Thursday, December 17, 2009

How to Receive Classified Information

Classified information can arrive to a cleared contractor in many different ways. Whether delivered via courier, mail carrier, overnight carrier, classified electronic means, and etc. the FSO should have a process in place to control and protect classified information from reception to dissemination or destruction. The FSO should establish procedures for the proper reception of classified material. The receiver of classified material plays a critical role in both safeguarding classified material as well as identifies security violations that the sender may have committed.
FSOs can control the introduction and dissemination of classified information with a centralized document control system. The NISPOM requires that a cleared contractor have an information management system in place to control classified information. This can be accomplished with a centralized system to facilitate the proper introduction and control of classified information entering the facility. This system requires visitors, couriers, mail carriers, overnight delivery companies, and other means of classified transmissions to perform under the FSO’s established procedures. Without such controls, classified information is vulnerable to unauthorized disclosure, loss, or compromise.
The centralized reception and dissemination provides the FSO with a tool for the positive control of classified information. In certain circumstances, cleared facilities may have multiple delivery docks and mailing addresses. Classified information should only be addressed and delivered to the established classified mailing address. A good practice is to have the classified address and centralized processing location co-located Simply put, uncontrolled introduction of classified information can lead to accountability problems, potential security violations and compromises of classified material. Addressing this at annual security awareness training is a good way to ensure cleared employees understand.

Outer Layer-The first step to receiving classified information is to examine the outer layer for evidence of tampering or compromise of classified material. The inspector should look for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.
Next, review the shipping label for full approved classified mailing address, return address and which does not identify any recipient by name. Discrepancies should be addressed with the sender. Additionally, there should be no classification markings on the outer layer of the item. Inner Layer -The inner layer is inspected the same way as the outer layer for evidence of tampering or unauthorized disclosure. However, the inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. TOP SECRET and SECRET material should have a packing list or receipt of contents either on the outside or inside of the container. If no receipt is included, contact the sender. According to the NISPOM, CONFIDENTIAL information does not need a receipt included with the shipment. If a receipt is included, the signer should sign it and return it to the sender.
Compares the receipt against the label to ensure the item has been identified correctly. The receipt should contain information to direct the contents to the appropriate recipient. The properly filled out receipt identifies the sender, the addressee and correctly identifies the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, ensure it contains no classified information. If the receipt contains a classified title, contact the sender to see if it can be issued an unclassified title, reinvent an appropriate title, or prepare to store the receipt long term in an a GSA approved container because it is a classified item.
Once the material is received and the delivery inspected against the receipt, the FSO can input the information into a information management system. This database can be something as simple as logging the information into a notebook or through technology such as proprietary software sold on the market. Some companies and federal agencies have developed internal forms and examples are available on the internet. Once complete, put the classified information in the security container or other approved classified storage.

How to Wrap Classified Packages

How to Wrap Classified Packages
By: Jeffrey W. Bennett, ISP

The National Industrial Security Program charges cleared contractors with protecting classified information. This protection extends through all phases of contracts and throughout the duration of the classification. Protection also includes the reception, storage, dissemination, and destruction of the information.
Dissemination is a critical part of protecting classified information as the classified information leaves the control of the cleared organization. Whether couriered, mailed, or otherwise delivered, it is removed from a cleared facility and must be prepared in a way to protect the information from unauthorized disclosure.
Prior to sending out classified information the FSO should ensure that it is double wrapped with opaque paper to preclude casual observation of the classification markings and contents. The inner wrapper is marked with the proper classification, provided an address with sender and addressee indicated, and properly sealed on all seams. Additionally, a receipt should be included with the inner wrapping to indicate the contents, sender, and addressee. No classified information should appear on the receipt. Though the NISPOM directs SECRET and above deliveries to include a receipt, it is a good practice to also send a receipt with CONFIDENTIAL information. Receipts should be signed by the addressee once they inspect the delivery. The outer wrapper should not include a classification and should be addressed to the security department or FSO and the classified mailing address.

Always store and protect classified information properly. The information provided below can prove helpful as a checklist for transmitting classified information:

Stamp opaque envelop with highest classification and other required restrictive markings.
Label with recipient company name and address, ATTN: Recipient’s name or office, section, mail stop, etc.
Seal all seams with opaque tamper-proof tape
Include two copies of receipt inside or attached to inner opaque envelop

Label opaque envelop with classified mailing address ATTN: FSO
Seal with opaque tamper-proof tape covering all seams.
Classification or other restrictive markings are not annotated on outer envelope.

Friday, November 13, 2009

Changes to the National Industrial Security Program Impact Defense Contractors

Just five short years ago several changes came out almost simultaneously. The changes challenged the thinking of many security specialists because the ideas were so new. The proactive employees put plans into place that made the changes easier to implement within their organizations. The others found themselves implementing the changes at the last minute.
I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections identified using JPAS to submit visit authorization requests instead faxing personal identifiable information to a hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. T o prepare industry for the new process, Defense Security Services and professional organizations such as NCMS (Society of Industrial Security Professionals) began preparing ways to educate Facility Security Officers and other JPAS users. Now, JPAS is required throughout the Department of Defense.
Remember the thick personnel files? FSOs maintained huge volumes of cleared employee information. SF86 applications, medical and information release forms, SF 312 forms and more were packed into manila folders and stuffed into bulging lateral cabinets. I remember hearing of one security professional stating that they had requested a new lateral filing cabinet. Their supervisor balked at such an expense and the employee argued the need for it. Fortunately another employee who kept up with changes in the NISP reminded the two of a then recent change; the FSO could no longer maintain SF 86 information once a security clearance determination had been made. As a result, the cleared employee files withered to a few pieces of paper and some of the lateral cabinets were emptied.
The point here is that new changes are bound to come because of amendments to Presidential Executive Orders or policy updates. FSOs and security specialists should begin a plan immediately to implement the new requirements. While incorporating the changes into the security program, prepare another report of the impact to your organization. Will the new requirements increase costs of doing business or are there significant cost reductions? Document the findings and keep management informed. Finally, prepare to hi-light significant changes for presentation during annual security awareness training.

Thursday, November 12, 2009

Need to Know-the Rest of the Story or Establishing Need to Know within the National Industrial Security Program

According to E.O. 12869, no one can have access to classified information unless they have been determined eligible for a security clearance and have “need to know”. Access is a determination made by an expert based on the results of a proper investigation. This eligibility is easy to determine after the U.S. Government provides the notification of a granted security clearance or upon validation of an approved cognizant security agency database. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance they are eligible for access to classified information at the level of clearance and below.
However, the rest of the story concerns “need-to-know”. Need to know is a determination made by the possessor of classified information. This cleared employee not only has to determine that recipients of the information have the proper clearance, but that the cleared person is authorized to perform classified work based on a true government requirement. Just as security clearances should be kept to the minimum amount necessary to perform the classified work, access to that classified information must be kept to only those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on his desk. Investigation revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not too much time later, the second employee was summoned to his bosses office to answer some questions. He left in a hurry, forgetting about the classified information on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded another incident came to light. The co-workers shared he same office, but did not work on the same contract. The first co-worker entrusted the safeguarding of classified information to an employee cleared at the proper level, but who did not have the “need to know”.

