How to Gain an Absolutely Unfair Advantage at Security Reviews

By: Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP

Demonstrating NISPOM compliance requires both an in-depth knowledge of NISPOM requirements and the ability to grasp administrative tasks.

For example, the cleared company’s Senior Management Official (SMO) and Facility Security Officer (FSO) implement the NISPOM within their organization to address risk to classified information. While these leaders oversee and execute NISPOM requirements, there may be issues with demonstrating how they are meeting compliance. With a bit of organization, compliance can be easily demonstrated with the correct artifacts and documentation.

In my newsletter, I tackle NISPOM compliance and lead with three pillars. One of these is a continuous study of NISPOM and the application of FSO and NISPOM professional development; both are critical to technical proficiency. Another resource is the Self-Inspection Handbook for NISP Contractors, which covers all NISPOM topics.

Using the handbook as a professional development and assessment strategy, let’s tackle how to demonstrate compliance under the “Procedures” topics.

One task is the identification of a Senior Management Official (SMO) who is responsible for overseeing the security and Insider Threat programs, reporting requirements and security operations.

Compliance is measured by the SMO's execution of their role and delegation of tasks. When Defense Counterintelligence and Security Agency (DCSA) conducts the security review, they will determine how SMO is exercising their role, approving procedures and resourcing programs.

The SMO appoints the FSO and the Insider Threat Program Senior Official (ITPSO) in writing. Additionally, the SMO should sign, endorse and require the implementation of the following NISPOM required procedures:

  • Insider Threat Program
  • SEAD-3 Reporting
  • Standards, Practices and Procedures (SPP)

These procedures should be tailored to the organization. Once they are signed and implemented, they can be incorporated into training and presentations and made available to employees. Appointment memos and policies can be signed and made available to DCSA for review. However, let’s level up.

For example, one question asks, "Has the company developed and implemented an Insider Threat Program endorsed by the SMO?" The answers are YES, NO or NA. You can select an option and move to the next question.

However, I always recommend populating the narrative space with how the practices are implemented. That way the FSO can rehearse answers, provide written documentation and verbally demonstrate how requirements are met. Let’s proceed to the narrative.

How Implemented/Notes: _________________________________

This provides white space for answers. Take the opportunity to write explanations as completely as possible. Most answers may also be used to address DCSA’s Gold Standard Criteria, allowing the facility to possibly meet the Commendable and Superior rating criteria.

For example:

How Implemented/Notes: “Our ITPSO developed a robust program policy and briefed it to the SMO, who approved and signed it. The policy is available to each employee and referenced in Insider Threat Program training and Insider Threat Program Working Group training. Our organization also analyzes insider threat information with IXN Solutions or other third party vendor software.”

Again, this narrative assists with the future DCSA review. However, it takes a well educated FSO to be up to the task. FSOs should incorporate professional development that provides increasing and measurable technical proficiency. This NISPOM foundation also provides an understanding of how to apply The Self-Inspection Handbook for NISP Contractors. Attend professional development opportunities and use the handbook to verify education and compliance.

For professional development ideas, visit NISPOM Central for helpful hints, study resources, NISPOM books and NISPOM training.
