
Friday, December 4, 2020

Why Facility Security Officers and Security Specialists Protect Classified Material.


Facility Security Officers (FSOs), the security managers for cleared defense contractors, implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292.

You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned only to information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:

1. An original classification authority (OCA) is classifying the information. Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government officials can serve as OCAs. Agency heads are responsible for ensuring that only the minimum number of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.

The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.

The original classification authorities attend training as identified in the executive order and other directives. The education is similar to the annual security awareness training that FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination, in addition to learning how to determine the classification level.

2. An original classification authority may determine a classification on anything that is owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the Government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production and protection measures, in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.

3. The information to be classified should fall into one of the following categories: military plans, weapons systems or operations; foreign government information; intelligence activities, sources or methods or cryptology; foreign relations or activities of the United States including confidential sources; scientific, technological, or economic matters relating to national security, including defense against transnational terrorism; U.S. programs for safeguarding nuclear materials or facilities; vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism; weapons of mass destruction.

4. The OCA also should determine that the unauthorized disclosure of the information reasonably could be expected to result in damage to national security, which includes defense against transnational terrorism, and they are able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.

The impact of disclosure is categorized from reasonably causing "damage" for CONFIDENTIAL information through "serious damage" for SECRET information to "seriously grave damage" for TOP SECRET information. EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also prevents the original classification authority from assigning a classification level needlessly.

Cleared Defense Contractors protect information classified by the OCAs. Understanding the reasoning behind the classification is not critical, but it may give a better comprehension of the National Industrial Security Program. Such information could lead to better security measures or heightened awareness of the sensitive nature of classified information.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Saturday, October 10, 2020

Becoming an FSO of Influence. How to grow with a growing company.


A few times I've had a similar conversation with a few leaders in the security industry. They had been experiencing the same reaction from their enterprise leadership and were frustrated to the point of looking for another job. Their joint frustration revolved around a lack of support for their security vision. They could not seem to get past the barriers in perception to show that they did much more than request and manage security clearances and facilities. This may be a common issue facing many FSOs throughout the National Industrial Security Program cleared defense contractor base.

These issues could stem from three possible challenges facing cleared defense contractor companies. The first is that the FSO has not developed a reputation as a corporate leader with effective strategies to ensure the organization is prepared to compete for, win, and maintain classified contracts. The second is the cause of the first: the company has grown, and the original FSO may not possess the leadership skills necessary to continue to engage as necessary. Finally, the security manager is not considered an executive function and falls under a corporate executive and outside of those performing on classified work (a corporate executive vs. a program manager).

Understanding how security fits into the organization is crucial. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. This could manifest through denial of requests for tools, resources, and capabilities that the workforce needs. Instead of considering workarounds, the FSO may naturally be inclined to say "no" instead of doing the hard and helpful work of performing a risk assessment and providing helpful solutions. Rather than assuming the role of "Dr. No", FSOs should possess the skill to develop policy that supports NISPOM requirements AND provides for the fulfillment of the classified contract's objectives, work products, and deliverables.

I've witnessed FSOs often respond to requests with "DSS (DCSA) won't allow it," or the more popular "it violates the NISPOM", only to have industrious cleared employees find a workable solution approved by the government customer, while going around the FSO. Think about what that does to the FSO's credibility and influence. They may never be consulted again and could have their office reduced to, "just get us our security clearances and we'll take care of the rest".

FSOs should also understand that the security program is there for the cleared employees and not the other way around. The cleared employees perform on the classified contracts; the work that brings revenue to the company. The FSO brings the resources, guidance, consultation and tools to facilitate the performance on classified contracts.

For example, a security practitioner may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or the rationale for a change in policy, the FSO may defend their decisions by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company's business model or culture. A more succinct example is the FSO requiring the organization to provide monitored surveillance and alarms for the protection of SECRET documents already adequately secured in a GSA approved security container.

    

The second problem addresses the level of the hired or appointed FSO as the company grows from 50 to 300 cleared employees. The FSO for the 50-person company may just need clerical and administrative skills to provide security assistance to the few cleared employees working one or two classified contracts. In this case the company grows to 300 cleared employees, with 15 contracts, and is managing growth problems and opportunities. The growth requires a sound strategy that goes beyond clerical skills.

