Wednesday, December 23, 2015

Keeping the knowledge of security container combinations to a minimum.

In this week's article, continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308.

5-308 Is the number of people possessing knowledge of the combinations to security containers kept to a minimum?

Not every employee needs the combination to the security container.

The combinations should be provided to those with the proper clearance and need to know. This is the maximum number of individuals who should have it, but a minimum standard as far as combination accountability. After all, the security container combination is classified at the same level as the highest level of information stored in the container. 

Clearance and need to know of the contents aside, maintaining control of combinations should include keeping access to the security container to the minimum necessary to manage good information security. For example, 10 cleared employees may need access to a document. However, these 10 cleared employees may not need access to the security container.

There are many ways to monitor and approve combination distribution.

One consideration might be shared container space. For example, in the case of the 10 cleared employees above, the 10 may have classified documents collocated in the same security container with the classified documents of another group. All are classified at the same level, but not everyone has a need to know of each group’s information. Need to know would be approved for those who are granted the combination. These few would be granted need to know, then given the combination. They could then distribute the contents as required.

Another consideration is classification of the combination. Not only is the classified information protected based on access and need to know, but the combination is also classified to the level of the information stored in the container. Therefore it also must be protected by verifying employee clearance level and need to know controls. If the combination is written, then the written combination should be marked properly and also stored in a security container. Protecting, documenting and accounting for the classified security container combination provides the controls necessary for proper information security. Combinations should be memorized. A good memory jogger is a word that matches the combination numbers. A combination reminder magnet helps.

Another consideration is availability. Out of the above example of 10 cleared employees, those granted with access should be available throughout the working day to open and close the container.

Though not an exhaustive list of examples, each of the above cases requires thought. Out of the cleared employees, which have need to know of the information in the security container? Then provide and maintain access to the combination at a minimum.

Where the classified combination is provided, it must be properly documented. The FSO should record the names of those to whom the combination is provided.

In cases where a cleared contractor involves a one-person operation, that person serves as the FSO for that entity. The single employee FSO is as critical as any other FSO. The main difference is that the single employee FSO is the only one who has access to safe or vault combinations and access control and alarm codes. If the employee dies or is incapacitated, a backup plan is necessary to better protect the classified material. In cases of sole employees, the FSO will give the combinations to DSS or the home office if part of a larger organization.

VALIDATION:                                                                                   
  • Determine who has access to the security container combination.
  • Document the process to limit access to the combination to the minimum necessary.
  • Interview those who have access to the container and document how they enforce need to know of the contents before distributing classified information.
  • Demonstrate that the combination is treated as classified information. Verify that, if written or recorded, it is marked correctly and stored in a GSA approved container.
  • Demonstrate written policy that limits the number of those with access to the security container combination to the minimum necessary.
  • Security awareness training is provided that enforces the protection of combinations as classified and with limited distribution.

Tuesday, December 1, 2015

NISPOM Based Questions







Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but some you might just have to think about.



1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail



2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above

3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material.



4. When escorting classified information transported in the airplane’s cargo area, plane _____ and deplane _____.

a. Before other passengers, after other passengers

b. After other passengers, before other passengers

c. After cargo is secured, before anyone

d. After engines start, before plane pulls to gate

e. After plane leaves gate, before plane pulls to gate











Scroll down for answers





1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA (NISPOM 5-402)

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail



2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above (NISPOM 5-403)



3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe (NISPOM 5-410)

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material.



4. When escorting classified information transported in the airplane’s cargo area, plane _____ and deplane _____.

a. Before other passengers, after other passengers

b. After other passengers, before other passengers

c. After cargo is secured, before anyone (NISPOM 5-413f)

d. After engines start, before plane pulls to gate

e. After plane leaves gate, before plane pulls to gate


So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Monday, November 23, 2015

Unclassified Controlled Technical Information



What to protect; decisions, decisions. It seems that there are acronyms developed with the ingenuity and fluidity of American innovation. The same innovation that enhances our military capability also comes with a set of warnings and new titles and acronyms that demand increased attention. While new acronyms and technology protections are identified, reliance continues on fundamental protection measures that rarely change.

