Friday, January 22, 2021

NISPOM Codifying, Guidance, Cleared Defense Contractors, and all those CFRs


The latest industry buzz is the “release of the new National Industrial Security Program Operating Manual (NISPOM)”. I’m putting air quotes in there, because an actual NISPOM has not been rewritten or re-released. There is no re-release of NISPOM, only a reorganization of the CFRs that duplicate National Industrial Security Program requirements. If you are expecting the release of a “new NISPOM”, such as a Change 3 or a total re-write, that has not occurred.

I encourage you to read further.

The genesis of all this buzz of a “new NISPOM” is listed here: https://www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf

Straight to the point

Conclusion:  No new NISPOM (just a few additions)

• 32 CFR part 117 and 32 CFR part 2004 are redundant requirements
• DoD will no longer publish DoD Manual 5220.22, NISPOM, as a DoD policy issuance in 32 CFR part 117.
• 32 CFR part 2004, “National Industrial Security Program,” is now the standing CFR
• NISPOM Change 2 is still a requirement that Cleared Defense Contractors (CDCs) must follow

Background

A quick read will reveal that there actually is no new NISPOM. This information just codifies (a fancy legal term for arranging laws or rules into a systematic code). So, this is just a reorganization of laws to remove duplication and increase efficiency. What is unclear is how the government will communicate the NISPOM Change 2 requirement, which contractors are still required to follow, once DoD Manual 5220.22 is no longer published in its current form.

Streamlining requirements and one of the changes

I’ll focus on one of the most relevant and seemingly logical changes based on NISPOM roles.

You might know that the Director of National Intelligence (DNI) has had a large role in developing the NISPOM. Primarily, the DNI oversees the protection of National Intelligence Information in the hands of cleared defense contractors. Additionally, the DNI has had executive roles in relation to the 2008 publication of E.O. 13467, “Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information.”

DNI then became Security Executive Agent (SecEA), for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures governing the conduct of investigations and adjudications for eligibility for access to classified information and eligibility to hold a sensitive position.

Later, in December 2016, the DNI issued Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position,” to executive branch agencies and covered individuals, with an effective date of June 12, 2017.

The SEAD 3 intent is to promote consistency in personnel security reporting requirements for all covered individuals. This ties in well to the DNI role in the NISPOM as well as the intent to strengthen the safeguarding of national security equities, such as national security information, personnel, facilities, and technologies.

In logical flow, it would just make sense that the NISPOM would include additional SEAD 3 requirements. 

Biggest Impact: Reporting based on 13 Adjudicative Criteria, SF-86, and SEAD 3  

SEAD 3 identifies required reporting of data elements that are contained in the Standard Form 86, “Questionnaire for National Security Positions,” used in requesting security clearances. In other words, the guidance issued requires that cleared employees under the NISP report information reflective of concerns in the 13 Adjudicative Criteria and other items listed in the SF-86. This has always been a NISPOM requirement. However, SEAD 3 requires these elements to be reported PRIOR to participation in such activities or otherwise as soon as possible following the start of their involvement. This doesn’t seem to be a new requirement, but rather an emphasis, as many FSOs have already been providing this requirement in security awareness training.

Now this may be an attention grabber

There is a strong argument that this requirement will raise the level of reporting for some benign situations such as foreign travel. Travel has usually been a notification kept within the cleared defense contractor organization, but now it may be a formal report to the cognizant security office or the Defense Counterintelligence and Security Agency (DCSA). SEAD 3 highlights that cleared employees must obtain prior agency approval BEFORE conducting unofficial foreign travel.

This will require training, enforcement, and an actual reporting process from the cleared employee to DCSA. For example, DCSA should provide guidance for what should happen if a cleared employee plans a family cruise to Mexico and the Bahamas. How far in advance should the traveler request this approval, how do they request the approval, and how is the approval provided back to the CDC?

There are several other changes that don’t impact the majority of CDCs. There is clarification for those who are responsible for TOP SECRET accountability, proscribed information, classified document retention, and those falling under FOCI. However, for the most part, these are clarifications and are potentially already being applied appropriately.

For more information on SEAD 3, check this out: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-awareness-briefing.pdf

What to do and not to do

Don’t wait for a new version of NISPOM…yet. While there is no “new NISPOM”, there are some clarifying comments. I recommend reviewing the clarifications included below to assess any changes that you might need to make in your security program to protect classified information.

I also recommend using current NISPOM for security training and ISP® and ISOC certification. Nothing has been changed, just “codified”.

Continue to apply the current NISPOM. As stated in the source CFR, contractors are expected to comply with Change 2 requirements. Eventually, there will be either a re-release or republishing of the NISPOM under a new title or an acceptance of the current publication.

