
Thursday, March 5, 2020

Questions for SPeD, ISOC and ISP Certification


Get your copy @ www.redbikepublishing.com


These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2.

The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours

d. 12 hours

e. 86 hours


When completing the Request for Visit, the anticipated level of classified information involved includes all of the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED

d. RESTRICTED

e. UNCLASSIFIED


Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission

e. All the above


Scroll for answer:











The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours (NISPOM 5-408d)

d. 12 hours

e. 86 hours



When completing the Request for Visit, the anticipated level of classified information involved includes all of the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED (NISPOM Appendix B4)

d. RESTRICTED

e. UNCLASSIFIED

Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission



e. All the above (NISPOM 1-104a)

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book and used our techniques to augment their preparation have performed very well on certification exams.

Check out our newest resource, online testing, which simulates testing environments for the ISOC and ISP.

For practice purposes, download the electronic version of the NISPOM and use it to help search for the answers to the provided test questions. Use a timer to count down 120 minutes for each practice exam.
Register for the exam here:  https://www.classmarker.com/online-test/start/?quiz=jdm5dbdb6cb9c613

You can find additional certification training and resources at http://www.redbikepublishing.com/ispcertification/

NISPOM link 

https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf



Just select the “edit” tab and then “find”. Then type the key word or phrase from the test question to help find the answers.




Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".


CMMC and Protecting Controlled Unclassified Information


The Defense Counterintelligence and Security Agency (DCSA) is responsible for evaluating vulnerabilities of classified information at a Cleared Defense Contractor (CDC) facility. This includes not only the policy to review a contractor's capability to protect classified information, but now also includes the handling and protection of identified items as well as controlled unclassified information (CUI).

If it appears that there are acronyms developed to cover concerns at an alarming rate, you are correct. The vulnerabilities of technology that enhances our military capability also come with a set of warnings and new titles and acronyms that demand increased attention. We have critical program information, critical components, critical technologies, controlled unclassified information, etc., each with similar yet different definitions and requirements. While we may have new names and acronyms, the fundamentals of protection remain.

As detailed above, it is evident that technology poured into products that enhance any capability must be protected rather than released into the public domain. Identifying sensitivities and required protections will make the difference in what is added to a flyer, sales pamphlet or website.

Information, raw data, files, etc. exist in many forms, and this information has acronyms covering military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR), International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and the most recent unclassified technical information (UCTI).

A CDC has more to worry about than just classified information. Where they have the security classification guide to provide explicit instruction on how to protect classified information, there is no such guide covering the other categories. However, the CDC should go through an exercise to determine sensitive or critical unclassified information, as it is also useful during the vulnerability assessment from DCSA and the Cybersecurity Maturity Model Certification (CMMC) that evaluates how the contractor protects information residing on the networks.

This information should be identified by format and location as it resides in the organization or in transit. This simply means identifying information developed as a result of performing work on a defense contract (reports, designs, blueprints, etc.), where these products reside (cabinet, room, computer, network) and format (paper, software, system, cyber). At the very minimum, this information should be identified and a plan put in place to protect it from casual observation and from ending up on a screen at a seminar or on the public homepage.

Countermeasures should include security training, policies, and procedures that consider the following scenarios. We have defined these threats in earlier articles, but find they are useful for clarity and instruction in this situation:

Espionage

The unauthorized collecting, transmitting or stealing of information for the purpose of aiding other governments, businesses or entities.

This espionage can include actions described under Economic Espionage, Sec. 1831 of the Economic Espionage Act of 1996:

Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;

(3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;

Trade Secret Theft Sec. 1832 of Economic Espionage Act of 1996

(a) Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly--

(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization

ITAR Violations

(a) Export means:

(1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or

(2) Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or

(3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or

(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or

(5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.

The lesson is that significant effort and thought should go into protecting the information that could otherwise be vulnerable. Just identifying the information reduces risk of uncertainty; developing countermeasures to protect it further quantifies and reduces significant risk. Developing a security program to protect sensitive unclassified information may require more innovation than that of understanding how to protect classified information.

For unclassified U.S. defense information, the defensive measures depend primarily on incorporating the experience of those who practice the innovation and including them in the risk reduction process.

Ray DICE Man Semko developed a process called Defensive Information Countering Everything. This is his anchor point for assisting others in implementing the risk reduction cycle. Perhaps you can develop your own as you implement security at your facilities. Remember the risk reduction cycle; it applies to almost everything:
1. Identify assets
2. Determine impact if exploited
3. Assess risk
4. Implement countermeasures
5. Assess countermeasure effectiveness
6. Do it all over again.



Saturday, January 4, 2020

NISPOM, ISP and ISOC Study Questions


Get your copy @ www.redbikepublishing.com
These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. 

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2. 






1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail




2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above


3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material






Scroll Down For Answers



1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA (NISPOM 5-402)

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail




2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above (NISPOM 5-403)



3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe (NISPOM 5-410)

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material





So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.


