Saturday, December 24, 2016

Shipping Classified Information with Commercial Carriers

www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

When shipping classified information, the sender is responsible for requesting approval to use commercial carriers. The DSS or other Cognizant Security Agency (CSA) approves the use of commercial carriers. For overnight shipping, the Government Services Administration (GSA) provides a list of approved overnight delivery services.

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408. SECRET Transmission by Commercial Carrier. SECRET material may be shipped by a cleared commercial carrier that has been approved by the CSA to transport SECRET shipments.

Cleared Commercial Carriers

Department of Defense contractors may use government approved commercial carriers to transport SECRET and below. When SECRET material is to be delivered, the carrier must be approved and cleared to the SECRET level. CONFIDENTIAL material can be transmitted by an approved uncleared carrier. These deliveries are not authorized for international travel and can only be made within the continental US or within Alaska, Hawaii and each territory, with the Government Contracting Agency providing routing information.

When requesting commercial carrier support, the contractor should notify the CSA of the proposed classified material to be shipped, the point of origin and the destination. The CSA will review the information and make an approval decision. If approved, the sender should notify the consignee and the shipping activity of the shipment and provide details of the type of shipment, information about shipping seals, and projected time of arrival. Further coordination should be made with the intended recipient so they expect the delivery of classified material, along with a projected timeline and what they should expect to receive. If the shipment does not arrive within 48 hours, the receiver should notify the sender.

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408b. The contractor shall utilize a qualified carrier selected by the U.S. Government that will provide a single-line service from point of origin to destination, when such service is available, or by such transshipping procedures as may be specified by the U.S. Government.

GSA Approved Overnight Delivery Service

SECRET and CONFIDENTIAL material may be sent using GSA approved companies. These services should not be used without DSS approval. When using an overnight delivery service, the FSO of the sending organization should alert the receiving organization that classified information will be arriving via overnight service. Though overnight carriers are approved through the GSA, the carrier companies do not need to hold a facility security clearance. The carriers are only required to meet requirements of tracking shipments.

Every precaution should be made to ensure that the overnight delivery will not arrive during a holiday or scheduled day off. The best method is to not deliver the day prior to a weekend or federal holiday unless the receiver is operating a mail room with cleared persons and the proper storage capability.

VALIDATION:

1. Produce request to CSA for commercial carrier use and the CSA response.
2. Produce receipts for classified shipments involving commercial carriers and / or GSA approved overnight shippers.
3. Provide policy and procedures for use of commercial carriers and / or GSA approved overnight shippers.
4. Provide documentation of signed receipts of classified information sent via commercial carrier and / or GSA approved overnight shippers.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, December 22, 2016

Determining Receiving Facility Security Clearance Level

Get your printed NISPOM at www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Those who possess classified information should determine security clearance and need to know before disclosing it. This is a requirement for both cleared persons and cleared facilities. Where classified information is shipped from one CAGE code or facility to another, the shipper is responsible for ensuring that the carrier is cleared appropriately and that the receiving entity is cleared and has the need to know to possess the classified information.

Question:
NISPOM 2-100
Is the facility clearance and safeguarding capability of the receiving facility determined prior to transmission of classified information?
2-100. … Contractors are eligible for custody (possession) of classified material if they have an FCL and storage capability approved by the CSA.
…b. FCLs will be registered centrally by the U.S. Government.

The cleared contractor possessing classified information is responsible for validating the appropriate personnel clearance level (PCL) and need to know before releasing classified information to that person. The same rationale applies to shipping classified information from one cleared defense contractor (CDC) to another. The shipper should determine the proper clearance and need to know of the intended receiver. In other words, validate the facility clearance (FCL) level prior to shipping classified information.

This is performed through the Industrial Security Facilities Database (ISFD). According to the ISFD website, the ISFD provides users with a nationwide perspective on National Industrial Security Program related facilities, as well as facilities under DSS oversight in the DoD conventional AA&E program.

