Saturday, December 21, 2019

Facility and Personnel Security Clearances



Facility Security Clearances

A defense contractor is a business entity that has registered to contract with the US Government and has registered with the Central Contractor Registration. A Cleared Defense Contractor (CDC) is the designation of a U.S. Government Contractor facility that has been granted a Facility Clearance, authorizing them to perform on classified contracts. An uncleared defense contractor may bid on a classified contract without possessing an FCL. However, they must be cleared before getting access to the classified contract.

Many defense contractors may find it difficult to find and compete for classified contracts. They may have a unique skill, but find it hard to identify contracts requiring that skill. But this should not be a showstopper, as an uncleared defense contractor may partner or team with an existing CDC for sponsorship. For example, suppose a major defense contractor is performing on a classified contract for engineering support. Their core competencies provide much needed results, but they are in need of a cleared widget maker to make a peripheral piece of hardware. The prime defense contractor is familiar with the excellent work performed by a small uncleared defense contractor. The company does not have a clearance, but the cleared contractor can award a subcontract and sponsor the winning company for a security clearance.

Personnel Security Clearances

Over the years I've been asked the same question: "Can you help me get a security clearance?" My answer is both yes and no. If the individual either owns a business and is competing for a classified contract or has a contractual need for a Facility Clearance, then they are eligible to pursue a security clearance. Likewise, if they work for a cleared defense contractor and require a security clearance to perform on classified work, then the answer is yes as well.

The security clearance process begins with awarding the security clearance first to the enterprise and then to the employee. All classified information is provided to a newly established Cleared Defense Contractor (CDC) as a result of a classified contract. The cleared employees are granted access based on the contract, security clearance level, and need to know.
The contractor and government have joint responsibilities with the PCL process as they do with the FCL process. When the FCL investigation is initiated, the employees should complete a Questionnaire for National Security Positions, also known as Standard Form 86 (SF 86). Part of the process includes ensuring that the applicants are US Citizens. They should submit the application to the FSO, who then submits the applications. An investigation is conducted and the central adjudication facility (CAF) makes a determination.

With the FCL established, you are ready to proceed with the process. The PCL process begins with the applicant completing the Questionnaire for National Security Positions, also known as the SF 86. The SF 86 is primarily the part of the process where the applicant can affect the speed of the approval. A properly filled out application form is the key. Incomplete or inaccurate information is the number one cause of clearance delays. Names, addresses, telephone numbers, and dates of birth for relatives should be gathered as background research. Fortunately, the SF 86 form is online and requires only filling out once and updating when reinvestigations are required. When a clearance is up for renewal, the applicant can log in to their SF 86 and make updates.

Not everyone investigated is guaranteed a clearance. In some instances, a clearance can be denied, revoked or suspended. The employee's background is investigated thoroughly for the initial clearance and again every five to fifteen years while maintaining a clearance. In the event that a security clearance is denied, suspended or revoked, the CSO will also notify the FSO. The FSO will then deny access to classified material to that employee.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Steps to Getting the Facility and Personnel Security Clearance are available in our upcoming book tentatively titled Insider's Guide to Security Clearances. You can pre-order now.


Our EBook is a free gift. Please feel free to and please be sure to ask your friends to register at http://www.redbikepublishing.com/contact/

The Security Clearance in 30 Seconds

How are security clearances granted? Why does the Government grant them? How does the Government assign classification levels? Who is eligible? First of all, classified information must be protected. Part of the protection is to ensure only properly investigated and vetted cleared employees with need to know get access granted.
According to the latest Executive Order, employees should not be granted access to classified information unless they possess a security clearance, have a need to know to get it, received an initial security briefing and have signed a nondisclosure agreement. 

Some clarifications should be made concerning who actually gets them. Those granted include the businesses and their employees. Defense contractors are business entities and employees are the people who work there. When a defense contractor gets granted access to classified information, they are then called Cleared Defense Contractors (CDC). Once they have their clearance, then the employees will go through the process to become cleared employees.

The Personnel Security Clearance (PCL) is related to a Facility Security Clearance (FCL) held by the cleared contractor they work for. Respectively, the defense contractor businesses are required to have an FCL prior to performing on classified contracts. What does this mean? It means the cleared contractor and cleared employee have been thoroughly investigated and properly vetted before even being considered eligible to receive classified information. The need to know aspect further defines which classified information is provided based on criteria such as contract or work requirements. The point is that not just anyone with a clearance gets access to classified information. It’s based on clearance level and their need to know.

