
Saturday, January 2, 2021

Security education, training and certification


 


 Have you taken the next step to being competitive in the government contracts arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam. 

Why earn a certification?

There are several reasons to achieve certification. One is that it allows cleared defense contractor owners and employees to take advantage of opportunities offered in the recent Presidential Executive Order: National Security Professional Development. The Executive Order states: "In order to enhance the national security of the United States...it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education and training that increase their professional experience, skill level and ability to protect our nation's secrets.

The ISP Certification is sponsored by NCMS (Society for Industrial Security), a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Program Operating Manual (NISPOM) but also covers electives such as COMSEC, OPSEC, and other topics.

Industrial Security Oversight Certification (ISOC) is sponsored by the Department of Defense and information can be accessed at https://www.cdse.edu/certification/

Both certifications are based on NISPOM requirements. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you are already familiar with the processes from your military and government experiences.

This certified professional communicates to supervisors, the promotion board, and others that they are committed to the business, the industry and the protection of national interests. It equips the security manager with the knowledge and skills to perform critical tasks as well as relate well to civilian counterpart requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you will make security a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also, consider joining a professional security organization.


Join our reader list for more articles.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and "NISPOM/FSO Training".

Wednesday, May 20, 2020

NISPOM course for free.




Bennett Institute has a new course and it's free. It's called Introduction to the NISPOM. Come check it out. This course introduces the NISPOM so that the student can better grasp the elements of NISPOM. When finished, the student will have a better understanding of NISPOM and all the topics of Chapter 1.

This is great training for:

  • Seasoned and new Facility Security Officers
  • Newly Cleared Defense Contractors
  • Cleared Employees 
  • Those studying for Industrial Security Professional (ISP) and Industrial Security Oversight Certification (ISOC)


Come check us out.

https://bennettinstitute.com/course/nispomchapter1free/



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Friday, May 1, 2020

Cleared employees, FSOs and Classified Work




This article continues the series describing what happens after the government grants you a security clearance. After receiving a job with a company or agency performing classified work, you’ll receive your onboarding training, which may have included the SF 312 Non-Disclosure Agreement, Initial Security Awareness, Derivative Classifier and other required training events and briefings. Even though the Facility Security Officer (FSO) brought you into the system, awarded your security clearance, and performed the required high-level training, there is still much more work to do to ensure you understand how to perform on classified contracts.
The high-level training and onboarding is enough to get you “authorized” and prepared for the work. The rest of the preparation will come from other sources to include peers, supervisors and program managers. This training is usually provided on the job as you actually begin performing on the classified contract.
This is how it might play out. The Government Contracting Agency (GCA) or program office flows down the classified work in the contract to the Cleared Defense Contractor (CDC). Part of the classified contract is the Contract Security Classification Specification or DD Form 254. According to the information on the DAMI website, the purpose of the DD Form 254 is to “…convey security requirements, classification guidance and provide handling procedures for classified material received and/or generated on a classified contract…” This DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts, you should understand the contents for each contract.
The DD Form 254 will explain the classification level that you will be working with. It is important to understand that this level will be at the same level or lower than your security clearance level. Therefore, you would need a Top Secret clearance to work on classified contracts at the Top Secret level or lower. The form may also state any additional classification concerns such as foreign government information, communications security (COMSEC) requirements, and more.
The form also determines where you will perform the classified work. If the CDC facility has a possessing Facility Clearance (FCL), then you might perform work at that location. If the CDC facility has a non-possessing FCL, you will usually perform classified work at another location. For example, a cleared employee may not necessarily perform the classified portion of the work at their location based on guidance in the DD Form 254. As a result, many cleared employees have an office at their headquarters or company property, but perform classified work off-site at a government, research, or other cleared contractor location.
While the FSO will provide the required security training reflecting the National Industrial Security Program Operating Manual (NISPOM), your supervisor may give you more work-specific training as you perform on the classified contract. Your supervisor will teach you how to write documents, assemble subsystems, collect raw data from sensors, or other specific work required by your contract. They will also teach you how to correctly mark, assemble, store and protect the classified work products.
In summary, after the FSO conducts preliminary security training and briefings, your supervisor or sponsor may guide you through more in-depth and contract-specific security training, this time emphasizing your contract-specific performance.






