Thursday, December 30, 2010

Red Bike Publishing

Check out all of our books, available at Red Bike Publishing. Thanks to our customers for making this possible.

Tuesday, December 21, 2010

Go Ahead, Take the ISP Certification Exam

Industrial Security Professional (ISP) Certification is growing in popularity. According to the Society of Industrial Security Professionals (NCMS), the number of ISP Certified members is increasing rapidly. That's great news for those in industrial security, as we are now moving toward more credibility. This growth may be due to the recent ramping up of the program and the emphasis placed on it by local level NCMS chapters. Also, as more people become certified, others may be viewing their success as motivation and gaining confidence in their own ability to pass.

Seeing more and more peers meeting the qualifications and passing the exam may make it more of an attainable goal.

The test is not easy and neither are the qualifications to take the exam. Those with over five years of experience protecting classified information are eligible to take the exam. There are other qualifications and a visit to NCMS's ISP Certification website will provide all the information one needs about the program. NCMS also hosts a study course to help prepare candidates for the exam.

Why certify? Professionalism, respect of peers and a sense of pride for the individual and the company they represent. Certification demonstrates a willingness to grow and commit to the career. Studying for the ISP Certification exam is not to be taken lightly. Those who protect classified information are probably doing a great job protecting sensitive information in their cleared contractor facilities. However, passing the certification requires broader learning and experience.

Where a defense contractor may only maintain personnel clearances (PCL) and have approval for a non-possessing facility clearance (FCL), the test encompasses the entire National Industrial Security Program Operating Manual (NISPOM) and related forms and regulations.

For example, XYZ Contracting is a non-possessing facility and all classified work is performed at a Government location. The FSO's day to day operations focus on ensuring employees' PCLs are up to date. In this situation they do not have experience with receiving and storing classified information, dissemination, classified processing on information systems, Foreign Ownership, Control and Influence (FOCI), the International Traffic in Arms Regulations (ITAR) and many other areas addressed in the NISPOM. They may be lacking the skills and know-how to perform these functions.

However, there is hope. A good understanding of the NISPOM can help. The good news is that the test does not require detailed knowledge of the regulations, just the ability to find the answers to questions. A person well versed in how to find answers to security scenarios in the NISPOM can pass the test. Study groups and opportunities are available from NCMS, vendors and contractors. NCMS has a mentorship program offering a study group with a proven track record. There are also several companies offering training that can help students pass the exam. Additionally, the ISP Certification-The Industrial Security Professional Exam Manual; Or How to Study for and Pass the ISP Certification Exam is available as a terrific supplement to any study program. NCMS has recently announced a plan to increase its study group fee to $50.00 for members and $100.00 for non-members. Other programs range from a few hundred to several hundred dollars. So far, Red Bike Publishing's book is the best priced and already has a proven track record.

Whatever study method or combination of study methods you use, make a plan to take the certification. Your career and professional growth may depend on it.

Friday, December 10, 2010

Those Security Reminders

Magnets are available at Red Bike Publishing

Sometimes no matter how careful we are, we forget. It's not in our nature to multitask so much that we aren't aware of our surroundings, but we've been conditioned to do more with less. Work is frequently interrupted by phone calls, impromptu meetings, or overcome by events as coworkers and email compete for our time. We are doing more busy work, but may not be learning skills necessary to keep our focus.

Security specialists, compliance officers, FSOs and others in positions of responsibility are depended upon to keep situational awareness. Items and information of national security importance must be safeguarded to the standards of the National Industrial Security Program. This includes proper markings, storage, and protection when hand carrying, mailing or otherwise transmitting from one cleared facility to another.

Some FSOs can attest to keeping a guardian's intense focus on classified information. However, cleared employees who perform the actual contract work may not always maintain that laser focus. The interruptions mentioned earlier can compete for their attention and possibly cause them to temporarily forget that they are in possession of sensitive information, or to forget to spin the combination dial or shut the GSA approved security container.

