information is used to derive a new product, the original classification should be carried over into the new product. Items assembled, copied, scanned, or reports made based on instructions or requirements found in the DD Forms 254, Statements of Work, and Security Classification Guides (SCG) are considered derived or derivative classification decisions.

Here are some questions and explanations from the DSS handbook.

4-102d Have employees received appropriate training before they were authorized to make derivative classification decisions for you company? Here’s where you provide a list of the trained employees and a sample of the training or other proof that required NISPOM topics are taught.

According to NISPOM paragraph 4-102d, cleared employees must receive derivative classification training prior to being authorized to make derivative classification decisions.

Where the original classification authority receives training on the same topics annually, NISPOM requires derivative classification once every two years. According to NISPOM derivative classifiers should be trained “…in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. .. not authorized to conduct derivative classification until they receive such training.”

Here's the important part, no training; no work. Appropriate NISPOM training and documentation is the difference between performing on classified work and not being able to meet contractual requirements. FSOs must plan to train cleared contractor employees who perform derivative classification responsibilities.

More information on derivative classified training can be found here: http://dodsecurity.blogspot.com/2013/04/nispom-change-1-derivative.html

http://dodsecurity.blogspot.com/2013/05/derivative-classified-training-what.html

4-102d Are all derivative classifiers identified on the documents on which they made derivative classification decisions? This can be both demonstrated by providing the proof of training as well as actual derivative classification documents if appropriate.

One such training task ensures that the authorized employees apply proper markings to their products. Not only are classification markings required, but so is the proper documentation of who is actually performing the derivative classification. According to NISPOM paragraph 4-102d, cleared employees who are authorized to make derivative classification decisions are responsible for identifying themselves on the documents where they make those decisions. Identification instills discipline, control and accountability of derivative classification decisions.

Only authorized cleared employees are assigned as derivative classifiers and they must be identified as such. The identified employees must be provided with the appropriate derivative classifier training.

Proper identification occurs when authorized derivative classifiers apply their names and titles on the derived items. However, contractors can substitute using their names with some type of personal identifier that translates to an authorized name and position. The use of the personal identifier is usually allowed unless the government customer states otherwise.

When the alternative identifier is used, the organization should develop a designator that aligns with a person’s name and position. If the government customer or anyone authorized to view the classified information has any questions, the derivative classifier can be identified from the list. The contractor should maintain this list for at least the as long as the cleared employee is with the business organization.

Once derivative classifier training is complete, the FSO should provide documentation listing the trained employees and the training topics. A good idea is to keep the training available in case details of the training are needed. Once filed, this documentation can be shown to demonstrate compliance with the NISPOM. Whether the inspector is part of a self-inspection team or with industrial security representatives from DSS, the proof of training should meet the intent.


For more information about derivative or classification training visit www.redbikepublishing.com/training or see: 





Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Monday, October 13, 2014

NISPOM Based Questions


Try these NISPOM based questions. This study may help you prepare for the ISP Certification or the DoD's SPeD certification. These answers aren't in the NISPOM. Can you answer them anyway?






1. What are the appropriate steps to take in JPAS when a cleared employee no longer needs a clearance but will not leave the company?

a. Debrief from access, out process
b. Debrief from access, separate from JPAS
c. Separate from JPAS, out process
d. Out process only
e. Separate from JPAS only


2. Applicants will be required to change initial golden question to _____ unique golden questions.
a. 2
b. 3
c. 6
d. 4
e. 5


3. You must include information about all of the following EXCEPT on the SF86.
a. Parents
b. Cousins
c. Brothers
d. Sisters
e. Spouses


4. When must fingerprints be submitted?
a. For initial investigations and Periodic Review
b. For initial investigations only
c. For PR’s only
d. At the completion of investigation
e. Never







Scroll down for answers












1. What are the appropriate steps to take in JPAS when a cleared employee no longer needs a clearance but will not leave the company?
a. Debrief from access, out process
b. Debrief from access, separate from JPAS
c. Separate from JPAS, out process
d. Out process only
e. Separate from JPAS only'

2. Applicants will be required to change initial golden question to _____ unique golden questions.
a. 2
b. 3
c. 6
d. 4
e. 5

3. You must include information about all of the following EXCEPT on the SF86.
a. Parents
b. Cousins
c. Brothers
d. Sisters
e. Spouses

4. When must fingerprints be submitted?
a. For initial investigations and Periodic Review
b. For initial investigations only
c. For PR’s only
d. At the completion of investigation
e. Never



More study information can be found here:

                                                   
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Does a secret security clearance fulfill the requirements of a public trust clearance?