FSOs should have access to ISFD and other Defense Security Service databases in order to provide their employer with adequate security services. See http://www.dss.mil/diss/isfd.html for more information.

Once registered, an FSO or designated employee can access FCL information including clearance level, classified mailing addresses, and points of contact. Prior to sending classified information, the sender can log in to ISFD, access the address, POC, and contact information, and coordinate the delivery and any inspection and receipting actions.

VALIDATION:
1. Demonstrate ability to log on to ISFD.
2. Demonstrate proficiency with determining a CDC's FCL.
3. Demonstrate proficiency with finding a CDC's address and POC information.


Thursday, December 8, 2016

Classified Shipping Receipts
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The receipting action from receiving and transmitting classified information provides required tracing and accountability. Classified information should be documented as it enters and leaves each facility to reduce loss or compromise. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let’s find out.


Question: 

5-401

Are receipts included with classified transmissions when required?

5-401. Preparation and Receipting
a. …The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.

Receiving Classified Information

When classified information is transmitted, the NISPOM requires receipting action whenever SECRET and TOP SECRET information is transferred to or from a cleared contractor. However, it is a good practice to track deliveries and send receipts for outgoing CONFIDENTIAL information as well. Confirmation of receipt helps the sending contractor close the loop and account for their classified transfer. For the receiving contractor, the receipting action is its first step toward internal visibility of newly introduced classified information. It should initialize the internal tracing of classified information and provide the visibility needed to recall or retrieve classified information or identify its location.

Classified information can arrive at a cleared contractor in many different ways including cleared contractor employee or government employee couriers, contractually related customers, secure fax, secure email, US Postal Service, overnight delivery services and other approved means of transmitting or disseminating classified information. Regardless of how classified material arrives, the contractor should provide the proper reception of classified material by authorized cleared employees. The receiver of classified material plays a role in both safeguarding classified material after it arrives as well as identifying discrepancies and security violations that may have occurred while the classified information is in transit.

Inventory Control

One possible solution for controlling the introduction, storage, and transmission of classified information is through an information management system (IMS) (SIMSSOFTWARE is an example). The IMS is a tool that could help track and find classified material at any time no matter how many classified documents or objects are stored. Additionally, cleared contractors could use the IMS as a centralized document control system. Used in tandem with a positive visitor control process, the contractor could direct the arrival of visitors, couriers, mail carriers, overnight delivery companies, and others who could potentially convey classified information to a centralized processing location. Through a process of document control, the cleared contractors can receive classified information, inspect it, sign receipts, document the contents, store, and make classified information available for authorized employee use. Without such controls, classified information could be vulnerable to unauthorized disclosure, loss, or compromise.

Inspecting and Documenting

Shipments of classified information (SECRET and above) should contain two copies of the receipt. A good security practice is for the sender to alert the receiver that classified material is being sent to their facility. Many times program managers, engineers or other technical employees are anticipating the delivery, but may not have all the details of delivery times and dates. However, FSO-to-FSO coordination can provide all the information about the transaction in advance.

The receiver should then check the receipt against the contents to ensure the item has been identified correctly and all items are accounted for. The properly filled out receipt should list the sender, the addressee and correctly identify the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, the inspector should ensure it contains no classified information. If the receipt contains a classified title, the sender may be able to coordinate for an unclassified title for internal use and treat the receipt according to the classification level.

The receiver should compare the classification identified on the receipt with that annotated on the inner wrapper and the actual classified material markings. This action validates that the classified contents were safeguarded and transmitted properly once the outer wrapping has been opened or removed. Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return it to the sender, thus closing the loop on the sender's accounting responsibilities.

5-401b

Is a suspense system established to track transmitted documents until the signed receipt is returned?
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.


It is the sender's responsibility to ensure classified information arrives at the intended destination. The sender should track the classified deliveries until they receive a receipt or verify arrival. A good practice is to schedule follow-up dates in Microsoft Outlook Calendar, an IMS, a spreadsheet or other tools to validate reception of signed receipts. If the receipts have been returned, the sender can close the action. If not, they may need to send a request to the receiver.

