Saturday, April 24, 2021

Security clearance eligibility and working for foreign companies


I've recently received many emails from people who are curious about security clearances and working for foreign owned companies. Though the volume of those questions has increased, I guess the topic is no longer as surprising in content as it could have been many years ago.

Many years ago, we might automatically assume that working for a foreign owned company would be indicative of highly questionable practices, but maybe not any longer. 

Things have changed. More foreign owned companies are opening doors in the U.S. Internet opportunities open doors to employment. Working for foreign companies provides new opportunities regardless of borders: investment, teleworking, and creative content services that allow artists to bid on customer jobs have made this more of a possibility.

But the questions have been pretty vague and hard to answer. 

  • Am I allowed to work for a foreign company if I have a security clearance?
  • Will I be able to get a security clearance if I work for a foreign company?

The questions are vague because there are so many scenarios that the questions can reflect. Some scenarios include:

  • You are currently employed by a cleared defense contractor and have a security clearance and want to quit and work for a foreign owned company, and would one day like to return to working with a clearance. This scenario is very risky as you could lose out on future employment, but can be mitigated.
  • You do not have a security clearance, but may one day like to work on classified contracts in some capacity. However you want to apply to work for a foreign owned company. This scenario is less risky because you have nothing to lose other than the possibility of getting a clearance "one day".

There are many other scenarios and reasons that could be described, and all are different, so my answer would be, "It depends on the scenario". Additionally, it may depend on the security clearance level such as SECRET, TOP SECRET SCI, etc.

The bottom line is, can you be entrusted with national secrets because of employment with a foreign owned company? Having a security clearance is a very important responsibility. The security clearance holder is responsible for protecting classified information and supporting the security program to protect that classified data.

This opportunity is based on the adjudication process. Security clearance award is provided after the adjudication of the investigation results. Allegiance to the United States and Foreign Influence are two very important considerations that would have to be addressed prior to awarding the security clearance.

There are many ways to adjudicate risks under Allegiance to the United States, Foreign Influence and other adjudicative criteria. There are no automatic answers to these questions since it depends on the situation. Get all the facts prior to taking on such a job, determine your risk level, and develop a strategy to mitigate the risk to your security clearance. 

If you have questions about this or other security clearance topics, visit my consulting site https://www.jeffreywbennett.com or email me at editor@redbikepublishing.com 

Join our reader list for more articles.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures.

Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", and "ISP(R) and ISOC Master Exam Prep", and training: NISPOM Fundamentals/FSO Training and Cleared Employee Training.

Jeff is available to consult.

Wednesday, April 21, 2021

Cleared Defense Contractor Performance and How to Protect Classified Information Fundamentals By: Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP

 


Cleared Defense Contractors use classified information during performance of contracts. The Department of Defense makes the rules and governs how the classified contractors protect classified material. The Federal Government has published a policy appropriately titled: The National Industrial Security Program Operating Manual (NISPOM). This page turner is sponsored by the Presidential Executive Order (E.O.) 12829 for the protection of information classified under E.O. 12958, as amended. Having pored over both publications and the updates, I can confidently assure you that they take this business very seriously.

    When specific work declares performance objectives on classified efforts, provisions of the applicable DD Form 254 and Security Classification Guide (SCG) shall govern. Both the DD 254 and SCG spell out what specific work a contractor can and cannot perform, what exactly is classified and how to protect it. Both of these documents should not only be available prior to execution but also be read and understood by all performing employees.

    Classified information is marked with CONFIDENTIAL, SECRET and TOP SECRET designations and must be afforded protection at the appropriate level. For example, unauthorized disclosure of CONFIDENTIAL information could reasonably be expected to cause damage; SECRET could reasonably be expected to cause serious damage; and TOP SECRET could reasonably be expected to cause exceptionally grave damage to national security. Prior to discussing or providing classified data, cleared employees are required to ascertain the receiving party’s clearance level and need-to-know.