In the third situation, the corporate office misunderstands the role of the FSO and assumes that they have limited leadership skills and roles. Suppose the FSO is experienced in leadership, but is buried under many levels of leadership and not able to influence decision making. They could make sensible recommendations based on threat assessment and NISPOM requirements. The program is presented professionally, but the management does not understand the role of the FSO as compliance officer and they are typically left underutilized. Perhaps they consider the FSO as a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.

    

Larger and very successful cleared defense contractors understand the needed balance. These companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.

    

Influencing Change

So, how does the described security manager create influence and credibility that counts? First of all, they should approach their profession as risk managers. They should factor in the contractual requirements, NISPOM, government contracting activity, and potential growth. A growing security requirement is expensive; resources should be planned for and budgets presented based on quantified risk and not fear tactics.

    

Learn how the company earns money. Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.

    

Presenting the security program does not have to be a frustrating event. If a security manager is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must and it involves making the transition from an administrative clerk to a risk analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.


Check out our book series: Security Clearance and Defense Contractors


Monday, September 21, 2020

Conducting Effective Security Training



Some security training and briefings are very discouraging for the workforce. Many times, the training is the exact same video or presentation used year after year. This podcast and article discuss ways to improve training by making it applicable based on skill level. In other words, someone who has been working on classified contracts for five years or more already understands the three levels of classified information; so why not move on?

So, if you go to my website www.redbikepublishing.com, you might find training and tests that do ask those types of questions. That’s because many of my books and training products are specifically for security managers and include certification study guides. It’s appropriate for me to ask administrative types of questions. It’s unfair to provide that type of training to the workforce.

This topic is specifically about how to make your security training more effective for your work force. There are two types of training that I want to clarify. That is required training for security professionals and required training for the workforce. These training topics should be separate and distinguished. For example, an engineer performing on classified work may not need to know security form numbers. They may need to only understand that at the end of the day, they need to use the End of Day Checklist, so why quiz them on the form number (SF 701)?

So here are three problems I see with the current security training trend:
1. Lack of training resources
Security managers are tasked with training a workforce, but without the ready resources to do so. Security managers often perform this task as an extra duty without time or resources to accomplish it. They are human resources staff, contracts managers, engineers, CEOs, and others, filling the position to be compliant with security clearance requirements.

What is concrete is that there are various training topics required for cleared defense contractor employees, they include:

This is a huge responsibility. 

This training is easy in the beginning stages with the first two training topics. They are the high-level training and onboarding, enough to get cleared employees “authorized” and prepared for the work. This is normally presented by the FSO for newly cleared employees and covers the basics of protecting classified information, what it is and how it’s classified, how to recognize it, how to report violations, and other fundamentals.

New employees who are already experienced working on classified contracts elsewhere do not need the SF 312 briefing, but may need Initial Security Awareness training to orient them to security policies and procedures in their new work location.

2. One Size Fits All
There are many resources that busy security managers can draw upon to solve the problem of training the workforce. There are downloadable training topics available from vendors and government websites. The problem is, the training never grows up or ever requires growth from members of the cleared workforce. 

Year after year, we present the same presentation or video regardless of skill level. A person who has been working for 5 years or more as a cleared employee knows the three classification levels (TOP SECRET, SECRET, CONFIDENTIAL). Yet we keep feeding them baby food and insulting their intelligence with quizzes asking them the three levels while trying to trick them with a nonexistent fourth (UNCLASSIFIED).

3. Making a nation of Security Professionals
The very resources we use to present to our cleared workforce come from websites targeted at security professionals. For example, the Defense Counterintelligence and Security Agency trains security professionals and its courses are designed for that purpose. Many times, because of problem statements 1 and 2, we are forced to use these canned presentations. Here the workforce is tested on their knowledge of security forms, how to conduct security investigations, and how to challenge classification. In fact, they need to understand better that a cover sheet exists, how to recognize and report a violation, and who to talk to if something is over or under classified. The workforce does not usually take care of security administrative functions such as ordering security forms (security does), they don’t conduct investigations (security does), and they don’t contact the GCA, DCSA, ISOO, etc. (security does), so why force them to learn the intimate details?

The solution

There are a few simple ways for a security manager to improve the security training without incurring a huge resource burden.

1. Begin with the Contract Security Classification Specification or DD Form 254. 

This DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts, you should understand the contents for each contract. The security manager may create training requirements based on the contract. The DD Form 254 addresses every security requirement for each classified contract and can be used as a roadmap for security training. In fact, almost each section is a training topic in and of itself. 

