Friday, December 4, 2020

Why Facility Security Officers and Security Specialists Protect Classified Material.


Facility Security Officers (FSOs), the security managers for cleared defense contractors, implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292.

You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned only to information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:

1. An original classification authority (OCA) is classifying the information. Specifically, only the President and, in certain circumstances, the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government officials can serve as OCAs. Agency heads are responsible for ensuring that only the minimum number of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.

The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.

The original classification authorities attend training as identified in the executive order and other directives. The education is similar to the annual security awareness training that FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination, in addition to learning how to determine the classification level.

2. An original classification authority may determine a classification on anything that is owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the Government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production and protection measures, in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.

3. The information to be classified should fall into one of the following categories: military plans, weapons systems or operations; foreign government information; intelligence activities, sources or methods or cryptology; foreign relations or activities of the United States including confidential sources; scientific, technological, or economic matters relating to national security, including defense against transnational terrorism; U.S. programs for safeguarding nuclear materials or facilities; vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism; weapons of mass destruction.

4. The OCA also should determine that the unauthorized disclosure of the information reasonably could be expected to result in damage to national security, which includes defense against transnational terrorism, and they are able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.

The impact of disclosure is categorized from reasonably causing "damage" for CONFIDENTIAL information through "serious damage" for SECRET information to "seriously grave damage" for TOP SECRET information. EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level, and it also prevents the original classification authority from assigning a classification level needlessly.

Cleared Defense Contractors protect information classified by the OCAs. Understanding the reasoning behind the classification is not critical, but it may give a better comprehension of the National Industrial Security Program. Such information could lead to better security measures or heightened awareness of the sensitive nature of classified information.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

A Career in Industrial Security-Charting the Course.

I receive a lot of emails from people who wonder how to get into the security field. Many are looking for a career change and are curious about what kind of education and experience is needed to work as a security specialist in the defense and contractor industry. Others are just starting out in life and looking for a job with the challenges and opportunities the security field offers. There are plenty of great opportunities, with large and small contractor companies providing the venue. Here is what I have discovered about our industry, and some of you may have other experiences and advice you can pass to those who ask about a career in security.

Industrial security is an outstanding field for people with all ranges of experience to enter. Some have been hired at an entry level job and have received promotions and additional responsibilities. Others have transferred full time to security after enjoying serving in an additional duty capacity. Career growth occurs as the contract and company expand or the employee takes on more responsibilities after hiring on with another company. Security managers can also move to higher level security positions as chief security officer or corporate security officer as experience meets opportunity.

Employees just entering the work force can benefit from entry level jobs. These opportunities are great for building skills and filling a critical need while filing receipts, wrapping packages, checking access rosters, applying information system security, or bringing classified information into an accountability system. Those skills, combined with learning to implement programs designed to safeguard classified information, provide a great foundation to build careers on. Additionally, many employees attend university and other adult education opportunities while serving full time in the security field. The experience, education, certification and security clearance gained while on the job prove very valuable.

Taking a look at want ads and job announcements, one can see that education and certification are beginning to be more of a requirement. Past listings for entry level and some FSO jobs required only the ability to get a security clearance and a high school diploma or a GED. However, more and more job announcements require formal education, to include college, and a preference for security certification. The defense security industry still provides a good career field to gain entry level experience and move up quickly. Being well entrenched in a good career provides the perfect environment and opportunity for simultaneous education and certification. This will make the prepared ready for future positions and raises.

Those starting their careers in smaller enterprises have a keen opportunity to perform in various security disciplines. Some actually assume appointed FSO responsibilities as an extra duty and learn as they go. Many of the defense contractor organizations are small and may only have one person in the security role. The sole security manager may only work in one discipline such as personnel security. Others have a larger scope, working with a guard force, information security, and compliance issues such as exports.

