Saturday, January 27, 2018

Printers and Copy Machines are Information Systems

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

Contractors depend heavily on reproducing, printing, or otherwise providing hard copy documents as contract deliverables or work products. Printers, copiers, and fax machines now have memory storage and are more information systems by nature than just “copy machines”. The NISPOM has been updated to address how to use and categorize equipment with storage capability.

Question:
Does the equipment used for classified reproduction have any sort of memory capability? If yes, the equipment may require accreditation as an Information System (IS).

Answer: 
The concern is that unless a copier with storage capability is treated as an Information System classified information residing in the storage could be at risk if improperly disposed of. According to the Self-Inspection Handbook for NISP Contractors, any reproduction device that has memory storage may have to be accredited as an Information System.
In many classified environments, hundreds of thousands of pages of reports are printed to meet contractual requirements in the printer's lifetime. Test data, program presentations, critical design reviews, statements of work, period of performance reports, are but a few sensitive documents subject to reproduction. These days, date is commanded to be sent from the drive of one classified computer to the printer, copy machine, or fax machine only to be stored on their drive. Over the years, this information can collate into quite a voluminous library of intimate programmatic details. The good news is that it is protected inside of a classified environment and many facility security officers understand very well how to protect classified information systems.

However, for the uninitiated, a little more training may be required. The understanding that a printer is simply an intellectually dumb machine passively making copies is what the Defense Security Services is attempting to impact. Some are familiar with tales of investigative journalists procuring recycled copy machines and printers only to access the hard drives. Years of sensitive government and personal information were surprisingly revealed as a demonstration of just how foolish it was to recycle these machines without destroying for wiping the hard drives.

Any machine that processes classified information and has storage or memory capability should be considered an information system and therefore accredited prior to use. The accredited system and components will now come under more scrutiny and accountability to prevent improper disposition.


Validation:
Inspect and inventory all printers, copiers, fax machines and other office equipment that process classified and sensitive information.
Review accredited IS against the inventory of office equipment and ensure qualifying systems and components are included in the accreditation.
Develop a plan that identifies and demonstrate future disposition of items no longer required (destruction, recycling, etc.)

Ensure cleared employees understand the information system requirements through training and briefings.

For more security ideas, training, and books, visit www.redbikepublishing.com

Wednesday, January 10, 2018

Debt and Your Security Clearance

Debt and Your Security Clearance

By: Jeffrey W. Bennett, SAPPC, ISP
Bad decisions affect the ability to get a security clearance. When it comes to financial mistakes, those bad decisions can linger for years to come. There are many life situations that can cause debt, that are of not fault of the debtor. Some of these situations include military deployment, relying on others to manage finances, finicky housing markets, and bad investments. Those who suffered under massive debt after the housing market burst asked, “How will my bankruptcy impact my clearance?” A quick study of security clearance decisions can provide an answer.
Adjudicative Guideline F; Financial addresses when a person lives above their means or fails to pay debts. They could exhibit poor self-control, lack of good judgement, or just show lack of willingness to follow to rules and regulations. This behavior raises questions about loyalty, reliability, and ability to protect classified information. Here are five specific examples of financial issues resulting in clearance denial or revocation.

I Just Don’t Pay Taxes

Applicant’s debts include failing to pay federal and state taxes and required child support. The unpaid taxes were incurred when the applicant failed to file income tax returns in a timely fashion for many years.
Though the applicant states he is trying to pay debts, he could not provide evidence of responsible behavior, nor could he provide copies of signed tax returns. Additionally, though he has agreed to repay his federal tax debt he has not provided evidence that he is in compliance with the plan. Clearance denied.

Multiple Deployments to a Combat Zone

An applicant owed thousands to the federal government for several years of unpaid taxes. Though the federal tax payments were deferred while he served, the state taxes were not. Though he claims to have paid his debt, he couldn’t show proof. Additionally, he and his wife chose to pay their children’s college tuition instead of the tax debt.
The applicant was denied a security clearance because of his bad decision to prioritize other payments above his obligation to the taxes he owed.

