Tuesday, September 17, 2019

An Interview with a Cold War Counter-Spy

We spoke with former counterspy and author John W. David about his experiences with Cold War espionage and how they apply to countering the insider threat. John has written two books, Rainy Street Stories and Around the Corner. Both are collections of essays drawn from his experiences with the Cold War, terrorism, and espionage.

John offers several anecdotes and shares past experience of how he has recognized spies and those who would recruit insiders. He weaves relevant stories into the podcast that are still applicable to a successful insider threat program. Listen to the podcast to hear two of the many major points on running insider threat programs.
Here are two points to get started:

1. Develop a culture of security by walking around.
Security managers should get away from their desks and meet the employees who can act as risk management and security force multipliers. Employees should be comfortable with the security staff and understand what is expected of them. One of the primary results of a good insider threat program is the ability to report credible information, and employees will be most comfortable reporting information to someone they trust and who has their best interests in mind.

2. Provide insider threat training.
A trained employee base is a force multiplier. When employees are trained to recognize suspicious behavior and know what to do with the observation, the entire team wins. John provides glaring examples of insider threat indicators that were ignored, leading to years of successful espionage. Training on the insider threat, and teaching employees how to apply that training, are key to success.

In summary, John points out that the security manager should be approachable, to allow for reporting of any kind. When an employee feels comfortable reporting suspicious activities, the odds of an actual report increase. The other factor is understanding what to report. A well-informed and cooperative workforce can lead to an effective insider threat program.


For more information, visit www.redbikepublishing.com

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Thursday, September 5, 2019

Four Tools Every Cleared Defense Contractor Needs



Cleared defense contractors (CDCs) provide the technology and know-how that deliver products and services to the defense industry. A CDC can be a prime contractor or a subcontractor, and is contracted to support government organizations. The CDC designation indicates that the organization is a government contractor holding a facility clearance and staffed by employees with personnel security clearances. On classified contracts, CDCs are required to protect their government customer’s classified information.

CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts, covering topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearances, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as the Defense Security Service (DSS), provides oversight and compliance reviews for most DoD agencies. DCSA performs vulnerability assessments and determines how well a CDC protects classified information according to the NISPOM.

Cleared defense contractors have a big job: not only performing on classified contracts and protecting classified information, but also documenting and validating compliance. The following tools should be in the CDC’s toolbox; they can be employed to help the CDC remain in compliance and demonstrate its level of compliance.

1. National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This printing of the NISPOM includes the latest material from the Defense Security Service, including an index and the Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities, including: security clearances, required training and briefings, classification and markings, safeguarding classified information, visits and meetings, subcontracting, information system security, special requirements, international security requirements, and much more.
2. International Traffic in Arms Regulations (ITAR)
“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register…” (ITAR). “It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” (DDTC)
Companies that provide defense goods and services should understand how to protect US technology, and the ITAR provides the answers. The International Traffic in Arms Regulations (ITAR) is the defense product and service provider’s guidebook for knowing when and how to obtain an export license. This book provides answers to:

Which defense contractors should register with the DDTC?
Which defense commodities require export licenses?
Which defense services require export licenses?
What are corporate and government export responsibilities?
What constitutes an export?
How does one apply for a license or technical assistance agreement?
3. Self Inspection Handbook For NISP Contractors
The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). The Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used only as a checklist; rather, it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. The handbook also includes various techniques that will help enhance the overall quality of your self-inspection. To be most effective, it is suggested that you treat your self-inspection as a three-step process: 1) pre-inspection, 2) self-inspection, 3) post-inspection.

4. Training for Cleared Employees

a. Initial Security Awareness Training and Security Awareness Refresher Training

The main presentation works for initial training or for the annual security awareness refresher training required of all cleared employees.

NISPOM requires the following training topics during initial training and refresher training:

  • Threat Awareness Security Briefing Including Insider Threat
  • Counterintelligence Awareness Briefing
  • Overview Of The Security Classification System
  • Employee Reporting Obligations And Requirements, Including Insider Threat
  • Cybersecurity awareness training for all authorized IS users
NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.

b. Derivative Classifier Training

The NISPOM outlines requirements for derivative classification training, to include… the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to perform derivative classification.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified, and then mark the newly developed material consistently with the classification markings that apply to the source information.

c. Insider Threat Training

This training program covers the NISPOM-identified insider threat training requirements. The NISPOM identifies the following requirements for establishing an Insider Threat Program; the training can be downloaded and presented to meet the training requirement:
  • Designate an Insider Threat senior official
  • Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
  • Establish an Insider Threat Program group
  • Provide Insider Threat training
  • Monitor classified network activity
  • Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
  • Conduct self-inspections of Insider Threat Program.

d. SF 312 Briefing

This training is for newly cleared employees and should be given prior to the initial security briefing.

Newly cleared employees must sign an SF 312, Classified Information Nondisclosure Agreement. Instead of just having them sign the form, give them an SF 312 briefing describing exactly what is on the form and why they are signing it.