New Cleared Employees, FSOs, and NISPOM

Once a security clearance is granted, the Facility Security Officer (FSO) will contact you and several things will happen real fast. Primarily, if you have been sitting in a temporary position while awaiting your clearance, things are about to get real.
The FSO will manage the security clearance under the umbrella of the cleared defense contractor’s oversight. This means that the FSO will maintain the facility security clearance (FCL) status administratively as well as meet compliance requirements. They do this primarily by training you and, through that training, equipping you to protect classified information and perform work designated by the classified contract.
Just as the FSO is certified or provided FSO training, you will also receive required training from the FSO. The FSO manages the clearances, training, classified workspace, etc. and documents all actions for future reviews by the Defense Counterintelligence Security Agency (DCSA). The training and briefings primarily begin with the non-disclosure agreement and continue throughout the cleared employee’s career with the company. Depending on time, resources and availability, the FSO and supervisors should attempt to structure security training by experience level. For example, newly cleared employees require more in-depth training than veteran security clearance holders recently hired at a defense contractor organization. All newly cleared and all new cleared employees, regardless of experience, should receive initial refresher training before gaining access to classified information.
Before you as a cleared employee can actually work on a classified contract, the FSO will ensure you meet three criteria: you sign the SF-312 Non-Disclosure Agreement, have a security clearance, and have the need to know to access the classified information. The first step is the most difficult. The other two are fairly easy. Whoever possesses the classified information determines whether or not you should have access. If you are assigned to work on a classified contract, that contract relationship and the work assigned are part of the need to know process.

UNDERSTANDING A NON-DISCLOSURE AGREEMENT

As a newly cleared employee, you will be signing the agreement. Instead of just checking a box to agree, you should do your best to pay attention and understand exactly what it means to work with classified information and the great responsibility you will carry. The SF-312 briefing explains what classified information is, how the government designates it as sensitive, what the classification levels are, and what to protect from unauthorized disclosure. This is your first introduction on the topic. After this you will be provided a much more in-depth training called Initial Security Awareness Training.

INITIAL SECURITY AWARENESS TRAINING

The initial training will familiarize you with the National Industrial Security Program Operating Manual (NISPOM), the DD Form 254 Contract Security Classification Specification, and company policy as applied to protecting classified information both in the cleared facility and at other customer locations. You will also learn how to travel overseas while reducing your chances of becoming a security risk or a target for exploitation, as well as how to report espionage attempts. It also addresses counterintelligence issues, how to report security violations, and the disciplinary actions or possible penalties that can occur for committing a security violation.

INSIDER THREAT TRAINING

Here you will learn to recognize behavior consistent with sabotage or putting classified information at risk. You will also learn who and how to report the observed adverse behavior. Insider Threat Training and Counterintelligence awareness briefings help employees learn to recognize behavior consistent with espionage, and who and how to report the observed adverse behavior.

DERIVATIVE CLASSIFIER TRAINING

This training is a matter of perspective between government and contractor classification roles. The government entity is an original classification authority and makes classification decisions; contractors do not. Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; they then mark the newly developed material consistently with the classification markings that apply to the source information. This training is required and will help you understand your role in marking classified information that is derived from original classified information.

EXIT BRIEFING

In case you eventually leave the cleared defense contractor organization, the FSO will remove your clearance from their oversight and provide you with an exit briefing. The FSO will discuss with you your responsibilities to continue to protect classified information. A new job, loss of contract, termination, retirement and removal of access are situations where FSOs should explain the responsibility of continuing to protect the classified information you accessed as an employee.
In summary, you as a newly cleared employee will go through another iteration of onboarding, this time emphasizing how you are integrated not only into the organization, but now into the security program. As you integrate into the cleared organization, you should understand the security program and all information and tools which are in place. The FSO should be able to create, implement and direct successful protection of classified information – and that includes providing valuable employee training.