As published in clearancejobs.com

Recently, a reader asked the following question: “If I have a current secret clearance, does that fulfill the requirements of the “public trust” clearance?” Before we answer the question, let’s look at public trust as a whole.
THE SHORT ANSWER

It depends. The security clearance process is part of the Public Trust evaluation. According to Standard Form (SF) 86 and SF 85 instructions and DSS publications some public trust positions require security clearances and some do not. So, the answer depends on the level of the public trust required. If a desired public trust requirement is for a low to moderate risk position or requires a clearance of SECRET or CONFIDENTIAL, then yes, the request for the SECRET clearance (SF 86) adjudication should cover the requirements and the applicant should not have to complete a new SF 85 or 85P. If the public trust position requires a higher security clearance, then the applicant would undergo another investigation and adjudication to cover the requirements of the higher clearance level.
BACKGROUND

A position of public trust is evaluated to determine the type of impact on the organization based on the sensitivity of the position and the risk of information the employee of the position might work with or otherwise possess. These positions are designated by an authorized manager based on low, medium or high risk.

Sometimes people mistakenly think that public trust and security clearances are two separate events or positions and the terms are often wrongly switched up. Though there are two different processes, both are under the same designation. The mistake is in thinking that there are two categories of clearances with public trust and security clearance topics. However, the term public trust encompasses both classified and unclassified position needs.
RISK LEVELS DEFINED

Understanding the risk level is fundamental to comprehend the public trust requirements. The public trust positions are designated according to amount of risk assumed.
  • Low risk public trust positions are for duties that have limited potential impact on the organization or mission.
  • Moderate risk public trust positions are designated for those positions with potentially moderate to serious impact on the organization or mission.
  • High risk public trust positions are for positions with exceptionally serious impact on the integrity or efficiency of the mission.

HOW RISK POSITIONS ARE FILLED

Public trust position investigations are conducted by the Office of Personnel Management (OPM). If a position is designated as being low, moderate or high risk, OPM investigates the employee for suitability to the level of risk. The higher the public trust position risk, the more detailed the investigation.

The process begins with the justification of the position. The authorized manager has already determined this when the position is created. Each employee that fills that position must have had an investigation or will have an investigation to qualify them for the level of public trust required. Once notified by an authorized person, the next step is for the employee to complete the correct Standard Form (SF).

There are different types of adjudications for public trust positions and each type of adjudication requires a different form. The SF 85 is the correct form for the low risk, the SF 85 or SF 85P for the moderate risk, and the SF 86 is for security clearances and high risk public trust positions. Each SF provides a basis of information used for the appropriate investigation for suitability of public trust. Whichever SF is used the applicant should accurately and completely fill each of the fields asking for form unique information. OPM investigators use the completed forms to research the subject and gather information necessary for the adjudicator to make a suitability determination.
A NOTE ABOUT SECURITY CLEARANCES.

Keep this in mind, compromise of SECRET information could cause serious and compromise of TOP SECRET information could cause extremely grave damage to national security. Does this determination sound familiar? The levels of damage described matches key words in the moderate and high risk definitions quoted earlier. Both complement each other and describe levels of risk and impact.

Not all sensitive duties require access to classified information. However, those employees requiring a security clearance fill out the SF that leads to more in-depth and appropriate investigation. For security clearances, it is the SF 86. This is an important distinction as the moderate risk public trust position normally requires the SF 85P. However, when a security clearance is required, the SF 86 is always used. The bottom line is that regardless of the risk level, when the National Security Adjudications grant access to all classification levels; TOP SECRET, SECRET, or CONFIDENTIAL, an SF 86 is required.

For example, if an employee is hired against a moderate risk position that requires a SECRET security clearance, the SF 86 investigation is more detailed and will fulfill all moderate risk adjudication information required of the SF 85P. In other words, the more in-depth investigation requirement will cover all lower level investigation requirements. The applicant will not need to complete both forms.
JOB TRANSFERS

If an employee is transferred, there is a degree of technical difficulty. When occupying a position of moderate risk where no clearance is required, the employee completed an SF 85P. If the same employee is transferred to a similar position and a SECRET clearance is required, they will have to complete an additional SF86 and undergo a different investigation. If, on the other hand, they transfer from a moderate risk position requiring a security clearance to a moderate risk position not requiring a clearance, the original SF 86 will suffice.

So, back to the original question, “Does a secret security clearance fulfill the requirements of a public trust clearance?” The answer is yes. A SECRET clearance is designated as part of the public trust process. The holder of the SECRET clearance is in a position of moderate risk and they require a security clearance. In this case an SF 86 investigation and security clearance adjudication will cover the requirements of the moderate to low risk positions.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".