As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are also evaluated on how well they protect classified information. The tools mentioned above are designed to assist CDCs in meeting those requirements. Red Bike Publishing is pleased to be a partner in the NISP and provides tools to assist CDCs in their efforts. More information can be found at www.redbikepublishing.com


Wednesday, September 4, 2019

The Fine and Time Honored Art of Piggy Backing


After years of fighting what he had assumed was bad practice, a Facility Security Officer (FSO) confidently confided that he now welcomes “piggy backing” as acceptable. Entering a protected facility on the credentials of another employee, also known as “piggy backing” (or tailgating), is now being proven an efficient means of enterprise ingress.

“With each employee needlessly scanning their badge when someone else had already triggered the authorization, it at first seemed redundant,” said the FSO. “Now we know that there is so much more benefit. Now we see realized cost savings, as they only trigger the device once, saving destructive wear and tear on locking and opening hardware. Also, holding the door open for multiple employees to enter simultaneously reduces the number of times the door is opened and closed, thus also creating cost savings on heating and air conditioning expenses,” he continued.

The progressive cleared defense contractor began a month-long pilot program to test the theory of cost reduction and improved employee morale. He collected data from the enterprise information management system monitoring the installed security system. He also provided high fives to employees as they arrived en masse each morning.

At the end of the month, the cost savings to the heating and air conditioning system demonstrated that piggy backing does indeed reduce costs. Additionally, he describes how he gleefully counted smiles as happy employees passed through the main entrance. Based on the smiles and enthusiastic hand smacks, he logically deduced that this change had indeed improved morale.

“We are now looking at additional savings as we remove badge readers and door magnets, as well as terminate the lease on the information management system. One person can now physically unlock the door and then hold it open to allow others to enter.”

He is hoping his revolutionary leap in logic will catch on, and is planning to speak at security conferences such as ASIS International and NCMS in hopes of educating other risk and security managers.


“First, my organization, and then the rest. Who knows what global impact this simple act of allowing employees to piggy back might cause? I look forward to getting my message out.”


Monday, September 2, 2019

NISPOM Based Certification Questions


Get your copy @ www.redbikepublishing.com
These NISPOM-based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams, including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. 

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on the NISPOM.

We've updated our manual for NISPOM Change 2. 


1. Concerning a government contractor monitoring station with a response team cleared at the SECRET level, how many guards are required to respond to an alarm?
a. At least two when at least one guard is cleared
b. The amount sufficient to immediately investigate each alarm
c. At least five when at least one guard is cleared
d. At least four when at least one guard is cleared
e. At least three when at least one guard is cleared

2. Who determines need to know at classified meetings?
a. GCA
b. Contract monitor
c. Individual disclosing information
d. Visiting individuals
e. CSA

3. FSOs may approve Automated Access Control Systems that meet the following standard(s):
a. Chances of unauthorized access are no more than one in ten thousand
b. Chances of authorized persons being rejected are no more than one in five hundred
c. Chances of authorized persons being rejected are no more than one in one thousand
d. A and c
e. None of the above



Scroll Down For Answers



1. Concerning a government contractor monitoring station with a response team cleared at the SECRET level, how many guards are required to respond to an alarm?
a. At least two when at least one guard is cleared
b. The amount sufficient to immediately investigate each alarm (NISPOM 5-903)
c. At least five when at least one guard is cleared
d. At least four when at least one guard is cleared
e. At least three when at least one guard is cleared

2. Who determines need to know at classified meetings?
a. GCA
b. Contract monitor
c. Individual disclosing information (NISPOM 6-102)
d. Visiting individuals
e. CSA

3. FSOs may approve Automated Access Control Systems that meet the following standard(s):
a. Chances of unauthorized access are no more than one in ten thousand
b. Chances of authorized persons being rejected are no more than one in five hundred
c. Chances of authorized persons being rejected are no more than one in one thousand
d. A and c (NISPOM 5-313)
e. None of the above

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, and NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought the book and used its techniques to augment their preparation have performed very well on certification exams.

                                           



Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.





Gather, integrate, and report insider threat information



This article addresses the NISPOM-based Insider Threat Program (ITP) compliance requirements and is inspired by questions from the Self-Inspection Handbook for NISP Contractors. The article uses the handbook’s format to walk through the self-inspection criteria: it begins with the topic question, then the NISPOM reference, an explanation of the requirements, and finally how to inspect for compliance.

Topic Question(s):
Does your program include a capability to gather, integrate, and report relevant and credible information, which falls into one of the 13 adjudicative guidelines indicative of a potential or actual insider threat?

EVIDENCE: Explain the process to gather and integrate data, and provide procedures.

VALIDATION:
NISPOM Reference(s):

1-202a
a. The contractor will establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat, consistent with E.O. 13587 (reference (ac)) and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (reference (ad)), as required by the appropriate CSA.

One might ask what is reportable as far as insider threat indicators go. Aside from actually catching a culprit red-handed sabotaging company resources or stealing government secrets, the employee is asked to report suspicious but credible observations. The Facility Security Officer (FSO) of the cleared defense contractor should develop a methodology for reporting insider threat behavior, and training on how to recognize the behavior and then report it.

