
Saturday, January 2, 2021

Security education, training and certification


 


 Have you taken the next step to being competitive in the government contracts arena? If not, this article will provide information and tips based on a proven method of studying for and passing the exam. 

Why earn a certification?

There are several reasons to achieve certification. One is that it allows cleared defense contractor owners and employees to take advantage of opportunities offered in the recent Presidential Executive Order: National Security Professional Development. The Executive Order states: "In order to enhance the national security of the United States...it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education and training that builds their professional experience, in an effort to increase their skill level and their ability to protect our nation's secrets.

The ISP Certification is sponsored by NCMS (Society for Industrial Security), a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Professional Operating Manual (NISPOM) but also covers electives such as COMSEC, OPSEC, and other topics.

Industrial Security Oversight Certification (ISOC) is sponsored by the Department of Defense and information can be accessed at https://www.cdse.edu/certification/

Both certifications are based on NISPOM requirements. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified information, as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you are already familiar with the processes from your military and government experiences.

A certified professional communicates to supervisors, the promotion board, and others that they are committed to the business, the industry and the protection of national interests. Certification equips the security manager with the knowledge and skills to perform critical tasks as well as to relate well to civilian counterpart requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require the certification.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you will make security a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also, consider joining a professional security organization.



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", "ISP(R) and ISOC Master Exam Prep", and "NISPOM/FSO Training".

Saturday, June 21, 2014

Self-Inspection of the Enterprise

As a continuation from the last article, let’s look at a few more security education questions. The last article discussed some time-proven practices to present and document NISPOM training for cleared employees. This article looks at required reports, since security education will be reviewed during the scheduled DSS visit.

While answering these self-inspection questions, FSOs might consider interviewing cleared employees to gauge their understanding of requirements. The interview should also include opportunities for the employees to demonstrate how they execute policy. Knowledge of policy is not enough. FSOs should document a cleared employee’s response of what to do and how to perform when required as a means to demonstrate that knowledge.

The following are some questions from the self-inspection handbook:

Are cleared employees debriefed at the time of a PCL’s termination, suspension, revocation, or upon termination of the FCL?

Just because a cleared employee is no longer provided access to classified information doesn’t mean all of their knowledge and experience is sanitized from their brains. It also doesn’t mean that they will completely understand what to do with that knowledge if challenged to reveal it. 

Knowledge is hard to control and even harder when the former employee is outside of the defense network. They are no longer under continuous evaluation and we don't know what the employee will do with all the great stuff stored in their head. The best thing an FSO can do is to debrief them, have them understand their continued responsibility to not disclose classified information and have them sign an acknowledgement stating their understanding. FSOs should not leave this to chance. When at all possible, a face-to-face briefing is the best method.

Terminated employees can be a challenge. It’s very difficult to conduct a debrief interview with a person who feels wronged by the organization. But it’s national security, and classified information is at stake. FSOs should not be satisfied with an administrative action, meaning allowing an employee to leave without the actual face-to-face debriefing. This requires coordination with Human Resources and having them comprehend the importance of keeping the FSO abreast of hiring and firing actions.

Document the debriefings with signatures and dates. This can be easily done by reminding them of their continued responsibility to protect classified information and having them sign and date.

Is there an effective procedure for submission of required reports to the FBI and to DSS? 

There are reports required of each office. However, the employees should understand that the first stop is the FSO. Not that the FSO should attempt to arbitrate issues, but many employers have policy stating that employees should not report company issues without the enterprise’s knowledge unless as a last resort. Many companies have policy dictating how to report information outside of the organization. There is no reason to violate this policy in most circumstances.

This reporting method should also be enforced for:

Instances of fraud through the DoD Hotline - DSS inspects on the availability of posters in obvious areas. Bulletin boards make a great location as announcements are usually posted there. FSOs might also post them where required OSHA posters exist. Write up a map showing where all posters, flyers, pamphlets and other security education tools are available. Document their presence and show them to DSS during the review.

Cyber intrusions - Monitor and report all intrusions. Work out the analysis and reporting details with the IT and cyber professionals and ensure they know to report these intrusions. Document the events as well as when and what is reported.

Adverse information - Develop a culture where employees can report credible information about a cleared employee’s (including their own) ability to protect classified information. Report and document all reports to demonstrate during the DSS audit.

Security violations - Save all reports of security violations and the results of investigations. For security violations that include loss, compromise or suspected compromise, these could include preliminary, initial, follow-up, final and culpability reports. Keep reports on file and any records of submissions to the cognizant security activity.

Suspicious contacts - Cleared employees should understand to report any efforts to obtain illegal or unauthorized access to classified information or to compromise a cleared employee, contacts by a foreign intelligence officer from any country, or information that a cleared employee may be targeted. Document training and any submitted reports.

Security awareness training includes checking on how the employees implement training as required by NISPOM. It’s one thing to show a presentation of required reports and debriefing employees. It’s another to have requirements woven into corporate policy and work instructions. Asking cleared employees to demonstrate their responsibilities or employing scenarios are great ways to check on knowledge. If actual events are reported to the FSO, they should be documented for review during the DSS visits.