Thursday, April 18, 2019

Derivative Classifier Training

NISPOM Derivative Classification Training
While some cleared defense contractors perform non-technical services, other cleared contractors conduct derivative classification in the performance of their contracts. 
Derivative classification, in general terms, means paraphrasing, incorporating, restating, or regenerating classified information into a new form. Since contractors do not perform original classification, most of their classification work involves using classified sources to create new classified products.

Here's the important part: no training, no work. Properly executed National Industrial Security Program Operating Manual (NISPOM) training and documentation is the difference between performing on classified work and being unable to meet contractual requirements. Cleared contractors must plan to train the cleared employees who perform derivative classification responsibilities.

The NISPOM outlines requirements for derivative classification training. Where an original classification authority receives training on classification decisions annually, the NISPOM requires derivative classification training once every two years. According to the NISPOM, derivative classifiers train "in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years." According to the Defense Security Service (DSS), contractors must have trained their cleared employees by December 31, 2013. Those without this training are not authorized to perform derivative classification.

One such training task ensures that the authorized employees apply proper markings to their products. Not only are classification markings required, but so is the documentation of who is actually performing the derivative classification. According to NISPOM paragraph 4-102d, cleared employees who are authorized to make derivative classification decisions are responsible for identifying themselves on the documents where they make those decisions. Identification instills discipline, control and accountability of derivative classification decisions. 

Remember, only authorized cleared employees are assigned as derivative classifiers and they must be identified as such.

Proper identification occurs when authorized derivative classifiers apply their names and titles to the derived items. However, contractors can substitute a personal identifier that translates to an authorized name and position. Use of a personal identifier is usually allowed unless the government customer states otherwise. Trained and authorized derivative classifiers, facility security officers, and their staff can determine the government customer's requirements by reviewing the statement of work, the DD Form 254, or other security and contract requirements for further instruction. When in doubt, they can seek clarification and raise the question of personal identifier use through program channels.

Listen to our Podcast on Derivative Classifier Training
When the alternative identifier is used, the organization should develop a designator that maps to a person's name and position. If the government customer or anyone authorized to view the classified information has a question, the creator can be identified from the list. The contractor should maintain this list for at least as long as the cleared employee is with the business organization.

The contractor should consult the NISPOM for all training requirements and put a plan in place to develop and deliver the derivative classification training. After conducting the training, the contractor should document the event, including the training topic and a by-name attendance list. DSS will inspect training compliance during its inspection cycle.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Monday, April 15, 2019

What is an FSO-An Interview with Jackie Bray

We recently interviewed Jackie Bray, an FSO with over 20 years' experience, on some of the duties of an FSO and what makes an FSO successful. You can find her interview below:

Jackie explains that the National Industrial Security Program Operating Manual (NISPOM) and Industrial Security Letters are fundamental to an FSO's experience. The NISPOM is the "bible" for those creating programs to protect classified information. It provides the "how to" for protecting classified information that the FSO, program managers, and cleared employees working on classified contracts should possess.

The Standard Practice and Procedures should be a companion guide to the NISPOM. Where the NISPOM tells you what to do, the SPP will be the cleared defense contractors' response or demonstration of how they will implement NISPOM at their facility.

Jackie explains that in addition to the NISPOM and the SPP, the FSO and those working on the classified contract should carefully read and discuss the requirements found in the DD Form 254, Contract Security Classification Specification. The DD Form 254 instructs the contractor on the classification level of the contract, where the classified work should be performed, and many other requirements. Each classified contract should have an accompanying DD Form 254, so a cleared defense contractor facility may hold as many 254s as it has classified contracts.

One task a new FSO should perform is to review all the 254s and conduct a self-inspection of the requirements on each 254 and how they are implemented according to the NISPOM. The self-inspection should cover all areas of the NISPOM applicable to the cleared contractor facility. Not every chapter of the NISPOM will be implemented at the facility. However, the facility should be implementing those NISPOM chapters that reflect the DD Form 254 requirements. As a rule of thumb, NISPOM Chapters 1, 3, and parts of 5 and 6 apply to all cleared defense contractors. For cleared defense contractors authorized to possess classified information, other chapters may apply depending on the classification level.

Jackie states that FSOs play a significant role in training employees on how to protect classified information. The FSO should be adequately trained and prepared to train the cleared employees to meet NISPOM requirements. NISPOM training and FSO training such as security awareness, derivative classifier, insider threat, and more are key to successful security programs.

Find out more about the profession of the FSO from our podcast:








Thursday, April 11, 2019

Preventing Adversary Targeting; Reduce Your Acquisition Footprint


By: Jeffrey W. Bennett, SFPC, SAPPC, ISOC, ISP

A few years ago I wrote an opinion piece on the Washington Post article "Leaks in high-tech fighter?" I wrote with the intent of providing insight into vulnerabilities and possible mitigations. This month, out of curiosity, I decided to revisit the article. While I could not find a link to the original article, I found many other articles providing more insight into how the Chinese were able to produce the J-20 stealth fighter that looked a lot like our F-35.

The original article made many pointed remarks blaming government agencies, including the Department of Defense, for not providing proper oversight. While it is easy to blame those who own the stolen information (the federal government), one must also recognize that there are myriad regulations and guidance designed to prevent unauthorized disclosure of classified information. The National Industrial Security Program Operating Manual (NISPOM) gives guidance on how to properly disseminate classified material to those with need to know and protect it from unauthorized disclosure. The International Traffic in Arms Regulations (ITAR) instruct how to properly release export-controlled technical data, classified or unclassified, to non-U.S. persons.

If anyone were to ask whether or not policies to protect sensitive and classified information were in place, there would be a resounding yes, and plenty of it. The article even points out “government and its contractors appropriately controlled the export of classified technology to foreign companies”. What’s missing is how to apply these regulations to ever evolving information systems, storage, and well connected enterprise networks.

Years later we learn even more about how the Chinese obtained the information. The evidence suggests these were not entirely "leaks" in the traditional sense. The "leak" definition originally used may lead one to conclude that someone inadvertently or with malice provided information to Chinese actors. However, more recent reporting broadens the definition to include the traditional model plus a 2007 intrusion into Lockheed Martin's networks, a complex cyber-attack operation.

Now, we see additional evidence of how the Chinese targeted the technology and walked away with valuable inside information. In the article Top Gun takeover: Stolen F-35 Secrets Showing Up In China’s Stealth Fighter, the Washington Post reports a complex cyber espionage operation that stole sensitive technology and F-35 secrets that were incorporated into the Chinese J-20 stealth fighter jet.
In another article, "Briton Arrested Over Alleged Plot To Leak F-35 Fighter Jet Secrets To China," a British man was reported arrested for allegedly passing top-secret military information on Britain's F-35 jets to China, illegally exposing classified UK military intelligence to Beijing.

There were many additional articles and publications covering the cases and facts leading to the conclusion of a deliberate effort to target and acquire information on the F-35. One could spend a lot of time using the various articles to piece together a detailed espionage and cyber-attack story with at least two avenues of approach to acquiring sensitive U.S. data: exfiltrating data during a cyber-attack and targeting insiders.

One action Facility Security Officers (FSOs) and other executives can take is to prevent the release of indicators that their organization is building specific weapon systems. Put simply, take action to reduce the adversary's ability to build an acquisition footprint of your organization. While there are many more countermeasures, the following measures may help deny an adversary the ability to target a contractor facility and its employees:
·       Require purchasing and subcontractors to practice blind buys when acquiring weapon system items from commercial manufacturers and vendors. For example, create new purchase order numbers and refrain from using actual government contract numbers.
·       Train key employees to send encrypted emails or eliminate key words from their communications that reveal involvement in weapon systems.
·       Segregate program and acquisition documents and protect them from unauthorized viewers. This segregation and access control should extend to the enterprise network, so that an intruder who gains a foothold cannot reach key weapon system documents.
·       Flow down requirements to subcontractors to implement the above recommendations.

It is clear that actors in China were able to build profiles on the acquisition of the stealth fighter. This profile building enabled the theft of technology through multiple attack vectors on both the cyber and human fronts. There are acquisition and programmatic practices that should be implemented to reduce a malicious actor's ability to build a targeting profile of the organization and its trusted insiders.

Train your employees on the Insider Threat with a downloadable presentation http://www.redbikepublishing.com/fsocertification

Did you know that we can personalize NISPOM and ITAR for your employees? Just order your copy from Red Bike Publishing and email a dedication page. A perfect gift to keep your cleared employees informed.

ITAR http://www.redbikepublishing.com/itar/

NISPOM http://www.redbikepublishing.com/nispom/

Redefining an Export and Reducing Export Violations; An FSO's Opportunity


Order your copies from www.redbikepublishing.com/itar
A few years back I wrote an article on the practice of random computer searches of travelers returning to the United States from trips abroad. Now, with technology improvements, the passage of time, and the shrinking of borders in this well-connected global economy, I thought it would be a good time to revisit the question, "what would an adversary with limited resources be able to exploit in our computers?"

This is an important question to ask as cyber-attacks become more common. An adversary on foreign soil can now gather military or dual-use technical information governed by the International Traffic in Arms Regulations (ITAR) and commercial information covered by the Export Administration Regulations (EAR).

This cyber-attack activity should not surprise the well-educated cleared employee. What may be surprising is the risk to protected sensitive information residing on well-connected information systems. Facility Security Officers (FSOs), those working in corporate law, and export compliance officers provide regular reminders and conduct training on the requirements to protect sensitive information. However, there may be a disconnect when it comes to applying the protection. The immediate go-to measure is to protect the organization's enterprise network from cyber threats and to remind employees that exports are not authorized without a license or exemption.

The U.S. Government encourages companies to pursue business with foreign enterprises, and these opportunities are enabled through licenses requested from the government. However, exports also occur where no license exists. Paraphrasing the ITAR, an export includes:
1.     Sending or taking hardware out of the U.S. or transferring to a foreign person in the U.S.
2.     Disclosing (oral, email, written, video, or other visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad
3.     Providing a service to, or for the benefit of a foreign person, whether in the U.S. or abroad

Definition number 2 poses the most risk to our technical information if we consider that disclosure can be voluntary or unwitting. For example, if the movement of non-U.S. persons visiting a facility is not controlled, they may be able to exploit export-controlled information appearing on a computer screen, on an overhead projection, left on a printer, and so on. Cyber-threat examples also abound, such as hacking into enterprise networks and exfiltrating sensitive information.

In 2012, John Reece Roth, a plasma physicist, began serving a prison sentence for export violations. The charges included taking a laptop containing sensitive plans with him on a lecture tour in China. Despite warnings not to do so, he brought his computer and the sensitive information to China, where that information was vulnerable to exploitation.

The above story provides good reference points for security safeguards while travelling abroad. Recommended practices include getting approval for all presentations to non-U.S. persons, obtaining licenses for any technical data expected to be released during the presentation, and bringing a "clean" computer that stores only the information permitted for the presentation.

So what’s missing?
This reminds us to be cognizant of what kind of information we disclose to non-U.S. persons. Whether we are in the U.S. or visiting overseas, we should be concerned with an adversary's ability to conduct cyber-attacks anywhere and at any time.

Any time an employee travels abroad, they may find themselves separated from their computer at the host country's customs checkpoint. They should also expect to have the hard drive imaged, files read, and so on. These are the contingencies for which astute security specialists plan.

While an information system remains at a defense contractor facility, sensitive information is protected by firewalls, software, network defenses, and other countermeasures against cyber-intrusion. Once the information system leaves the facility, that protection leaves with it.

A common practice is for employees to bring their laptops on business trips, vacations, to night school, and elsewhere. The false sense of security that comes from being within U.S. borders adds vulnerability to that sensitive information.

What could go wrong?
Consider that an employee may be providing a presentation in another country. The employee may be provided with a clean computer with only the presentation stored. Everything is done properly to ensure the employee and information are protected from unauthorized information disclosure.

Now consider a domestic trip. The laptop is again removed from the facility for authorized work. However, since the laptop will be used within United States borders, the employee is permitted to take his working laptop, with all the unclassified technical information he has been working on for the past few years.

Since the employee's business is within the U.S., and he will not be "releasing" the information to non-U.S. persons, there is no problem; or is there?
The employee may expect to connect to the internet at the airport, university, or other public Wi-Fi or other provider of the needed internet connection. Without the proper protections (which usually don't travel with the employee), the information is almost as vulnerable as if the laptop had gone abroad.

What can be done?
The best place to begin change is by facing the facts: the global connectivity of the internet makes our sensitive information vulnerable to exploitation. Other people want your information. Even more eye-opening is that an adversary with limited resources is better equipped through this connectivity to target and acquire the information they seek. Defense contractors should take on the task of making targeted information very difficult to get.

Begin with developing a culture within your company that causes awareness of information vulnerabilities both within and external to the facility. Construct the behavior that recognizes and prevents unauthorized disclosure of economic, classified or sensitive information.

Consider any removal of information from the security of the enterprise network as vulnerable to export violation.
This culture should include a policy for removing company information systems containing sensitive information. Prior to employee travel, remove export controlled or other sensitive information or prepare special travel computers with only the information they need to conduct business at hand (make sure the information is authorized by license or agreement with the State Department or Commerce Department to prevent an exports violation).
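The "remove export controlled or other sensitive information" step above is only as good as the check behind it. The following is an added example, not code from the article or from Red Bike Publishing, of a pre-travel sweep a security office could run on a laptop before it leaves the enterprise network: it walks a directory, flags files whose name or text carries an export-control style marking, and can quarantine them so the traveler leaves with a clean machine. The marking strings, the file-type list, and the sample files are illustrative assumptions, not an authoritative list from the ITAR, EAR, or NISPOM; tune them to your organization's marking scheme.

```python
"""Pre-travel sweep for a laptop leaving the enterprise network.

Added example, not part of the original article. Marking patterns and
sample files are assumptions chosen for illustration.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Assumed markings. Acronyms are matched case-sensitively so that ordinary
# words such as "ear" do not trigger; spelled-out phrases are case-insensitive.
MARKING_PATTERNS = {
    "ITAR": re.compile(r"\bITAR\b|(?i:international traffic in arms)"),
    "EAR": re.compile(r"\bEAR\b|(?i:export administration regulations)"),
    "CUI": re.compile(r"\bCUI\b|(?i:controlled unclassified information)"),
    "EXPORT CONTROLLED": re.compile(r"(?i:export[\s_-]+controlled)"),
}
# Only these suffixes are opened and read; other files are judged by filename alone.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".tex", ".html", ".xml", ".json"}
MAX_SCAN_BYTES = 1_000_000   # read at most this much of a large file


def markings_in(text):
    """Return the sorted list of marking labels found in text."""
    return sorted(label for label, pat in MARKING_PATTERNS.items() if pat.search(text))


def sweep(root):
    """Map each flagged file (posix path relative to root) to its markings."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = set(markings_in(path.name))
        if path.suffix.lower() in TEXT_SUFFIXES:
            try:
                hits.update(markings_in(path.read_text(errors="replace")[:MAX_SCAN_BYTES]))
            except OSError:
                hits.add("UNREADABLE")   # cannot prove it is clean, so flag it
        if hits:
            findings[path.relative_to(root).as_posix()] = sorted(hits)
    return findings


def quarantine(root, dest):
    """Move every flagged file out of root into dest; return what was moved."""
    root, dest = Path(root), Path(dest)
    moved = []
    for rel in sweep(root):
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(target))
        moved.append(rel)
    return moved


def travel_ready(root):
    """True only when the sweep finds nothing left to remove."""
    return not sweep(root)


def build_sample_tree():
    """Constructed sample laptop contents for the demonstration (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="travel_"))
    files = {
        "notes/itar_drawing_notes.txt": "ITAR - Export Controlled. Do not release to non-U.S. persons.\n",
        "reports/summary.txt": "Subject to the Export Administration Regulations (EAR).\n",
        "talk/approved_deck.txt": "Approved for public release; distribution unlimited.\n",
        "vacation/photo.jpg": "not really an image, never opened by the sweep",
        "CUI-roster.csv": "name,phone\nalice,555-0100\n",   # flagged by filename alone
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    laptop = build_sample_tree()
    for rel, hits in sweep(laptop).items():
        print(f"{rel}: {', '.join(hits)}")
    moved = quarantine(laptop, laptop.parent / (laptop.name + "_quarantine"))
    print(f"quarantined {len(moved)} file(s); travel ready: {travel_ready(laptop)}")
```

The sweep errs toward flagging: a file it cannot read is reported as UNREADABLE rather than silently passed, and a marking in a filename counts even when the body is not inspected. A sweep like this complements, and does not replace, the license or agreement review the paragraph above calls for; it only tells you what is still on the machine.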

NISPOM Based Questions For SPeD, Industrial Security Oversight Certification (ISOC), and ISP Study


Get your copy @ www.redbikepublishing.com
These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. 

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on the NISPOM.

We've updated our manual for NISPOM Change 2. 
1.      Government representatives serving in an official capacity may visit a contractor facility in which of the following circumstances:
a.            Official capacity as inspectors
b.            When presenting appropriate identification
c.             Official capacity as auditors
d.            Official capacity as investigators
e.             All the above

2.      ______ issues protective measures and guidance on protection of ISs.
a.            GCA
b.            ISSO
c.             FSO
d.            CSA
e.             NISPOM

3.      Passwords length and content shall be according to guidance from the:
a.            FSO
b.            GCA
c.             CSA
d.            ISSM
e.             ISSO










Scroll Down For Answers

1.      Government representatives serving in an official capacity may visit a contractor facility in which of the following circumstances:
a.            Official capacity as inspectors
b.            When presenting appropriate identification
c.             Official capacity as auditors
d.            Official capacity as investigators
e.             All the above (NISPOM 6-103)


2.      ______ issues protective measures and guidance on protection of ISs.
a.            GCA
b.            ISSO
c.             FSO
d.            CSA (NISPOM 8-100)
e.             NISPOM


3.      Passwords length and content shall be according to guidance from the:
a.            FSO
b.            GCA
c.             CSA (NISPOM 8-303)
d.            ISSM
e.             ISSO


So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, and NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who bought this book and used its techniques to augment their preparation performed very well on certification exams.



Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

What is a "Code Word" Clearance



The term “code word clearance” is sometimes used by the general public and is often described as an “above TOP SECRET Clearance”. While the term might be a part of the public’s security clearance slang, it is not part of the cleared community’s vocabulary. Those in the security community can best answer this question by explaining how the security clearance is granted, and that access to classified information is granted based on a level of classification. Classified information spans Collateral, Sensitive Compartmented Information (SCI), and Special Access Program (SAP) information.

Collateral Classified Information
A collateral clearance is granted after a security clearance investigation and adjudication to determine suitability, and it provides the cleared employee access to CONFIDENTIAL, SECRET, or TOP SECRET information. For collateral classified information, those granted Top Secret clearances can access Confidential, Secret, and Top Secret information. Those granted Secret clearances can access Confidential and Secret, while those granted Confidential can access only CONFIDENTIAL information. Collateral clearances do not include access to SCI or SAP information.

SCI or SAP Classified Information = code word clearance
The "code word" clearance requires a higher level or more thorough investigation. That is because the "code word" clearance is used when an employee is briefed into a program requiring SCI or SAP access. With the SCI or SAP designation, the classified document is marked not only with the collateral designation but also with the code word. For example, at the Secret level, a document might be marked "Secret (Code Word)". For cleared defense contractors, permission to be briefed into a program requiring a code word is dictated by the DD Form 254. This document tells security and the employee the level of clearance and any higher briefings required to perform the work, such as SCI and SAP.
Approval to access SCI and SAP information is provided after the Single Scope Background Investigation (SSBI). The SSBI is typically required for Top Secret security clearances, and the same investigation is used for SCI access. Normally a Secret clearance does not require an SSBI. However, if access to SCI or SAP is required, then the SSBI will be necessary to access Secret (Code Word) information.

A Fun Fact about code word clearances
To put a "code word" into perspective, consider the History Channel's "Project Blue Book". This show is based on a real government program that used the code word "Blue Book". Those working on the program had the required clearance, were briefed into the program, and were the only ones who knew the project details.

A personnel security clearance (PCL) is granted after a lengthy investigation and adjudication process. An interim clearance can be granted within a few weeks, while the final decision can take many months. The security clearance journey begins with the applicant completing the Questionnaire for National Security Positions, also known as Standard Form 86 (SF-86). This is a lengthy form that requires some very personal information, including family members, places lived, academic institutions attended, arrests, drug and alcohol incidents, debt, and more.

Train your employees on the Insider Threat with a downloadable presentation http://www.redbikepublishing.com

Did you know that we can personalize NISPOM and ITAR for your employees? 

Just order your copy from Red Bike Publishing and send us an email to incorporate a dedication page. Editor@redbikepublishing.com A perfect gift to keep your cleared employees informed.

ITAR http://www.redbikepublishing.com/itar/
NISPOM http://www.redbikepublishing.com/nispom/


Who Can View My SF-86




FSOS: THE FIRST TO REVIEW YOUR SF-86
The form is completed online and, once complete, the applicant should review it with the Facility Security Officer (FSO). The FSO is the first person to review all the sensitive information with the applicant. The FSO ensures the form is complete and accurate and that all waivers and signatures are applied. FSOs are not decision makers in the security clearance process and therefore are not authorized to pass judgement, make adjudicative calls, or decide on the clearance request; they are simply reviewing for completeness.

AGENCY EMPLOYEES ARE NEXT
Employees of agencies within the security clearance process will then have access to the SF-86 and are required to handle the information in accordance with their responsibilities and the Privacy Act. These employees access the SF-86 while conducting background investigations, reinvestigations, and continuous evaluation of persons under consideration for, or retention in, national security positions. They also include non-investigating employees performing administrative functions: contractor and government personnel security clearance employees, investigators, adjudicators, and others authorized to conduct legitimate business.

MANY OTHERS MAY VIEW REDACTED DATA
Additionally, the investigation conducted using information on the SF-86 can be used in studies and analyses to evaluate an agency's effectiveness in applying investigative and adjudicative methodologies. Think of process improvement or reports to Congress on government effectiveness.
According to the form itself: “The collection, maintenance, and disclosure of background investigative information are governed by the Privacy Act…. The information you provide on this form, and information collected during an investigation, may be disclosed without your consent by an agency maintaining the information in a system of records as permitted by the Privacy Act…”

The idea is that the data may be aggregated and used for other means – but that one individual’s data cannot be released, and their privacy violated. Because the Privacy Act governs the data on the security clearance questionnaire, even security clearance applicants themselves have to use the Privacy Act to obtain a copy of their report.
The following are those who might view the SF-86 in its entirety:
·         Department of Justice in performing their duties
·         Courts if litigation is involved for civil or criminal violations
·         Employees performing security clearance investigations

The following are those who might view information that is on the SF-86, but will not be able to associate the information with an individual:
·         Federal, state, local, foreign, tribal, or other public authorities, as appropriate
·         Contractors, grantees, experts, consultants or volunteers as they cooperate in the investigation
·         News media or general public for factual information, but not PII
·         Congress, national archives, foreign governments, office of management and budget

DO I HAVE TO ALLOW MY DATA TO BE RELEASED?
Providing the information is voluntary, but failure to complete the form results in disqualification from the process. Since the form is the trigger, the starting gun is never fired and the runners never leave the starting line. If an SF-86 is not completed, the process is never started. Also, if an applicant does not provide all of the requested information, it could negatively affect their eligibility for a national security position or access to classified information.
So, the answer to “Who can view my SF-86?” is: only those performing investigations and their support staff. Perhaps law enforcement and courts may view pertinent information during legal proceedings. While many individuals today are pushing for more oversight into the security clearance process, or even the right to view the SF-86 information provided by White House officials, it’s important to remember the privacy protections afforded in the White House also apply to the roughly four million ‘average’ security clearance holders.



