Friday, June 5, 2009

Studying for the Industrial Security Professional (SP) Certification

Reading the National Industrial Security Program Operating Manual (NISPOM) will certainly have one learning the new jargon and acronyms necessary to become fluent in the language of the Industrial Security Professional. Throughout the exam there are questions referring to the roles of government agencies. Such questions concern which organization has oversight, which organization a security manager would report a particular incident to, or which organization inspects a certain security program. The answer could be any of several possibilities, such as Government Contracting Agency (GCA), General Services Administration (GSA), Cognizant Security Agency (CSA), or any other acronym of a critical federal organization listed in the NISPOM.

Consider the letters CSA, which stand for Cognizant Security Agency. This acronym appears 250 times throughout the NISPOM between chapters one and eleven. That many occurrences pretty much confirms that the CSA plays an important role in managing the National Industrial Security Program. This is also one of those acronyms that a potential Industrial Security Professional must know to pass the Industrial Security Professional Certification exam.

Primary questions a security manager should be able to answer are: What is a Cognizant Security Agency (CSA)? How does the Cognizant Security Office (CSO) fit in? To answer those questions, we can go to the source. However, I will answer them here. The CSAs are four primary federal agencies. They have cognizance or oversight authority over their own federal organizations. The CSAs are the Department of Defense, Department of Energy, Nuclear Regulatory Commission and the Central Intelligence Agency. Each of the federal organizations has authority and oversight over its own organizations. Each agency can delegate oversight to any office within its federal organization or to another CSA. The CSAs have Cognizant Security Offices (CSOs) that take care of administrative functions. The CSAs are identified with their CSOs as follows:

CSA: Department of Defense
CSO: Defense Security Services (DSS)

CSA: Department of Energy
CSO: Department of Energy Field Offices Safeguards and Security Divisions

CSA: Central Intelligence Agency
CSO: Contract Officer's Security Representative (COSR)

CSA: Nuclear Regulatory Commission
CSO: Offices within the Nuclear Regulatory Commission

For example, the Facility Security Officer in a contractor organization under the Department of Defense (DoD) follows the guidance of their CSA, the Department of Defense. Oversight and administrative functions are assigned to the DSS. The DSS provides support to the contractor and conducts analysis to determine whether or not the organization is capable of providing continuous protection of classified information while following the guidance of the Department of Defense. This would work in similar circumstances within each federal agency. The CSA is primarily concerned with administering clearances and oversight. They support the stipulations of the GCA.

The GCA is appointed by a federal agency to handle all acquisition functions. They provide contract support between the government agency and contractor. In our DoD example, the GSA provides contractual support to the defense contractor from the DoD. The GCA also provides the stipulations of the contract, including the statement of work, DD Form 254, and other guidance on how to perform the classified work. The GCA is also an approval authority for any classified performance taking place between agencies and governments. The GCA is concerned with supporting and administering specifics of a contract. The GCA provides the guidance that the CSA will monitor.

The GSA approves equipment used in support of the security and mission. Locks, security containers, overnight delivery services, etc. are approved for use by the General Services Administration.

Let’s check your knowledge:

1. Which organization would provide direction as to how classified information is disseminated (USPS, overnight delivery, courier)?
a. GCA
b. NSA
c. GSA
d. CSA

Remember that all classified work is stipulated by the contract. The GCA is the organization responsible for providing the specifics of how to perform on the contract. The answers can be found in the statement of work, DD Form 254, or the security classification guide. Questions concerning performance and specifics of a contract will point to the GCA.

2. To which organization would an FSO report loss, compromise or suspected compromise?
a. CSA
b. GSA
c. CIA
d. GCA

The answer is CSA. The Cognizant Security Agency provides oversight of the contractor protecting the federal agency’s classified information. All questions concerning oversight belong to the CSA.

3. Which organization provides a list of authorized overnight delivery services?
a. CSA
b. GCA
c. NSA
d. GSA

Many questions concerning approved products or services belong to GSA.

Acronyms and jargon are part of any professional organization. The FSO, security manager, security specialist and ISP certified individuals understand not only the jargon, but also how it applies to protecting classified information and implementing classified programs. The ISP candidate would do well to understand the broad and general roles of the GCA, CSA, GSA and other agencies identified in the NISPOM.