A good security program designed to protect classified material begins with the proper reception of classified information. Classified information should be delivered to an approved mailing address. Prior to delivery, the sender should contact the receiver and notify them of the intended delivery. The receiver should then prepare for the delivery and ensure that only the proper employee cleared to the appropriate level receives the classified delivery. The receiver should inspect the delivery for proper wrapping, address, and delivery method. After inspection, they should sign a receipt and return it to the sender. The inspector should then enter the classified items into an IMS. Once filed, they can make the information available for use to those with clearance and need to know.

VALIDATION:

1. Demonstrate compliance through policy and procedure development and updates that include tasks to be accomplished during reception of classified information.
2. Save and file receipts for easy recall.
3. Develop and document inventory management for classified information that includes documenting receipt of classified information.
4. Include reception of classified information with job specific security awareness training.
5. Learn to correctly use information management systems for document control purposes, generate reports, and demonstrate compliance.
6. Develop a process to trace and account for signed receipts and what to do when receipts are not returned.

Thursday, November 24, 2016

Preparing Classified Information For Shipment

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The transmission of classified information is an important concern. Classified information should be controlled as it enters and leaves each facility. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let's find out.

Question:

5-401 Is classified information properly prepared for transmission outside the facility?

Here’s what NISPOM says on the subject. Our narrative follows:

5-401. Preparation and Receipting
a. Classified information to be transmitted outside of a facility shall be enclosed in opaque inner and outer covers. The inner cover shall be a sealed wrapper or envelope plainly marked with the assigned classification and addresses of both sender and addressee. The outer cover shall be sealed and addressed with no identification of the classification of its contents. A receipt shall be attached to or enclosed in the inner cover, except that CONFIDENTIAL information shall require a receipt only if the sender deems it necessary. The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.
c. When the material is of a size, weight, or nature that precludes the use of envelopes, the materials used for packaging shall be of such strength and durability to ensure the necessary protection while the material is in transit.

The classification level should be the first consideration when determining how to disseminate classified information. Dissemination of TOP SECRET has more restrictions than SECRET and CONFIDENTIAL. Likewise, SECRET has more restrictions than CONFIDENTIAL. According to the NISPOM, classified information should be wrapped with opaque durable material such as cardboard, envelopes, or boxes. It should be transmitted in a way that prevents accidental and unauthorized disclosure and allows tampering to be detected.

Inner Layer

The NISPOM does not discuss whether or not seams of packages should be reinforced. A good practice is to cover seams with rip-proof opaque tape or other similar material.
Next, the preparer should mark the package on the top and bottom of all sides with the proper classification level.

Then they should add the "to" and "from" addresses, with two copies of the receipt either attached to the first layer or inside the first layer. The preparer should always coordinate with the intended receiver to notify them of the delivery and verify mailing addresses. If the package is being sent to a cleared DoD contractor, the address can be verified online through the Industrial Security Facilities Database (ISFD) available through the Defense Security Service (DSS) website.
DSS recommends that the address on all inner wrappers contain the name and office symbol of the intended recipient to expedite accurate delivery.

Internal contents that come in contact with the wrapper could be imaged or observed in certain situations. To prevent this, the preparer can place wrapping paper, patterned paper, or receipts between the contents and the wrapper, or fold the documents in such a way that they cannot be read through the wrapping. DSS recommends using classification level cover sheets such as Standard Form 703 (TOP SECRET), 704 (SECRET), or 705 (CONFIDENTIAL) to prevent an adversary from reading or imaging the information during technical scanning. However, though this protects the actual information from being scanned, it could disclose that the contents are classified. If using cover sheets, be sure to use the SF appropriate for the classification level of the information inside.