Large Defense Contractors and Government agencies also provide entry level security jobs. The job title is often security specialist and job descriptions allow for many experiences. Some descriptions use words to the effect of the following: “The candidate must be eligible for a security clearance. Job responsibilities include receiving, cataloging, storing, and mailing classified information. Maintain access control to closed areas. Provide security support for classified information processing and destruction. Initiate security clearance requests and process requests for government and contract employees conducting classified visits. Implement security measures as outlined in NISPOM.” Administrative, military, guard, and other past job experience may provide transferable skills to allow a person to apply for the job. Once the new employee is hired and learns the technical skills, they can quickly advance by applying their other experiences and education.

Our industry is still a great place to learn and grow. Career advancement and promotions are continually available for the prepared. Opportunities continue to exist in companies large enough to provide increasing challenges and rewards. Some may have to apply for jobs with other enterprises to reach their potential. Others may be satisfied performing their valuable functions in an organization where their skills are valued and rewarded. Be sure to recommend our ISP Certification-The Industrial Security Professional Exam Manual to anyone you know who may be getting ready for a job interview. Our intensive NISPOM study will prepare anyone for the upcoming interview. Regardless of your professional goals, what are you doing to remain competitive?







Saturday, October 10, 2020

Becoming an FSO of Influence. How to grow with a growing company.


A few times I've had a similar conversation with a few leaders in the security industry. They had been experiencing the same reaction from their enterprise leadership and were frustrated to the point of looking for another job. Their joint frustration revolved around a lack of support for their security vision. They could not seem to get past the barriers in perception that they did much more than request and manage security clearances and facilities. This may be a common issue facing many FSOs throughout the National Industrial Security Program cleared defense contractor base.

These issues could stem from three possible challenges facing cleared defense contractor companies. The first is that the FSO has not developed a reputation as a corporate leader with effective strategies to ensure the organization is prepared to compete, win, and maintain classified contracts. The second is the cause of the first, in that the company has grown, and the original FSO may not possess the leadership skills necessary to continue to engage as necessary. Finally, the security manager is not considered an executive function and falls under a corporate executive and outside of those performing on classified work (a corporate executive vs. a program manager).

Understanding how security fits into the organization is crucial. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. This could manifest through denial of requests for tools, resources, and capabilities that the workforce needs. Instead of considering workarounds, the FSO may naturally be inclined to say "no" instead of doing the hard and helpful work of performing a risk assessment and providing helpful solutions. Rather than assuming the role of "Dr. No", FSOs should possess the skill to develop policy that supports NISPOM requirements AND provides for the fulfillment of the classified contract's objectives, work products, and deliverables.

I've witnessed FSOs often respond to requests with "DSS (DCSA) won't allow it," or the more popular "it violates the NISPOM," only to have industrious cleared employees find a workable solution approved by the government customer, while going around the FSO. Think about what that does to the FSO's credibility and influence. They may never be consulted again and could have their office be reduced to, "just get us our security clearances and we'll take care of the rest".

FSOs should also understand that the security program is there for the cleared employees and not the other way around. The cleared employees perform on the classified contracts; the work that brings revenue to the company. The FSO brings the resources, guidance, consultation and tools to facilitate the performance on classified contracts.

For example, a security practitioner may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, the FSO may defend their decisions by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company's business model or culture. A more succinct example is the FSO requiring the organization to provide monitored surveillance and alarms for the protection of SECRET documents already adequately secured in a GSA approved security container.

    

The second problem addresses the level of the hired or appointed FSO as the company grows from 50 to 300 cleared employees. The FSO for the 50-person company may just need clerical and administrative skills to provide security assistance to the few cleared employees working one or two classified contracts. In this case the company grows to 300 cleared employees, with 15 contracts, and is managing growth problems and opportunities. The growth requires a sound strategy that goes beyond clerical skills.

In the third situation, the corporate office misunderstands the role of the FSO and assumes that they have limited leadership skills and roles. Suppose the FSO is experienced in leadership, but is buried under many levels of leadership and not able to influence decision making. They could make sensible recommendations based on threat assessment and NISPOM requirements. The program is presented professionally, but the management does not understand the role of the FSO as compliance officer and they are typically left underutilized. Perhaps they consider the FSO as a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.

    

Larger and very successful cleared defense contractors understand the needed balance. These companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.