Additionally, not just anyone can apply; it’s based on a classified contract. The company must be sponsored for a clearance by a Prime Contractor or Government Contracting Activity (GCA). The FCLs are granted to defense contractor facilities and PCLs are awarded to their employees; both are granted only after an investigation and adjudication. Therefore, think of the process as the administrative determination that an entity and person are eligible from a national security basis for access to classified information.
There are several steps involved and for this article, we've listed them below:
  • Registering as a defense contractor
  • Getting sponsorship of facility security clearance
  • Requesting personnel security clearances 
  • Appointing required employee positions
  • Following guidance in the NISPOM and how to protect classified information. 
After the security clearance is granted, the CDC has some additional work to do to prepare for classified contracts. For example, once a facility clearance is granted, a Facility Security Officer (FSO) must be appointed to manage the security of classified contracts.



Saturday, December 14, 2019

Frequently Asked Security Clearance Questions


Opportunities abound in the defense industry where every job discipline requires a security clearance to perform on the contracts. Classified contracts require services that include staffing, janitorial, graphic design, accounting, finance and more. Technical experience is needed as well with mechanics, software designers, engineers, program managers and their support.

For the unfamiliar, the security clearance process may seem daunting. The lack of information on how to get started, the required forms, interviews, waiting, and expectations can make the entire experience seem out of the individual's control. However, there is a well-established and efficient process that the government undertakes and you can be in as much control of the experience as possible.

A Little Background

Whether you are in college, gainfully employed outside of the defense industry, or starting a business, as the reader you are interested in gaining a security clearance and starting a profession with the more than 13,000 Cleared Defense Contractors (CDC) making up the industrial base. Though you may be aware of the opportunities, you may be wondering how to get started, and I usually get asked the following question:

How do I get a clearance so I can get a classified job?
It's a great question, but it can't be answered easily as asked. The clearance comes after the job requirements. The question is often asked, and in the form asked it skips right by the most fundamental questions of whether or not an individual qualifies for a clearance and what the process is for getting a clearance. I will attempt to answer the first question by providing answers to the other two questions:

Can I get a security clearance?
Yes, the security clearance process is open to U.S. Citizens. If after a thorough investigation you are deemed trustworthy, you may be granted a clearance. However, not just anyone can apply; see the next question.

How do I get the clearance?
By applying for a job that requires a security clearance or starting your own company and winning classified contracts.

How long does it take to get a clearance?
This could take a few months to over a year depending on the investigation and adjudication of findings. The investigation is very in depth and depends a lot on information the applicant provides on the SF-86 application.

There is so much more, so keep following. We have an eBook available that can assist. Just register for our newsletter full of security clearance articles and advice and we'll send it. Here's the link: http://www.redbikepublishing.com/contact/


Monday, December 9, 2019

Getting Ready For NISPOM, FSO and ISP Certification

Study for certification with our latest study guide.


http://www.redbikepublishing.com/ispcertification/






You Need A Security Clearance



Check out our new video and then pre-order your book on security clearances.

http://www.redbikepublishing.com/insidersguide/









Saturday, December 7, 2019

Planning for the Facility Security Clearance (FCL)

http://www.redbikepublishing.com/dodsecurityclearancesandcontracts/


Once a defense contractor is granted a facility clearance, they can begin to prepare to perform on the classified contract. This preparation could identify potential additional costs. The costs associated with performing on classified contracts will vary by contract and depend on whether or not the Cleared Defense Contractor (CDC) is a possessing or non-possessing facility. The possessing facility is one that performs classified work at the CDC location and may require the storage of classified documents or material on site.

Depending on the contract, this could involve purchasing multiple security containers or acquiring large storage areas for oversized material such as weapons systems or computers. For non-possessing facilities, this does not require the storage of classified information at the CDC. However, the organization will provide cleared employees to perform classified work at locations other than at the home facility. 

The FSO can help reduce costs associated with protecting classified information by being involved and preparing as early in the acquisition process as possible. This is where an experienced FSO can anticipate expenses, perform risk assessment while implementing the National Industrial Security Program Operating Manual (NISPOM), and advise on ways to reduce costs while being compliant. The more money saved on overhead expenses, the greater the overall company profit. The earlier into the process the assessment is conducted, the better the company performs.