The Housing Bubble Popped

The applicant had almost a million dollars in delinquent debts that he attributed to the housing market crash. Though he owned several pieces of property they were valued lower than when he purchased them.
The applicant filed bankruptcy, but then decided to cancel and sold a house to pay off some of his debts. His debts include time share accounts, a home equity loan, and credit cards.   Some of the debts were resolved through debt forgiveness and some were paid or settled for lesser amounts.  However, the applicant failed to show that he had resolved two of the credit card debts.
The judge ruled against the applicant. Having debts forgiven is not the same as personally paying the debts. The applicant also showed poor judgment in many of his financial decisions. The applicant had not had effective financial counseling and there are no clear indications that his problems are under control.

Temporarily Unemployed

The applicant traces his financial difficulties to his having a disagreement with his supervisor and leaving his job, thinking that he could do better, but was not able to find good work. He got behind in his bills.
Though he eventually found work, he did not follow a plan to repay his debts and continued to acquire more debt. As a result, he failed to sufficiently mitigate the security concern and was denied a clearance.

If I Ignore It, It Will Go Away

Applicant held a significant and tardy debt to the U.S. Department of Education (USDE) for two student loans. He chose not to repay these debts, hoping that it “would just go away”.
Eventually he made arrangements to start paying off this debt when he “decided it was not going to go away.” He also knew that he had to get his “finances straight” because of his “job and security clearance”.
Additionally, the applicant had an unpaid phone bill and ignored payments for over a year until he made arrangements to pay those debts. However, in the SF86 he responded “no” to the question, “Are you currently over 90 days delinquent on any debt(s)?” He also failed to provide a list of debts. Clearance denied.

Takeaway: Live Within Your Means and Seek Help

Though unexpected significant life and market changes can affect your financial situations, it does not always impact your security clearance. In many cases those who were in sudden significant debt due to no fault of their own, but lived within their means, attempted to pay the debt, and sought debt counseling were granted clearances.  Those who ignored the debt and lived beyond their means were not granted clearances.
Read the full article here

Could Drinking Cost a Security Clearance?

Could Drinking Cost You a Security Clearance?
By: Jeffrey W. Bennett, SAPPC, ISP
Alcohol consumption is one of the 13 adjudicative guidelines because of the possible impact of questionable judgement, failure to control impulses and the applicant’s reliability and trustworthiness. These concerns are serious and could impact national security where they involve someone working with sensitive or classified information. After reviewing case studies, it’s not too difficult to see the impact of alcohol use on people’s lives.
Consider the following cases that demonstrate how alcohol consumption can impact security clearances. There are many more recorded, but these few will give an idea. Two cases demonstrate denial of security clearances, while one shows how the applicant adequately demonstrated mitigation and a security clearance is granted.

“I can handle it”

Applicant has had numerous alcohol-related driving arrests. She paid fees and fines, and completed probation.  However, she did not seek help in dealing with her issues with alcohol. At a later date, the applicant was involved in an accident while driving under the influence of alcohol (DUI).  She was found guilty of DWI and sentenced to 180 days, paid fines and had probation.
After the last incident, she finally sought help with alcohol counseling. The counselor noted that the applicant met the diagnosis of alcohol use disorder in early remission and that her participation in therapy and continued abstinence are positive indicators. However, the applicant does not abstain from drinking, against the counselor’s recommendations, and said that she feels she is in control and if there is a social event she will drink. The judge felt the applicant had not properly mitigated the concerns and denied the applicant a security clearance.

Completed some requirements

An applicant was refused a security clearance based on Guideline G, Alcohol Consumption. Later he appealed the decision stating he had adequately mitigated the behavior. The judge reiterated the facts for the appeal that demonstrated public drunkenness and driving while intoxicated. For a two-year period, the applicant actually did attend counseling for alcohol problems and was diagnosed with alcohol dependence. He reported it was in full remission. However, less than a year later he was convicted of impaired driving.
The judge supported the denial of a security clearance because of the evidence that the applicant continued to consume alcohol and become intoxicated. Though the applicant was attending counseling, he also continued to drink and drive. The applicant’s behavior demonstrated that he had not done enough to mitigate the concerns.