    

Influencing Change

So, how does the described security manager create influence and credibility that counts? First of all, they should approach their profession as risk managers. They should factor in the contractual requirements, NISPOM, government contracting activity, and potential growth. A growing security requirement is expensive, and resources should be planned for and budgets presented based on quantified risk and not fear tactics.

    

Learn how the company earns money. Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.

    

Presenting the security program does not have to be a frustrating event. If a security manager is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must and it involves making the transition from an administrative clerk to a risk analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.


Check out our book series: Security Clearance and Defense Contractors

Security Through Walking Around-The Right Questions


I’ve recently fielded questions to some cleared employees. The intent was to generate discussion and get an assessment of how well they understood the National Industrial Security Program (NISPOM). I’ve received a variety of answers. The responses were intelligent, well thought out, but inaccurate. They demonstrated a lack of understanding based on popular culture and word of mouth.

 Keep in mind that out of all possible respondents less than a handful replied to each question. Additionally, the survey was in no way scientific. It was just a simple fielding of questions and not intended to be a representation of the industry in general. However, they do provide a sound training solution. How can one use such data to train the force? Well, thanks for asking.

Readers of this newsletter can use the same questions while conducting walk around security or otherwise conducting a security survey. Field these questions to your teams. If they respond correctly give loud and public praise. If they answer incorrectly you have just created a training opportunity. Proceed with diplomacy. Use the data you collect as a foundation to design future training. These responses go a long way in identifying weaknesses in the overall understanding of the National Industrial Security Program. These weaknesses could prove a vulnerability to your security program if not addressed properly.

Another application is to use the answers I provide here to bring about discussion or add to your security education agenda. Again, no scientific study here. However, certain broad assumptions can be made about general knowledge of the National Industrial Security Program.


Now, the questions and answers:

1. Will your security clearances or the way we protect classified material be impacted by a new President?

Answers:

a. "The President can de-classify any classified information."

b. "There should be some sort of "transition" in place for business that overlaps 4-year Admin tenures."

c. "I don't foresee any significant changes."

The reality: In recent history two sequential presidents have provided separate executive orders directing how to protect classified information. Presidents have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification. 

Contractors and government agencies protect classified information based on the guidance from the executive orders. When changes occur, they affect storage capacity, employee manpower and resources toward re-marking or improving security. These resources are funded through overhead and impact profits. Organizations can project requirements and put a proactive plan in place to make necessary transitions easier.

2. Is a defense contractor allowed to advertise their facility security clearance level or post about it on social media?

"It depends on what level you're advertising. You should be able to advertise clearance levels."

The reality:

According to the National Industrial Security Program Operating Manual (NISPOM), the contractor cannot use their security clearance level to advertise for business.

NISPOM 2. General. An FCL is an administrative determination that a company is eligible for access to classified information or award of a classified contract.

 A contractor shall not use its FCL for advertising or promotional purposes

As the lead security education provider, the Facility Security Officer has to break through perceptions. Those cleared employees should grasp a good understanding of their responsibilities to protect classified information. FSOs can ask simple questions to gauge the effectiveness of the training and discover areas in which to conduct training.

Managing Export Violations




Let’s test your knowledge of international operations. The following situation is pure fiction, but is based on issues facing businesses every day. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question:

As the security manager of a classified facility, you have many responsibilities including approving classified visits. Not a problem, since most visit requests are handled through agency-approved databases. Besides, you have a very large staff and the process is pretty much routine until….

A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual, it should be a workable solution. Do you provide the visit request form? Why or why not?

In the course of business, it is not unusual for a foreign entity to request a visit to a U.S. company. Foreign business employees may desire to visit a U.S. contractor in furtherance of a contract. When the business is related to a classified contract, involves classified information or relates to a government to government agreed upon plant visit, the foreign entity requests the visit through their embassy. The only way these types of visits are authorized is through government to government channels. Unclassified visits are sent through commercial channels and are conducted through licenses with the Department of State or the Department of Commerce.