Conducting a cost impact study or coordinating with the GCA and CSO later than necessary may place the contractor in the tough position of last minute work and higher associated expenses while building closed areas, ordering more GSA approved containers (safes), and meeting tough governmental compliance with short notice.

One good idea is for the FSO to form a working team to consider the costs. These could be program managers, engineers, security, contract and other managers responsible for developing business with the prime contractor or government agency. This team would consider the contract and security requirements, and have decision authority and the ability to commit the company to the developing security plan. The FSO contributes by providing information and guidance on protecting classified information in the process, and such planning could translate into significant cost reduction.

Understanding how to advise and assist in the development of the Contract Security Classification Specification (DD Form 254) and Security Classification Guides (SCG) brings the CDC into the planning process early and can benefit the government and the CDC by reducing time and resources. It provides the groundwork for ensuring the customer security requirements are clear, applicable, and understood. Since the government provides the protection requirements, getting in on the ground level development can only benefit the contractor.

The FSO can use the DD Form 254 requirements as a baseline in assessing the current state of security to determine whether or not the company has enough classified storage space, the right type of storage space, whether or not alarms and other physical security measures are needed to support the contract, and whether adequate security or support staff is on hand. Other performance requirements may indicate the need for classified computer processing, upgrading facility and personnel clearances, and increasing storage level and capability.



Wednesday, November 20, 2019

How Security Clearances Work


People often ask the question: "How do I get a security clearance? Or how can my business get a security clearance?"


My first response is: market yourself. There's nothing you can do about getting a security clearance until somebody sees value in your product or your service and sponsors the business for a security clearance.

Value is simply someone having a tangible need for a particular product or service and wanting to put you on an already classified contract to be able to use your products or services.

There are many jobs that require security clearance or services and some of those jobs include janitorial services, engineering services, secretarial, you name it. There are many opportunities out there to get a security clearance. However, one cannot just get a security clearance in preparation for the work. The work offer comes first. 

The first step is to be sponsored by a federal government entity, a government contracting agency (GCA) or another contractor or defense contractor. Once a business entity has established a need, then they can be sponsored for a security clearance.


Government contractors are awarded classified contracts as part of doing business


A few years back, I was on a radio talk show and I really didn't get to say too much because the talk show hosts went on and on about their surprise that the government allowed businesses to have security clearances and work on classified work. In their opinion, there was no oversight and it was irresponsible to allow anybody other than a government entity to have classified information.

I spoke as much as I could on the topic but I was shouted down. There was no use in trying to address the irrational thought there, but I just wanted to let you know that yes, civilian employees and civilian business entities can have a security clearance.


The way it works is that the GCA, which is a federal government agency such as the Department of Defense or Department of Energy, will have a contractual need to acquire services or products from contractors. But let's go back real quick. The GCA is a designated original classification authority, which means they are capable of classifying information. At the highest level, the U.S. President is the original classification authority. However, the President of the United States does not go through a security clearance investigation process. By their position they get to enjoy the benefits of having a security clearance so they can do their job as president.

They delegate their OCA responsibility to the Department of Defense, Department of Energy, CIA, FBI, all these other government organizations. The government organizations are the ones who deem what is classified. Contractors or civilian organizations do not do that. They are what is called derivative classification authorities. They can only use and produce things that are already classified.

Listen to the Podcast here:

https://dodsecure.buzzsprout.com/


Saturday, November 2, 2019

New Resource for NISPOM testing

Red Bike Publishing is excited about adding a new resource to assist you with your NISPOM studies. It's an online test of 110 random NISPOM questions with a 2 hour time limit. Though this is not guaranteed to give you a passing grade, this can be used as a practice test for the ISP Certification or the ISOC certification exam.

Just visit the link and sign up for the online exam. All you need is to register for the practice test and have a pdf copy of NISPOM available and you are ready to go. 

The practice exam has 110 multiple choice NISPOM questions and is timed for 120 minutes. You can take it up to 20 times in a six month period as you study for the actual exam day. Each time you test, the questions and answers will appear in random order. Give it a try.

For practice purposes, download the electronic version of the NISPOM and use it to help search the answers to the provided test questions. Use a timer to count down 120 minutes for each practice exam.