   Facility security officers and industrial security professionals should develop measures to safeguard classified information at the highest level indicated. Employees should be trained to perform on these contracts based on NISPOM Guidance. This training includes:

  • Non Disclosure Agreement (SF 312)
  • Derivative Classifier
  • Security Awareness Initial and Annual Refresher
  • Insider Threat


Controlled Unclassified Information


A buzz is sweeping the security community since the industry has been notified of the recent updates to DoD's CUI program based on the presidential memorandum with the subject, Designation and sharing of Controlled Unclassified Information (CUI). This memorandum implements a program designed to encourage the speedy sharing of information to those authorized and to better protect the information, privacy and legal rights of Americans. The CUI program is designed to promote proper safeguarding and dissemination of unclassified information.  

    Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) directives provide procedures for a more appropriate Information Sharing Environment.

    CUI is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However, the protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under the law or policy advocating protection from unauthorized disclosure, proper safeguarding and limiting dissemination. Though not a classification, the controls in place may prove to require significant administrative action.

    Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally, as with classified information, sensitive information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency, to improperly or unlawfully interfere with competition in the private sector, or to prevent or delay the release of information that does not require such protection.

    What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination, and provide required CUI training. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.


Wednesday, March 31, 2021

What Defense Contractors Should Consider Before Appointing FSOs




Becoming a cleared defense contractor (CDC) demands more than just a defense contractor getting a security clearance and performing on classified contracts. It has more to do with what to do once the clearance is awarded; specifically, protecting classified information. This protection involves physical, classified processing, and information security. It's more than just buying safes, installing access controls and getting employees security clearances. Primarily, the CDC must appoint a Facility Security Officer (FSO) responsible for implementing a program to protect classified information.

To better answer frequently asked questions, I've written several times on the topic of selecting the right Facility Security Officer (FSO) qualifications. According to the National Industrial Security Program Operating Manual (NISPOM), the FSO must be a US Citizen and be cleared to the level of the facility (security) clearance (FCL); period. This provides a lot of room for a cleared facility to figure out how to get the job done. However, in the book, How to Get U.S. Government Contracts and Classified Work, the author identifies what additional qualifications cleared contractors should recognize prior to appointing or hiring the FSO.

Primarily, the FSO should understand how to protect classified information as it relates to the cleared contract, organizational growth, enterprise goals, and NISPOM guidance. The FSO should be able to conduct a risk analysis, express the cost, benefits and impact of supporting a classified contract under the NISPOM requirements and incorporate an environment of cooperation and compliance within the enterprise. Finally, they should be able to influence and compel the senior leaders to make good decisions, support compliance and integrate security into the corporate culture. After all, security violations not only cause damage to national security, but could also impact the organization with loss of contracts. The FSO is pivotal to the successful execution of classified contracts.

In larger cleared contractor organizations the FSO is a full time job held by a department manager or higher. This FSO is supported by a staff of security specialists who may manage classified contract administration, safeguarding classified documents, processing classified information on information systems, security clearances and other disciplines. The FSO oversees the entire security program as executed by the competent staff. In a best case scenario, they will report to the senior officer of the organization.

In small businesses the FSO may be the owner, chief officer, vice president or other senior leader picking up an additional responsibility. This is more of a situation of selecting the most knowledgeable, capable or competent person and is usually the best choice. However, these people are already very busy trying to meet cost, scheduling and performance objectives. They may be able to implement and direct a security program to protect classified information, but not the day to day job functions that can pull them away from critical tasks. Jobs such as document control, visit authorization requests, security clearance requests, etc. can be delegated to other competent, organized and less busy employees.

When competing for classified contracts, the winning company must be eligible to receive a security clearance. Prior to performing on the contract, they should have a facility security clearance in place and appoint an FSO. The FSO is responsible for the security program, but not necessarily solely responsible for executing the day to day activities. Just as FSOs in large organizations have a staff of employees, the FSO of small organizations should delegate day to day activities to competent cleared employees.