2. Incorporate workforce peers, supervisors and program managers. 

While the security manager will provide the training reflecting the National Industrial Security Program Operating Manual (NISPOM), the workforce will provide more work-specific training tailored for the classified contract.

Training will reflect how to write classified documents, assemble subsystems, collect raw data from sensors, or other specific work required by your contract.  They will also teach how to correctly mark, assemble, store and protect the classified work products. 

The FSO and supervisors should attempt to structure security training by experience level. The training does not necessarily need to be conducted as a presentation or assembly or in a canned computer setting. The security manager and employee supervisor can work together to develop training topics that can be validated in day-to-day work activities.

Learn more about security training at www.bennettinstitute.com




Friday, May 1, 2020

Cleared employees, FSOs and Classified Work




This article continues the series describing what happens after the government grants you a security clearance. After receiving a job with a company or agency performing classified work, you’ll receive your onboarding training, which may have included the SF 312 Non-Disclosure Agreement, Initial Security Awareness, Derivative Classifier and other required training events and briefings. Even though the Facility Security Officer (FSO) brought you into the system, awarded your security clearance, and performed the required high-level training, there is still much more work to do to ensure you understand how to perform on classified contracts.
The high-level training and onboarding is enough to get you “authorized” and prepared for the work. The rest of the preparation will come from other sources to include peers, supervisors and program managers. This training is usually provided on the job as you actually begin performing on the classified contract.
This is how it might play out. The Government Contracting Agency (GCA) or program office flows down the classified work in the contract to the Cleared Defense Contractor (CDC). Part of the classified contract is the Contract Security Classification Specification or DD Form 254. According to the information on the DAMI website, the purpose of the DD Form 254 is to “…convey security requirements, classification guidance and provide handling procedures for classified material received and/or generated on a classified contract…” This DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts, you should understand the contents for each contract.
The DD Form 254 will explain the classification level that you will be working with. It is important to understand that this level will be at the same level or lower than your security clearance level. Therefore, you would need a Top Secret clearance to work on classified contracts at the Top Secret level or lower. The form may also state any additional classification concerns such as foreign government information, communications security (COMSEC) requirements, and more.
The form also determines where you will perform the classified work. If the CDC facility has a possessing Facility Clearance (FCL), then you might perform work at that location. If the CDC facility has a non-possessing FCL, you will usually perform classified work at another location. For example, a cleared employee may not necessarily perform the classified portion of the work at their location based on guidance in the DD Form 254. As a result, many cleared employees have an office at their headquarters or company property, but perform classified work off-site at a government, research, or other cleared contractor location.
While the FSO will provide the required security training reflecting the National Industrial Security Program Operating Manual (NISPOM), your supervisor may give you more work-specific training as you perform on the classified contract. Your supervisor will teach you how to write documents, assemble subsystems, collect raw data from sensors, or other specific work required by your contract. They will also teach you how to correctly mark, assemble, store and protect the classified work products.
In summary, after the FSO conducts preliminary security training and briefings, your supervisor or sponsor may guide you through more in-depth and contract specific security training, this time emphasizing your contract specific performance.






New Cleared Employees, FSOs, and NISPOM

Once a security clearance is granted, the Facility Security Officer (FSO) will contact you and several things will happen real fast. Primarily, if you have been sitting in a temporary position while awaiting your clearance, things are about to get real.
The FSO will manage the security clearance under the umbrella of the cleared defense contractor’s oversight. This means that the FSO will maintain the facility security clearance (FCL) status administratively as well as meeting compliance requirements. They do this primarily by training you and, through that training, equipping you to protect classified information and perform work designated by the classified contract.
Just as the FSO is certified or provided FSO training, you will also receive required training from the FSO. The FSO manages the clearances, training, classified workspace, etc. and documents all actions for future reviews by the Defense Counterintelligence and Security Agency (DCSA). The training and briefings primarily begin with the non-disclosure agreement and continue throughout the cleared employee’s career with the company. Depending on time, resources and availability, the FSO and supervisors should attempt to structure security training by experience level. For example, newly cleared employees require more in-depth training than veteran security clearance holders recently hired at a defense contractor organization. All newly cleared and all new cleared employees regardless of experience should receive initial refresher training before gaining access to classified information.
Before you as a cleared employee can actually work on a classified contract, the FSO will ensure you meet three criteria: you sign the SF-312 Non-Disclosure Agreement, have a security clearance, and have the need to know to access the classified information. The first step is the most difficult. The other two are fairly easy. Whoever possesses the classified information determines whether or not you should have access. If you are assigned to work on a classified contract, that contract relationship and the work assigned are part of the need to know process.

