Thursday, March 5, 2020

Questions for SPeD, ISOC and ISP Certification


Get your copy @ www.redbikepublishing.com


These NISPOM-based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams, including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2.

The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours

d. 12 hours

e. 86 hours


When completing the Request for Visit, the anticipated level of classified information involved includes all the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED

d. RESTRICTED

e. UNCLASSIFIED


Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission

e. All the above


Scroll for answer:











The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours (NISPOM 5-408d)

d. 12 hours

e. 86 hours



When completing the Request for Visit, the anticipated level of classified information involved includes all the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED (NISPOM Appendix B4)

d. RESTRICTED

e. UNCLASSIFIED

Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission



e. All the above (NISPOM 1-104a)

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book and used our techniques to augment their preparation have performed very well on certification exams.

                                           

Check out our newest resource, online testing, which simulates testing environments for the ISOC and ISP.

For practice purposes, download the electronic version of the NISPOM and use it to help search for the answers to the provided test questions. Use a timer to count down 120 minutes for each practice exam.
Register for the exam here:  https://www.classmarker.com/online-test/start/?quiz=jdm5dbdb6cb9c613

You can find additional certification training and resources at http://www.redbikepublishing.com/ispcertification/

NISPOM link 

https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf



Just select the “edit” tab and then “find”. Then type the key word or phrase from the test question to help find the answers.




Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".


CMMC and Protecting Controlled Unclassified Information


The Defense Counterintelligence and Security Agency (DCSA) is responsible for evaluating vulnerabilities of classified information at a Cleared Defense Contractor (CDC) facility. This includes not only the policy to review a contractor's capability to protect classified information, but now includes the handling and protection of items identified as controlled unclassified information (CUI) as well.

If it appears that there are acronyms developed to cover concerns at an alarming rate, you are correct. The vulnerabilities of technology that enhances our military capability also come with a set of warnings and new titles and acronyms that demand increased attention. We have critical program information, critical components, critical technologies, controlled unclassified information, etc., each with similar yet different definitions and requirements. While we may have new names and acronyms, the fundamentals of protection remain.

As detailed above, it is evident that technology poured into products enhancing any capabilities must be protected rather than released into the public domain. Identifying sensitivities and required protections will make the difference in what will be added to a flyer, sales pamphlet or website.

Information, raw data, files, etc. exist in many forms, and this information has acronyms covering military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR), International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and the most recent, unclassified technical information (UCTI).

A CDC has more to worry about than just classified information. Where they have the security classification guide to provide explicit instruction on how to protect classified information, there is no such guide covering the other categories. However, the CDC should go through an exercise to determine sensitive or critical unclassified information, as it is also useful during the vulnerability assessment from DCSA and the Cybersecurity Maturity Model Certification (CMMC) that evaluates how the contractor protects information residing on the networks.

This information should be identified by format and location as it resides in the organization or in transit. This simply means identifying information developed as a result of performing work on a defense contract (reports, designs, blueprints, etc.), where these products reside (cabinet, room, computer, network) and their format (paper, software, system, cyber). At the very minimum, this information should be identified and a plan put in place to protect it from casual observation and from ending up on a screen at a seminar or on the public homepage.

Countermeasures should include security training, policies, and procedures that consider the following scenarios. We have defined these threats in earlier articles, but find they are useful for clarity and instruction in this situation:

Espionage

The unauthorized collecting, transmitting or stealing of information for the purpose of aiding other governments, businesses or entities.

This espionage can include actions found in Economic Espionage, Sec. 1831 of the Economic Espionage Act of 1996:

Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;

(3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;

Trade Secret Theft Sec. 1832 of Economic Espionage Act of 1996

(a) Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly--

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization

ITAR Violations

(a) Export means:

(1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or

(2) Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or

(3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or

(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or

(5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.

The lesson is that significant effort and thought should go into protecting the information that could otherwise be vulnerable. Just identifying the information reduces risk of uncertainty; developing countermeasures to protect it further quantifies and reduces significant risk. Developing a security program to protect sensitive unclassified information may require more innovation than that of understanding how to protect classified information.

For unclassified U.S. defense information, the defensive measures depend primarily on incorporating the experience of those who practice the innovation and including them in the risk reduction process.

Ray DICE Man Semko developed a process called Defensive Information Countering Everything. This is his anchor point for assisting others in implementing the risk reduction cycle. Perhaps you can develop your own as you implement security at your facilities. Remember the risk reduction cycle; it applies to almost everything:
1. Identify assets
2. Determine impact if exploited
3. Assess risk
4. Implement countermeasures
5. Assess countermeasure effectiveness
6. Do it all over again.