************************************************************************

Additional reading: Clarifications of NISPOM requirements include the following:

§ 117.8: Reporting Requirements. § 117.8(a) General includes that contractors must submit reports pursuant to this rule, SEAD 3 and CSA guidance to supplement unique CSA mission requirements. SEAD 3 reporting establishes a single nationwide implementation plan for covered individuals, which for this rule provides reporting by contractors and their employees eligible for access to classified information. SEAD 3 requirements will be implemented for all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility. Contractor cleared personnel must be aware of risks associated with foreign intelligence operations and/or possible terrorist activities directed against them in the United States and abroad, and have a responsibility to recognize and avoid personal behaviors and activities that adversely affect their national security eligibility. NISP CSAs shall conduct an analysis of such reported activities, such as foreign travel or foreign contacts, to determine whether they pose a potential threat to national security and take appropriate action. Contractors will be responsible for collecting the foreign travel data from cleared employees, providing pre- and post-travel briefings to those cleared employees when necessary, and tracking and reporting those foreign travel activities of its cleared employees through the CSA designated system of record for personnel security clearance data.

§ 117.9(m) Limited entity eligibility determination (Non-FOCI) and § 117.11(e) Limited entity eligibility determination due to FOCI: In accordance with 32 CFR part 2004, “NISP Directive,” these paragraphs provide for granting two new types of limited entity facility clearance eligibility determinations (FCLs) to meet narrowly scoped government requirements for companies to access classified information.

§ 117.11(d)(2)(iii)(A) Requirement for National Interest Determinations (NIDs): This paragraph provides for the implementation of the provisions of Section 842 of Public Law 115-232, which was effective on October 1, 2020, and eliminates requirements for a covered NTIB entity operating under an SSA to obtain a NID for access to proscribed information: Top Secret, Special Access Program, Communications Security, Sensitive Compartmented Information, and Restricted Data. This provision will allow covered NTIB entities to begin performing on contracts that require access to proscribed information without having to wait on a NID, thus removing costly contract performance delays.

§ 117.15(e)(2) TOP SECRET Information: Permits specific determinations by a CSA with respect to requirements for TOP SECRET accountability (e.g., the CSA can determine that TOP SECRET material stored in an electronic format on an authorized classified information system does not need to be individually numbered in series, provided the contractor has controls in place to address accountability, need to know and retention). As stated in this paragraph: “. . . Contractors will establish controls for TOP SECRET information and material to validate procedures are in place to address accountability, need to know and retention, e.g., demonstrating that TOP SECRET material stored in an electronic format on an authorized classified information system does not need to be individually numbered in series. These controls are in addition to the information management system and must be applied, unless otherwise directed by the applicable CSA, regardless of the media of the TOP SECRET information, to include information processed and stored on authorized information systems. Unless otherwise directed by the applicable CSA, the contractor will establish the following additional controls . . .”

§ 117.15(d)(4) Installation: Clarifies that an Intrusion Detection System (IDS) shall be installed by a Nationally Recognized Testing Laboratory (NRTL)-approved entity, making it clear that any NRTL-approved entity may do such installations. “The IDS will be installed by a NRTL-approved entity or by an entity approved in writing by the CSA . . .”

 § 117.7(b)(2) Senior Management Official: Clarifies responsibilities of the Senior Management Official of each cleared entity to better reflect the critical role and accountability of this position for entity compliance with the NISPOM. This change further emphasizes the essential role of the Senior Management Official with the entity's security staff to ensure NISPOM compliance.

§ 117.13(d)(5) Clarifies to the contractor that upon completion of a classified contract, the “contractor must return all government provided or deliverable information to the custody of the government.” Such clarification ensures the contractor is not retaining official government records without specific authorization from the government customer. “(i) If the GCA does not advise to the contrary, the contractor may retain copies of the government material for a period of 2 years following the completion of the contract. The contract security classification specification, or equivalent, will continue in effect for this 2-year period. (ii) If the GCA determines the contractor has a continuing need for the copies of the government material beyond the 2-year period, the GCA will issue a final contract security classification specification, or equivalent, for the classified contract and will include disposition instructions for the copies



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and "NISPOM/FSO Training".

Saturday, January 2, 2021

Protecting classified security container combinations




Here's an interesting scenario. Imagine you were walking the floor and talking to employees when you approached a security container and the employees who controlled its access. As part of your inspection, you wanted to verify that all documents were properly marked and stored appropriately. After asking the custodian to open the container, he pulled out his cell phone and began scrolling. You asked what he was looking for and he stated: "I can't remember the combination, but I'm sure that it's in here somewhere."

Whoa! Hold the presses. You immediately changed the combination, filed the necessary report, and investigated whether or not classified information was compromised (not necessarily in that order). You also provided a clear policy and training agenda and that problem disappeared. The story may be true or a similar situation may be familiar.   

But here's the question: Do your employees really understand how to protect classified information? Some novice cleared defense contractors and their employees may require extra and unrelenting training and diligence to make sure such situations never happen. More successful programs include security training conducted by managers and supervisors as it applies to employees' specific duties.

So who has access to your security containers? Do you limit it to security personnel only, or do cleared program employees have it as well? This access depends on your program. Regardless of who has access, the number of authorized employees with access to combinations or keys should be kept to the bare minimum necessary.

Agencies and contractors maintain administrative records and tight control for a sound security system designed to protect the classified information and to demonstrate effectiveness during security inspections. The security specialists also maintain a log of those with knowledge of combinations, change combinations, and fill out the Security Container Information Form, Standard Form 700. Combinations are meant to be memorized and not written down or stored in computers, phones or personal data assistant devices. The combination is protected at the same level as the contents of the security container. If the contents are CONFIDENTIAL, then so is the combination. To ease memorization, many who assign combinations use a six-letter word or the first six letters of a longer word.