Visit requests submitted by a foreign entity pass through their government channels to the U.S. government for approval. The U.S. government agency having jurisdiction over the classified contract submits the request to the U.S. contractor for their approval. The request also includes guidance and limitations of the information and items the foreign national will be allowed to access. The contractor reviews the limitations and determines whether or not they concur with the request. The contractor has the final say of whether or not the foreign national will access their facility.

Security managers, exports compliance officers, technology control officers, etc. will face more challenges as our market becomes global. In future topics we will discuss: once a visit is authorized, what does a contractor need to do in preparation for the visit? How does one prepare employees and the visiting foreign person to avoid exporting unauthorized technical data?

Export Compliance and Leadership


A few years ago I facilitated a short but very rewarding eight-hour seminar on the International Traffic in Arms Regulations (ITAR) Overview. I am grateful to the staff at the University of Alabama in Huntsville and the North Alabama Trade Association for both sponsoring the event and allowing me to present. I found the course rewarding as I presented to a mixed audience of 30 professionals ranging from shipping and receiving specialists to executive vice presidents. The mix also consisted of professionals with various degrees of know-how, as consultants, attorneys, technology control officers and those brand new to the field shared experiences and learned from one another. As a compliance officer in various disciplines, I have had the privilege of leading security and compliance teams and seminars on multiple topics.

Though this was my first of hopefully many export regulations seminars, I noticed a similar need in the compliance field. Regardless of the discipline, compliance works best when driven from the top down. No matter the program a compliance officer intends to build or support, influence is key when developing it, whether security, privacy protection, safety, export, etc. Experience and technical savvy are great to have; however, minus influence, the person is just an administrator playing catch-up in a crucial game.

Like other compliance disciplines, export compliance first and foremost helps companies and individuals successfully earn profits while playing by the rules. Our government encourages international business. The opportunities for lucrative business and growing employee experience pools make international trade an attractive endeavor. The benefits are huge as long as enterprises know the rules and are able to implement them into every program. The reality is that a license will most likely be granted when given the time and consideration required. Unfortunately, the routes people take to avoid licenses probably take more energy, and export violations cause significant damage to our defense and economy.

Influence comes in where the whole team understands the mission and each business unit and employee role. The compliance officer trains the company and keeps the empowered official abreast on licensing and technical assistance issues. They also establish trigger mechanisms to ensure international travel, business, or employment opportunities come to their attention early in any endeavor involving technology transfer. 


Monday, September 21, 2020

Conducting Effective Security Training



Some security training and briefings are very discouraging for the workforce. Many times, the training is the exact same video or presentation used year after year. This podcast and article discuss ways to improve training by making it applicable based on skill level. In other words, someone who has been working on classified contracts for five years or more already understands the three levels of classified information; so why not move on?

So, if you go to my website www.redbikepublishing.com, you might find training and tests that do ask those types of questions. That’s because many of my books and training products are specifically for security managers and include certification study guides. It’s appropriate for me to ask administrative types of questions. It’s unfair to provide that type of training to the workforce.

This topic is specifically about how to make your security training more effective for your work force. There are two types of training that I want to clarify. That is required training for security professionals and required training for the workforce. These training topics should be separate and distinguished. For example, an engineer performing on classified work may not need to know security form numbers. They may need to only understand that at the end of the day, they need to use the End of Day Checklist, so why quiz them on the form number (SF 701)?

So here are three problems I see with the current security training trend:
1. Lack of training resources
Security managers are tasked with training a work force, but without the ready resources to do so. Security managers often perform this task as an extra duty without time or resources to accomplish it. They are human resources, contracts managers, engineers, CEOs, and others, filling the position to be compliant with security clearance requirements.

What is concrete is that there are various training topics required for cleared defense contractor employees, they include:

This is a huge responsibility. 

This training is easy in the beginning stages with the first two training topics. They are the high-level training and onboarding, enough to get cleared employees “authorized” and prepared for the work. This is normally presented by the FSO for newly cleared employees and covers the basics of protecting classified information, what it is and how it’s classified, how to recognize it, how to report violations, and other fundamentals.