Register for the exam here:  https://www.classmarker.com/online-test/start/?quiz=jdm5dbdb6cb9c613

You can find additional certification training and resources at http://www.redbikepublishing.com/ispcertification/

NISPOM link 

https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf


Just select the “edit” tab and then “find”. Then type the key word or phrase from the test question to help find the answers.



Wednesday, October 23, 2019

New Safe Decorating Ideas Satire


We recently spoke with Rhonda of Safe Renewal about their new business model of restoring security containers and giving them bold new lives.
“We prefer to call them safes as opposed to security containers”, she reminds me again. “The word 'safe' just provides a more comforting tone than the more clinical description of GSA Approved Security Container. Because we are providing a “safe” place to keep classified documents.”
In fact she shows me a banner with the Safe Renewal mission printed in fancy lettering: Refurbishing old safes for new purposes.
Safe Renewal is looking for customers in the Facility Security Officer (FSO) discipline who would like to give security containers a zippy new look.
“The traditional metallic and gray safes are so drab. That’s why I found it very hard to work in the FSO and security environment. Drab grays, oranges, blues, and reds, traditionally reflective of classified environments and markings always made me feel, well, blue.” 
Rhonda seems to reflect pensively for a moment, before adding. “That’s when I found my purpose, my calling, my mission to restore vibrant colors and cheery environments where I can.”
She then discusses how she has acquired old broken containers and, using various media, restores them to showroom appeal.
She relates how they artistically apply paints and adhesive textures to carefully cover the original surface areas, making them appear new and restored.
“We recently acquired some battered safes during a liquidation sale. A cleared defense contractor went under and sold everything. By the time we got there most of it was gone except for a few broken ones nobody wanted. It was nice of them to provide the combination of 25-50-25, by the way. We are able to put some putty and paint over some holes that were drilled into it. We also put on new locks to replace broken ones. Now they are as good as new.”
Awestruck, I inquired about sales.
“Well, we just opened, so nobody has bought those safes yet. We are still awaiting orders for folks to have us refurbish their drab ones, but nothing yet. We hope to begin advertising in security newsletters and professional organizations so that we can meet our potential customers. It would be great to get a government contractor, work with GSA, or partner with Defense Counterintelligence and Security Agency (DCSA). Hopefully business will kick in soon; I just don’t want to lose hope or have someone else steal our business model.”
She continues to explain her strategy. All in all it is pretty detailed and seems to leave nothing out. Her future plans include speaking at security training events such as ASIS International and NCMS in hopes of changing the safe landscape. “We want to replace and refurbish safes one CDC and one FSO at a time. Imagine a rainbow trail linking all the CDCs together. Don’t you think this is just the type of cooperation DCSA is looking for?”


Using anecdotes to convey your security message.