Outer Layer

The outer wrapper is the second line of defense for the classified information.
Once the classified information leaves the cleared facility, the level of protection is severely reduced. The wrapping requirements are similar to those of the inner wrapper and should be the same size to prevent looseness or movement that could fray or damage the inner wrapping’s seams. The outside label should not identify the recipient by name. Office numbers or symbols should be used to prevent associating a classified package with a particular person. When addressing shipment labels to contractors, the outer label should be addressed to “FSO” or “Security”. When addressing shipment labels to military agencies, the outer package labels should be “Commander”.

Additionally, addressing deliveries to an authorized department ensures the package is received by authorized persons. Providing a person’s name on the outside label could cause problems if they are not around to receive it and could result in returned packages.


Alternate wrappings

Large sizes, bulk, weight, mission requirements or other structural makeup could prevent transmission of items by traditional means. These could be machines, vehicles, aircraft, missiles, or other cumbersome, odd-shaped, heavy or odd-sized items. Briefcases, canvas courier bags, hard cases, shipping crates, large tarps and other types of containers can serve as proper wrapping provided they are approved by DSS. The containers are a part of the process to provide multiple layers of protection, deny accidental access, detect tampering and ensure expedited transport.

VALIDATION:
· Choose a designated location to prepare classified information for shipment
· Publish comprehensive instructions, processes, and policies for sound security practices
· Post reminders and instructions in designated areas
· Use an information management system or similar technology to keep a pedigree of transmittal receipts
· Demonstrate that processes are taught to authorized employees in security awareness training or refresher training


Thursday, October 27, 2016

NISPOM Chapter 5, physical protection of classified material at cleared contractor locations

In our continuing effort to bring you the latest in protecting national security, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Our intent is to address major changes, excluding admin updates. Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

The first topic in this article is NISPOM Chapter 5, physical protection of classified material at cleared contractor locations.

This begins where paragraph 5-303 is completely obliterated. No comment here except to say they drew the line in the sand in 2006 and finally erased it in 2016. Hopefully, four years to the month after the expiration date, these steel cabinets and sub-par containers are no longer an issue.


5-303. SECRET Storage. SECRET material shall be stored in a GSA-approved security container, an approved vault, or closed area. Supplemental controls are required for storage in closed areas. The following additional storage methods may be used until October 1, 2012:
a. A safe, steel file cabinet, or safe-type steel file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours.
b. Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock. The keepers of the rigid metal lock bar shall be secured to the cabinet by welding, rivets, or bolts so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container shall be held securely so their contents cannot be removed without forcing open the drawer. This type of cabinet will be accorded supplemental protection during non-working hours.

Paragraph 5-311 also removes the reference to that bygone era and rearranges the subparagraph structure.


The second topic is Chapter 9 Special Requirements.

Chapter 9 section 1 is completely removed, and the language concerning RD and FRD is rewritten as guidance in a new Appendix D. We will cover the specific changes when we write about appendix updates at a later date.

Similarly, Chapter 9 section 3 is completely removed and a new paragraph is added:

Paragraph 9-300. Background General. This section was prepared by CIA in accordance with reference (a) and is provided for information purposes only. It contains general information on safeguarding intelligence information. Intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes. General. National intelligence is under the jurisdiction and control of the DNI, who establishes security policy for the protection of national intelligence and intelligence sources, methods, and activities. In addition to the guidance in this Manual, contractors shall follow IC directives, policy guidance, standards, and specifications for the protection of classified national intelligence and SCI. Contractors are not authorized to further disclose or release classified national intelligence and SCI (including to a subcontractor) without prior written authorization of the originating IC element.

The NISPOM provides much less guidance on protecting national intelligence than previously provided. In this latest change, the NISPOM recognizes the jurisdiction of the Director of National Intelligence and defers to the DNI's requirements. All definitions and guidance are removed, and contractors are advised to follow Intelligence Community guidance and instructions concerning working with intelligence information. Contractors should also request guidance from the originating Intelligence Community element and receive it in writing prior to disclosing or releasing classified intelligence and SCI.

Contractors should closely work with the government contracting agency issuing the contract, the government program office, DNI guidance and instructions, DD Form 254, and security classification guidance to ensure proper handling and protection while working with national intelligence.