New employees who are already experienced working on classified contracts elsewhere do not need the SF 312 briefing, but may need Initial Security Awareness training to orient them to security policies and procedures in their new work location.

2. One Size Fits all
There are many resources that busy security managers can draw upon to solve the problem of training the workforce. There are downloadable training topics available from vendors and government websites. The problem is, the training never grows up or ever requires growth from members of the cleared workforce. 

Year after year, we present the same presentation or video regardless of skill level. A person who has been working for 5 years or more as a cleared employee knows the three classification levels (TOP SECRET, SECRET, CONFIDENTIAL). Yet we keep feeding them baby food and insulting their intelligence with quizzes asking them the three levels while trying to trick them with a nonexistent fourth (UNCLASSIFIED).

3. Making a nation of Security Professionals
The very resources we use to present to our cleared force come from websites targeted at security professionals. For example, the Defense Counterintelligence and Security Agency trains security professionals, and their courses are designed for that purpose. Many times, because of problem statements 1 and 2, we are forced to use these canned presentations. In these, the workforce is tested on their knowledge of security forms, how to conduct security investigations, and how to challenge classification. In fact, they need to understand better that a cover sheet exists, how to recognize and report a violation, and who to talk to if something is over or under classified. The workforce does not usually take care of security administrative functions such as ordering security forms (security does), they don’t conduct investigations (security does), and they don’t contact the GCA, DCSA, ISOO, etc. (security does), so why force them to learn the intimate details?

The solution

There are a few simple ways for a security manager to improve the security training without incurring a huge resource burden.

1. Begin with the Contract Security Classification Specification or DD Form 254. 

The DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts, you should understand the contents for each contract. The security manager may create training requirements based on the contract. The DD Form 254 addresses every security requirement for each classified contract and can be used as a roadmap for security training. In fact, almost every section is a training topic in and of itself.

2. Incorporate workforce peers, supervisors and program managers. 

While the security manager will provide the training reflecting National Industrial Professional Operating Manual (NISPOM), the workforce will provide more work specific training tailored for the classified contract. 

Training will reflect how to write classified documents, assemble subsystems, collect raw data from sensors, or other specific work required by your contract.  They will also teach how to correctly mark, assemble, store and protect the classified work products. 

The FSO and supervisors should attempt to structure security training by experience level. The training does not necessarily need to be conducted as a presentation or assembly or in a canned computer setting. The security manager and employee supervisor can work together to develop training topics that can be validated in day-to-day work activities.

Learn more about security training at www.bennettinstitute.com



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, June 2, 2020

The Importance of Classification Markings and the secrets they tell.



Cleared Defense Contractors, employees, and government workers review classified information, but may not understand how or why the markings are applied. Sure, it's obvious that the markings do warn of the classification level and how to protect it, but the markings also show so much more.
Classification markings are applied by the Original Classification Authority and provided for many reasons, including warning of the classification level, determining what is classified, the length of the classification duration, and who made the classification decision.
Marking classified material is a method of warning and informing of classification level, the exact information to be protected, of downgrading and declassification instructions, reasons for classification and sources of classification, and special access, control or safeguarding requirements. 
In classified documents, the classification level is applied to the front and back covers, top and bottom of pages, paragraphs, figures, tables and charts. They are placed in conspicuous locations on objects, computers and other types of media. This chapter demonstrates how to inspect classified items for proper markings and how to properly mark classified items originally created or derived. 