If you need assistance with FSO or security training please contact me. Additionally, we have NISPOM fundamentals training perfect for studying and applying to your CDC facility. https://bennettinstitute.com/course/nispomfundamentals/



It's always the insider who steals the classified information.


A former engineer with Boeing Company has pleaded guilty to possessing classified information in an unauthorized location. Does anyone want to guess where? Yes, that’s right, his house. He thought he could take the information home with him and work on it there. You can read more about the information in the article Boeing Engineer is found guilty.

    While many security managers are focused on good training and may think that they have it all under control, don’t rest just yet. Chances are that the involved engineer is not the only one breaking the rules of safeguarding classified material. Those who work on classified contracts need to be reminded again and again how to do so while following the laws of our country.

    Let’s break this case down. The engineer has access to computer processing. He then downloads the information to a data stick and brings it home with him. Though he probably meant no harm, his actions created tons of it and he will be punished for it. This is an example of an insider threat without malicious intent. Regardless of intent, his actions caused a lot of harm.

    Chances are, he had attended and understood all security awareness training events. His former employer probably had warning signs and controls in place to remind the engineer of the proper use of classified IT. The FSO probably followed NISPOM requirements to perform random checks, control classified processing, account for classified material and all actions necessary to prevent unauthorized disclosure. However, he still got through.       

    This serves to remind security professionals to be creative in their risk analysis. This involves thinking like those you support and answering questions like the following: How could an employee sneak or inadvertently remove classified material? Are there any ways to remove, copy, destroy or disclose information without leaving a trail? Can employees be duped into releasing classified, export controlled or proprietary information at a convention?

    Find the answers and address them as soon as possible. For example, our engineer downloaded classified information on a data stick. FSOs could return to policies of two person rules for all tasks requiring the use of classified material, or require each employee to verify verbally that they do not have cameras, data sticks, or recording devices before entering facilities.

    CDCs have the tough job of protecting classified material while under their control. While many may feel they are in the business alone, professionals create an environment including the whole company in the plan and activities of protecting our nation’s secrets.

    Update: More recently a former military officer and Pentagon employee has been sentenced for providing classified information to a Chinese national. Though this happened in a U.S. Government facility, lessons can apply to FSOs. For example, how do you control the movement of classified information? Establishing an Information Management System as required by NISPOM plays a big role. With an established IMS, the CDC can help control the duplication, removal, destruction and any status of classified information. An effective IMS coupled with limiting removable data recorders and providing random searches makes unauthorized use of classified information very difficult. 

Take time to train cleared employees, not only on how to perform specifically on the contract, but how to do so while protecting the classified information. A focus on the right type of performance training plus the insider threat, security awareness and derivative classifier training should provide the perfect package to help counter the insider threat to classified information.


The fundamentals of protecting classified information and NISPOM

Cleared Defense Contractors use classified information during performance of contracts. The Department of Defense makes the rules and governs how the classified contractors protect classified material. The Federal Government has published a policy appropriately titled: The National Industrial Security Program Operating Manual (NISPOM). This page turner is sponsored by the Presidential Executive Order (E.O.) 12829 for the protection of information classified under E.O. 12958, as amended. Having pored over both publications and the updates, I can confidently assure you that they take this business very seriously.

    When specific work declares performance objectives on classified efforts, provisions of the applicable DD Form 254 and Security Classification Guide (SCG) shall govern. Both the DD 254 and SCG spell out what specific work a contractor can and cannot perform, what exactly is classified and how to protect it. Both of these documents should not only be available prior to execution but also be read and understood by all performing employees.

    Classified information is marked with CONFIDENTIAL, SECRET and TOP SECRET designations and must be afforded protection at the appropriate level. For example, unauthorized disclosure of CONFIDENTIAL information could reasonably be expected to cause damage; SECRET could reasonably be expected to cause serious damage; and TOP SECRET could reasonably be expected to cause exceptionally grave damage to national security. Prior to discussing or providing classified data, cleared employees are required to ascertain the receiving party’s clearance level and need-to-know.

