Cleared defense contractors (CDCs) provide the technology and know-how that delivers products and services to our defense industry. CDCs can be prime contractors or subcontractors and are contracted to support government organizations. The CDC designation indicates that the organization is a government contractor with a facility clearance and is staffed by employees holding personnel security clearances. When performing on classified contracts, CDCs are required to protect their government customer’s classified information.
CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts. The guidance covers topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearances, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS, provides most DoD agency oversight and compliance reviews. It performs vulnerability assessments and determines how well a CDC protects classified information according to the NISPOM.
Cleared defense contractors have a big job: not only performing on classified contracts and protecting classified information, but also documenting and validating compliance. The following tools should be in the CDC’s toolbox and can be employed to help them remain in compliance and demonstrate their level of compliance.
1. National Industrial Security Program Operating Manual (NISPOM)
The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This printing of the NISPOM includes the latest material from the Defense Security Service, including an index and Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities, including: security clearances, required training and briefings, classification and markings, safeguarding classified information, visits and meetings, subcontracting, information system security, special requirements, international security requirements, and much more.
2. International Traffic in Arms Regulation (ITAR)
“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register…” (ITAR)
“It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” (DDTC)
Companies that provide defense goods and services should understand how to protect US technology; the ITAR provides the answers. The International Traffic in Arms Regulation (ITAR) is the defense product and service provider’s guide book for knowing when and how to obtain an export license. This book provides answers to:
- Which defense contractors should register with the DDTC?
- Which defense commodities require export licenses?
- Which defense services require export licenses?
- What are corporate and government export responsibilities?
- What constitutes an export?
- How does one apply for a license or technical assistance agreement?
3. Self-Inspection Handbook for NISP Contractors
The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used only as a checklist; rather, it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. The handbook also includes various techniques that will help enhance the overall quality of your self-inspection. To be most effective, it is suggested that you treat your self-inspection as a three-step process: 1) pre-inspection, 2) self-inspection, 3) post-inspection.
4. Training for Cleared Employees
a. Initial Security Awareness Training and Security Awareness Refresher Training
The main presentation is great for initial training or for the annual refresher security awareness training required of all cleared employees. The NISPOM requires the following training topics during initial training and refresher training:
- Threat Awareness Security Briefing, including insider threat
- Counterintelligence Awareness Briefing
- Overview of the Security Classification System
- Employee reporting obligations and requirements, including insider threat
- Cybersecurity awareness training for all authorized IS users
NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.
b. Derivative Classifier Training
The NISPOM outlines requirements for derivative classification training, to include… the proper application of derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to perform derivative classification tasks.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified, and then mark the newly developed material consistently with the classification markings that apply to the source information.
c. Insider Threat Training
This training program covers the Insider Threat Training requirements identified in the NISPOM. The NISPOM has identified the following requirements for establishing an Insider Threat Program; download and present the training here to meet the training requirement:
- Designate an Insider Threat senior official
- Establish an Insider Threat Program / self-certify the implementation plan in writing to DSS
- Establish an Insider Threat Program group
- Provide Insider Threat training
- Monitor classified network activity
- Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
- Conduct self-inspections of the Insider Threat Program
d. SF 312 Briefing
This training is for newly cleared employees and should be given prior to the Initial Security Briefing.
Newly cleared employees must sign an SF-312, Classified Information Nondisclosure Agreement. Instead of just having them sign the box, why not give them the appropriate SF-312 Briefing describing exactly what is on the form and why they are signing it?
As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are also evaluated on how well they protect classified information. The tools mentioned above are designed to assist CDCs in meeting those requirements. Red Bike Publishing is pleased to be a partner in the NISP and provides tools to assist CDCs in their efforts. More information can be found at www.redbikepublishing.com.
Jeffrey W. Bennett, ISP, is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification: The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".