Instead of memorizing a long six-digit number, they create a word and use a phone keypad for the corresponding numbers. Many have magnetic combination reminders similar to telephone touch pads. For example, the number 2 corresponds to ABC, 3 to DEF, etc. If the memorized word is CORKIE, then the combination is 26-75-43. When persons have access to multiple safes, they may commit security violations by writing the combinations down. Using combination word clues and providing an administrative security container helps reduce the risk of such violations.


So, see if you can answer this question.

How often should you change combinations according to the NISPOM?

The answer: Change combinations upon initial use, upon a change in status of authorized users, upon compromise or suspected compromise of the container or combination, when the safe is left open, or when required by the FSO or CSA. Did anyone say "annually"? If so, better check the NISPOM.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".


 


Security education, training and certification


 


 Have you taken the next step to being competitive in the government contracts arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam. 

Why earn a certification?

There are several reasons to achieve certification. One is that it allows cleared defense contractor owners and employees to take advantage of opportunities offered in the recent Presidential Executive Order, National Security Professional Development. The Executive Order states: "In order to enhance the national security of the United States...it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education and training that increase their professional experience, skill level, and ability to protect our nation's secrets.

The ISP Certification is sponsored by NCMS (Society for Industrial Security), a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Program Operating Manual (NISPOM) but also covers electives such as COMSEC, OPSEC, and other topics.

Industrial Security Oversight Certification (ISOC) is sponsored by the Department of Defense and information can be accessed at https://www.cdse.edu/certification/

Both certifications are based on NISPOM requirements. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified information, as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you are already familiar with the processes from your military and government experiences.

This certified professional communicates to supervisors, the promotion board, and others that they are committed to the business, the industry and the protection of national interests. It equips the security manager with the knowledge and skills to perform critical tasks as well as to relate well to civilian counterpart requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you will make security a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also, consider joining a professional security organization.




Frequently Asked Security Clearance Questions



By: Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP



  In our various roles as industrial security managers, we often field tough security questions. Good questions provide the opportunity to address security clearance and awareness issues that may not arise during formal annual training sessions. These questions usually come up as I walk around the facilities or speak with folks informally. Here are just a few:


1. Is everyone who asks guaranteed a security clearance?

No, having a security clearance is not one of our inalienable rights. A security clearance is a determination of trustworthiness based upon an extensive background check conducted by some very professional and persistent investigators. The background checks help determine a person's ability to protect classified information based on the following criteria:

• Allegiance to the United States

• Foreign influence

• Foreign preference

• Sexual behavior 

 • Personal conduct

• Financial considerations

• Alcohol consumption

• Drug involvement

• Psychological conditions

• Criminal conduct

• Handling protected information

• Outside activities

• Use of Information Technology Systems


2. Is it true that the Government can deny a security clearance for something as simple as filing bankruptcy?

Yes, a security clearance can be denied for many reasons uncovered during the investigation reflecting the 13 criteria mentioned above. Remember, a clearance determination is based on whether or not an employee is trustworthy. Events or actions that may lead someone to release classified material to unauthorized persons or prevent them from protecting it properly could lead to a security clearance denial.

 

3. Why should I earn a certification?

  Try using your favorite search engine to find a job in industrial security. You’ll find that employers are now looking for prospects with education and certification.

 

 4. What certifications are available?

   NCMS (Society of Industrial Security Professionals) offers the Industrial Security Professional (ISP) Certification to those who work with and protect classified material.

Job descriptions include:

• Facility Security Officer

• Security Specialist

• Document Custodian


ASIS International offers the CPP and other certifications. Other certifications include CISSP, OPSEC, etc.

DoD also offers the SAPPC, SFPC, ISOC and many other security certifications.

Job descriptions include:

• Facility Security Officer

• Security Specialist

• Document Custodian

 

5. Why are so many people being arrested for stealing “secrets”?

   In recent news, contractors and government employees have been arrested for taking classified material from the workplace, releasing it to unauthorized persons, and conducting export violations.

In some cases, the employees did not have ill intent, but lacked training. More seasoned veterans of classified work have become “immune” to security procedures. For the most part, they have committed violations and infractions, but have not been arrested.

A few have conducted espionage. It is important that security managers review security violations, look for patterns, and include the information as part of the security awareness training. Such information is an integral part of developing a good security system designed to protect employee, corporate and national security.


6. My friend has a SECRET clearance just like me. However, she won’t talk with me about her SECRET stuff. What’s up with that?

You may recall from your security awareness training that classified conversations are conducted in approved areas. Dinner dates, car pools, movie theaters, etc. are not approved areas. Also, just because you have a security clearance doesn’t automatically make you able to access classified material. You also have to have a valid need to know.

Develop relationships within your security professional network. Look for opportunities to help other professionals. Equally important is developing a positive relationship with those over whom you have security oversight. Be approachable so that they will trust you enough to ask the tough questions. Who knows, you may help prevent security violations.