   Facility security officers and industrial security professionals should develop measures to safeguard classified information at the highest level indicated. Employees should be trained to perform on these contracts based on NISPOM Guidance. This training includes:

  • Non Disclosure Agreement (SF 312)
  • Derivative Classifier
  • Security Awareness Initial and Annual Refresher
  • Insider Threat


Another explanation of CUI


A buzz is sweeping the security community since the industry has been notified of the recent updates to DoD's CUI program based on the presidential memorandum with the subject, Designation and sharing of Controlled Unclassified Information (CUI). This memorandum implements a program designed to encourage the speedy sharing of information to those authorized and to better protect the information, privacy and legal rights of Americans. The CUI program is designed to promote proper safeguarding and dissemination of unclassified information.  

    Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) directives provide procedures for a more appropriate Information Sharing Environment.

    CUI is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However, the protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under the law or policy advocating protection from unauthorized disclosure, proper safeguarding and limiting dissemination. Though not a classification, the controls in place may prove to require significant administrative action.

    Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally, as with classified information, sensitive information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency, to improperly or unlawfully interfere with competition in the private sector, or to prevent or delay the release of information that does not require such protection.

    What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination, and provide required CUI training. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.

 


Friday, March 5, 2021

Training and Goals for Cleared Defense Contractor Employees


Putting first things first. That has been a motto for many after reading books such as Franklin Covey’s 7 Habits of Highly Effective People or Reverend Rick Warren’s The Purpose Driven Life. Those and several similar motivational publications stress that everyone has the same amount of time in a day. What we do during that time helps us either make our goals or fail before we even get started.

   As leaders, FSOs can help cleared defense contractor employees understand how to create incredible security programs. Focusing on training, interaction with other cleared employees, self-improvement and institutional education should be part of professional development. FSOs and managers who write evaluations for direct reports have an excellent opportunity to help them establish goals to become better at their jobs, more impactful in their careers and hopefully, groomed to become FSOs themselves. Challenging employees and team members to achieve personal and professional goals breeds success.

Security certifications such as ISP Certification and ISOC certification are goals cleared employees could set for themselves as well as encourage other employees to achieve. The employee gains from such education and a prestigious career milestone. The organization also benefits from what the security employee learns and applies on the job. When employees study for the ISP Certification, they learn: how to read and apply the NISPOM, the importance of forming professional relationships with cleared employees, how the cleared contractor and the DSS representatives interact, and much more.

   A leader also creates pride in the organization and employee by making them more competitive in their career and providing a basis for professional pride. When employees are challenged with the goal, the manager can help by providing or allowing education as found on the DCSA, professional organization or vendor websites. Studies on NISPOM topics are available on the internet as well as on site. If your team is large enough, consider helping them start a study group.

   Here are 2 good training ideas:

  1. If the cleared contractor facility has multiple security employees, provide an opportunity to cross train. Security employees who work personnel security issues could work with document control, etc. Also, consider allowing security employees from one discipline to inspect another security section during the annual self inspection.
  2. Another idea is for the FSO to create an internal certification program. This helps integrate new employees into their jobs. A self-certification program would train an employee on performing individual tasks. The employee works under a mentor who verifies and documents the training. This training covers how the cleared contractor facility security employees practice document control, manage personnel security, provide classified contract support, etc. If such a program exists in your organization, consider using it for further cross training employees who concentrate only on one task. This will help them become more experienced and more prepared for the exam.

Employees may not feel comfortable asking for NISPOM Fundamentals Training, setting prestigious goals, or asking for funding for professional organizations or certifications. However, a supervisor who is aware of such opportunities can encourage the employee to become engaged.


Saturday, February 20, 2021

Is Security Certification a New Year's Resolution?




Wow, New Year’s Eve has come and gone, and many of us are reflecting on our goals. It’s traditional to plan events as the calendar rolls over to a new year. It’s one thing to dream big and visualize these goals; it’s quite another to actually reach them. So let’s talk professional goals. The NCMS’ ISP Certification and CDSE's ISOC are great ones to strive for.