Wednesday, November 20, 2019

How Security Clearances Work


People often ask the question: "How do I get a security clearance? Or how can my business get a security clearance?"


My first response is: market yourself. There's nothing you can do about getting a security clearance until somebody sees value in your product or your service and sponsors the business for a security clearance.

Value simply means that someone has a tangible need for a particular product or service and wants to put you on an already classified contract to be able to use your products or services.

There are many jobs and services that require a security clearance, and some of those include janitorial services, engineering services, secretarial, you name it. There are many opportunities out there to get a security clearance. However, one cannot just get a security clearance in preparation for the work. The work offer comes first.

The first step is to be sponsored by a federal government entity, a government contracting agency (GCA) or another contractor or defense contractor. Once a business entity has established a need, then they can be sponsored for a security clearance.


Government contractors are awarded classified contracts as part of doing business


A few years back, I was on a radio television radio talk show and I really didn't get to say too much because the talk show hosts went on and on about their surprise that the government allowed businesses to have security clearances and work on classified work. In their opinion, there was no oversight and it was irresponsible to allow anybody other than a government entity to have classified information.

I spoke as much as I could on the topic but I was shouted down. There was no use in trying to address the irrational thought there, but I just wanted to let you know that yes, civilian employees and civilian business entities can have a security clearance.


The way it works is that the GCA, which is a federal government agency such as the Department of Defense or Department of Energy, will have a contractual need to acquire services or products from contractors. But let's go back real quick. The GCA is a designated original classification authority, which means they are capable of classifying information. At the highest level, the U.S. President is the original classification authority. However, the President of the United States does not go through a security clearance investigation process. By their position they get to enjoy the benefits of having a security clearance so they can do their job as president.

They delegate their OCA responsibility to the Department of Defense, Department of Energy, CIA, FBI, all these other government organizations. The government organizations are the ones who deem what is classified. Contractors or civilian organizations do not do that. They are what are called derivative classification authorities. They can only use and produce things that are already classified.

Listen to the Podcast here:

https://dodsecure.buzzsprout.com/


Saturday, November 2, 2019

New Resource for NISPOM testing

Red Bike Publishing is excited about adding a new resource to assist you with your NISPOM studies. It's an online test of 110 random NISPOM questions with a 2-hour time limit. Though this is not guaranteed to give you a passing grade, this can be used as a practice test for the ISP Certification or the ISOC certification exam.

Just visit the link and sign up for the online exam. All you need is to register for the practice test and have a pdf copy of NISPOM available and you are ready to go. 

The practice exam has 110 multiple choice NISPOM questions and is timed for 120 minutes. You can take it up to 20 times in a six month period as you study for the actual exam day. Each time you test, the questions and answers will appear in random order. Give it a try.

For practice purposes, download the electronic version of the NISPOM and use it to help search for the answers to the provided test questions. Use a timer to count down 120 minutes for each practice exam.

Register for the exam here:  https://www.classmarker.com/online-test/start/?quiz=jdm5dbdb6cb9c613

You can find additional certification training and resources at http://www.redbikepublishing.com/ispcertification/

NISPOM link 

https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf


Just select the “edit” tab and then “find”. Then type the key word or phrase from the test question to help find the answers.



Monday, September 2, 2019

NISPOM Based Certification Questions


Get your copy @ www.redbikepublishing.com
These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. 

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2. 


1. Concerning a government contractor monitoring station with a response team cleared at the SECRET level, how many guards are required to respond to an alarm?
a. At least two when at least one guard is cleared
b. The amount sufficient to immediately investigate each alarm
c. At least five when at least one guard is cleared
d. At least four when at least one guard is cleared
e. At least three when at least one guard is cleared

2. Who determines need to know at classified meetings?
a. GCA
b. Contract monitor
c. Individual disclosing information
d. Visiting individuals
e. FSA

3. FSO’s may approve Automated Access Control Systems that meet the following standard(s):
a. Chances of unauthorized access are no more than one in ten thousand
b. Chances of authorized persons being rejected no more than one in five hundred
c. Chances of authorized persons being rejected no more than one in one thousand
d. a and c
e. None of the above



Scroll Down For Answers



1. Concerning a government contractor monitoring station with a response team cleared at the SECRET level, how many guards are required to respond to an alarm?
a. At least two when at least one guard is cleared
b. The amount sufficient to immediately investigate each alarm (NISPOM 5-903)
c. At least five when at least one guard is cleared
d. At least four when at least one guard is cleared
e. At least three when at least one guard is cleared

2. Who determines need to know at classified meetings?
a. GCA
b. Contract monitor
c. Individual disclosing information (NISPOM 6-102)
d. Visiting individuals
e. CSA

3. FSO’s may approve Automated Access Control Systems that meet the following standard(s):
a. Chances of unauthorized access are no more than one in ten thousand
b. Chances of authorized persons being rejected no more than one in five hundred
c. Chances of authorized persons being rejected no more than one in one thousand
d. a and c (NISPOM 5-313)
e. None of the above

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.