Guidance for Marking Classified Material 
Executive Order 13526 delivers guidelines for assigning classification levels to objects and information. The Government classifies information to provide proper safeguarding and prevent unauthorized disclosure, loss or compromise of classified information. The amount of classified information generated should be kept to the minimum needed to build any system or accomplish any mission. 
When receiving classified information, the FSO should check it against a receipt, inspect it for proper identification and markings and bring it into an Information Management System (IMS). If there are marking discrepancies, the receiver should rectify the situation by either sending it back or fixing the mistake themselves according to directions in the appropriate security classification guide (SCG). 
Security violations could occur if classified information is not marked properly. Suppose an engineer of XYZ Contractor goes to the company’s centralized document storage area and signs out a document classified as SECRET. According to company information management policy the user is to return the item to document control prior to the end of the work day, or when they leave the office. The engineer takes the document back to his office and works with it. After a while his eyes get tired and he grabs his day planner to check his schedule. 
He is reminded of an upcoming meeting with the social committee and begins to reflect on the near term company picnic. He gets up and walks to the window to look at the proposed picnic location. While gathering his thoughts, he hears a knock at the door and walks over to open it. As he passes his desk his eyes glance at the document’s markings of SECRET on the top and bottom of the opened pages. He then closes the classified book and picks it up. With the book closed and firmly secure in his hands and the outside protected by a cover sheet, he opens the door and sees his buddy from across the hall. They both have clearances, but are working on two different contracts. His buddy has no need to know of the contents of the book.
In the example, the markings served to remind the engineer of the classified information in his possession and ensured that he maintained proper control and accountability. The marking also reminded the cleared employee of the responsibility of verifying clearance and “need to know” before disclosing classified information. 
Classified markings also convey what exactly needs protection. For example, a cleared employee reviews a classified document and is able to determine from the portion markings which information is TOP SECRET, SECRET or CONFIDENTIAL. This information is important as a cleared employee would need to correctly transfer the classification of any information derived from the document to incorporate into a new document (derivative classification). Additionally, if any UNCLASSIFIED information needs to be removed for a sanitized product, the information will be properly identified in the portion markings. 

We offer security training for security clearances and how to protect classified information @ https://www.bennettinstitute.com





Wednesday, May 20, 2020

ISP and ISOC Certification Course for Free





We have a free ISP and ISOC Certification study course.  Prepare For The DoD's SPeD Industrial Security Oversight Certification And The Industrial Security Professional Certification.

This Training Contains Supplemental Study Information That Can Help You Pass The DoD / CDSE Security Professional Education Development (SPēD) SFPC, SAPPC And ISOC Certification Exams And The NCMS ISP Certification Exam.

Some are reluctant to certify, but they just need the confidence earned through practice. Using practice tests to augment your certification exam preparation will help. This training is available for SPeD and ISP Certification.

Isn't It Time You Earned Security Certification? “(Your Name Here), ISP, SFPC, SAPPC, ISOC"–Imagine What Certification Can Do For You

Come visit:


https://bennettinstitute.com/course/ispisoctipis/



 

NISPOM course for free.




Bennett Institute has a new course and it's free. It's called Introduction to the NISPOM. Come check it out. This course introduces the NISPOM so that the student can better grasp the elements of NISPOM. When finished, the student will have a better understanding of NISPOM and all the topics of Chapter 1.

This is great training for:

  • Seasoned and new Facility Security Officers
  • Newly Cleared Defense Contractors
  • Cleared Employees 
  • Studying for Industrial Security Professional (ISP) and Industrial Security Professional Oversight Certification (ISOC). 


Come check us out.

https://bennettinstitute.com/course/nispomchapter1free/




Understanding NISPOM Chapter 8 and Classified Information Systems



Excerpt from upcoming book featuring the topic of classified information systems.

Since much of the work that Cleared Defense Contractors (CDC) perform is on automated systems, it is important to understand how to protect classified information that resides on information systems (IS). NISPOM Chapter 8 Classified IS discusses just how to do so. The intent of this writing is to demonstrate that the protective measures for classified IS are very similar to those that are described in other NISPOM chapters. This is our explanation of how classified information should be protected equally, no matter what form it takes. In other words, SECRET hardware should be afforded the same protective measures as SECRET software.

I write this to demonstrate that a Facility Security Officer should not be intimidated by any IS security discussions; they are similar to protective measures employed for all forms of classified information. Some security managers may be intimidated by an IS discussion because of perceived lack of technical experience. Either they do not work with information systems or, if they do, it is in a limited capacity. In these cases, they may turn over the entire process to the Information System Security Manager (ISSM) and remain hands off. However, it does not need to be that drastic.