It’s one thing to dream and another to plan. The difference is what you do from the vision to make it a reality. Here are some deliberate actions you can use to help develop a plan to become ISP Certified.

1. Begin at the NCMS, ISP Certification information website @ http://www.ncms-isp.org/ISP_Certification/index.asp. There you can find ISP Certification testimonials, brochures, application and other information about the certification. When you review the qualification, study and application information, begin with the end in mind. If your goal is to become ISP Certified, gather all the data needed and determine the possibility. If the application, approval and study timeline is too long, consider moving your goal to the next year. The goal is to study the requirements and build a realistic plan to achieve your goal. Let preparation set the way and not a calendar date. Once you determine how long it will take to get prepared (6 months, 1 year, etc.) build a plan based on the date and work backward.

If your goal is ISOC certification, begin at the CDSE website.

2. Understand the application process. There are minimum experience requirements that applicants must meet as well as administrative tasks built into the process. If an applicant does not meet minimum requirements, they can begin study, but will have to wait to meet those requirements before applying. This should be built into the timeline. Applicants who meet the minimum should build the administrative tasks into the timeline. This includes filling out applications, payment, getting approval to take the exam and setting up a test date.

3. Understand the testable topics. Gather the relevant test information from the website. Understand the requirements and get a feel of where you are professionally and any gaps you need to bridge to bring your knowledge of NISPOM and ISP or ISOC Certification categories to where it needs to be. It’s not necessary to be an expert in all areas or to be able to quote regulations and requirements. What’s important is a knowledge of where to find information in source documents and apply that knowledge to question based scenarios. In other words, understand where the information can be found and applied to the situation in a quick manner. For example, a person appointed as FSO may have substantial experience with personnel and contract security after working those areas exclusively for many years. However, they are still responsible for understanding information security as outlined in the NISPOM. This means that they will need to spend some time understanding where to find topic related information and answer questions in context.

4. The following are some things that you can do to prepare to fill those knowledge gaps:

a. Study the structure of the NISPOM and other reference documents and understand where to find topic-related information. Also, become familiar with key industry-standard words found in the source documents. Some of these words are original classification authority, government contracting agency, DCSA, security clearance, cognizant security agency, etc. The NISPOM and source documents are available in print and electronically and can be used in the exam. Understanding where certain information can be found or how to search an electronic copy is a very good technique for real-life and test-based scenarios.

b. Join a study group. There you can study their material, ask questions and get feedback.

c. Find a mentor. They understand the stress of working full time and studying for a professional level exam. Mentors can calm fears, answer questions, put rumors to rest, and put the right perspective on stress, studying and life in general.

5. Set a date. Once that date is set and approved, you have a certain amount of time to take the test before having to reapply. Setting the date will keep you motivated to study and stay focused.

Dreaming is one thing, but achieving is another. The best way to ensure success is to build a plan and follow it. Begin with the end in mind, understand the limitations, meet those limitations, set a date and stay focused.






Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and "NISPOM/FSO Training".

Monday, February 8, 2021

How FSOs can determine security budgets

A Facility Security Officer (FSO) should put careful consideration into the security budget. This is a primary opportunity in the continuing plan of building credibility. The manager who arbitrarily throws in a number with no basis is sending the wrong message. However, a well thought out line item count based on risk management, company mission and NISPOM requirements is more apt to impress and build instant respect. The budget contribution should reinforce and support a message the FSO is constantly communicating. The budget request should not be the first time executives are introduced to figures.

Management support or lack of support of a security budget demonstrates either a well received or an unsupported security program. The intuitive FSO understands business, the company mission and how the role of protecting classified material fits. In that environment, the FSO provides a risk assessment based on the threat appraisal and speaks intelligently of the procedures, equipment and costs associated with protecting classified information. For example, the FSO understands how to contract security vendors to install alarms, access control and other life safety and protective measures. The FSO is also able to demonstrate how the expense will benefit the company either in cost reduction or other tangible results.