Identification and the Defense Contractor’s Rolodex

Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those who are authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biological and electronic information. There are many configurations of card reading technology. Some use picture badges unique to organizations coupled with small chips providing a code for entry into access controlled areas.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to do. However, instead of passing smoothly through the process, he became show stopper. The flow had been interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is somewhat of a traveler and employee security issue to deal with. Employees are trained to put away our organization’s access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least risk, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may provide the employee’s specific place of work and in some instances their clearance level. Worst case scenario, the card could be stolen and allow unauthorized access to a facility. Perhaps, a subject can be targeted for exploitation based on identification of line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how they are associated with sensitive information or business.

Friday, September 18, 2009

How Facility Security Officers and other Security Professionals Contribute to their Communities

One thing that I like about security professional organizations like American Society of Industrial Security Professionals International (ASIS) is their emphasis on giving to the community. The group sponsors scholarships, provides security services and training opportunities designed to help non-profit or not for profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to present a small presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course was a few years ago. We are thinking of presenting it again since social networks like Face book, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidently, in a church meeting the next month our leadership raised concerns of recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to possibly prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church and many were in attendance. However, just because one is in law enforcement, does not necessarily mean they are an expert in a certain discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high risk neighbors, gang affiliations, unique issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offer very valuable opportunities to train volunteer based organizations with tiny budgets. Each community’s needs are different; however you may just have the necessary skills or connection to fill in vital gaps.

Thursday, September 17, 2009

Why FSOs and Defense Contractors Protect Classified Information

FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292 . You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports of how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned to only that information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA’s. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not determine a classification on anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to classified materials and information only if they fall into one of eight categories designated in the EO.
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information through “serious damage” for SECRET information to “seriously grave damage” for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.

Thursday, July 23, 2009

Defense Contractors, Consultants and NISPOM

Consultants are hired by a company to fill a need the organization is not prepared to meet. The consultants share office furniture, the water cooler and are hopefully made to feel as part of the team. In spite of being a well respected contributor to the cause, consultants do not always enjoy the same benefits of a regular employee. However, this difference should occur when working on classified contracts the consultant has been hire to perform on.
According to NISPOM 2-212 “A consultant is an individual under contract to provide professional or technical assistance to a contractor in a capacity requiring access to classified information. The consultant shall not possess classified material off the premises of the using (hiring) contractor except in connection with authorized visits. The consultant and the using contractor shall jointly execute a consultant certificate setting forth respective security responsibilities. The using contractor shall be the consumer of the services offered by the consultant it sponsors for a PCL. For security administration purposes, the consultant shall be considered an employee of the using contractor."
Simply stated, though a consultant is not a regular employee, the NISPOM considers them an employee of the company that they represent. The contractor is expected to maintain the consultant’s clearance and assign classified work as specified in a contract. As with other employees, the consultant should also attend annual security awareness training and follows set procedures for working with classified information. For example, suppose a consultant is required to attend a classified meeting at a government location. There should be no problem with them couriering classified information as long as visit request and authorizations are in place. That could be as simple as providing a visit request to the government facility through JPAS. However, consult with the Government organization’s security department for specific requirements.

Career Advice for Defense Contractor Security Specialists

I receive a lot of emails from people who wonder how to get into the security field. Many are looking for a career change and are curious about what kind of education and experience is needed to work as a security specialist in the defense and contractor industry. Others are just starting out in life and looking for a job with challenges and opportunities the security field offers. There are plenty of great opportunities in with large and small contractor companies providing the venue. Here is what I have discovered about our industry and some of you may have other experiences and advice you can pass to those who ask about a career in security.
Industrial security is an outstanding field for someone with all ranges of experience to enter into. Some have been hired at an entry level job and have received promotions and additional responsibilities. Others have transferred full time to security after enjoying serving in an additional duty capacity. Career growth occurs as the contract and company expands or the employee takes on more responsibilities after hiring on with another company. Security managers can also move to higher level security positions as chief security officer or corporate security officer as experience meets opportunity.
Employees just entering the work force can benefit from entry level jobs. These opportunities are great for building skills and filling a critical need while filing receipts, wrapping packages, checking access rosters, applying information system security, or bringing classified information into an accountability system. Those skills combined with learning to implement programs designed to safeguard classified information provides a great foundations to build careers on. Additionally, many employees attend university and other adult education opportunities while serving full time in the security field. The experience, education, certification and security clearance gained while on the job prove very valuable.
Taking a look at want ads and job announcement, one can see that education and certification is beginning to be more of a requirement. Past listings for entry level and some FSO jobs required only the ability to get a security clearance and having a high school diploma or a GED. However, more and more job announcements require formal education to include college and a preference for security certification. The defense security industry still provides a good career field to gain entry level experience and move up quickly. Being well entrenched in a good career provides the perfect environment and opportunity for simultaneous education and certification. This will make the prepared ready for future positions and raises.
For those starting their careers in smaller enterprises have a keen opportunity to perform in various security disciplines. Some actually assume appointed FSO responsibilities as an extra duty and learn as they go. Many of the defense contractor organizations are small and may only have one person in the security role. The sole security manager may only work in one discipline such as personnel security. Others have a larger scope, working with a guard force, information security, and compliance issues such as exports.
Large Defense Contractors and Government agencies also provide entry level security jobs. The job title is often security specialist and job descriptions allow for many experiences. Some descriptions use words to the affect as the following: “The candidate must be eligible for a security clearance. Job responsibilities include receiving, cataloging, storing, and mailing classified information. Maintain access control to closed areas. Provide security support for classified information processing and destruction. Initiate security clearance requests and process requests for government and contract employees conducting classified visits. Implement security measures as outlined in NISPOM.” Administrative, military, guard, and other past job experience may provide transferrable skills to allow a person to apply for the job. Once hired, the new employee learns the technical skills, they can quickly advance applying their other experiences and education.
Our industry is still a great place to learn and grow. Career advancement and promotions are continually available for the prepared. Opportunities continue to exist in companies large enough to provide increasing challenges and rewards. Some may have to apply for jobs with other enterprises to reach their potential. Others may be satisfied performing their valuable functions in an organization where their skills are valued and rewarded. Consider reading ISP Certification-The Industrial Security Professional Exam Manual. Our book provides excellent career advice and provides just the right review of NISPOM to prepare you for that important job interview. Regardless of your professional goals, what are you doing to remaining competitive?