Monday, April 15, 2019

What is an FSO-An Interview with Jackie Bray

We recently interviewed Jackie Bray, an FSO with over 20 years' experience, on some of the duties of an FSO and what makes an FSO successful. You can find her interview below:

Jackie explains that the National Industrial Security Program Operating Manual (NISPOM) and Industrial Security Letters are fundamental to an FSO's experience. The NISPOM is the "bible" for those creating programs to protect classified information. It provides the "how to" for protecting classified information that the FSO, program managers, and cleared employees working on classified contracts should possess.

The Standard Practice and Procedures should be a companion guide to the NISPOM. Where the NISPOM tells you what to do, the SPP will be the cleared defense contractors' response or demonstration of how they will implement NISPOM at their facility.

Jackie explains that in addition to the NISPOM, and the SPP, the FSO and those working on the classified contract should carefully read and discuss the requirements as found in the DD Form 254, Contract Security Classification Specification. The DD Form 254 instructs the contractor on the classification level of the contract, where the classified work should be performed, and many other requirements. Each classified contract should have an accompanying DD Form 254, so some cleared defense contractor facilities may have many 254's corresponding with the number of the classified contracts.

One task a new FSO should perform is to review all the 254's and conduct a self-inspection of the requirements on the 254 and how they are implemented according to the NISPOM. The self-inspection should include all areas of NISPOM as applicable to the cleared contractor facility. Not every chapter of NISPOM will be implemented at the facility. However, the facility should be implementing those NISPOM chapters that reflect the DD Form 254 requirements. As a rule of thumb, NISPOM Chapters 1, 3, parts of 5 and 6 apply to all cleared defense contractors. However, for cleared defense contractors that are authorized possession of classified information, other chapters may apply depending on classification level.

Jackie states that FSOs play a significant role in training employees on how to protect classified information. The FSO should be adequately trained and be prepared to train the cleared employees to meet NISPOM requirements. NISPOM Training and FSO training such as security awareness, derivative classifier, insider threat, and more are key to successful security programs.

Find out more about the profession of the FSO from our podcast:








Wednesday, September 26, 2018

SPēD Industrial Security Oversight Certification

Industrial Security Oversight Certification
Red Bike Publishing is so happy to have helped hundreds of people study for security certification with Red Bike Publishing’s Unofficial Study Guide for ISP Certification and we appreciate all of your encouraging emails. With such success, we’ve had many requests asking Red Bike Publishing to write exam preparation material for Security Professional Education Development (SPēD) Certification. For a long time, we have struggled with how to meet the challenge.
Until now! Red Bike Publishing’s own Jeffrey W. Bennett, SFPC, SAPPC, and ISP just tested and qualified for the newest SPēD certification, Industrial Security Oversight Certification (ISOC). He tested without additional preparation other than his NISPOM experience covering what he has learned from working in the NISP, writing articles and training programs, and keeping up to date with Red Bike Publishing’s Unofficial Study Guide for ISP Certification.
That’s because an understanding of NISPOM is the fundamental skill set to pass the ISOC exam. Per the website, “The Industrial Security Oversight Certification (ISOC) is ideal for DoD, Industry, and federal members under the National Industrial Security Program (NISP).” The prerequisite certification is the Security Fundamentals Professional Certification (SFPC) and is also NISPOM based.
The ISOC assesses foundational knowledge in the following competencies (NISPOM topics):

  • Industrial Security Basics
  • Security Reviews and Inspections
  • Security Systems and Requirements

Though Red Bike Publishing has not written any additional material for the ISOC certification, we are confident in sharing that Red Bike Publishing’s Unofficial Study Guide for ISP Certification can be used to help prepare for the ISOC exam. Our security books including NISPOM, ITAR and DoD Security Clearance and Contracts Guidebook, and FSO Tool Box training packages are also great resources and study prep for your security certification needs.

Tuesday, May 26, 2015

DSS Self-Inspection for Cleared Contractors-Inspection of Personal Effects


We are continuing our analysis of DSS’ The Self-Inspection Handbook for NISP Contractors to determine requirements and best practices for meeting them.

Since Section M has multiple inspection points, we have broken them up into individual articles.  This update addresses using warning signs and inspections to ensure authorized introduction and removal of classified information. 

Question 5-103: Are signs posted at all entries and exits warning that anyone entering or departing is subject to an inspection of their personal effects?