UNDERSTANDING A NON-DISCLOSURE AGREEMENT

As a newly cleared employee, you will be signing the agreement. Instead of just checking a box to agree, you should do your best to pay attention and understand exactly what it means to work with classified information and the great responsibility you will carry. The SF-312 briefing explains what classified information is, how the government designates it as sensitive, what the classification levels are, and what to protect from unauthorized disclosure. This is your first introduction on the topic. After this you will be provided a much more in-depth training called Initial Security Awareness Training.

INITIAL SECURITY AWARENESS TRAINING

The initial training will familiarize you with the National Industrial Security Program Operating Manual (NISPOM), the DD Form 254 Contract Security Classification Specification, and company policy as applied to protecting classified information both in the cleared facility and at other customer locations. You will also learn how to travel overseas and reduce your ability to be a security risk or target for exploitation as well as how to report espionage attempts. It also addresses counterintelligence issues, how to report security violations and disciplinary or possible penalties that can occur for committing a security violation.

INSIDER THREAT TRAINING

Here you will learn to recognize behavior consistent with sabotage or putting classified information at risk. You will also learn to whom and how to report the observed adverse behavior. Insider Threat Training and Counterintelligence awareness briefings help employees learn to recognize behavior consistent with espionage, and to whom and how to report the observed adverse behavior.

DERIVATIVE CLASSIFIER TRAINING

This training is a matter of perspective between government and contractor classification roles. The government entity is an original classification authority and makes classification decisions; contractors do not. Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified, then mark the newly developed material consistently with the classification markings that apply to the source information. This training is required and will help you understand your role in marking classified information that is derived from original classified information.

EXIT BRIEFING

In case you eventually leave the cleared defense contractor organization, the FSO will remove your clearance from their oversight and provide you with an exit briefing. The FSO will discuss with you your responsibilities to continue to protect classified information. A new job, loss of contract, termination, retirement and removal of access are situations where FSOs should explain the responsibility of continuing to protect the classified information you accessed as an employee.
In summary, you as a newly cleared employee will go through another iteration of onboarding. This time emphasizing how you are integrated into not only the organization, but now the security program. As you integrate into the cleared organization, you should understand the security program and all information and tools which are in place. The FSO should be able to create, implement and direct successful protection of classified information – and that includes providing valuable employee training.




Thursday, March 5, 2020

Questions for SPeD, ISOC and ISP Certification


Get your copy @ www.redbikepublishing.com


These NISPOM based questions could be helpful in passing the NCMS ISP Certification and the DoD's SPeD Certification exams including the most recent Industrial Security Oversight Certification (ISOC).

Taking practice tests is a great way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test length practice exams based on NISPOM.

We've updated our manual for NISPOM Change 2.

The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours

d. 12 hours

e. 86 hours


When completing the Request for Visit, the anticipated level of classified information involved include all the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED

d. RESTRICTED

e. UNCLASSIFIED


Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission

e. All the above


Scroll for answer:











The dispatching company security officer must provide the receiving security officer with _____ advance notice of the courier's expected date and time of arrival.

a. 48 hours

b. 72 hours

c. 24 hours (NISPOM 5-408d)

d. 12 hours

e. 86 hours



When completing the Request for Visit, the anticipated level of classified information involved includes all the following EXCEPT:

a. TOP SECRET

b. SECRET

c. REGISTERED (NISPOM Appendix B4)

d. RESTRICTED

e. UNCLASSIFIED

Which of the following are considered a CSA?

a. Department of Defense

b. Central Intelligence Agency

c. Department of Energy

d. The Nuclear Regulatory Commission



e. All the above (NISPOM 1-104a)

So, how did you do? These questions and more can be found in Red Bike Publishing's Unofficial Guide to ISP Certification, DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. These resources provide excellent study material that may help with passing the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book and used our techniques to augment their preparation have performed very well on certification exams.

                                           

Check out our newest resource, online testing, which simulates testing environments for the ISOC and ISP.

For practice purposes, download the electronic version of the NISPOM and use it to help search for the answers to the provided test questions. Use a timer to count down 120 minutes for each practice exam.
Register for the exam here:  https://www.classmarker.com/online-test/start/?quiz=jdm5dbdb6cb9c613

You can find additional certification training and resources at http://www.redbikepublishing.com/ispcertification/

NISPOM link 

https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodm/522022m.pdf



Just select the “edit” tab and then “find”. Then type the key word or phrase from the test question to help find the answers.




Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.


Tuesday, February 4, 2020

The Adjudicator's Role in Security Clearance Decisions



When an uncleared employee is hired to perform on classified contracts, the Facility Security Officer (FSO) requests a security clearance investigation. If a new employee already has an active security clearance, then the action is administrative; just a transfer.

In the case of a security clearance request, the applicant completes and submits the SF-86 with the security officer’s assistance and the investigation begins. Next, the adjudicators apply the “whole person” concept to determine suitability and make a security clearance decision.

The applicant has some control over the timeliness of the application and the duration of the investigation when they put in the effort to prepare ahead of time with all the references necessary to answer questions accurately and completely. Additionally, they can gather references that may help the adjudicators understand whether or not any derogatory information can be overcome.

Any answers to the questions indicating a risk should be explained in as much detail as possible. Where there is doubt or question, the applicant should err on the side of over-explaining instead of under-explaining answers. Aside from artifacts explaining situations, the applicant may seek legal advice to assist in completing the document.

If an applicant is indeed concerned that past events may lead to the denial of a security clearance, they should provide as much information as possible explaining or demonstrating that the events are in the past, will not be repeated, have been completely overcome with rehabilitation, and are now a non-issue as far as motivation to repeat them, ability to be coerced or exploited, or temptation to do so again.

The adjudicators consider the following as they try to make a decision as to whether or not the applicant will be a national security risk. They make security clearance decisions based on the interests of national security. Consequently, the applicant is required to demonstrate they are not a threat to national security and should provide artifacts demonstrating that, though they may have been a risk to national security at one point, that risk has been mitigated.


Saturday, December 14, 2019

Frequently Asked Security Clearance Questions


Opportunities abound in the defense industry where every job discipline requires a security clearance to perform on the contracts. Classified contracts require services that include staffing, janitorial, graphic design, accounting, finance and more. Technical experience is needed as well with mechanics, software designers, engineers, program managers and their support.

For the unfamiliar, the security clearance process may seem daunting. A lack of information about how to get started, the required forms, interviews, waiting, and expectations can make the entire experience feel out of the individual's control. However, there is a well-established and efficient process that the government undertakes, and you can be in as much control of the experience as possible.

A Little Background

Whether you are in college, gainfully employed outside of the defense industry, or starting a business, you as the reader are interested in gaining a security clearance and starting a profession with the more than 13,000 Cleared Defense Contractors (CDC) making up the industrial base. Though you may be aware of the opportunities, you may be wondering how to get started. I usually get asked the following question:

How do I get a clearance so I can get a classified job?
It's a great question, but it can't be answered easily as asked. The clearance comes after the job requirements. The question, in the form it is often asked, skips right by the most fundamental questions of whether or not an individual qualifies for a clearance and what the process is for getting one. I will attempt to answer the first question by providing answers to the other two questions:

Can I get a security clearance?
Yes, the security clearance process is open to U.S. citizens. If after a thorough investigation you are deemed trustworthy, you may be granted a clearance. However, not just anyone can apply; see the next question.

How do I get the clearance?
By applying for a job that requires a security clearance or starting your own company and winning classified contracts.

How long does it take to get a clearance?
This could take a few months to over a year depending on the investigation and adjudication of findings. The investigation is very in-depth and depends a lot on information the applicant provides on the SF-86 application.

There is so much more, so keep following. We have an eBook available that can assist. Just register for our newsletter full of security clearance articles and advice and we'll send it. Here's the link: http://www.redbikepublishing.com/contact/

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing.
He is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. 

Wednesday, October 23, 2019

Using anecdotes to convey your security message.


The skill of storytelling is one of the most successful methods of conveying a message. Public speakers, teachers, and mentors draw on personal experience to relate to their audiences. Performed with skill and confidence, a story can enhance training by making tasks teachable and relatable to the audience. However, when the message is misrepresented or poorly delivered with bad storytelling, the messenger becomes the focus as they lose credibility and the good message is obscured.

Storytelling for the purposes of this article does not necessarily mean creating a work of fiction or spinning a tale. The term storytelling is used as an example to assist with creating a logical flow of tasks conducted to complete a function. For example, a bad storyteller may say, “protect classified information or else you could be fired or worse.” A good storyteller will convey the task of introducing, using, storing, and destroying classified information throughout its lifecycle in a logical sequence. They could do so with such relevance that it is easily applied within the company culture.