Hiding In Plain Sight-OPSEC Procedures in a Defense Contractor Organization

While on vacation this summer I had the opportunity to bump into a famous actress. Actually, I didn’t even notice her until my wife pointed her out. But, there she was walking right past us in Dollywood, USA. At first, I did not recognize her because I really was not looking for her. Also, she had not been dressed in the fashion of her TV career. A moment later I asked my wife to continue with the children while I back tracked to get a better look.
I turned back and finally caught up with the actress and her group. Since I only wanted to verify my sighting and not bother her, I continued to walk past her, took a right and pretended to be lost. I looked around as if searching for something. After taking a discreet look I was able to finally recognize her as the TV personality. I then made my way back to my family smiling and nodding to the actress as I walked by.
“I’m not sure, but I think that was her,” I later told my wife. “Good sighting”.
Later that night, after returning to our vacation cabin my wife came running up to me.
“See, I knew that was her.” My wife held open a gossip magazine with the actress and her famous boyfriend in a photo walking along a resort beach.
In the picture, the actress had worn the same pink trucker hat and brown sunglasses we had seen her in earlier that day. I couldn’t believe it, it had been a good sighting.
“So, why didn’t you talk to her?” asked my wife.
“Well, I really didn’t know what I would say. Plus, I really think she just wanted to enjoy her holiday,” I replied.
I’ve been thinking of the event on and off since returning from our vacation. This actress had made an attempt at assuming a normal life on a normal vacation taken by normal people. However, instead of really blending in she stood out enough to be recognized by my wife (who has also been able to spot other celebrities at airports during our travels).
Our actress had attempted to blend in dressing in clothing to be somewhat incognito. However, the hat and sunglasses really made her stand out. Here in the south, many like to wear baseball caps. That day, few people wore hats. Those who did wore regular baseball caps and not the mesh type of trucker hats; especially not hot pink ones. The sunglasses were oversized and clashed with the hat (and outfit) and kind of made the appearance of someone doing everything wrong in an attempt to look like everyone else.
Not that I am a sound fan of fashion, but I am looking at this in an OPSEC or security point of view. Our actress attempted to have fun at a theme park while not drawing attention to herself or her celebrity status. However, her attempt to blend in may have failed because of her unusual dress.
Cleared professionals could learn a lesson from this story. Defense contractor and Government work should be performed in such a way not to bring attention to the operation. This applies for both classified and unclassified efforts. Practicing good OPSEC includes taking a look at your operations through the eyes of someone wanting to exploit your vulnerabilities. A good question to ask is “how would an adversary recognize our effort and how will they attempt to learn more about it?” Security managers should study the surroundings, situation, and environment to ensure performance on contracts, proprietary data and otherwise privileged information remains low key. Teach employees to work in a way to not draw unwanted attention.

Friday, June 5, 2009

Studying for the Industrial Security Professional (SP) Certification

Reading the National Industrial Security Program Operating Manual (NISPOM) will certainly have one learning new jargon and acronyms necessary to becoming fluent in Industrial Security Professional language. Throughout the exam there are questions referring to roles of government agencies. Such questions concern which organization has oversight, which organization would a security manager report a particular incident to, or which organization inspects a certain security program. The answer could be any possibility such as government contracting agency (GCA), general services administration (GSA), Cognizant Security Agency (CSA), or any other acronym of a critical federal organization listed in the NISPOM.

Consider the letters CSA which stand for Cognizant Security Agency. This acronym appears 250 times throughout the NISPOM between chapters one and eleven. The multiple listings pretty much conclude that the CSA plays an important role in managing the National Industrial Security Program. This is also one of those acronyms that a potential Industrial Security Professional must know to successfully pass the Industrial Security Professional Certification exam.

Primary questions a security manager should be able to describe are: What is a Cognizant Security Agency (CSA)? How does the Cognizant Security Office (CSO) fit in? To answer those questions, we can go to the source. However, I will answer them here. The CSAs are four primary federal agencies. They have cognizance or oversight authority over their own federal organizations. The CSAs are the Department of Defense, Department of Energy, Nuclear Regulatory Commission and the Central Intelligence Agency. Each of the federal organizations has authority and oversight over their own organizations. Each agency can delegate oversight to any office within their federal organization or to another CSA. The CSAs have Cognizant Security Offices (CSO) that take care of administrative functions. The CSAs are identified with their CSOs as follows:

CSA: Department of Defense
CSO: Defense Security Services (DSS)

CSA: Department of Energy
CSO: Department of Energy Field Offices Safeguards and Security Divisions

CSA: Central Intelligence Agency
CSO: Contract Officer's Security Representative (COSR)

CSA: Nuclear Regulatory Commission
CSO: Offices within the Nuclear Regulatory Commission

For example, the Facility Security Officer in a contractor organization under the Department of Defense (DoD) follows guidance of their CSA, the Department of Defense. Oversight and administrative functions are assigned to the DSS. The DSS provides support to the contractor as well as conducts analysis to determine whether or not the organization is capable of providing continuous protection of classified information while following the guidance of the Department of Defense. This would work in similar circumstances within each federal agency. The CSA is primarily concerned with administering clearances and oversight. They support the stipulations of the GCA.
The GCA is appointed by a federal agency to handle all acquisition functions. They provide contract support between the government agency and contractor. In our DoD example, the GSA provides contractual support to the defense contractor from the DoD. The GCA also provides the stipulations of the contract include the statement of work, DD Form 254, and other guidance on how to perform the classified work. The GCA is also an approval authority for any classified performance taking place between agencies and governments. The GCA is concerned with supporting and administering specifics of a contract. The GCA provides the guidance that the CSA will monitor.
The GSA approves equipment used in support of the security and mission. Locks, security containers, overnight delivery services and etc are approved for use by the general services administration.
Let’s check your knowledge:

1. Which organization would provide direction as to how classified information is disseminated (USPS, Overnight delivery, courier):
a. GCA
b. NSA
c. GSA
d. CSA

Remember that all classified work is stipulated by the contract. The GCA is the organization responsible for providing the specifics of how to perform on the contract. The answers can be found in the statement of work, DD Form 254, or the security classification guide. Questions concerning performance and specifics of a contract will point to the GCA.

2. Which organization would an FSO report loss, compromise or suspected compromise?
a. CSA
b. GSA
c. CIA
d. GCA
The answer is CSA. The Cognizant Security Agency provides oversight of the contractor protecting the federal agency’s classified information. All questions concerning oversight belong to the CSA.