 NISPOM 5-103 states “…The fact that persons who enter or depart the facility are subject to an inspection of their personal effects shall be conspicuously posted at all pertinent entries and exits.”

Security through Denial, Deterrence, and Detection

This notification is designed to serve as a warning or deterrent to unauthorized introduction or removal of classified information. The actual inspection of personal effects serves denial and detection purposes.

These inspections and postings of signs should occur in strategic locations. The FSO should consider using them where they make the most sense, where they support classified contracts, and where they enhance job performance without becoming a burden to the enterprise or national industrial security program. For example, the inspections should occur where access to classified material is more likely and not where such access is unlikely or, at the very least, remote. The inspections should occur in such a manner as to not impede traffic flow or classified performance.

Additionally, these inspections should be random and limited to business items and not personal items such as purses, wallets or undergarments. In all cases, coordinate with human resources and seek legal advice before implementing the program.

The Danger

The uncontrolled introduction of classified information can cause security violations and compromise of classified material.

The FSO should create company policy demonstrating how classified material is introduced and removed properly from the company and train cleared employees on the procedures. The intent is to establish an environment where all employees have a clear understanding of policy.

For example, the FSO can ensure that classified deliveries are to be made through the cleared contractor’s security department and not directly to the cleared employees. One trigger point to plan the reception of classified information is upon notification of a classified visit request.

Best Practices


At a minimum, ensure inspection signs are posted at all employee and visitor entries and exits. This broad scope captures the entire building access and egress possibilities where classified information can be introduced or removed.

Next, filter the flow of visitors. A follow-on method of controlling the introduction of classified information is to restrict or direct the flow of visitor traffic into and out of the cleared facility. Cleared facilities may have multiple entry points and visitors should have access to only designated entry points. To help with maintaining control of the classified environment, FSOs can employ information technology or human controls to direct pedestrian traffic into their facility. Access controls with biometric, pin card or data card access provide an excellent opportunity to flow all traffic through an authorized area.

When budget does not permit the purchase or subscription to expensive information technology, high security hardware such as door locks and crash bars are adequate to prevent entry through unauthorized doors.

When controls are in place, pedestrian traffic should file through a reception area where visitors are received warmly and reminded to check in with the security or reception desk for all classified deliveries.

Document Compliance and Best Practices

The VALIDATION should include, but is not limited to, corporate policy letters, an inventory of where inspection signs are posted, transcripts or slides from security awareness training, and attendance rosters from training.

Authorized classified material should flow unimpeded to and from where classified work is performed. Security efforts should facilitate the authorized introduction of classified information, while denying, deterring, and detecting unauthorized attempts at introduction or removal. FSOs should ensure a strong security posture and train the force to work within the required environment.

For more information, see DoD Security Clearance and Contracts Guidebook.



Tuesday, February 17, 2015

NISPOM Based Study Questions for Security Certification



The following NISPOM Training is meant to augment your NCMS ISP Certification education, not replace it. Download NISPOM to your computer and test your experience against this open book practice test. So, here are some NISPOM based practice questions to help you prepare:

1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA
c. CSA
d. FSO
e. None of the above







Scroll down for answers:






1. Prior to having access to COMSEC, _____ must have a final PCL at the appropriate level for the material of the account:
a. FSO
b. COMSEC custodian
c. Alternate COMSEC custodian
d. All the above (NISPOM 9-402a)
e. None of the above


2. Disclosure authorizations may manifest by which of the following:
a. Export license
b. Technical assistance agreement
c. Letter of authorization or exemption to export requirements
d. Manufacturing license agreement
e. All the above (NISPOM 10-200)

3. Which of the following is NOT required on a Visit Authorization Letter?
a. Contractors Name
b. Level of FCL
c. Name of person to be visited
d. Contractors Social Security Number (NISPOM 6-104)
e. Contractors Telephone Number

4. Which situation does not require use of IS security controls as logon authenticators when each person has access to work station and security container?
a. When work stations are stand alone (NISPOM 8-303c)
b. When each person has proper clearance level but not need to know
c. As long as each person has need to know
d. As long as each person has appropriate level of clearance and need to know
e. As long as each person can access closed area