More and more evident is the growing volume of U.S. defense information categories that demand protection and are not necessarily classified. If not identified and protected, unclassified U.S. defense information could be accessed by unauthorized persons.

Unclassified defense information comes in many forms and acronyms, including military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR), International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and the most recent, unclassified controlled technical information (UCTI).

Some U.S. defense information categories and definitions include:

  • Espionage
    • Gathering, transmitting or losing defense information 
    • Gathering or delivering defense information to aid foreign government 
    • Photographing and sketching defense installations 
    • Use of aircraft for photographing defense installations 
    • Publication and sale of photographs of defense installations 
    • Disclosure of classified information 
    • Economic Espionage Sec. 1831 of Economic Espionage Act of 1996
      • Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--
        • steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
        • without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
        • receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
      • Trade Secret Theft Sec. 1832 of Economic Espionage Act of 1996
        • Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will injure any owner of that trade secret, knowingly
          • steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
          • without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
          • receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization
      • ITAR Violations
        • Export means: 
          • Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or 
          • Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or
          • Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or
          • Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
          • Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.

      The lesson is that significant effort and thought should go into protecting sensitive unclassified U.S. defense information. Developing a security program to protect sensitive unclassified information may require more innovation than that of understanding how to protect classified information. Classified information handling instruction provides much stronger wording. For example, recipients of TOP SECRET, SECRET, and CONFIDENTIAL information are directed to protect this information with GSA approved security containers, security in depth, intrusion detection devices and much more depending on the classification level. In fact, there are entire manuals written depending on agency and their contractors. For the Department of Defense the National Industrial Security Program Operating Manual (NISPOM) provides a few hundred pages on how to protect classified information.

      However, for unclassified U.S. defense information the defensive measures depend primarily on the analysis and innovation of those holding it. True, the ITAR, EAR and some DoD publications speak to protection of sensitive unclassified information, but the guidance is high level and subjective. For example, the NISPOM limits access to classified information based on security clearance, need to know, and a time-proven classification system. It also requires specifications for locks and security containers that protect classified information. On the other hand, guidance for sensitive unclassified information does not address background investigation or requirements for industry other than to prevent access by non-U.S. persons. Also, unclassified hard copy requires securing in a locked desk or drawer and shredding or ripping into pieces. These might be adequate in general terms but are subject to the quality of the desk and the size of the shredded pieces as well as any credible threat.

      At this point it is good to consider the guidance as a minimum and plug in a risk analysis of the defense information within the organization as the added ingredient. Once established, the FSO should develop a security awareness training program to assist with enforcing the message.

      Unclassified U.S. defense information should be protected with a well-designed security system. Though not classified, this information could impact national security if accessed by unauthorized persons. Therefore, it should be identified by title and location and limited not only to U.S. persons but also by need to know of the information.



      Stay plugged in for future articles and information on building that security program to protect sensitive unclassified U.S. defense information. Sign up for our newsletter to keep up to date.



      Monday, November 9, 2015

      Approval of Open Storage-The Self Inspection Handbook for NISP Contractors

      In this installment of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we’ll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-306b. Here is the question:

      5-306b Has DSS approval been granted for the open shelf or bin storage commonly known as “open storage” of documents in Closed Areas?

      Though we have covered the storage of classified information in earlier articles, this writing will address storage of classified information specific to these closed areas. See if you can find the differences.