3. Which organization provides a list of authorized overnight delivery services?
a. CSA
b. GCA
c. NSA
d. GSA

Many questions concerning approved products or services belong to GSA.
Acronyms and jargon are part of any professional organization. The FSO, security manager, security specialist and ISP certified individuals not only understand the jargon, but how it applies to protecting classified information and implementing classified programs. The ISP candidate would do well to understand the broad and general roles of the GCA, CSA, GSA and other agencies identified in NISPOM.

Tuesday, May 19, 2009

Books that should be in a security manager's library

There are several books that a security manager or facility security officer should have in their possession. No professional library is complete without these valuable resources. The books provide wonderful instruction on security systems, performing risk management, structuring a security department for success and managing classified information. I’ve read each of the books and will provide reviews as follows.

Managing the Security of Classified Information and Contracts, By: Jeffrey W. Bennett ISP I’m pleased to announce the upcoming release of Managing the Security of Classified Information and Contracts from CRC Press. This book is the only one of its kind written with defense contractors in mind. The facility security officer, contracts manager, senior officers, and cleared employee roles are defined. The reader will understand how to operate in a cleared contractor environment. This is a great overview of the National Industrial Security Program Operating Manual (NISPOM) and the acquisitions process. It is also a great resource for preparing for the Industrial Security Professional (ISP) certification exam and a great companion for ISP Certification-The Industrial Security Professional Exam Manual.

Security and Loss Prevention, By Philip Purpura Excellent resource! As a Facility Security Officer for a DoD contractor company, I find it to provide multiple layers of security or "security in-depth". This book offers insight from a retail environment that is very applicable to government and contractor security. Add this to your library.

The Security Clearance Manual: How to Reduce the Time it Takes to get your Government Clearance, By; William H. Henderson This book is timely and a gem. As an FSO, I find the information very helpful for answering security clearance related questions. Mr. Henderson's experience and know how give great insight in how the investigations work and what the subjects should expect. The persons undergoing background checks now have a clearer picture of what they can do to help get faster results. I highly recommend this book both to security specialists and to those obtaining security clearances.

Physical Security Systems Handbook: The Design and Implementation of Electronic Security Systems, by Michael Khairallah This book goes into great detail about security systems without being too simplified. My security background until recently had been in safeguarding information on a team of 22 security professionals. Recently I took a new job as the head of corporate security and had to develop new security systems. Of course I hired professionals to bid on the job, but I lacked experience to really understand what I needed. I consulted some colleagues and of course went to ASIS international for recommendations.
In the process, I was pleased to have discovered Physical Security Systems Handbook. It really helped me to work with the vendors to help them understand what I needed and better understand what they recommended. This book does an excellent job of breaking down the components of the security system (ie. strike plates, crash bars, cameras, alarms and etc). It also goes into great detail to show you how to survey existing systems and improve them. In my case, we had to start from scratch and this book helped me through the process.
If you have had similar experiences or are looking for study material for the CPP, ISP or other certifications, get this book.

Effective Security Management, Fourth Edition, by Charles A. Sennewald CPP Frankly this is an excellent book that teaches the tremendous role security plays. Contrary to some corporate environments, this book teaches that security should not be run from the background. Mr. Sennewald does an excellent job of demonstrating how security should be conducted in a corporate environment. For most, the lessons taught here will involve a change in culture that is desperately needed to allow the security function at an executive level position and allow the security executive to function at all levels.
The first chapters consider the security professional and the roles, structure and environment of the security organization at all levels of a corporate structure. The rest of the book shows how to conduct security surveys and perform risk analysis. It also spends considerable time teaching security as a profession and is heavy into how leaders should lead and conduct themselves professionally. Quality work!
After many years of working in the government, I had been looking for the ultimate "how to" book of how security should be structured. This book gets it and teaches it well.

The New School of Information Security, By: Adam Shostack This book commands attention! The authors bring to light current security practices, methods and decision analysis and their many shortcomings. The authors' thesis; to provide sound argument toward a more modern and effective way of implementing security practices. The ideas are easy to apply, but contrary to what is taught by security seminars and vendors selling security products.
While security seminars and education efforts teach cataclysmic results of security breaches, "New School" demonstrates the need for collecting data to assess the threat in a scientific manner. Shostack and Stewart champion going back to raw data to identify the threats and then develop programs to address those threats.
Aside from evidence related to loss, espionage or other threats, risk managers cannot effectively apply security measures. The authors indicate that breech data exists, but the holders are reluctant to share. However, the authors do a good job of proving that companies who publically admitted failure recovered quickly from any scandal or fallout from information or data breeches.
The authors know down the traditional walls of security training institutions. They preach good solid evidence behind decision making; otherwise security managers can not effectively determine whether or not the lack of threat is a result of new security measures or just plain luck.
The book is easy to read implement in all areas of security. The physical security, loss prevention, DoD contractor, and many others in and out of the security profession can adapt the principles to their business units.

Body of Secrets, By: James Bamford This book is well written and an easy read of one of the most fascinating agencies of all time. Mr. Bamford has performed exhaustive research into the workings of the super-secret NSA. Personally, I have a long history as an intelligence analyst during the Cold War and reading this book brings back a lot of memories of the history and working of the world at the time.

ISP Certification-The Industrial Security Professional Exam Manual, By: Jeffrey W. Bennett ISP If you are serious about advancing in your field, get this book. Learn the secrets to becoming influential, earning credibility and studying for the ISP Certification. Secret number one, you are a technical expert and know the business of protecting classified information. Let us help you prepare for the test. Our book helps you prepare for both your career and the ISP Certification Exam.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
Join our newsletter
Follow me on twitter
Linkedin Profile
Join the Linkedin Industrial Security Professional Group

Sunday, May 10, 2009

Establishing credibility as an FSO in a defense contractor

Recently, I had the opportunity to speak with a facility security officer who was ready to move on to another job. He was frustrated because he had not been able to get his senior leaders on board with the security plan. It seemed no matter what he had sent for approval, his policies were not taken seriously. Since I had only heard one side of the argument, I could not come to a conclusion about the root cause of his frustration. However, I do know that he is not alone as many FSO’s of small defense contractors face similar issues within their own companies.

Problems such as those mentioned above stem from two possible reasons in small defense contractor companies. The first is the FSO has not developed a reputation of understanding how to apply security measures to the way the company makes money. The second is that the senior officers have appointed a lover level employee to the FSO position.

Understanding how security fits into the organization is vital. Security managers who over-react or use unsubstantiated scare tactics can lose credibility quickly. They should present security programs in a way that makes business sense to the senior leaders. FSO’s should also understand that the security program belongs to the company and is not theirs. It is a business decision and not a personal success or failure. For example, a security practitioners may present security requirements above and beyond the NISPOM when they are not necessary. When challenged to justify expenses or rational for change in policy, the FSO’s may defend their decisions by recalling conference or training events and may take such requests as personal challenges. The experienced FSO understands that security decisions are based on careful risk assessment, and not on general or best practices that may not fit a company’s business model or culture.