The skill of storytelling is one of the most successful methods of conveying a message. Public speakers, teachers, and mentors draw on personal experience to relate to their audiences. Performed with skill and confidence, a story can enhance training by making tasks teachable and relatable to the audience. However, when the message is misrepresented or poorly delivered with bad storytelling, the messenger becomes the focus as they lose credibility and the good message is obscured.
Storytelling for the purposes of this article does not necessarily mean creating a work of fiction or spinning a tale. The term storytelling is used as an example to assist with creating a logical flow of tasks conducted to complete a function. For example, a bad storyteller may say, “protect classified information or else you could be fired or worse.” A good storyteller will convey the task of introducing, using, storing, and destroying classified information throughout its lifecycle in a logical sequence. They could do so with such relevance that it is easily applied within the company culture.
The Story Setting
A speaker who speaks with or trains an audience of peers, or of people having similar skill sets, gains almost instant credibility. The same profession, the same topic, and the same faces most often make it unnecessary to cultivate a relationship from scratch. Everyone already has something in common as they share like interests. This setting can occur in a professional organization or club where everyone has a similar skill set or hobby.
On the other hand, a speaker who discusses topics with an audience of various expertise may have a harder time relating to their audience. For example, a college night school teacher may have an audience of skilled laborers of various disciplines and the only thing they have in common is the textbook. In these instances, the speaker relies on their expertise in the subject matter and anecdotes to make the subject material relevant or teachable. It would be ridiculous for this speaker to try to engage in a topic they know nothing about. They will simply lose credibility the first time they misuse an anecdote.
Applying Story Telling to NISPOM 
Beyond supporting a common corporate culture, a Facility Security Officer (FSO) could have difficulty conveying a message of protection to those who use classified information for a more specific purpose if they do not discover common ground. While the FSO is an expert at NISPOM, the engineer or practitioner is an expert at how the classified information is used. So what can an FSO do to create common ground and use that common ground to develop training anecdotes?
I’ll use a personal story. A few years ago I was invited to speak at an NCMS local chapter event. I wanted to discuss program protection, but went in heavy on explaining National Industrial Security Program Operating Manual (NISPOM) requirements. The briefing charts I developed just dripped with NISPOM requirements and I used the requirements to demonstrate the application and need for program protection planning. I thought I had a good presentation, but wanted to verify with a colleague.
His assessment was the truth, but not what I wanted to hear. He explained that my message was wrong and I risked losing my audience. What I had inadvertently done was assert myself as a NISPOM expert when in reality I should be showcasing my program protection experience. He rightly pointed out that the room would be full of NISPOM experts that could argue any NISPOM topic interpretation to the detriment of my presentation. He further explained that the NISPOM could be our common ground, but the majority of the presentation should reflect my program protection expertise and get buy-in on NISPOM interpretation. Thankfully I listened, resulting in a successful presentation and great question and answer sessions.
Establishing Credibility
FSOs are the experts at NISPOM and how to apply the classification management guidance at the cleared contractor facility. Cleared contractor facilities are required to designate a capable person to conduct the duties of the FSO. This can be interpreted as the requirement to pick an existing employee to perform the additional duties as an FSO. It can also be interpreted as the requirement to hire an additional person to conduct full time duties as an FSO.
Appropriate message
The primary purpose of the FSO should be to establish their credibility in applying NISPOM guidance to the defense contractor facility. In some situations where the FSO is a designated task bestowed upon an existing executive, engineer, or other professional, the FSO may be an expert in the development of a weapon system. They are an expert in the weapon system and may be able to beautifully weave security anecdotes into the fabric of weapon system development. In this situation, it would be a mistake not to showcase the expertise as a system engineer to relay the importance of applying security tasks to protecting classified information on the specific system. Every attempt should be made to discuss intimate details of performance, cost, and schedule and convey the security message while doing so. Being an expert in security and weapon system development and telling the story accurately using technical language and engineer speak will help fellow weapon system designers better apply security to protect classified and export controlled information.
On the other hand, a non-technical FSO attempting to lecture the engineer on specific details of the unfamiliar task of developing software would not be wise. Any attempt to do so could result in loss of credibility as terms might become misused or tasks communicated in a way to insult the professional. In this case the non-technical FSO could conduct security training and security tasks with the frame of reference that they are the experts at NISPOM guidance and the engineers are the weapon system and development experts. Together as a team they can develop an effective security program to protect classified information. 
In the second scenario the FSO can establish credibility as a security expert and create captivating stories using the common ground of working in a cleared defense contractor facility and the facility’s core culture. Where the audience is made up of scientists and engineers, there is no need for an FSO to attempt to discuss areas they are not an expert in. This could unfortunately provide an opportunity for the audience to argue the FSO’s level of understanding of the weapon system outside of the scope of the security discussion.  

The art of storytelling should be used in communicating the security message to help make it easily digestible to cleared employees. Storytelling is simply finding and using common ground to establish training or develop a culture in a relatable and logical flow. This is a great skill to practice and develop to help implement security programs to protect classified information.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, September 17, 2019

An Interview with a Cold War Counter-Spy

We spoke with former counter-spy and author John W. David about his experiences with Cold War espionage and how they apply to countering the insider threat. John has written two books, Rainy Street Stories and Around the Corner. Both are collections of essays on his experiences with the Cold War, terrorism, and espionage.

John offers several anecdotes and shares past experience of how he has recognized spies and those who would recruit insiders. He weaves relevant stories in the podcasts that are still applicable to a successful insider threat program. Listen to the podcast to hear two of many major points on running Insider Threat Programs.
Here are two points to get started:

1. Develop a culture of security by walking around.
Security managers should get away from their desks and meet the employees who can work as risk management and security force multipliers. The employees should be comfortable with the office staff and understand what the expectations are. One of the primary results of a good insider threat program is the ability to report credible information. Employees will feel most comfortable reporting information to someone they trust and who has their best interest in mind.