This completes the major updates to safeguarding classified information given through the NISPOM Conforming Change 2.

Cleared contractors who need assistance with NISPOM requirements can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, take a look at our print version of the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aide. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.


Friday, October 21, 2016

Summary of Changes in NISPOM Conforming Change 2, Marking Classified Material

In our continuing effort to bring the latest to National Industrial Security Program (NISPOM) contractors, we feel it is important to include articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, "National Industrial Security Program Operating Manual" (NISPOM).

As a reminder, our intent is to address major changes vice administrative updates. Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. Only major changes not otherwise written about in previous articles will be added.

This leads us to today's article: changes to how classification markings are applied. Throughout the article we quote the actual verbiage from the "Summary of Changes" in its original format and edits.

Text in blue represents NISPOM Conforming Change 1 material and text in red is Change 2 material.

This brings us to NISPOM Paragraph 4-208. Markings for Derivatively Classified Documents.

a. CLASSIFIED BY Line. The purpose of the “Classified By” line is to identify the person who applies derivative classification markings for the document. If not otherwise evident, the line will include the agency contractor and, where available, the office of origin will be identified and follow the name and position or personal identifier of the derivative classifier.

This clarifies that the contractor performing derivative classification is identified and not the government agency the contractor supports. This further identification implies a few required steps:
1. The derivative classifier is indeed trained to make such a decision
2. The derivative classifier is responsible for proper classification markings
3. The derivative classifier can be held responsible for content
4. The derivative classifier can be later contacted for further information

The previous NISPOM Conforming Change 1 combined the two topics in subparagraph d; Change 2 assigns the "CLASSIFIED BY" line to subparagraph a and "REASON CLASSIFIED" to subparagraph e. This clarification and separation of requirements further stresses the importance of the contractor's responsibility to understand classification instructions and responsibilities. The instructions should be specifically outlined in the DD Form 254 and the accompanying security classification guide.

Additionally, the persons providing the derivative classification should be authorized to do so. The FSO should document derivative classifier training, those authorized to perform derivative classification, and ensure that cleared employees understand the classified work as required in contracting, programmatic, NISPOM, DD Form 254 and SCG documentation.

d. e. "CLASSIFIED BY" Line and "REASON CLASSIFIED" Line. As a general rule, a "Classified By" line and a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a "Classified By" line to identify the derivative classifier and a "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

e. "REASON CLASSIFIED" Line. As a general rule, a "Reason Classified" line will be shown only on originally classified documents. However, certain agencies may require that derivatively classified documents contain a "Reason Classified" Line to identify the specific reason for the derivative classification. Instructions for the use of these lines will be included in the security classification guidance provided with the contract.

REASON CLASSIFIED should only be applied to originally classified documents. As a rule, cleared defense contractors perform derivative classification when they generate classified material. However, there may be cases where cleared contractors produce originally classified documents. Where derivative classification occurs, contractors should not mark classified information with REASON CLASSIFIED unless required by the SCG.

This administrative update separates the once combined CLASSIFIED BY and REASON CLASSIFIED lines. For clarity, these lines have been provided new sub-paragraph numbers. Though an administrative and clarification update, we will cover this as it supports a major change to Paragraph 4-210b.

Paragraph 4-210b: b. E-mail and other Electronic Messages.
Electronically transmitted messages shall be marked in the same manner required for other documents except as noted. The overall classification of the message shall be the first item of information in the text and shall be displayed at the top and bottom of each message. A "Classified By" line, a "Derived From" line, a "Declassify On" line, and portion markings are required on messages. Certain agencies may also require that messages contain a "Reason Classified" line in order to identify the specific reason for classification, which is carried over from the source document(s) or classification guide. Instructions for the use of such lines will be included in the security classification guidance provided with the contract documents.
4-210b removes the above crossed-out verbiage to make it clear that REASON CLASSIFIED only applies to originally classified material, unless the contractor is otherwise instructed to include it on e-mail and electronic messages that represent derivative classification. The REASON CLASSIFIED line is already addressed in 4-208e.

