
Friday, May 1, 2020

New Cleared Employees, FSOs, and NISPOM

Once a security clearance is granted, the Facility Security Officer (FSO) will contact you and several things will happen real fast. Primarily, if you have been sitting in a temporary position while awaiting your clearance, things are about to get real.
The FSO will manage the security clearance under the umbrella of the cleared defense contractor’s oversight. This means that the FSO will maintain the facility security clearance (FCL) status administratively as well as meet compliance requirements. They do this primarily by training you and, through that training, equipping you to protect classified information and perform work designated by the classified contract.
Just as the FSO is certified or provided FSO training, you will also receive required training from the FSO. The FSO manages the clearances, training, classified workspace, etc. and documents all actions for future reviews by the Defense Counterintelligence and Security Agency (DCSA). The training and briefings primarily begin with the non-disclosure agreement and continue throughout the cleared employee’s career with the company. Depending on time, resources and availability, the FSO and supervisors should attempt to structure security training by experience level. For example, newly cleared employees require more in-depth training than veteran security clearance holders recently hired at a defense contractor organization. All newly cleared and all new cleared employees, regardless of experience, should receive initial refresher training before gaining access to classified information.
Before you as a cleared employee can actually work on a classified contract, the FSO will ensure you meet three criteria: you sign the SF-312 Non-Disclosure Agreement, have a security clearance, and have the need to know to access the classified information. The first step is the most difficult. The other two are fairly easy. Whoever possesses the classified information determines whether or not you should have access. If you are assigned to work on a classified contract, that contract relationship and the work assigned are part of the need to know process.

UNDERSTANDING A NON-DISCLOSURE AGREEMENT

As a newly cleared employee, you will be signing the agreement. Instead of just checking a box to agree, you should do your best to pay attention and understand exactly what it means to work with classified information and the great responsibility you will carry. The SF-312 briefing explains what classified information is, how the government designates it as sensitive, what the classification levels are, and what to protect from unauthorized disclosure. This is your first introduction to the topic. After this you will be provided a much more in-depth training called Initial Security Awareness Training.

INITIAL SECURITY AWARENESS TRAINING

The initial training will familiarize you with the National Industrial Security Program Operating Manual (NISPOM), the DD Form 254 Contract Security Classification Specification, and company policy as applied to protecting classified information both in the cleared facility and at other customer locations. You will also learn how to travel overseas while reducing your likelihood of becoming a security risk or a target for exploitation, as well as how to report espionage attempts. The training also addresses counterintelligence issues, how to report security violations, and the disciplinary actions or possible penalties that can follow from committing a security violation.

INSIDER THREAT TRAINING

Here you will learn to recognize behavior consistent with sabotage or putting classified information at risk. You will also learn to whom and how to report the observed adverse behavior. Insider Threat Training and Counterintelligence awareness briefings help employees learn to recognize behavior consistent with espionage, and to whom and how to report the observed adverse behavior.

DERIVATIVE CLASSIFIER TRAINING

This training is a matter of perspective between government and contractor classification roles. The government entity is an original classification authority and makes classification decisions; contractors do not. Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified; they then mark the newly developed material consistently with the classification markings that apply to the source information. This training is required and will help you understand your role in marking classified information that is derived from original classified information.

EXIT BRIEFING

In case you eventually leave the cleared defense contractor organization, the FSO will remove your clearance from their oversight and provide you with an exit briefing. The FSO will discuss with you your responsibilities to continue to protect classified information. A new job, loss of contract, termination, retirement and removal of access are situations where FSOs should explain the responsibility of continuing to protect the classified information you accessed as an employee.
In summary, you as a newly cleared employee will go through another iteration of onboarding, this time emphasizing how you are integrated into not only the organization, but now the security program. As you integrate into the cleared organization, you should understand the security program and all information and tools which are in place. The FSO should be able to create, implement and direct successful protection of classified information – and that includes providing valuable employee training.



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Sunday, September 1, 2013

Security Education for both experienced and novice cleared employees


Why does everyone have to have the same training? Sure, every cleared employee receives the initial training and the annual refresher training, but do they have to be the same presentations? After all, we are not cut from the same cloth; we've got varying degrees of experience, right?