      According to NISPOM paragraph 5-306b, open shelf or bin storage (hereinafter “open storage”) of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval. Prior to approval, DSS will consider open storage of material and information system (IS) media based on the cleared contractor meeting the following:
      • Limited storage space required for storing classified information (product is too large to fit in a GSA approved security container); or, the performance of classified work (operational environment) requires open storage.
      • Access to the open storage area is limited to those with adequate security clearance and need to know of all information in the open.
      • The entrance doors to the area are equipped with GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740.
      • For SECRET material, the area is protected by an approved intrusion detection system with a 30-minute response time, as well as security-in-depth (SID) as determined by DSS. For open storage areas lacking sufficient SID, a 5-minute response time is required.
      • For CONFIDENTIAL material, no supplemental protection or SID is required.
      • The open storage area is within a facility, or specific portion of a facility, determined by DSS to have security-in-depth based on the following criteria:
        • The contractor has documented the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, the contractor must review the effectiveness of these controls and report any changes affecting those controls to DSS.
        • At a minimum, the contractor has considered the following elements in their security-in-depth assessment:
          • Perimeter controls
          • Badge systems when the size of the population of the facility renders personal recognition impracticable
          • Controlled access to sections of the facility in which classified work is performed
          • Access control devices when circumstances warrant

      The difference between storage of classified information in a GSA approved storage container and open storage could be addressed by considering the outer perimeter of the closed area as a “GSA approved container” requiring additional supplemental controls. Where the storage of SECRET material is adequate in a GSA approved security container (unless a risk assessment requires supplemental security), open bin storage of the same level of classification requires proper construction of the closed area plus the additional alarms and monitoring to provide the secure barrier.

      For example, XYZ Contractor may store SECRET and CONFIDENTIAL information for one contract in a 5-drawer GSA approved security container. All documents, hard drives, and other classified media fit nicely and are checked out and turned in as appropriate.

      However, on another contract the classified material is large and bulky and will not fit in a GSA approved container.  The closed area is inside of an access controlled facility and constructed as outlined in the NISPOM. Additionally, access is limited to those with the appropriate security clearance and Need to Know of all classified information. At night the room is safeguarded with the intrusion detection and security in depth.

      RESOURCE:  ISL 2012-04 Open Shelf or Bin Storage under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html



      VALIDATION:

      Post all closed area requests, justifications, and inspections where they can be easily and readily accessed for audit, inspection or review.

      Post all closed area approvals where they can be easily and readily accessed for audit, inspection, or review.

      Provide demonstration and documentation of specific layered and complementary security controls where open storage is approved. Consider the following:

      • Perimeter controls
      • Badge systems when the size of the population of the facility renders personal recognition impracticable
      • Controlled access to sections of the facility in which classified work is performed
      • Access control devices when circumstances warrant

      Demonstrate and document the self-inspection review of the security controls and their effectiveness.

      Document and report any changes affecting those controls to DSS for review, inspection, or audit.



                                                   

      Monday, October 5, 2015

      NISP Self Inspection Handbook-Closed Area Construction

      Welcome to the National Industrial Security Program Operating Manual (NISPOM) 5-306 portion of the Defense Security Service’s (DSS) Self Inspection Handbook for NISP Contractors. This section covers closed area construction as identified in the NISPOM.

      Here is the question:                                            

      5-306 Are Closed Areas constructed in accordance with the requirements of the NISPOM?

      Where the size or operational environment of the classified material may prove unsuitable for storage in a GSA approved security container or vault, a closed area might be the right solution. If a closed area is needed, DSS and the contractor should agree to the construction of the closed area as early as possible in the contract, or to qualifying an existing area as soon as the need arises. This is a great reason for a proactive FSO to be involved in classified contracts from cradle to grave. This includes reading requests for proposals and statements of work, and engaging in DD Form 254 reviews to determine classified material storage needs and address any closed area considerations with DSS for consideration and approval.

      If a closed area construction is needed, the Cognizant Security Agency, DSS, is the approving authority. They will provide approval based on NISPOM 5-306 Section 8 requirements. These construction considerations include not only walls, floors, and ceilings, but anything that may be considered an opening or vulnerable areas. Construction should address deny, deter and detect protection measures. For example, the hardware should be heavy gauge and installed in such a way it cannot be removed. Walls should be built to deny entry through destruction, damaging entry methods, or wall section removal and any attempts should leave visible markings.  See NISPOM 508 for more specific construction details.