Paragraph 4-213. Marking Compilations. In some instances, certain information that would otherwise be unclassified when standing alone may require classification when combined or associated with other unclassified information. The determination that information requires classification by compilation will be based on specific guidance regarding compilation provided in a Contract Security Classification Specification or a security classification guide. If specific guidance is absent, the contractor will obtain written guidance from the applicable GCA.
When classification is required to protect a compilation of such information, the overall classification assigned to the compilation shall be conspicuously affixed. The reason for classifying the compilation shall be stated at an appropriate location at or near the beginning of the compilation.

The NISPOM Conforming Change 2 addition to paragraph 4-213 requires a specific source for determining the classification of the compilation. This information should be found in the SCG. For example, the top speed of a vehicle may be unclassified and the fact that the vehicle has good traction in mud may be unclassified. However, providing the top speed through mud might be classified and should be addressed in the SCG. If there is insufficient guidance, the contractor should contact the government program office and get clarification in writing. The contractor should also get guidance on how to treat the information until the program office provides the written guidance.

This completes the major updates to marking classified information given through the NISPOM Conforming Change 2. Next time we will cover safeguarding classified information.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. Additionally, try the Self-Inspection Handbook for NISP Contractors as a training and self-inspection aide. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more. You can purchase our NISPOM training, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.

Have a book ready to publish? Why not contact us? www.redbikepublishing.com/publish-with-us
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Monday, October 10, 2016

NISPOM Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll, and NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete, test-length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.


Try these questions to see how you do:

1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary
b. Storage in steel filing cabinets does not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL
e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA 
c. ISSM
d. FSO
e. DIA

4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO 
c. CSA
d. FBI
e. NSA

Scroll down for answers:

1. CONFIDENTIAL material may be stored the same as higher classification levels EXCEPT:
a. Supplemental controls are not necessary (NISPOM 5-304)
b. Storage in steel filing cabinets does not apply to the October 1 2012 requirement
c. Storage cabinets do not have to be GSA approved
d. None of the above
e. All the above

2. All of the following shall be transferred internationally through the CUSR EXCEPT:
a. NATO SECRET
b. NATO SECRET ATOMAL
c. COSMIC TOP SECRET
d. NATO CONFIDENTIAL (NISPOM 10-713)
e. NATO CONFIDENTIAL ATOMAL

3. It is the responsibility of the _____ to identify TEMPEST requirements.
a. CSA
b. GCA (NISPOM 11-101)
c. ISSM
d. FSO
e. DIA

4. Approval of the _____ is needed before installing supplanting access control devices.
a. CEO
b. FSO (NISPOM 5-312)
c. CSA
d. FBI
e. NSA

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

Friday, September 30, 2016

NISPOM Summary Of Changes-Training


Red Bike Publishing authors are continuously searching for topics of interest for the facility security officer (FSO). Many articles have been free flow while more have reflected how to employ the Self-Inspection Handbook for NISP Contractors. We are about to introduce a new limited series of articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. This series of articles will filter and prioritize the topics to be addressed. Topics that have already been covered in previous articles and simple administrative changes are filtered out and not addressed. Only major changes not otherwise written about in previous articles will be added.

This leads us to today’s article; changes to the Initial Security Briefings and Refresher Training. Pasted below is the actual verbiage in its original format and edits, taken from the Summary of Changes.

Paragraph 3-106 3-107. Initial Security Briefings.

Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
a. A threat awareness security briefing, including insider threat awareness in accordance with paragraph 3-103b of this Manual.

b. A defensive security counterintelligence awareness briefing.

c. An overview of the security classification system.

d. Employee reporting obligations and requirements, including insider threat.

e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual).

f. Security procedures and duties applicable to the employee's job.