The second problem addresses the level of the hired or appointed FSO. Suppose the FSO does make a sensible request based on threat assessment and NISPOM requirements. The program is presented professionally, but the management does not understand the role of the FSO as compliance officer and they are typically left underutilized. Perhaps they consider the FSO as a strictly administrative function. In these instances, the FSO has little input into the culture of the company and struggles to implement critical security measures.

Consider successful security models in Fortune 500 companies. They are larger and usually part of a mature corporate structure. Even larger defense contractors fit this category. Successful companies have security managers, chief security officers and compliance officers that are able to address security, privacy, and sensitive company information. These officers usually hold positions and responsibilities at the executive level as well as possess management skills and graduate degrees.

FSO’s in smaller DoD contractors have a unique challenge as far as the company culture and corporate structure. Perhaps the FSO was appointed from a lower management or assistant position. The management has mistakenly believed that the position is strictly administrative and is in place to request clearances and file away classified material. In other situations, these smaller companies grow larger with new contract requirements and responsibilities and work requirements grow with them. Those lower level employees are now faced with situations of growth, but their influence has not increased. The growth is happening and changes are made without their input, leaving them to play catch-up.

Look and act like senior leaders-So, how does the described security manager create influence and credibility that counts? First of all, they should observe the managers and imitate them. If management is dressed professionally, then the FSO should dress similar. If management requires professional and college education, the FSO should complete theirs.

Learn how the company earns money-Understand the acquisition and buying system and become an expert. When the security manager understands the contracts process, they can contribute and present the security program in such a way that everyone understands. Instant credibility is gained when management knows the security manager is on board with cost reduction and compliance.

Presenting the security program does not have to be a frustrating event. If an FSO is in a position lacking credibility and influence, then they should do whatever it takes to move to the next step. Establishing credibility is a must and it involves making the transition from an administrative clerk to a risk analyzing and compliance professional. Learning to look and act like management and demonstrating an understanding of the business cycle is key to making that move toward excellence.

Read more about this article and follow Jeff's other ariticles, newsletters and updates @
Jeffrey W. Bennett is the owner of Red Bike Publishing ( He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing

Visit our site often for in formation on the upcoming book "Managing the Security of Classified Information and Contracts".

About Red Bike Publishing: Our company is registered as a government contractor company with the CCR and VetBiz (DUNS 826859691). Specifically we are a service disabled veteran owned small business.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
Join our newsletter
Follow me on twitter
Linkedin Profile
Join the Linkedin Industrial Security Professional Group

Thursday, May 7, 2009

Preparing For Security Growth in a Defense Contractor Organization

Business growth affects the entire organization. The best thing that can happen in this case is for all the employees to be actively engaged in making the company successful. Each business unit doing its part to meet deadlines, supporting the contract or performing on the contract paves the way to overall success. The worst position for any unit to be in is failing to project the growth and causing a bottleneck in production.
When a defense contractor business grows, the engaged cleared facility security officer (FSO) is prepared for that growth. The constant development and maintenance of relationships with employees and key business units allows the FSO to forecast requirements for the storage of classified material, performance of classified work and the protection of the enterprises employees, products, and capital.
Preparing for growth involves the FSO not only training and hiring security employees, but accurately calculating classified inventory storage and work performance needs. Meeting legitimate growth is another area where an FSO should be injected into strategic planning. Contract opportunities present themselves in many variations. Classified projects, new facility or alternate locations with physical security needs and an increase in classified storage or volume are all concerns an FSO should be able to address. Such growth affects the security department and such input from the FSO benefits the organization in its entirety. However, if the FSO does not have credibility or influence, they will not be prepared to project the growth and will constantly be trying to catch up with the work. Such a posture costs plenty in company overhead.
Additional contracts or change in performance measures may require additional security personnel. A sudden growth in security storage, additional cleared projects, or added facilities, may necessitate more personnel to support the increased work load. Just as the organization lists job requirements FSO such as professional growth, management potential, technical competence, and skills, the FSO consider the same traits when preparing to hire additional help. Potential security professionals should not only be U.S. citizens with security clearances, but demonstrate competence in the tasks they are asked to do and a desire to perform. They should also have the ability to grasp and teach concepts of security to help keep the security fresh in the corporate culture.
The FSO and security specialists should work toward establishing operating procedures and a job performance description. New employees can become successful faster with formalized certification training. This training could reflect the companies policies as they support NISPOM requirements and the overall enterprise culture. It should be unique to the organization and lined with milestones that eventually allow new employees to work unsupervised after demonstrating an understanding of government regulations and company policy. During the education, the new employee can enroll in government provided on-line and residence training, lessons provided by company personnel and directly under their manager’s supervision. With a good training or certification plan in place, much of the employee’s success can be measured within the first 30 days.
New opportunities for growth can manifest through additional contracts, modification or renewal of current contracts. New requirements could call for additional facilities for the storage of classified material or the performance of unique work in closed areas. Whether constructing new buildings or modifying current facilities for unique classified work, the job calls for planning, budgeting, and compliance. The FSO is critical to forecasting the unique needs and regulatory requirements.
A successful, young company may not have all the facilities in place for future growth but should be constantly preparing for solutions. For example, suppose a defense contractor needs a conference room to host classified meetings. The FSO would research the requirements and estimated costs of such a conference room and present it to the executives and senior officers at a minimum. The FSO’s presentation would cover controls necessary to eliminate unauthorized disclosure. Such controls include: limited access to the room, the conference phone capabilities, the projectors, overhead ceiling panels, doors and other areas requiring protection measures and inspections. Finally approval form the cognizant security agency is necessary once the plan was complete.
The FSO also looks into their security organization to address internal growth. They would conduct research on where the largest growth potential concerning classified holdings would arise. Some resources or tools would be the database where classified information is logged. Such information would be used for a peek at where the company is in five years at the current growth rate.
Data base research can prevent hasty and inaccurate decisions. For example, an untrained employee may assume that growth would require additional storage shelves for paper documents. However, the security department may be generating and receiving more DVD media and fewer paper products as evidenced in receipts and file data.
The entire security department or one person FSO operation would dig deep to find information. Good databases can break down inventory by year, quarter, or any other necessary date range useful for projecting future needs. Such research could help identify classified information that can be destroyed or otherwise eliminated from storage. This would free space and save on future storage and inventory costs. Such a move can save tens of thousands of dollars annually in employee and storage costs.
As a manager of a vital business department, the FSO should be credible and influential. When an FSO does save on any costs by reducing overtime, saving electricity, or finding other alternatives while remaining compliant, these cost reductions should be reported. Understanding costs, contribution and business helps the FSO to gain credibility with executives who value their input.