Hopefully this broad view writing provides enough information for a non-technical security manager to successfully supervise a security program to protect classified information on information systems. The trick is to consider the guidance in NISPOM chapter 8 just like the guidance that is applied in NISPOM chapter 5. NISPOM Chapter 8 is not much different if you just think about the classified information systems as part of your security program to protect classified information and it may appear less intimidating.

Hopefully your familiarity with the NISPOM will give you confidence and a better grasp of how to employ classified IS protection and measure your program’s effectiveness. Additionally, you may be able to use this information to better prepare for security certifications like Industrial Security Professional Certification and Industrial Security Oversight Certification.

We offer NISPOM training for security clearances, how to protect classified information, and certification.




Friday, May 1, 2020

NISPOM Fundamentals Training Protecting Classified Information

NISPOM Fundamentals Webinar

Red Bike Publishing is now hosting a webinar with multiple installations. We used to host it at Udemy, but are hosting our own training.

Take NISPOM Classes one chapter at a time

Currently we have each of the NISPOM Chapters 1-8 available. Each lesson is 1 to 2.5 hours long, consisting of lectures, presentations and graded quizzes. Soon I'll be loading the rest, but you can start training now.

Or all at once as we have bundled these courses.

We now have the NISPOM Fundamentals course ready to go. This course combines chapters 1-8 and is updated regularly with additional chapters and content. Register now and have access to all updates. As we update, we will be charging more depending on the amount of content. However, if you register now, this registration will include all future updates at no additional cost.
The fundamentals of NISPOM is $350.00. However, for the next few days, we offer them for the introductory price of $150.00.
Here's the link to join.

Great way to train for:

  • Newly cleared employees
  • New Cleared Defense Contractor leadership
  • New FSOs
  • Those studying for certification (ISP, ISOC, etc)
  • Students who want to learn more about NISPOM

We go through all the chapters and annexes.

  • Classification
  • Classified Processing on Information Systems
  • Reporting requirements
  • Closed areas
  • International
  • Classified meetings
  • Protection
  • Subcontracting
  • and much more 
  • It's all in one place


My name is Jeffrey W. Bennett ISP, SAPPC, SFPC, ISOC. The acronyms after my name are DoD and other certifications I have received and are related to requirements for protecting classified information. For the past 20 years I have led security programs to protect classified information, served as an FSO, conducted risk assessments, and provided training for many, many security professionals.
I've taught this course over many years at the University of Alabama, Huntsville.
I have also created a company called Red Bike Publishing (www.redbikepublishing.com) and have written security books and training for the busy professional.

I want to help:

I've created a unique suite of training to increase your understanding of the NISPOM. We want to run it live with a select group and we choose you.
The training can also be used to prepare for security roles and inspections. The training topics below include everything necessary for training the cleared employee workforce at the cleared defense contractor facility (CDC). Training topics also are part of the FSO certification program as well as resources for Industrial Security Professional (ISP) and Industrial Security Oversight Certification (ISOC).

All of our training is applicable for:

  • Training cleared employees 
  • Training Facility Security Officers and security personnel 
  • Security certification such as ISP and ISOC

Warning:

This is not a guarantee that anyone can study and pass the security certification. We don't promise a magic bullet to certification or passing a DCSA audit. Not everyone will be able to earn an excellence in an audit or a perfect score on an exam.

However, with that said,

If you follow our guidance in our webinar and books, your chances of being prepared for audits or certification exams will improve greatly.

You will be equipped to know NISPOM better than most and understand how to apply it to your business, audits, and certification exams. You can start just like I did by just studying the NISPOM and having the skills to pass exams and sail through security issues and audits; just as I have done.

This information is what others wish they had known. If they had had this information, they may have that certification or earned that promotion or even excelled at the DCSA audit.


Study with us:

The training topics will soon include what is required of all cleared employees as below:
  • Initial training or for refresher annual security awareness training
  • Insider Threat
  • SF 312
  • Derivative Classifier 

This information is what others wish they had known. If they had had this information, they may have a clearance by now.

If you are like me, one of the people who come straight to the end of the letter to find the offer, here you go. I'm offering you a little information to clarify the security clearance process. We just want to offer you something of value.