3-107 Summary:
This section is now moved to paragraph 3-107; it changes the names of briefings and adds new briefing and training requirements. The FSO should be prepared to conduct a gap analysis of current practices as compared to what is now required. Once analyzed, the FSO should develop a plan to update policies, training, memorandums, and practices to ensure compliance.

3-107 Specifics
3-107a. The threat awareness briefing is now called the threat awareness security briefing. The name change is accompanied by the addition of insider threat awareness. This information is covered in an earlier article that you can read here. All corporate references to threat awareness briefings should be updated to reflect the change, and insider threat awareness should be developed and incorporated into the training or provided as stand-alone training.

3-107b. The defensive security briefing is now called the counterintelligence awareness briefing. The name has changed, but no new training requirement is detailed other than the administrative name change.

3-107c. No change.

3-107d. This sub paragraph adds an insider threat reporting requirement as addressed in the earlier article. Insider threat reporting is required for the insider threat program and as a sub element of insider threat awareness.

3-107e. This is a new sub paragraph that requires initial and annual refresher cybersecurity awareness training for all authorized IS users (whether or not classified systems). According to 8-101c, the cybersecurity awareness requirement is:

…all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP. The contractor will determine the appropriate content of the security training taking into consideration, assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access.

The contractor can design and determine the content. The content should include the topics of protecting access to the IS, protecting the content of the IS, recognizing attempts to gain unauthorized access to the IS, phishing, hacking, and other known adversary methods, countermeasures to protect the IS, and so on.

Many training resources address the following IS user responsibilities as described in NISPOM Paragraph 8-103c:

Employee users with access to IS should be trained to comply with the following requirements:
(1) Comply with the ISs security program requirements as part of their responsibilities for the protection of ISs and classified information.
(2) Be accountable for their actions on an IS.
(3) Not share any authentication mechanisms (including passwords) issued for the control of their access to an IS.
(4) Protect authentication mechanisms at the highest classification level and most restrictive classification category of information to which the mechanisms permit access.
(5) Be subject to monitoring of their activity on any classified network and the results of such monitoring could be used against them in a criminal, security, or administrative proceeding.

Additionally, there are many resources available for those who do not have the means to develop their own cybersecurity training. The DoD has an excellent training site available for CAC and non-CAC users at https://ia.signal.army.mil/login.asp.

3-107f. This is formerly sub paragraph e; there are no new requirements.

Paragraph 3-107 3-108. Refresher Training. The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations. See paragraph 8-103c of chapter 8 of this Manual for the requirement for IS security refresher training. Training methods may include group briefings, interactive videos, dissemination of instructional materials, or other media and methods. Contractors shall maintain records about the programs offered and employee participation in them. This requirement may be satisfied by use of distribution lists, facility/department-wide newsletters, or other means acceptable to the FSO.

3-108 Summary: This paragraph is renumbered to 3-108 and adds the IS Security Refresher Training requirement to the refresher training.

3-108 Specifics: A quick look at the manual reveals that 8-103c does not describe IS Security Refresher training, but it does address user responsibilities. We feel that paragraph 3-107e describes the initial training and should be sufficient for refresher training. The refresher training can also consist of topics found in 8-103c to ensure coverage of employee responsibilities while using IS. The same resources cited earlier can be used for the cybersecurity refresher training.

Application
As written earlier, the FSO should perform a gap analysis of current practices vs. required practices. Once analyzed, the FSO should develop a plan to update policies, training, memorandums, practices and reference materials to ensure compliance.

Administrative Changes: This analysis should involve not only processes and procedures, but also reference materials. For example, if training cites the Refresher Training requirement as Paragraph 3-107 and it is now 3-108, the reference material should be updated. Though this article does not address the administrative changes and paragraph realignments, the FSO should update policies, procedures, instructions, training, and so on that make specific references to the NISPOM. Where the references now differ (i.e. paragraph 3-107 is now 3-108) the referring material should be updated to reflect the changes.

New requirements: Where new training, policies or procedures are required, the FSO should ensure these are integrated into current practices. If processes and procedures are no longer required, they should be removed.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more that they can purchase, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.