Read more about this article and follow Jeff's other ariticles, newsletters and updates @
Jeffrey W. Bennett is the owner of Red Bike Publishing ( He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing

Visit our site often for in formation on the upcoming book "Managing the Security of Classified Information and Contracts".

About Red Bike Publishing: Our company is registered as a government contractor company with the CCR and VetBiz (DUNS 826859691). Specifically we are a service disabled veteran owned small business.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
Join our newsletter
Follow me on twitter
Linkedin Profile
Join the Linkedin Industrial Security Professional Group

Sunday, April 19, 2009

Performing Security Checks in Defense Contractor Organizations

Try this question out and see if you know what to do. Better yet, if you are a security manager or facility security officer, run the following scenario by your cleared employees: Your colleagues leave for lunch. On their way out, they inform you that you are going to be the only one left. Your facility is authorized to store classified materials. What will you check for prior to leaving? Which form will you sign?

The end of day security check lists play a critical role in protecting our classified items as well as personal, proprietary and company sensitive material. The end of day checklist is a procedure required in the NISPOM and other federal agency regulations. However, they could be implemented in any situation where privileged or sensitive items prove vulnerable to theft or espionage.

Though the checklist is signed daily, it should not be signed just for the sake of compliance or "checking the block". This signature should only be annotated as a result of completing the activity. "Check the block?" you might ask. Let me share with you a real life situation.

I had a discussion with a security employee who indicated that he signs the end of day checks because he is required to do so. I had observed him walking up to the SF 701 and checking the boxes indicating that the coffee pot had been turned off, the windows had been locked, the printer and desk tops had been cleared of sensitive items and the security container had been locked. Keep in mind, that he had performed no such checks.

I pressed him on the reasons he signed the check list, and he stated because he was required to do so "by the regulations."
"But why do you perform the checks," I had asked a second time.
"Because when the inspection comes due, I want to show we are in compliance.'
"But, you never actually performed the checks, you just signed the sheet."

Each and every end of shift, or prior to leaving an area where sensitive items would other wise be left unattended, ensure it is properly secured. This means checking desks, printers and trash cans for sensitive items; locking windows and doors; and implementing physical security. Each activity must be performed with equal enthusiasm as on the first day on the job. Use the check list as a guide and experience as a resource to protect sensitive information.

Our security roles can easily become routine if we lose focus. This lack of focus could lead us to forget why we perform. We are appointed to "implement and direct security programs to..." The second part of our description is the most important, "...protect classified information." Unfortunately too many people believe, " pass inspections."

Read more about this article and follow Jeff's other ariticles, newsletters and updates @
Jeffrey W. Bennett is the owner of Red Bike Publishing ( He is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "ISP Certification-The Industrial Security Professional Exam Manual"-Red Bike Publishing

Visit our site often for in formation on the upcoming book "Managing the Security of Classified Information and Contracts".

About Red Bike Publishing: Our company is registered as a government contractor company with the CCR and VetBiz (DUNS 826859691). Specifically we are a service disabled veteran owned small business.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
Join our newsletter
Follow me on twitter
Linkedin Profile
Join the Linkedin Industrial Security Professional Group

Sunday, April 12, 2009

Manage Defense Contractor Security Training

What defines this room as approved for open storage?” I had asked while consulting on a project a few years ago.

I had been in the middle of an extreme security discussion. The whole time I realized that the security employees I consulted understood their responsibilities, but did not know why the security measures were in place or where to find the guidance.

“This area is approved for open storage. So, when we leave, we don’t have to set the alarm or spin the dial,” they said.

“So, does that mean your document control folks in the other area can leave their safe open as long as they shut the door?” I asked, picking up on their logic.

“No, they are not approved for open storage.” They have to lock the security containers in their office prior to leaving them unattended.

“Correct, classified items should be secured prior to leaving the area,” I replied. “However, an area approved for open storage should be secured before leaving. That means setting the alarms and “spinning the dial” prior to leaving for any length of time, not just after hours. Again, what defines open storage?” asked.

I could see they were having trouble with this one.

“Open storage is simply having the government’s permission to keep classified information on shelves or out in the open. But only as long as it is contained in an approved room that can be secured with a GSA approved lock and approved alarms. During working hours, supplanting access control devices such as badge readers with PIN numbers or bio readers are employed.”

“Exactly,” they replied.

“But you didn’t say that. You said that you could just shut the door and leave for lunch without locking it and setting the Alarm,” I countered.

“We can, because it’s approved for open storage,”

And round and round it went, my asking questions without getting the answer I was looking for. Clearly these folks had been taught to perform a certain task, but had not received “real” security training.

So, what’s the fix? Doing just what I recommended to the security manager. Industrial security is a complex profession. There are many moving parts that require in depth thinking and proactive protection measures based on threat assessment and OPSEC. Develop training and certification for your security employees. If your company is a defense contractor or government agency, set aside time to train security employees on the NISPOM and the President’s Executive Orders or agency policies. Develop employee certification that can be validated, especially concerning new employees. Only after they have proven that they understand how to support a security program designed to protect classified information should they be turned loose to do so.

Tuesday, March 31, 2009

Managing Classified Conversation

In the course of performing on defense contracts, exchange of classified information is inevitable. The movement of classified information outside of a secure environment is to be kept to a minimum and as a last resort. Prior to removing classified information, the holder should determine whether or not the classified information is necessary and whether or not the information may already be available. When classified information is necessary in the performance of the contract, the information should be sent via approved channels.
Once the classified information is on-site, it's time to get to work. When we talk about work, we are referring to conferences, classes, engineering, services or any other environment where classified information is used. Classified information is controlled at all times to include conversations. As the senior industrial security manager in Defense contracting companies, the FSO leads the security program designed to protect classified information and prevent unauthorized disclosure. While working in the secure environment, contractors protect classified information under their control and cleared employees protect classified information entrusted to them. Without this protection, national security could face varying degrees of damage depending on what information is disclosed and how it was used. Not only is information, objects, documents, etc to be protected, but classified conversations as well. These conversations are only to be conducted in authorized areas and will be covered later in this chapter.
Classified verbal communications should only occur in controlled environments. For example, classified conversations are authorized in controlled areas where access and need to know have been verified. These classified communications should never take place in hallways, around the water cooler, in public places or car pools where eavesdropping cannot be prevented or access and need to know cannot be verified. Just as the holder of classified documents verifies a receiver’s need to know and security clearances before handing them over, the same is true for releasing classified information in verbal form.
Prior to the start of a classified meeting either the government sponsor or the contractor representative should provide a security briefing notifying attendees of the classification of information to be discussed, whether or not taking notes is permitted and if so, how they will be controlled. For example, when classified notes are permitted, they will have to be properly marked, introduced into accountability and prepared for dissemination (hand carry with the attendee or mailed at a later date). The presentation is controlled to prevent the inadvertent and unauthorized release. Each attendee should also be reminded to remove any cell phones or other electronic devices.
When working on classified material in approved locations, keep in mind that uncleared persons in the area may be within voice range. Some companies and security managers may allow cleared employees to take classified work back to their cubicles and desks. They are able to protect the information from prying eyes, but eaves dropping cannot be prevented outside of a closed area. Additionally, even though everyone may be cleared, they could be on the phone with uncleared people and any conversations can be picked up.