5. The contractor should have approval of the _____ prior to requesting export authorization.
a. Contracts manager
b. GCA (NISPOM 10-201)
c. CSA
d. FSO
e. None of the above

If you want more, see our book Red Bike Publishing's Unofficial Guide to ISP Certification only at http://www.redbikepublishing.com





Most Helpful Customer Reviews

5 of 5 people found the following review helpful
By Lisa M. Doman on November 18, 2008
Format: Paperback
Like many seasoned industrial security representatives, I feel like I know it all. I have been in this industry almost 25 years; I know where to look for answers, and I have my contacts. But one day it occurred to me just how much has changed during my career - enter the Internet, enter computer based training, enter instant security clearances (Interims), enter the JPAS/e-QIP interface, enter diminished contact with my cleared employees and visitors. Admitting that the contact with my cleared employees is not as intimate as it used to have to be, somehow I felt that I was losing touch with my own skill set because of it. Jeffrey Bennett's book is very insightful into our industry, for he works with and supports, and motivates, this industry. You should consider buying the ISP Certification - The Industrial Security Professional Exam Manual, and spend 30 minutes with it each evening after work. Reinvigorate yourself. Give your imagination and professional growth some quiet stimulation. Remember. Refresh yourself. The best security education dollar you can spend, and not even leave home.
2 of 2 people found the following review helpful
By Jasmine C. on September 15, 2011
Format: Paperback
After receiving this book, I quickly skimmed through it prior to sitting down for a close study. My initial reaction was to wonder just how much information I could learn based on the fact that most of the book was dedicated to practice tests. When I finally took the time to sit down and read it, I was surprised at just how much information it contains. The book tells you how to prepare, to include learning all security disciplines, how to manage your time, and how to study the NISPOM. The practice tests are a great opportunity to time yourself, and help to identify areas of weakness. I truly recommend this book for anyone considering the ISP Certification... it is a great tool to have!
Format: Paperback
Written by a security consultant of twenty-two years of experience in military intelligence, contracting and security, ISP Certification: The Industrial Security Professional Exam Manual is an instructional resource created to provide career security specialists with what they need to know to protect our nation's secrets. The text offers practical advice for security professionals and a working understanding of the NISPOM and Presidential Executive Orders implementing the National Industrial Security Program, but the heart of ISP Certification is its four practice tests designed to probe the depths of one's knowledge. An absolute "must-have" for anyone in federal positions requiring a thorough knowledge of security procedures, and highly recommended for the libraries of federal agencies.
1 of 1 people found the following review helpful
By Fred Twitty on May 8, 2010
Format: Paperback
As a retired US Army, Chief Warrant Officer Five (CW5), Counterintelligence Officer; former Special Agent, Defense Investigative Service (DIS); former Special Agent Defense Security Service (DSS); former US Army Liaison Officer to Headquarters, Department of Defense (DoD), Alexandria, VA, Counterintelligence Division for Counterintelligence Issues, and former owner of a Small Veteran's Business, under a DoD contract to conduct Background Investigations for DoD Personnel Security Clearances, I consider this book to be brief and it makes the complex simple. This ISP Manual is a must for those preparing to take the ISP Certification Exam.
1 of 1 people found the following review helpful
By S. Koryta on June 8, 2010
Format: Paperback
Mr. Bennett once again has assisted me in my endeavors as a security and protection professional. His book not only assists in helping you prepare for the ISP certification, it provides first hand insight and mentoring on how to advance your career goals in this complex field. In using his study guide, one can get a real understanding of how the certification process is and study to overcome the challenges of taking the exam. The one recommendation I can say is to combine it with the pocket edition, so you can take and read while on the metro to work.
1 of 1 people found the following review helpful
By Diane Griffin on January 9, 2009
Format: Paperback
As a seasoned security professional, I found the Industrial Security Professional Exam Manual to be very clear, brief and concise.

The ISP manual is a must read for anyone anticipating taking the ISP exam. Whether you are a seasoned security professional or a newbie to the world of security, this book is a keeper.

Thank you for putting out such a Great Book

Diane Griffin
President/CEO
Security First & Associates LLC

