Friday, January 20, 2017

Insider Threat Program Results


The first part of the template outlines the purpose and policies and demonstrates that the contractor understands the ITP requirements. The organization identifies itself by name and lists the responsibilities of the ITP and the positions within that organization. The remainder of the plan should spell out the ITP logistics:

A. Written designation of ITPSO.

B. The ITPSO responsibilities as addressed in NISPOM Change 2. Responsibilities include:
·         Self-certify the Insider Threat Program Plan in writing to DSS (Suspense has passed).
·         Provide copies of the Insider Threat Plan upon request and will make the plan available to the DSS.
·         Establish an Insider Threat Program based on the organization’s size and operations.
·         Provide Insider Threat training for Insider Threat Program personnel and awareness for cleared employees.
·         Demonstrate user activity monitoring on classified information systems in order to detect activity indicative of insider threat behavior.
·         Produce procedures to access, gather, integrate, and provide for reporting of relevant and credible adverse information across the contractor.
·         Demonstrate system or process to identify patterns of negligence or carelessness in handling classified information.
·         Conduct and document self-inspections of the Insider Threat Program.
·         Oversee the collection, analysis, and reporting of information across the company to support the identification and assessment of insider threats.
·         Provide proof of implementing and documenting all ITP assessments and reports to the Senior Management.

C. Insider Threat Training.
·         Provide documentation of ITPSO Training completed by November 30, 2016 and, for a recently appointed ITPSO, within 30 days of being assigned responsibilities.
·         ITP Personnel Training.
o   Provide training to all contractor personnel assigned ITP duties within 30 days of being assigned those duties, and refresher training each year as long as they continue to serve.
o   Provide insider threat awareness training to all cleared employees before being granted access to classified information, prior to May 31, 2017, and each year as long as they maintain their clearance.
o   Incorporate Insider Threat Awareness into annual refresher training.

D. Insider Threat Training Records Management.
·      Maintain training attendance records, certificates, or other documentation that verify completed initial and refresher training for review during DSS security vulnerability assessments.

E.  Insider Threat Reporting Requirements. Develop reporting requirements that capture:
·         Adverse information regarding cleared employees.
·         Suspicious contacts.
·         Actual, probable or possible espionage, sabotage, terrorism, or subversive activities at any of its locations.
·         Information determined to be any possible or potential successful penetration of a classified information system.


You may notice that the above summarization follows the DSS Template, the requirements in NISPOM Change 2, the pattern in the Self-Inspection Handbook for NISP Contractors, and other resources. Though not required in a particular format, the information DSS is looking for remains consistent. Using the above format may suffice with proper documentation of compliance. Refer to the strategically placed hyperlinks for NISPOM, publications, and downloadable training that can help meet NISPOM and DSS requirements.

Sunday, January 15, 2017

NISPOM Questions

Get your copy @ www.redbikepublishing.com



If you are serious about advancing in your field, get ISP certified. Some are reluctant to take the test, but they just need the confidence earned through practice. Here's a way to get 440 practice questions.

First, to meet minimum test requirements an applicant should have five years' experience working in the NISPOM environment. If that’s you, then you are a technical expert and know the business of protecting classified information.

Second, study the NISPOM and use sample questions to practice, practice, and practice. It can help you prepare for the test. Using practice tests to augment your ISP exam preparation can help. According to reader comments and emails to the author, many who have bought our book, NISPOM flashcards, and ISP Test Tips to augment their preparation have performed very well on the exam.

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll; NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

Try these questions to see how you do:

1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

d. KMPs and all security personnel

e. All the above

Scroll Down For Answers

1. Violations of export control regulations subjecting classified information to possible compromise by foreign nationals shall be reported to the:

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. When sending a report for changes in cleared KMPs, what information must be included:

a. Level of clearance and when cleared; date and place of birth; social security numbers; citizenship; status of exclusion from access

b. Special accesses; citizenship; date of employment; date of birth and current address; date of facility clearance

c. Date of employment; clearance level and date; citizenship; social security number; status of exclusion from access

d. Special accesses; date and place of birth; social security number; date of employment; status of exclusion from access

e. Special access, level of clearance, citizenship

3. Which entities must be cleared to the same access level as the FCL?

a. Senior management official and KMPs

b. FSO and KMP’s

c. FSO and senior management official

e. All the above


So how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.



Preventing OPM-Like Sensitive Information Spillages

In September 2016, the Committee on Oversight and Government Reform, U.S. House of Representatives, 114th Congress finally released what we’ve all been waiting for, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Wow, about time.

In a recent CSO Online article, The OPM breach report: A long Time Coming, Taylor Armerding summarizes the congressional report and the national frustration with the entire fiasco. In fact, both the report and article titles pretty much sum up how America feels about the Chinese exfiltration of personal data.

If you want to know the details of the event, please read the article and report as both are fascinating. They explain very well how this incident will impact security cleared US citizens for generations, literally.

Readers in our career field (those of you reading this article) who are Facility Security Officers for cleared defense contractors, government employees, or other security practitioners under the National Industrial Security Program (NISP) may experience frustrations beyond those shared in the referenced report and article.

Frustrations expressed from other sources:


“My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”---James Comey, Director of the FBI

“(The SF-86) gives you any kind of information that might be a threat to (the employee’s) security clearance.”---Jeff Neal, Former DHS official

Frustrations not nationally expressed:

The additional frustration is grounded in the fact that the Office of Personnel Management conducts security investigations, collects very personal information from interviews and reports, contracts investigators who communicate the information, and stores the information. The data collected on each person, and the compilation of that information, warrants a robust security policy to protect personally identifiable information.

Keep in mind, OPM is one of the agencies that require industry to undertake intense security training in protecting PII, practicing cybersecurity, reporting security violations, detecting and denying insider threats, and so on. While cleared defense contractors are complying with training requirements, undergoing security reviews, demonstrating security programs to protect classified information on information systems, and complying with DFARS requirements concerning computer networks, OPM was negligent in practicing what it preached.

The report lists OPM's failures to protect the network and sensitive information and its slow reaction to both the attack and the reporting requirements. Additionally, while contractors are required to investigate security violations, determine cause, and, as necessary, take disciplinary action, no one has been fired as a result.

Imagine what would happen if a defense contractor's network was hacked and the following information was exfiltrated:

Employee information including:
·         Current and past addresses
·         Security violations
·         Mental health counseling
·         Alcohol and drug dependency
·         Marital problems
·         Credit history

Get the picture? The employees would sue and the oversight agencies would review and report circumstances. Chances are that the responsible parties would be terminated.

According to the report, the cyberattack issue was detectable, preventable, and actionable, but OPM failed on all three.

Lesson for FSOs and security practitioners
Become cyber-aware…become involved in cybersecurity. It’s not necessary to become an expert, just to understand. Many FSOs are great at the physical security requirements for PII, classified information, export controlled and other tangible items requiring clearance and / or need-to-know enforcement. It’s not too much of a leap to relate physical security requirements to the protection of information on networks or stand-alone computers.

Our profession has to become more involved in cybersecurity beyond advising “don’t open attachments”, “only conduct company business on the computer”, and the standard slogan-heavy, bumper-sticker language. FSOs should become informed about how to respond to different threat categories and access points and provide cutting edge security awareness and security refresher training.

Applying the knowledgeable security focus:
Read, learn, and discuss with IT and network professionals the importance of programs to deny, deter, detect, observe, and report cyberattacks. Here are some physical security fundamentals that can be applied for immediate cybersecurity action.
Though the reader may not be an expert, they can form a team from IT and all business units to accomplish the task. This is the same exercise physical security and loss prevention practitioners use, or at least should:

Determine what needs to be protected

Identify sensitive information on the enterprise network. Every business unit has a piece in the puzzle; program managers, accounting, personnel, contracts, etc.  Involve all aspects of the enterprise in the exercise.

Determine where the information exists

Is the information on an internal or external network? Which one(s)? On a standalone computer? Document all locations.

Determine who needs access to the information

Limit access to the networks, folders or locations based on who is authorized to use it.
Do program managers need financial information related to other contracts? Does the CFO need intimate software development details? If yes, ensure they have access; if not, deny access.

Determine threats to the information

The obvious threats are trusted employees and external hackers. These categories are the bare minimum necessary for cataloging the threat. Ask: how can the internal threat access the information? How can the external hacker access the information?

So far so good, right? Well, it becomes more technical from here, and this is where you might need an advisor, consultant or other help.

Determine how to deny, detect, report, and monitor systems for cyberattacks.
This requires skill to buy the right technology or hire the right employees.

Document all actions and provide report to senior management.
Programs do not live long without senior management buy-in. Since we recommend forming a team, use the team concept to develop and maintain momentum. Provide recommendations to the key management personnel, get approval, and have them champion the program to senior management. Change management may be in order.
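The determinations above (what to protect, where it exists, who needs access) and the final reporting step, as an added example that is not part of the original article: a small Python audit that records the documented inventory and need-to-know authorizations, compares them with the access actually granted on each location, and produces findings for senior management. Asset names, share paths, roles and grants are constructed for illustration.

```python
# Added example, not from the original post. A need-to-know audit that follows
# the article's steps: inventory what must be protected and where it lives,
# record who is authorized to it, then flag grants with no documented need to
# know and assets whose location was never documented. All data is constructed.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str               # what needs to be protected
    locations: list         # where it exists (shares, standalone hosts)
    authorized_roles: set   # who needs access


# Steps 1-3: the inventory the team documents (constructed sample data).
INVENTORY = [
    Asset("employee PII (addresses, credit history)", ["//hr-srv/personnel"], {"HR", "FSO"}),
    Asset("contract financials", ["//fin-srv/contracts"], {"CFO", "Accounting"}),
    Asset("software development details", ["//eng-srv/src", "standalone-lab-01"], {"Engineering"}),
    Asset("security violation records", [], {"FSO"}),   # location never documented
]

# Access actually granted today (constructed): location -> roles with access.
GRANTED = {
    "//hr-srv/personnel": {"HR", "FSO", "Program Managers"},
    "//fin-srv/contracts": {"CFO", "Accounting", "Program Managers"},
    "//eng-srv/src": {"Engineering", "CFO"},
    "standalone-lab-01": {"Engineering"},
}


def audit(inventory, granted):
    """Return (kind, asset, detail) findings: undocumented locations and
    roles granted access without a documented need to know."""
    findings = []
    for asset in inventory:
        if not asset.locations:
            findings.append(("undocumented-location", asset.name, None))
        for loc in asset.locations:
            excess = granted.get(loc, set()) - asset.authorized_roles
            for role in sorted(excess):
                findings.append(("excess-access", asset.name, f"{role} @ {loc}"))
    return findings


def report(findings):
    """Plain-text summary of the findings to take to senior management."""
    lines = [f"{kind}: {asset}" + (f" ({detail})" if detail else "")
             for kind, asset, detail in findings]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(audit(INVENTORY, GRANTED)))
```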

Hopefully, this article provides thought provoking and imagination stoking ideas to help develop a security system that includes cyber considerations. The referenced report demonstrates and quantifies an active adversary with a demonstrated history of attacking high level government agencies, as well as the poor action of those responsible for preventing access to sensitive information. None are immune, but all are responsible. Our profession exists in the defense industry. Our national security depends on doing everything we can to be aware of, train for, and respond appropriately to all threats.