New Employees, New Clearance


Great questions, and perhaps you have heard them from your employees. I know I have. In response, FSOs could consider dedicating more security awareness training to new employees who will have a security clearance for the first time. The rationale is that, because they will be newly introduced to sensitive and classified government information under the National Industrial Security Program Operating Manual, they should learn the fundamentals:



  • The nature of classified material and how to protect it
  • Notice of their responsibilities to protect classified information and the consequences of unauthorized disclosure
  • Recognizing and protecting U.S. and foreign government classified material
  • Criteria for authorizing access to classified information
  • Responding to classified information released to the public
  • Security chain of command and support structure for addressing security incidents and violations
  • Cleared employees on foreign travel
  • Defining CONFIDENTIAL, SECRET and TOP SECRET

Keep it fundamental and appropriate. For example, the newly cleared employee may not understand how to dial a combination or determine who to allow access to classified material. Without proper training, the newly cleared employees may make honest mistakes leading to security violations.


Cleared facilities with new employees who already have security clearances


Cleared facilities with new employees who have already received security clearances still have a responsibility to provide the initial security briefing. The new employees may have experience protecting classified material, but there is no way to verify the type and strength of the experience. Unique contractual requirements may have specialized performance requirements. Therefore, a modified security awareness briefing specific to the company policies as they relate to the NISPOM may be in order. This briefing may focus more on the specifics of performance on classified contracts and less on security fundamentals.


Annual Refresher Training


In addition to the initial security briefing, cleared contractors are required to provide annual refresher training. This training should build upon the NISPOM fundamentals and on-the-job training. The training covers the same topics as the initial security briefing with the addition of any new changes in the NISP since the last training event. These changes occur any time an executive order is amended, DSS updates regulations, or any other administrative or procedural update affects cleared facilities and employees.

Closer to home, the additional subjects could include security requirements of new classified contracts and updated security hardware, software, alarms or procedures impacting the work force. The addition of newly constructed facilities, updated emergency procedures and local security policies and procedures, the addition of classified computer processing, or any other new classified work introduced to the organization are excellent topics for training.

A good security program might document continuous training on a recurring basis; not just one session per year. Whatever the frequency, the training should be documented to demonstrate each cleared employee’s participation.

Take a lesson from schools: as students progress in knowledge, so do courses in technical difficulty. Employees have varying skill levels and should be trained accordingly. Keep training fresh and alive, know your audience and seek to improve their skills. It will make your security program easy to manage.





For more training ideas, see DoD Security Clearances and Contracts Guidebook

Sunday, March 24, 2013

Making NISPOM Initial Security Briefings Work


The National Industrial Security Program Operating Manual (NISPOM) lists cleared employee training. New employees are required to have Initial Security Briefings to ensure their understanding of the following topics:


  • A threat awareness briefing
  • A defensive security briefing
  • An overview of the security classification system
  • Employee reporting obligations and requirements
  • Security procedures and duties applicable to the employee's job


Why are these topics important? They give the cleared contractor a good idea of what is classified, why it is classified and how to protect it from unauthorized disclosure. Well trained and enabled employees drive the enterprise security program headed by the FSO.

The threat awareness briefing helps the cleared employee understand that there are people who want their information. These people have techniques and a modus operandi to get access to classified information. However, employees can apply this to export controlled, intellectual property and proprietary information. Employees should be trained to recognize attempts to access sensitive information by an unauthorized person.

A defensive security briefing is the next step. This training goes into detail about how an adversary might approach an intended victim to get sensitive information. The defensive security briefing teaches the cleared employee to be on the offense with active measures to protect classified knowledge and information. Employees should know how to react to requests and report all attempts to gain unauthorized access.

An overview of the security classification system provides the cleared employee with answers to how information is classified, what criteria are used and how decisions are disseminated. Some useful tools include security classification guidance, DD Forms 254, and classification markings.

Employee reporting obligations and requirements should provide resources for reporting certain types of information. The cleared employee should be given information on how to report espionage, sabotage, security violations, suspicious activity, etc.

Security procedures and duties applicable to the employee's job is the real meat. This helps the cleared employee with specific tasks related to protecting classified information they may actually work with on the job. Great tools include the DD Form 254, security classification guides, statement of work, requirements documents, work breakout schedules, engineering documents, etc. Where the FSO might train the first few requirements, a supervisor, program manager or lead engineer might take over this training. The key is to ensure a properly trained employee and document that training.

Training cleared employees to perform on classified contracts is the first step to a great industrial security program. NISPOM outlines required topics, but enterprising FSOs can make the training more applicable. The better employees understand their jobs, the better they can protect sensitive information they are entrusted with.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.