The FSO presents the budget in a manner that all business units understand. For example, if part of the budget line is to provide access control there is a significant associated cost. Incorporating management involvement and support builds credibility and puts the company in a better position to provide the funding. Not only is a projected return on investment required, due diligence should be conducted. Sample questions and answers the FSO should be prepared to address are:

• Why is access control necessary? Prevents unauthorized persons from entering the premises and gives an extra layer of protection for classified and sensitive information.

• What happens if we do not implement access controls? The organization would have to commit persons to controlling the access to the company. At a manager’s salary of between $20.00 - $30.00 per hour, this could become expensive over time. The FSO could demonstrate the cost of the access controls against the time a manager takes to ensure someone provides visibility of the doors.

• What is the return on investment for access control? The intangible return on investment is the prevention of damage, injury, theft, and other risks inherent to unauthorized visitors. More tangible is the amount of energy saved by keeping the doors closed. In one such study an FSO estimated a cost reduction of $12,000 per year on the electric bill.

Other questions abound and the FSO should not hesitate to forward such questions to vendors. These vendors have statistics that they use as selling points for their products.

Speaking the language of business will serve the FSO well and ensure that executives understand the significance of a well supported security program. Security managers who just quote regulations or use “best practices” without putting much thought into the costs or talking points will quickly lose credibility.

More information is available in the books below:


Sunday, February 7, 2021

Receiving Classified Information into Accountability



I catch myself watching fun YouTube videos. Some of my favorites show consumers opening my favorite products and orienting me on how to use them. The unpacking causes excitement, and the item-by-item unpacking and layout of what to expect helps me understand my product better.

In the National Industrial Security Program Operating Manual (NISPOM), we have a similar package "reveal". Security specialists, document control professionals, facility security officers and others in possessing facilities may receive classified information, depending on the contract. Part of the receipt is the critical inspection of the package during the integration process. 

As they unwrap the package, the inspector is orienting themselves to better understand what they should be receiving. This begins by inspecting the package physically, then comparing the contents with the receipt. They are also searching for evidence of tampering, or otherwise verifying that there has been no compromise of classified material since it left the sender’s organization.

Classified material is protected by a two-layer wrapping job. Each layer consists of material that is impossible to see through, such as an envelope, paper, box or other strong wrapping material. To prevent opening, the seams of the layers are covered with anti-tampering, rip-proof tape to create a solid layer of covering. The initial inspection is more cosmetic as the inspector looks for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.

Next, review the address label for an approved classified mailing address and a return address, and confirm that it does not identify any recipient by name. The label is addressed to the “Commander” if a Government entity or the name and approved classified mailing address of the contractor facility. Additionally, check to see that there are no classification markings on the outer layer. The outer layer is designed not to draw attention to the fact that it contains classified contents. Classification markings and named individuals on the outer layer are security violations because they direct unwanted attention.

The inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. Classified information should have receipts included. Receipts are not necessary with the shipment of CONFIDENTIAL material. Sign all receipts and return them to the sender.

The receiver then checks the receipt against the titles to ensure the item has been identified correctly. The receipt lists all the pertinent information to identify the contents. The properly filled out receipt identifies the sender, the addressee and correctly identifies the contents by the correct and preferably unclassified title and appropriate quantity. The title should be unclassified. If not, then the receipt is to be protected at the classification level identified in the title. When practical, contact the sender to see if it can be issued an unclassified title or prepare to store the receipt long term in a GSA approved container.

The receiver then compares the classification identified in the receipt with that annotated on the inner wrapper. This comparison ensures the package is handled correctly once the outer wrapping has been opened or removed. The receiver of the classified item compares the classification marking on the contents with the wrapper and the receipt to once again verify the accuracy of the classified information and prevent unauthorized disclosure.

Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return it to the sender, thus closing the loop on the sender’s accounting responsibilities. The copies of receipts are filed away, the classified information is entered into a database, and the items are stored according to the classification.

See below for an inspection checklist.