To do so, there is an existing methodology that leverages a current requirement. The “go to” resource for a standardized process or policy on what counts as relevant and credible information is the 13 Adjudicative Guidelines. Behavior falling under any of these guidelines can serve as an indicator of an authorized employee with malicious intent, or of one who is vulnerable to exploitation.

A review of the 13 Adjudicative Guidelines provides data points a risk manager can build upon. The guideline topics and a simple description of each are provided below so that behaviors can be identified and, if credible, reported to the Insider Threat Program Senior Official.

Employees can be trained to observe certain behaviors and recognize them as triggers for deciding whether or not to report. When an employee observes credible high-risk behavior, they should understand to whom and how to report it.

Here are the 13 Adjudicative Guidelines that should be employed to recognize reportable behavior.

Guideline A: Allegiance to the U.S.
A cleared employee should demonstrate unquestionable allegiance to the United States. Any behavior or other indication of involvement in, training to commit, support of, or advocacy of any activity directed against the United States should be reported. Examples could include questionable internet searches, club memberships, or charitable donations to organizations that seek to harm the United States.

Guideline B: Foreign Influence
Foreign contacts and interests may be a security concern if a cleared employee demonstrates divided loyalties or holds foreign financial interests. The concern is that they may be influenced to help a foreign person, group, organization, or government in a way that is not in the U.S. interest. The cleared employee could also be vulnerable to pressure or coercion by a foreign interest.

Guideline C: Foreign Preference
Here the cleared employee could be demonstrating behavior that serves the interests of a foreign person, group, organization, or government in conflict with the national security interests of the United States.

Guideline D: Sexual Behavior
A cleared employee could be engaged in sexual behavior that involves a criminal offense, indicates a personality or emotional disorder, reflects a lack of judgment or discretion, or may subject the individual to undue influence, coercion, exploitation, or duress. Behavior falling under Guideline D raises questions about an individual's reliability, trustworthiness, and ability to protect classified information.

Guideline E: Personal Conduct
This is a catch-all guideline: questionable personal conduct, or concealing information about one's conduct, creates a vulnerability to exploitation, manipulation, or duress.

Guideline F: Financial Considerations
A cleared employee who is financially overextended could be at risk of engaging in questionable behavior to improve their situation. Such behavior could also fall under other guidelines.

Guideline G: Alcohol Consumption
This is one of the more obvious behaviors and one of the easier to recognize in most situations. Examples include alcohol-related incidents at work, such as reporting for work or duty in an intoxicated or impaired condition, or drinking on the job.

Guideline H: Drug Involvement
The use of illegal drugs or misuse of prescription drugs can raise questions about an individual’s reliability and trustworthiness, both because drug use may impair judgment and because it raises questions about an individual’s willingness to comply with laws, rules, and regulations.

Guideline I: Psychological Conditions
Certain emotional, mental, and personality conditions can impair judgment, reliability, or trustworthiness.

Guideline J: Criminal Conduct
Criminal activity creates doubt about a person’s judgment, reliability, and trustworthiness and calls into question a person’s ability or willingness to comply with laws, rules, and regulations.

Guideline K: Handling Protected Information
This can be accidental, repetitive, or malicious. Any situation where a cleared employee mishandles classified information should be addressed according to the investigative findings. Forgetful employees can be trained, but problem employees demonstrating repeated offenses may lose their clearances. Insider threats with malicious intent could be reported to law enforcement.

This behavior can be demonstrated through a long list of NISPOM or ITAR violations, such as loading, drafting, editing, modifying, storing, transmitting, or otherwise handling classified reports, data, or other information on unapproved equipment or media.

Guideline L: Outside Activities
Involvement in certain outside employment or activities is a security concern if it poses a conflict of interest with the individual's security responsibilities. Examples include service with, or employment by, any foreign, domestic, or international organization or person engaged in analysis, discussion, or publication of material on intelligence, defense, foreign affairs, or protected technology. This can be held in close regard with Guidelines A and B, as well as others, depending on motivation.

Guideline M: Use of Information Technology
Cleared employees should handle classified information appropriately; Guideline K covers mishandling of classified information in violation of NISPOM guidance, while Guideline M covers the use of any classified or unclassified information technology system to gain unauthorized access to information or a system. This includes hacking into servers, email, networks, or computers.

The next step is to develop a method of investigating and reporting the behavior. In one scenario, an employee reports suspicious activity to the FSO per existing NISPOM guidance. The FSO receives the report and begins an inquiry based on NISPOM requirements. With recent NISPOM updates, the FSO can now engage the Insider Threat Program team as part of that inquiry. Credible violations of the guidelines can, at the very least, result in action to protect classified information, or be escalated for handling as a potential insider threat issue.

Ideas to demonstrate compliance:
  • Develop a reporting process for receiving credible reports of suspicious behavior
  • Document reports and investigations
  • Document the results of investigations
  • Create and deliver training to employees
  • Document training