      Where environmental (HVAC) and cyber concerns (network, wires, and cables) exist, false ceilings and floors abound. A common construction technique is to lower the ceiling with ceiling tiles and raise the floor to hide unsightly IT and other equipment. The closed area must be considered as wall to wall and ceiling to floor. This expands the area well beyond the false ceiling and raised floors to the actual place where walls and floors / ceilings connect. The space above the false ceiling and below the floor should be vetted as secure and, when so, security integrity should be inspected for the life of use. Options for protecting hidden areas include alarms, viewing areas where tiles are clear or removable so that the areas can be viewed, periodically inspecting these hidden areas, and ensuring work orders involving closed areas are approved by the FSO.

      Additionally, access controls and personnel security must be in place to limit access and need to know. These access controls can be as simple as having a cleared person guarding the entrance with a check list of authorized persons or as complicated as technical devices or systems.

       

      Recommended closed area inspection cycle


      | Nature of Classified Information | Security-in-Depth | Minimum Inspection Frequency |
      |---|---|---|
      | Classified Information Systems with unprotected transmission lines above false ceiling or below false floor | No | Monthly |
      | | Yes | Every Six Months |
      | Open Storage of Classified Documents | No | Monthly |
      | | Yes | Every Six Months |
      | Classified Hardware | No | Every Six Months |
      | | Yes | Annually |


      There may be times when GSA security containers are just not enough. Operational requirements, size of classified material, work environment and other factors may require the construction of or re-use of a qualifying location as a closed area. When using closed areas, FSOs should apply and enforce physical security measures to deny, deter, and detect unauthorized access at any time. Reinforced doors, windows and other access points should be installed to prevent anyone from easily breaking in or going around current security precautions. FSOs should always coordinate with DSS or CSA as they are the approval agency of new construction, modifications, and repairs of closed areas. As always, the FSO should validate and document work. See Validation section for ideas.

      RESOURCES: 
       
       
      ISL 2006-02 Structural Integrity of Closed Areas under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

      VALIDATION:

      The required minimum inspection frequency must be approved by your Industrial Security Representative. The FSO should save all approval records and document inspections on the DSS Form 147, “Record of Controlled Areas.”                                                                                                          
      When building closed areas, the FSO should ensure pictures of progress are taken as evidence of compliance with construction requirements. 

      Create a binder, notebook, file or other record for all closed area transactions. Include in the file:

      • Closed area locations
      • Standard practices and procedures
      • Standard operating procedures
      • Written security requirements
      • Certifications and approvals
      • Specific annual security training requirements designed for classified contract and closed area use
      • Inspection details
                                                    


      Friday, September 11, 2015

      Will the fallout of the Ashley Madison hacking cause a security clearance backlash?

      There it is, all the names of the men and women who registered to have a "Discreet Affair".

      Harmless, right? At first it might seem so, that is, until the threat of blackmail arises and the secret is out. The invitations to register are enticing, and the promise of a secret affair with other like-minded adults makes the offer seem like an appealing proposal. That is, until a group hacked the company and exposed the database for the world to see.

      What was once a highbrow hook up is now touted as a wall of shame. Suddenly high-profile people are now humiliated, losing jobs, credibility, and some have committed suicide. The likes of Josh Duggar and even the Ashley Madison CEO are losing what they have worked so hard to build up. Josh lost his legacy and the business world lost confidence in a company's leader who promised discretion. The cloak that once hid the appealing invitation to participate in the exclusive playground has been removed, exposing it for what it really is: a place for married people to engage in adultery.