2. Provide insider threat training.
A trained employee base is a force multiplier. When employees are trained to recognize suspicious behavior and what to do about the observation, the entire team wins. John provides glaring examples of insider threat indicators that were ignored, leading to years of successful espionage. Training on the insider threat and teaching employees how to apply that training are key to success.

In summary, John points out that the security manager should be approachable to allow for reporting of any kind. Where an employee feels comfortable with reporting suspicious activities, the odds of actually reporting increase. The other factor is understanding what to report. A well informed and cooperative workforce can lead to an effective insider threat program.


For more information, visit www.redbikepublishing.com


Thursday, September 5, 2019

Four Tools Every Cleared Defense Contractor Needs



Cleared defense contractors provide the technology and know-how that delivers products and services to our defense industry. CDCs can be a prime contractor or subcontractor and are contracted to support government organizations. The designation of CDC indicates that the organization is a government contractor with a facility clearance and is made up of employees with personnel security clearances. With classified contracts, the CDCs are required to protect their government customer’s classified information while performing on classified contracts.

The CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts. The guidance includes topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearance, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS, provides most DoD agency oversight and compliance reviews. They perform vulnerability assessments and determine how well a CDC protects classified information according to the NISPOM.

Cleared Defense Contractors have a big job: not only performing on classified contracts and protecting classified information, but also documenting or validating compliance. The following tools should be in the CDC’s toolbox and can be employed to help them remain in compliance and demonstrate their level of compliance.

1. National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This printing of the NISPOM includes the latest from the Defense Security Service, including an Index and Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities including: Security Clearances, Required Training and Briefings, Classification and Markings, Safeguarding Classified Information, Visits and Meetings, Subcontracting, Information System Security, Special Requirements, International Security Requirements and much more.

2. International Traffic in Arms Regulation (ITAR)

“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register…” -ITAR

“It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” -DDTC

Companies that provide defense goods and services should understand how to protect US technology; the ITAR provides the answers. The International Traffic in Arms Regulation (ITAR) is the defense product and service provider’s guide book for knowing when and how to obtain an export license. This book provides answers to:

  • Which defense contractors should register with the DDTC?
  • Which defense commodities require export licenses?
  • Which defense services require export licenses?
  • What are corporate and government export responsibilities?
  • What constitutes an export?
  • How does one apply for a license or technical assistance agreement?

3. Self Inspection Handbook For NISP Contractors

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used as a checklist only. Rather it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. You will also find they have included various techniques that will help enhance the overall quality of your self-inspection. To be most effective it is suggested that you look at your self-inspection as a three-step process: 1) pre-inspection 2) self-inspection 3) post-inspection.

4. Training for Cleared Employees

a. Initial Security Awareness Training and Security Awareness Refresher Training

The main presentation is great for initial training or for refresher annual security awareness training required of all cleared employees.

NISPOM requires the following training topics during initial training and refresher training:

  • Threat Awareness Security Briefing Including Insider Threat
  • Counterintelligence Awareness Briefing
  • Overview Of The Security Classification System
  • Employee Reporting Obligations And Requirements, Including Insider Threat
  • Cybersecurity awareness training for all authorized IS users

NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.

b. Derivative Classifier Training

The NISPOM outlines requirements for derivative classification training to include… the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to perform the tasks.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information.

c. Insider Threat Training

This training program includes the NISPOM identified Insider Threat Training requirements. The NISPOM has identified the following requirements to establish an Insider Threat Program. Download and present the training here and meet the training requirements:
  • Designate an Insider Threat senior official
  • Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
  • Establish an Insider Threat Program group
  • Provide Insider Threat training
  • Monitor classified network activity
  • Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
  • Conduct self-inspections of Insider Threat Program.

d. SF 312 Briefing

This training is for newly cleared employees and should be given prior to Initial Security Briefings.

Newly cleared employees must sign an SF-312, Non Disclosure Agreement. Instead of just having them sign the box, why not give them the appropriate SF-312 Briefing describing what exactly is on the form and why they are signing it?

As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are evaluated on how well they are protecting classified information. The tools mentioned above are designed to assist the CDCs in meeting requirements. Red Bike Publishing is pleased to be a partner in the NISP and provides tools to assist CDCs in their efforts. More information can be found at www.redbikepublishing.com