Just need to let off some steam

Applicant took three days off work to drink as his way of dealing with stress. There was enough other evidence of alcohol use for the judge to make the finding that the applicant was abusing alcohol. One consideration is habitual or binge consumption of alcohol to the point of impaired judgment, regardless of whether the individual is diagnosed with alcohol use disorder. The security significance of the drinking episode is significant even though it did not result in an arrest or other involvement with law enforcement officials.

I’m just trying to get it right

The final applicant in this article developed a drinking problem after getting in trouble at work. He was terminated and while at home started drinking. He became dependent on alcohol and by the time he got a new job, his dependence on alcohol led to problems on his new job.
After many attempts to stop on his own, he recognized that he had a drinking problem and sought treatment. He had several relapses during treatment, but continued to be honest with counselors and his employer and continued to get help.
While he had several relapses, the judge considered the fact that he was committed to abstinence, had not consumed alcohol in two years, and is being supported by Alcoholics Anonymous and his family. In this case the judge determined the applicant had mitigated concerns and granted the request for a security clearance.
Alcohol consumption can contribute to making bad decisions that puts classified information at risk. Therefore, decisions against a security clearance may be made even if an applicant has never been charged or arrested for an alcohol related event. Abusing alcohol has proven a sufficient finding to deny a clearance. Where the applicant recognized the problem, sought treatment, and had a recent history of abstinence, the judge determined the security risk under the guideline was sufficiently mitigated.
Read the complete article here
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing .

ISP and Security Certification





If you are serious about advancing in your field, get security certification. 


Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enrol, NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

We've updated our manual for NISPOM Change 2. Have a go at some new questions. 


Try these questions to see how you do:

1.      The _____ shall identify the recipient government’s DGR and appoint a U.S. DGR.
a.            COR
b.            CSA
c.             FSO
d.            GCA
e.             State Department

2.      Which of the following are appropriate portion markings found on classified documents?
a.            SECRET, TOP SECRET, CONFIDENTIAL
b.            S, TS, C, U 
c.             UNCLASSIFIED, TS, CONFIDENTIAL
d.            FSO, TS, C, U
e.             All the above

3.      The National Agency Check with Local Agency Check and Credit Checks is required for:
a.            CONFIDENTIAL, L, and SECRET PCLs 
b.            TOPSECRET, Q, and SCI access
c.             TOP SECRET
d.            A and c
e.             SECRET only

4.      The Secretary of Energy or the Chairman of the Nuclear Regulatory Commission are responsible for prescribing that portion of the manual that pertains to information classified under reference:
a.            A
b.            B
c.            
d.            D
e.             E


Scroll Down for Answers





1.      The _____ shall identify the recipient government’s DGR and appoint a U.S. DGR.
a.            COR
b.            CSA (NISPOM 10-401c)
c.             FSO
d.            GCA
e.             State Department


2.      Which of the following are appropriate portion markings found on classified documents?
a.            SECRET, TOP SECRET, CONFIDENTIAL
b.            S, TS, C, U (NISPOM 4-206)
c.             UNCLASSIFIED, TS, CONFIDENTIAL
d.            FSO, TS, C, U
e.             All the above

3.      The National Agency Check with Local Agency Check and Credit Checks is required for:
a.            CONFIDENTIAL, L, and SECRET PCLs (NISPOM 2-201b)
b.            TOPSECRET, Q, and SCI access
c.             TOP SECRET
d.            A and c
e.             SECRET only

4.      The Secretary of Energy or the Chairman of the Nuclear Regulatory Commission are responsible for prescribing that portion of the manual that pertains to information classified under reference:
a.            A
b.            B
c.             C (NISPOM 1-101e)
d.            D
e.             E

So,  how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification,



DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".