      This article is by no means meant to pass judgement on these individuals, but to highlight the issue of possible blackmail and security clearances. Specifically, the bad formula of a person possessing the knowledge of national secrets plus something to hide equals security risk. I recall well my military service during the Cold War. I remember reading reports of service members and those in the intelligence community put on trial for acts of espionage resulting from adulterous affairs. Remember the old "honey trap" where a beautiful girl from the Soviet Union befriends a not so deserving victim? Her handlers then record the event and blackmail the unwitting participant into revealing secrets. Yep, a cleared person plus something to hide equals security risk.

      The Criteria

      Employees are awarded security clearance based on classified contract needs and after a lengthy investigation and adjudication process. This process is based on the 13 security clearance guidelines. They are listed below:

      (1) Guideline A: Allegiance to the United States
      (2) Guideline B: Foreign Influence
      (3) Guideline C: Foreign Preference
      (4) Guideline D: Sexual Behavior
      (5) Guideline E: Personal Conduct
      (6) Guideline F: Financial Considerations
      (7) Guideline G: Alcohol Consumption
      (8) Guideline H: Drug Involvement
      (9) Guideline I: Psychological Conditions
      (10) Guideline J: Criminal Conduct
      (11) Guideline K: Handling Protected Information
      (12) Guideline L: Outside Activities
      (13) Guideline M: Use of Information Technology Systems

      There are several guidelines that participating in the Ashley Madison offerings could cover. For the sake of brevity, we'll take a closer look at Guideline D: Sexual Behavior.

      The Concern. 

      Sexual behavior that involves a criminal offense, indicates a personality or emotional disorder, reflects lack of judgment or discretion, or which may subject the individual to undue influence or coercion, exploitation, or duress can raise questions about an individual's reliability, trustworthiness and ability to protect classified information. No adverse inference concerning the standards in the Guideline may be raised solely on the basis of the sexual orientation of the individual.

      In this case, married cleared employees may have registered on the website. According to an article at www.msn.com/en-us/news/technology/the-blackmail-of-ashley-madison-users-has-already-begun/ar-BBlXLTH, the blackmail has already begun. Cleared employees on the list could be vulnerable to this blackmail and if investigated, they may find their security clearances in question.

      According to the Office of Personnel Management, conditions that could raise a security concern and may be disqualifying include:

      (a) sexual behavior of a criminal nature, whether or not the individual has been prosecuted;
      (b) a pattern of compulsive, self-destructive, or high-risk sexual behavior that the person is unable to stop or that may be symptomatic of a personality disorder;
      (c) sexual behavior that causes an individual to be vulnerable to coercion, exploitation, or duress;
      (d) sexual behavior of a public nature and/or that which reflects lack of discretion or judgment.

      But this isn't always a clearance killer. 

      When adjudicators take a look at the "whole person" concept, there may be some conditions that could mitigate security concerns. These include:

      (a) the behavior occurred prior to or during adolescence and there is no evidence of subsequent conduct of a similar nature;
      (b) the sexual behavior happened so long ago, so infrequently, or under such unusual circumstances, that it is unlikely to recur and does not cast doubt on the individual's current reliability, trustworthiness, or good judgment;
      (c) the behavior no longer serves as a basis for coercion, exploitation, or duress;
      (d) the sexual behavior is strictly private, consensual, and discreet.

      Other implications

      The fallout is still ongoing. Some accounts, "pretend" or otherwise, were made using official government and business email. If these are further investigated, clearances could be suspended for violating Guideline M: Use of Information Technology Systems.

      The point is that just being on the hacked list may not in itself cause the denial or revocation of a security clearance. Cleared people have affairs and maintain their clearances. But problems arise when the affairs are discovered or the individual is susceptible to coercion, exploitation or duress. When these events cannot be mitigated, then of course the person is not trustworthy. However, these will be considered on a case by case basis and with the "whole person" in mind.


      Some preventative actions

      Cleared contractors would do well to include warnings against such online behavior during annual security awareness and other NISPOM required training. Reminders about continuous observation and maintaining a lifestyle to maintain a security clearance may just be what some cleared employees need to toe the line.