Please see our website for more on this topic

Friday, March 20, 2009

Who gets the combination and where does it go?

On my first day as an FSO at a defense contractor, I came across a situation that I did not like very well. It was after walking the floor and talking to employees that I became introduced to a security container. As part of my inspection, I wanted to verify all documents were properly marked and stored appropriately. Upon asking for the custodian to open the container, he pulled out his cell phone and began scrolling. I asked what he had been looking for an he stated: "I can't remember the combination, but I'm sure that it's in here somewhere."

Whoa! Hold the presses. I immediately changed the combination and took possession of the security container in my office. I also providing a clear policy and training agenda and that problem disappeared. The story has been altered to change the exact situation, but the story may sound familiar to you. But here's the question: Do your employees really understand how to protect classified information? Some younger and less mature defense contractors may require extra and unrelenting training and diligence to make sure such situations never happen. The above example is a good demonstration of what could happen when the security program is only run through the FSO. More successful programs include training conducted by managers and supervisors as they apply to the employee specific duties.

So who has access to your security containers? Do you limit it to only security personnel or do cleared program employees have it as well. This access depends on your program. Regardless of who has access, authorized employees having access to combinations or keys should be kept to the bare minimum amount necessary.

Agencies and contractors maintain administrative records and tight control for a sound security system designed to protect the classified information and to demonstrate effectiveness during security inspections. The security specialists also maintain a log of those with knowledge of combinations, change combinations, and fill out the Security Container Information Form, Standard Form 700. Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination is protected at that same level of the contents in the security container. If the contents are CONFIDENTIAL, then so is the combination. To ease in memorization, many who assign combinations use a six letter word or the first six letters of a longer word.

Instead of memorizing a long six digit number, they create a word and use a phone for the corresponding numbers. Many have magnetic combinations reminders similar to telephone touch pads. For example the number 2 corresponds with ABC, three with DEF, etc. If the memorized word is CORKIE, then the combination is 26-75-43. When persons have access to multiple safes, they may commit security violations by writing the combinations down. Using combination word clues and providing an administrative security container helps reduce the risk of such violations. You can see my website as listed below for examples of these magnetic reminders.

So, see if you can answer this question. How often should you change combinations according to the NISPOM?
The answer: Change combinations upon initial use, change in status of authorized users, compromise or suspected compromise of container or combination, when safe is left open or when required by FSO or CSA. Did anyone say "annually"? If so, better check the NISPOM. 5-309. Changing Combinations

Thursday, March 12, 2009

The delivery

Security specialists, document control professionals, facility security officers and others receive classified information, depending on the contract. Part of the receipt is the critical inspection of the package throughout the unwrapping process. The inspector is searching for evidence of tampering or to otherwise to inspect that there has been no compromise of classified material since leaving the sender’s organization. Classified material is protected by a two layer wrapping job. Each layer consists of material that is impossible to see through such as: an envelop, paper, box or other strong wrapping material. To prevent opening, the seams of the layers are covered with anti-tampering rip proof tape to create a solid layer of covering. The initial inspection is more cosmetic as the inspector looks for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.
Next, review the address labels for approved classified mailing address, return address and which does not identify any recipient by name. The label is addressed to the “Commander” if a Government entity or the name and approved classified mailing address of the contractor facility. Additionally, check to see that there are no classification markings on the outer layer. The outer layer should is designed not to draw attention that it contains classified contents. Classification markings and named individuals on the outer layer are security violations because they direct unwanted attention
The inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. Classified information should have receipts included. Receipts are not necessary with the shipment of CONFIDENTIAL material. Sign all receipts and return them to the sender.
The receiver then checks the receipt against the titles to ensure the item has been identified correctly. The receipt lists all the pertinent information to identify the contents. The properly filled out receipt identifies the sender, the addressee and correctly identifies the contents by the correct and preferably unclassified title and appropriate quantity. The title should be unclassified. If not, then the receipt is to be protected at the classification level identified in the title. When practical, contact the sender to see if it can be issued an unclassified title or prepare to store the receipt long term in an a GSA approved container.
The receiver then compares the classification identified in the receipt with that annotated on the inner wrapper. These will ensure the package is handled correctly once the outer wrapping has been opened or removed. The receiver of the classified item compares the classification marking on the contents with the wrapper and the receipt to once again verify the accuracy of the classified information and prevent unauthorized disclosure. Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return to the sender, thus closing the loop on the sender’s accounting responsibilities. The copies of receipts are filed away and the classified information is put into a database and the items are stored according to the classification.

Jeffrey W. Bennett
Author of ISP Certification-The Industrial Security Professional Exam Manual
Join our newsletter
Follow me on twitter
Linkedin Profile
Join the Linkedin Industrial Security Professional Group

Monday, March 2, 2009

The Security Budget

An Facility Security Officer (FSO)should put careful consideration into the security budget. This is a primary opportunity in the continuing plan of building credibility. The manager who arbitrarily throws in a number with meritless base is sending the wrong message. However, a well thought out line item count based on risk management, company mission and NISPOM requirements is more apt to impress and build instant respect. The budget contribution should enforce and support a message the FSO is constantly communicating. The budget request should not be first time executives are introduced to figures.
Managements support or lack of support of a security budget demonstrates either a well received or an unsupported security program. The intuitive FSO understands business, the company mission and how the role of protecting classified material fits. In that environment, the FSO provides a risk assessment based on the threat appraisal and speaks intelligently of the procedures, equipment and costs associated with protecting classified information. For example the FSO understands how to contract security vendors to install alarms, access control and other life safety and protective measures. The FSO is also able to demonstrate how the expense will benefit the company either in cost reduction or other tangible results.
The FSO presents the budget in a manner that all business units understand. For example, if part of the budget line is to provide access control there is a significant associated cost. Incorporating management involvement and support builds credibility and puts the company in a better position to provide the funding. Not only is a projected return on investment required, due diligence should be conducted. Sample questions and answers the FSO should be prepared to address are:
• Why is access control necessary? Prevents unauthorized persons from entering the premises and gives an extra layer of protection for classified and sensitive information.
• What happens if we do not implement access controls? The organization would have to commit persons to controlling the access to the company. At a manager’s salary of between $20.00 - $30.00 per hour, this could become expensive over time. The FSO could demonstrate the cost of the access controls against the time a manager takes to ensure someone provides visibility of the doors.
• What is the return on investment for access control? The intangible return on investment is the prevention of damage, injury, theft, and other risks inherent to unauthorized visitors. More tangible is the amount of energy saved while keeping the doors closed and saving energy. In one such study an FSO estimated a cost reduction of $12,000 per year cost reductions on the electric bill.
Other questions abound and the FSO should not hesitate to forward such questions to vendors. These vendors have statistics that they use as selling points for their products.
Speaking the language of business will serve the FSO well and ensure that executives understand the significance of a well supported security program. Security managers who just quote regulations or use “best practices” without putting much thought into the costs or talking points will quickly lose credibility.