The Story Setting

A speaker who speaks with or trains an audience of peers or people with similar skill sets gains almost instant credibility. The same profession, the same topic, and the same faces most often make it unnecessary to cultivate a relationship from scratch. Everyone already has something in common as they share like interests. This setting can occur in a professional organization or club where everyone has a similar skill set or hobby.

On the other hand, a speaker who discusses topics with an audience of various expertise may have a harder time relating to their audience. For example, a college night school teacher may have an audience of skilled laborers of various disciplines, and the only thing they have in common is the textbook. In these instances, the speaker relies on their expertise in the subject matter and anecdotes to make the subject material relevant or teachable. It would be ridiculous for this speaker to try to engage in a topic they know nothing about. They will simply lose credibility the first time they misuse an anecdote.

Applying Story Telling to NISPOM

Beyond supporting a common corporate culture, a Facility Security Officer (FSO) could have difficulty conveying a message of protection to those who use classified information for a more specific purpose if they do not discover common ground. While the FSO is an expert at NISPOM, the engineer or practitioner is an expert at how the classified information is used. So what can an FSO do to create common ground and use that common ground to develop training anecdotes?

I’ll use a personal story. A few years ago I was invited to speak at an NCMS local chapter event. I wanted to discuss program protection, but went in heavy on explaining National Industrial Security Program Operating Manual (NISPOM) requirements. The briefing charts I developed just dripped with NISPOM requirements and I used the requirements to demonstrate the application and need for program protection planning. I thought I had a good presentation, but wanted to verify with a colleague.

His assessment was the truth, but not what I wanted to hear. He explained that my message was wrong and I risked losing my audience. What I had inadvertently done was assert myself as a NISPOM expert when in reality I should be showcasing my program protection experience. He rightly pointed out that the room would be full of NISPOM experts that could argue any NISPOM topic interpretation to the detriment of my presentation. He further explained that the NISPOM could be our common ground, but the majority of the presentation should reflect my program protection expertise and get buy-in on NISPOM interpretation. Thankfully I listened, resulting in a successful presentation and great question and answer sessions.

Establishing Credibility

FSOs are the experts at NISPOM and how to apply the classification management guidance at the cleared contractor facility. Cleared contractor facilities are required to designate a capable person to conduct the duties of the FSO. This can be interpreted as the requirement to pick an existing employee to perform the additional duties as an FSO. It can also be interpreted as the requirement to hire an additional person to conduct full-time duties as an FSO.

Appropriate message

The primary purpose of the FSO should be to establish their credibility in applying NISPOM guidance to the defense contractor facility. In some situations where the FSO is a designated task bestowed upon an existing executive, engineer, or other professional, the FSO may be an expert in the development of a weapon system. They are an expert in the weapons system and may be able to beautifully weave security anecdotes into the fabric of weapon system development. In this situation, it would be a mistake not to showcase the expertise as a system engineer to relay the importance of applying security tasks to protecting classified information on the specific system. Every attempt should be made to discuss intimate details of performance, cost, and schedule and convey the security message while doing so. Being an expert in security and weapon system development and telling the story accurately using technical language and engineer speak will help fellow weapon system designers better apply security to protect classified and export controlled information.

On the other hand, a non-technical FSO attempting to lecture the engineer on specific details of the unfamiliar task of developing software would not be wise. Any attempt to do so could result in loss of credibility as terms might become misused or tasks communicated in a way that insults the professional. In this case the non-technical FSO could conduct security training and security tasks with the frame of reference that they are the experts at NISPOM guidance and the engineers are the weapon system and development experts. Together as a team they can develop an effective security program to protect classified information.

In the second scenario the FSO can establish credibility as a security expert and create captivating stories using the common ground of working in a cleared defense contractor facility and the facility’s core culture. Where the audience is made up of scientists and engineers, there is no need for an FSO to attempt to discuss areas they are not an expert in. This could unfortunately provide an opportunity for the audience to argue the FSO’s level of understanding of the weapon system outside of the scope of the security discussion.

The art of storytelling should be used in communicating the security message to help make it easily digestible to cleared employees. Storytelling is simply finding and using common ground to establish training or develop a culture in a relatable and logical flow. This is a great skill to practice and develop to help implement security programs to protect classified information.
