Friday, September 30, 2016

NISPOM Summary Of Changes-Training


Red Bike Publishing authors are continuously searching for topics of interest to the facility security officer (FSO). Many articles have been free-form, while more have shown how to employ the Self-Inspection Handbook for NISP Contractors. We are about to introduce a new limited series of articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).

Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. This series of articles will filter and prioritize the topics to be addressed. Topics that have already been covered in previous articles and simple administrative changes are filtered out and not addressed. Only major changes not otherwise written about in previous articles will be added.

This leads us to today’s article: changes to the Initial Security Briefings and Refresher Training. Pasted below is the actual verbiage in its original format and edits, taken from the Summary of Changes.

Paragraph 3-106 3-107. Initial Security Briefings.

Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:

a. A threat awareness security briefing, including insider threat awareness in accordance with paragraph 3-103b of this Manual.

b. A defensive security counterintelligence awareness briefing.

c. An overview of the security classification system.

d. Employee reporting obligations and requirements, including insider threat.

e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual).

f. Security procedures and duties applicable to the employee's job.

3-107 Summary:
This section is now moved to paragraph 3-107; it changes the names of briefings and adds new briefing and training requirements. The FSO should be prepared to conduct a gap analysis of current practices as compared to what is now required. Once analyzed, the FSO should develop a plan to update policies, training, memorandums, and practices to ensure compliance.

3-107 Specifics
3-107a. The threat awareness briefing is now called the threat awareness security briefing. The name change is noted with the addition of insider threat awareness. This information is covered in an earlier article that you can read here. All corporate references to threat awareness briefings should be updated to reflect the change, and insider threat awareness should be developed and incorporated into the training or provided as stand-alone training.

3-107b. The defensive security briefing is now called the counterintelligence awareness briefing. The name has changed, but no new training requirement is detailed other than the administrative name change.

3-107c. No change.

3-107d. This subparagraph adds an insider threat reporting requirement, as addressed in the earlier article. Insider threat reporting is required for the insider threat program and as a sub-element of insider threat awareness.

3-107e. This is a new subparagraph that requires initial and annual refresher cybersecurity awareness training for all authorized IS users (whether or not the systems are classified). According to 8-101c, the cybersecurity awareness requirement is:

…all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP. The contractor will determine the appropriate content of the security training taking into consideration, assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access.

The contractor can design and determine the content. The content should include the topics of protecting access to the IS, protecting the content of the IS, recognizing attempts to gain unauthorized access to the IS (phishing, hacking, and other known adversary methods), countermeasures to protect the IS, and so on.

Many training resources address the following IS user responsibilities as described in NISPOM Paragraph 8-103c:

Employee users with access to IS should be trained to comply with the following requirements:

(1) Comply with the ISs security program requirements as part of their responsibilities for the protection of ISs and classified information.
(2) Be accountable for their actions on an IS.
(3) Not share any authentication mechanisms (including passwords) issued for the control of their access to an IS.
(4) Protect authentication mechanisms at the highest classification level and most restrictive classification category of information to which the mechanisms permit access.
(5) Be subject to monitoring of their activity on any classified network and the results of such monitoring could be used against them in a criminal, security, or administrative proceeding.

Additionally, there are many resources available for those who do not have the means to develop their own cybersecurity training. The DoD has an excellent training site available for CAC and non-CAC users at https://ia.signal.army.mil/login.asp.


3-107f. This was formerly subparagraph e; there are no new requirements.

Paragraph 3-107 3-108. Refresher Training. The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations. See paragraph 8-103c of chapter 8 of this Manual for the requirement for IS security refresher training. Training methods may include group briefings, interactive videos, dissemination of instructional materials, or other media and methods. Contractors shall maintain records about the programs offered and employee participation in them. This requirement may be satisfied by use of distribution lists, facility/department-wide newsletters, or other means acceptable to the FSO.

3-108 Summary: This paragraph is renumbered to 3-108 and adds the IS Security Refresher Training requirement to the refresher training.

3-108 Specifics: A quick look at the manual reveals that 8-103c does not describe IS security refresher training, but it does address user responsibilities. We feel that paragraph 3-107e describes the initial training and should be sufficient for refresher training. The refresher training can also consist of topics found in 8-103c to ensure coverage of employee responsibilities while using IS. The same resources cited earlier can be used for the cybersecurity refresher training.

Application
As written earlier, the FSO should perform a gap analysis of current practices vs. required practices. Once analyzed, the FSO should develop a plan to update policies, training, memorandums, practices and reference materials to ensure compliance.

Administrative Changes: This analysis should involve not only processes and procedures, but also reference materials. For example, if training cites the refresher training requirement as paragraph 3-107 and it is now 3-108, the reference material should be updated. Though this article does not address the administrative changes and paragraph realignments, the FSO should update policies, procedures, instructions, training, and any other documents that make specific references to the NISPOM. Where the references now differ (e.g., paragraph 3-107 is now 3-108), the referring material should be updated to reflect the changes.

New requirements: Where new training, policies or procedures are required, the FSO should ensure these are integrated into current practices. If processes and procedures are no longer required, they should be removed.

FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more that they can purchase, download and present to cleared employees. The presenter can read the notes word for word or edit them to provide a tailored briefing appropriate for their organization.

Friday, September 23, 2016

Appointing the Insider Threat Program Senior Official (ITPSO)


This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP).  As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

Question:

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?

NISPOM Reference: 1-202b, 1-202c, 2-104

1-202b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. This Insider Threat Program Senior Official may also serve as the FSO. If the designated senior official is not also the FSO, the contractor’s Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor’s implementation program for an insider threat program.

1-202c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.

2-104 PCLs Required in Connection with the FCL. The senior management official, the FSO and the Insider Threat Program Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.

Discussion:

The best method for ensuring compliance is to begin the Insider Threat Program with the appointment of an Insider Threat Program Senior Official. This appointment can be executed on corporate letterhead and signed by the authority responsible for approving such actions.

The appointed individual could be the FSO; if not the FSO, the program should include the FSO, as the primary purpose of the ITP is to address the threat to national security. Who better to include than the person responsible for the security program that protects national security information?

The qualifications of the ITPSO follow:
  • U.S. citizen
  • Employee
  • Senior official
  • Security Clearance at the same level as the facility clearance to establish and execute an insider threat program

If the FSO is not the designated official, the FSO must be an integral member of the program.

The appointment letter can be a simple paragraph stating the following, as provided by the CDSE in their Sample Insider Threat Program Plan:

_(ITPSO Name)_______ is designated as the Insider Threat Program Senior Official (ITPSO) for __(Company Name)_. As such, the ITPSO will lead the effort to establish policy and assign responsibilities for the Insider Threat Program (ITP). The ITPSO will lead the ITP as they seek to establish a secure operating environment for personnel, facilities, information, equipment, networks, or systems from insider threats.

The ITP applies to all staff offices, regions, and personnel with access to any government or contractor resources to include personnel, facilities, information, equipment, networks, or systems.

The ITPSO is responsible for daily operations, management, and ensuring compliance with the minimum standards derived from Change 2 to DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).”

Cleared contractors under the NISP should take time to review the NISPOM and the questions in The Handbook for further guidance on the ITP. The ultimate goal is to assign an ITPSO who will lead a team of trained ITP personnel to implement an effective insider threat program. The program begins with a plan, and that plan begins with the designation of the ITPSO and documenting the activity in writing.

EVIDENCE: Name of Senior Official in writing

Validation:
Provide a copy of the ITPSO appointment memorandum.

For insider threat awareness training and security awareness training, visit our page at http://www.redbikepublishing.com/training/



Monday, September 12, 2016

ISP Certification Questions


Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll; NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on the NISPOM. It could help you pass the ISP and SPeD certification exams.
Try these questions to see how you do:

1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor
d. Host installation



Scroll down for answers:


1. Which response force could the CSA approve as a last resort?
a. Cleared contractor employees (NISPOM 5-906d)
b. Subcontracted guard force
c. Military police
d. Civil police
e. Proprietary security force

2. Need to know is generally based on:
a. Level of clearance
b. Block 13 of DD Form 254
c. Security Classification Guide
d. Contractual relationship (NISPOM 6-102)
e. As determined by CSA

3. Who has security oversight of contract employees who are long term visitors at government installations?
a. GCA
b. CSA
c. Contractor (NISPOM 6-105c)
d. Host installation


According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, and NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

Friday, September 9, 2016

In Depth Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

This is the second article under the topic of Insider Threat Training. The earlier article addressed the requirement to train, who to train, and when. This article addresses what to train.

NISPOM 3-103b states: All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.

Specific Application:
Question: Does your training align with the requirements outlined in NISPOM 3-103 and CSA guidance?

This is a specific question to determine how well the NISP contractor has developed, documented, and presented insider threat training to complement the Insider Threat Program (ITP) and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Let’s break down NISPOM Chapter 3-103b into its basic requirements. This will allow us to develop specific training plans to address the topics.

Importance of detecting potential insider threats by cleared employees and reporting suspected activity
Report all viable suspicious activity. First, NISP employees should recognize reportable activity and know how to report it. The NISP organization should be able to demonstrate a reporting process that emphasizes the importance of recognizing, reporting and reacting to insider threat activity. This process should be well documented, taught to employees and readily available for inspections and reviews. It should be tailored to the enterprise’s internal policies.

Methodology of adversaries to recruit trusted insiders

There are many methods an adversary can use to target and engage authorized and trusted employees. Some methods adversaries have used to get sensitive information include:

  • Elicitation: a subtle form of questioning in which conversation is directed to collect information; it is different from direct questioning and harder to recognize.
  • Eavesdropping: listening in on conversations to get information.
  • Surveillance: watching a target unobserved and looking for exploitation opportunities.
  • Theft: stealing classified information.
      ◦ There is a technology gap in many weapons systems where the US leads. The best way for an adversary to close that gap is to steal information from or sabotage US efforts.
      ◦ Acquiring information circumvents the research and development requirement. While R&D is an expensive effort, stealing R&D information is an attractive option.
  • Interception: acquiring classified information as it is transmitted (oral, electronic, hand delivery) to the authorized receiver.
  • Sabotage: destroying, interrupting or corrupting. It is accomplished through cyber-attacks, insider manipulation, and destructive activities.

Indicators of insider threat behaviors and procedures to report

Cleared employees should understand how to work with, store and protect classified information, regardless of type. As a result of good security awareness training, there is an expectation placed upon these cleared employees that they will treat classified information per NISPOM requirements. Employees disregarding procedures should be noted and reported. Here are some indicators:
  • Keeping classified materials in an unauthorized location
  • Attempting to access sensitive information without authorization
  • Obtaining access to sensitive information inconsistent with present duty requirements
  • Using an unclassified medium to transmit classified materials
  • Discussing classified materials on a non-secure telephone
  • Removing classification markings from documents
  • Repeated or un-required work outside of normal duty hours
  • Sudden reversal of financial situation or a sudden repayment of large debts or loans
  • Attempting to conceal foreign travel
  • Failure to report overseas travel or contact with foreign nationals
  • Seeking to gain higher clearance or expand access outside the job scope
  • Engaging in classified conversations without a need to know
  • Working hours inconsistent with job assignment or insistence on working in private

The above are but a few indicators contrary to good security policy. Anyone displaying this activity should be reported as soon as possible.

Counterintelligence and security reporting requirements, as applicable

The 13 adjudicative guidelines used to evaluate an employee’s trustworthiness should also be used for continuous evaluation. Any employee displaying behavior that is contrary to the guidelines must be reported when that information constitutes adverse information.

Incidents that constitute suspicious contacts must be reported, and incidents concerning actual, probable or possible espionage, sabotage, terrorism or subversive activities at any of a NISP contractor’s locations must be reported to the Federal Bureau of Investigation with a copy to the CSA.

Here are some specific examples of what should be reported. We recommend having a process in place to first notify the Facility Security Officer (FSO) (unless the FSO is the subject of the concern) so that the FSO can notify DSS and, where required, the FBI. Events or behavior that change:
  • The status of the facility clearance
  • The status of an employee’s personnel security clearance

Events or behavior that indicate:
  • An employee poses a potential insider threat
  • Inability to safeguard classified information
  • Classified information has been lost or compromised

Once a NISP contractor has developed insider threat training as described above, it should be included in the self-inspection. The Self-Inspection Handbook has a section entirely devoted to the Insider Threat and required training. Implementing the training and measuring effectiveness can be evidenced in the questions below (also from the handbook).

EVIDENCE:
  • Explain how and when this requirement is fulfilled for new employees
  • Explain and provide annual training
  • Explain how you keep a record of employees’ insider threat training
  • Can you recall any of the following being addressed in briefings?
      ◦ Risk Management
      ◦ Job Specific Security Brief
      ◦ Public Release
      ◦ Safeguarding Responsibilities
      ◦ Adverse Information
      ◦ Cybersecurity
      ◦ Counterintelligence Awareness
      ◦ Insider Threat


How does your company verify that all cleared employees have completed the required insider threat awareness training, per NISPOM 3-103b and documented as in NISPOM 3-103c?

3-103c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is easy enough to demonstrate. Save a copy of the training and the sign-in sheets.

Validation:

1. Provide a copy of insider threat training that is either stand alone or is incorporated into existing training plans.
2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.
3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.
4. Ask cleared employees the following questions and document their responses:
   a. Who is an insider?
   b. What is an insider threat?
   c. How do you report an insider threat?
   d. How might a cleared employee demonstrate adverse behavior?
   e. Who is in charge of the Insider Threat Program?
   f. Name two methods an adversary might use to recruit an “insider”.


For more information, consider visiting our website at www.redbikepublishing.com. You can find industrial security themed books such as NISPOM, ITAR, Security Clearance and Contracts Guidebook; NISPOM based training presentations including insider threat training that you can download and present. For questions, you can email us at FSO@redbikepublishing.com.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, September 8, 2016

Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP).  As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

The current series of articles will be temporarily reset while the author considers the new self-inspection guidelines and requirements, especially as addressed in section (Y) Insider Threat.

A cleared contractor under the NISP is required to establish an Insider Threat Program (ITP); this ITP will be reviewed by the cognizant security agency (CSA) (the Defense Security Service is the CSA for the Department of Defense). The ITP is emphasized in the Self-Inspection Handbook and NISPOM:

These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the Insider Threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy. [1-207b, 1-207b(1) NISPOM]

While the NISPOM requires all participants in the NISP to conduct their own self-inspections, to include an insider threat self-assessment, the Self-Inspection Handbook is designed as a job aid to assist with developing a viable self-inspection program. This article focuses on how NISP participants can tailor the NISPOM requirements and Self-Inspection Handbook questions for their own organizations.

For the purpose of this article series, we’ll address the questions per the spirit of the Self-Inspection Handbook; first generally, then later with specific questions as the handbook leads.

General Application:

Question: Does your company implement insider threat training as outlined in NISPOM 3-103 and CSA guidance?

NISPOM 3-103 states:
Insider Threat Program Senior Official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training that the CSA considers appropriate.
a. Contractor insider threat program personnel, including the contractor designated Insider Threat Program Senior Official, must be trained in:
(1) Counterintelligence and security fundamentals, including applicable legal issues.
(2) Procedures for conducting insider threat response actions.
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is a broad question demonstrating the requirement that the company develop, document, and present insider threat training to complement the ITP and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Did you get that? Not only is it required annually, but it must be provided as initial security training as well. A further analysis of the training requirements suggests that the insider threat awareness and annual refresher address the same issues; it’s just repackaged. As such, a NISP contractor’s initial security briefing and annual refresher should be repackaged to demonstrate the requirements. Either the insider threat topic is added, or it is incorporated into existing training programs.

  • Requirements PRIOR to the recent changes to NISPOM:
      ◦ The FSO provided initial security training and annual refresher training
      ◦ The holder of classified information validated an employee’s access (clearance level) and need to know.

  • Requirements AFTER the NISPOM updates:
      ◦ The FSO demonstrates that cleared employees have completed ITP awareness training before being granted access to classified information, and annually thereafter.

Contractors under the NISP should develop and implement initial and annual refresher insider threat training for all cleared employees.
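One way to turn the 3-103b rule (initial training before access, then annually) and the 3-103c record requirement into a repeatable self-inspection check, as an added Python example that is not from the Handbook, the NISPOM or Red Bike Publishing. The roster names and dates are constructed, and reading "annually" as no more than 365 days between completions is an assumption.

```python
"""Self-inspection check of insider threat training records against
NISPOM 3-103b (initial training before access, annually thereafter)
and 3-103c (a record of every cleared employee's completions).
Added example; all roster data below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# "Annually thereafter" read as no more than 365 days between
# completions (an assumption; the manual states no day count).
ANNUAL_WINDOW = timedelta(days=365)


@dataclass
class ClearedEmployee:
    name: str
    access_granted: Optional[date]            # None: access not yet granted
    training_dates: List[date] = field(default_factory=list)


def check_employee(emp: ClearedEmployee, as_of: date) -> List[str]:
    """Return the findings for one employee; an empty list means compliant."""
    findings: List[str] = []
    completions = sorted(emp.training_dates)

    # 3-103c: the contractor must hold a completion record.
    if not completions:
        findings.append("no insider threat training on record (3-103c)")
        return findings

    # Before access is granted only the record is required; the
    # initial-training and refresher clocks start at access.
    if emp.access_granted is None:
        return findings

    # 3-103b: the first completion must be on or before the access date.
    initial = [d for d in completions if d <= emp.access_granted]
    if not initial:
        findings.append(
            f"access granted {emp.access_granted} before first training "
            f"{completions[0]} (3-103b initial)")

    # 3-103b: no gap over 365 days between successive completions after
    # the qualifying initial training, and the latest one still current.
    prev = max(initial) if initial else completions[0]
    for d in completions:
        if d <= prev:
            continue
        gap = d - prev
        if gap > ANNUAL_WINDOW:
            findings.append(
                f"{gap.days}-day gap between {prev} and {d} (3-103b annual)")
        prev = d
    overdue = as_of - prev
    if overdue > ANNUAL_WINDOW:
        findings.append(
            f"refresher overdue: last completion {prev}, "
            f"{overdue.days} days ago (3-103b annual)")
    return findings


def self_inspect(roster: List[ClearedEmployee], as_of: date) -> Dict[str, List[str]]:
    """Map each employee name to its findings; this is the evidence an FSO files."""
    return {emp.name: check_employee(emp, as_of) for emp in roster}


def out_of_compliance(report: Dict[str, List[str]]) -> List[str]:
    """Names needing corrective action, sorted for the inspection write-up."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample roster (fictional names and dates).
AS_OF = date(2016, 9, 30)
SAMPLE_ROSTER = [
    ClearedEmployee("Alvarez", date(2015, 3, 2), [date(2015, 2, 27), date(2016, 2, 15)]),
    ClearedEmployee("Brooks", date(2016, 1, 11), [date(2016, 1, 20)]),
    ClearedEmployee("Chen", date(2014, 6, 2), [date(2014, 5, 30), date(2015, 5, 20)]),
    ClearedEmployee("Dubois", date(2016, 8, 1), []),
    ClearedEmployee("Evans", None, [date(2016, 9, 12)]),
    ClearedEmployee("Foster", date(2015, 1, 5), [date(2015, 1, 1), date(2016, 1, 10)]),
]

if __name__ == "__main__":
    report = self_inspect(SAMPLE_ROSTER, AS_OF)
    for name in out_of_compliance(report):
        for finding in report[name]:
            print(f"{name}: {finding}")
```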

Validation:

1. Provide a copy of insider threat training that is either stand alone or is incorporated into existing training plans.

2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.

3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.


If your company needs insider threat training, consider purchasing, downloading, and presenting our Insider Threat Training presentation. It's designed with notes that you can read word for word or tailor for your enterprise.