Wednesday, February 18, 2009

The Compliance Officer

Today I finished up a short but very rewarding eight hour seminar on the International Traffic In Arms Regulation (ITAR) Overview. I am grateful to the staff at the University of Alabama in Huntsville and the North Alabama Trade Association for both sponsoring the event and allowing me to present. I found the course rewarding as I presented to a mixed audience of 30 professionals ranging from shipping and receiving specialists to executive vice presidents. The mix also consisted of professionals with various degrees of know-how as consultants, attorneys, technology control officers and those brand new to the field shared experiences and learned from one another. As a compliance officer in various disciplines, I have had the privilege of leading security and compliance teams and seminars on multiple topics
Though this was my first of hopefully many export regulations seminars, I noticed the similar need in the compliance field. Regardless of the discipline, compliance works best when driven from the top down. No matter the program a compliance officer intends to build or support, Influence is key when developing it whether security, privacy protection, safety, export, etc. Experience and technical savvy are great to have however, minus influence; the person is just an administrator playing catch-up in a crucial game.
Like other compliance disciplines, export compliance first and foremost helps companies and individuals successfully earn profits while playing by the rules. Our government encourages international business. The opportunities for lucrative business and growing employee experience pools make international trade an attractive endeavor. The benefits are huge as long as enterprises know the rules and are able to implement them into every program. The reality is that a license will most likely be granted when given the time and consideration required. Unfortunately, the routes people take to avoid licenses probably take more energy and export violations cause significant damage to our defense and economy
Influence comes in where the whole team understands the mission and each business unit and employee role. The compliance officer trains the company and keeps the empowered official abreast on licensing and technical assistance issues. They also establish trigger mechanisms to ensure international travel, business, or employment opportunities come to their attention early in any endeavor involving technology transfer.

Wednesday, January 28, 2009

The Classified Visit

Let’s test your knowledge of international operations. The following situation is fiction, but is based on issues facing businesses everyday. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question:
As the security manager of a classified facility, you have many responsibilities including approving classified visits. Not a problems since most visit requests are handled through agency approved data bases such as JPAS. Besides, you have a very large staff and the process is pretty much routine until….
A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual, it should be a workable solution. Do you provide the visit request form? Why or why not?
In the course of business, it is not unusual for a foreign entity to request a visit to a U.S. company. Foreign business employees may desire to visit a U.S. contractor in furtherance of a contract. When the business is related to a classified contract, involves classified information or relates to a government to government agreed upon plant visit, the foreign entity requests the visit through their embassy. The only way these types of visits are authorized is through government to government channels. Unclassified visits are sent through commercial channels and are conducted through licenses with the Department of State or the Department of Commerce.
Visit requests submitted by a foreign entity pass through their government channels to the U.S. government for approval. The U.S. government agency having jurisdiction over the classified contract submits the request to the U.S. contractor for their approval. The request also includes guidance and limitations of the information and items the foreign national will be allowed to access. The contractor reviews the limitations and determines whether or not they concur with the request. The contractor has the final say of whether or not the foreign national will access their facility.
Security managers, exports compliance officers, technology control officers, etc will face more challenges as our market becomes global. The next topic we will discuss is once a visit is authorized. What does a contractor need to do in preparation for the visit? How does one prepare employees and the visiting foreign person from exporting unauthorized technical data.

Tuesday, January 20, 2009

Assessing the security climate

I’ve recently fielded questions to some cleared employees. The intent was to generate discussion and get an assessment of how well they understood the National Industrial Security Program. I’ve received a variety of answers. The responses were intelligent, well thought out, but inaccurate. They demonstrated a lack of understanding based on popular culture and word of mouth.

Keep in mind that out of all possible respondents less than a handful replied to each question. Additionally, the survey was in no way scientific. It was just a simple fielding of questions and not intended to be a representation of the industry in general. However, they do provide a sound training solution. How can one use such data to train the force? Well, thanks for asking.

First of all, followers of this blog and the subsequent newsletter can use the same questions while conducting walk around security or otherwise conducting a security survey. Field these questions to your teams. If they respond correctly give loud and public praise. If they answer incorrectly you have just created a training opportunity. Proceed with diplomacy. Use the data you collect as a foundation to design future training. These responses go a long way in identifying weaknesses in the overall understanding of the National Industrial Security Program. These weaknesses could prove a vulnerability to your security program if not addressed properly.

Another application is to use the answers I provide here to bring about discussion or add to your security education agenda. Again, no scientific study here. However, certain broad assumptions can be made about general knowledge of the National Industrial Security Program.

Now, the questions and answers:

1. Will your security clearances or the way we protect classified material be impacted by the new administration?

a. "The President can de-classify any classified information."
b. "There should be some sort of "transition" in place for business that overlaps 4-year Admin tenures."
c. "I don't foresee any significant changes."

The reality: In recent history two sequential presidents have provided separate executive orders directing how to protect classified information. Presidents Clinton and Bush have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification.

Contractors and government agencies protect classified information based on the guidance from the executive orders. When changes occur, they affect storage capacity, employee manpower and resources toward re-marking or improving security. These resources are funded through overhead and impact profits. Organizations can project requirements and put a proactive plan in place to make necessary transitions easier.

2. Is a defense contractor allowed to advertise their facility security clearance level?
"It depends on what level you're advertising. YOu should be able to advertise clerance levels."
The reality:
According to the National Industrial Security Program Operating Manual (NISPOM , the contractor can not use their security clearance level to advertise for business.

NISPOM 2-100. General. An FCL is an administrative determination that a company is eligible for access to classified information or award of a classified contract.

c. A contractor shall not use its FCL for advertising or promotional purposes

As the lead security education provider, the Facility Security Officer has to break through perceptions. Those cleared employees should grasp a good understanding of their responsibilities to protect classified information. The FSO’s can ask simple questions to gage the effectiveness of the training and discover areas in which to conduct training.