When such incidents occur, investigations, security awareness training and after action reports can help to change behavior and improve the security environment. Also helpful are reminders that classified information is out and unsecured. These can be door hangers, desk tents, combination reminders and OPEN/CLOSED security container or safe magnets.

Door hangers can be put on the inside of doors to remind room occupants that they are in possession of classified information. If an interruption occurs, the cleared employees are reminded before they leave the area that classified material is out. Desk tents work the same way. Additionally, door hangers can be placed on the outside of a door to notify other employees not to enter a room where sensitive work is being conducted.

Combination reminder magnets help prevent violations by helping authorized users remember words that relate to a combination. Additionally, OPEN/CLOSED safe or security container magnets remind employees that the safe may be unsecured. A blazing red 2 x 6 inch magnet will do the job.

While the FSO is focused on developing programs to protect classified items, cleared employees may need reminders. Simple things can help maintain the right amount of awareness and prevent security violations.

Friday, December 3, 2010

Books — Red Bike Publishing

If you are studying for ISP Certification or are just interested in becoming a more informed FSO or security specialist, check out our books.

Saturday, November 27, 2010

Professional Certification and Career Advancement

Industry Sponsored Certification

Certification says a lot about a professional. This individual has dedicated personal time and has committed to intensive study to improve their skills on the required topics. Supervisors and managers may set a goal for employees to reach a level of experience or even challenge them to seek a certification. Employees who have achieved a professional certification have experienced preference in job hiring, retention and promotion. Though a certification does not guarantee an employee such benefits, it does demonstrate a few important qualities to their management. Primarily, those certified convey a commitment to the profession, investment in the enterprise, and a high level of experience and knowledge.

Organizations that hire employees with certifications or encourage employees to become certified benefit from the experience. In many cases, employers pay for the certification exams and other fees related to the certification requirements. They recognize the dedication their employees demonstrate, the experience gained, and the marketability of the certified. Other benefits to the company include bragging rights; certifications can be included in company profiles. When applicable, defense contractors can mention employee certifications when listing capabilities and responding to requests for bids. For example, they can mention that the FSO “is board certified to protect classified information” and list the certification and source. Those who solicit bids, including prime contractors and Federal agencies, also recognize certifications. Certifications are also good credentials for vendors who install security systems, provide guards, perform document destruction or provide other security services.

As leaders, FSOs can help security employees understand how to create incredible security programs. Focusing on training, interaction with other cleared employees, self-improvement and institutional education should be part of professional development. FSOs who write security evaluations for direct reports have an excellent opportunity to help them establish goals to become better at their jobs, more impactful in their careers and, hopefully, groomed to become FSOs themselves. Challenging employees and team members to achieve personal and professional goals breeds success.

Industrial Security Professional Certification

The ISP Certification is one goal FSOs could set for themselves as well as encourage employees to achieve. The employee gains from such education and a prestigious career milestone. The organization also benefits from what the security employee learns and applies on the job. When employees study for the ISP Certification, they learn: how to read and apply the NISPOM, the importance of forming professional relationships with cleared employees, how the cleared contractor and the DSS representatives interact, and much more.

A leader also creates pride in the organization and the employee by making them more competitive in their career and providing a basis for professional pride. The path to the ISP Certification should not be taken alone. When employees are challenged with the goal, the manager can help by providing or allowing education as found on the DSS, professional organization or vendor websites. Studies on NISPOM topics are available on the internet as well as on site. If your team is large enough, consider helping them start a study group.

If the cleared contractor facility has multiple security employees, provide an opportunity to cross train. Security employees who work personnel security issues could work with document control, and so on. FSOs could have security employees from one discipline inspect another security section during the annual self inspection. Another idea is for the FSO to create an internal certification program. This helps integrate new employees into their jobs. A self-certification program would train an employee on performing individual tasks. The employee works under a mentor who verifies and documents the training. This training covers how the cleared contractor facility security employees practice document control, manage personnel security, provide classified contract support and so on. If such a program exists in your organization, consider using it to further cross train employees who concentrate on only one task. This will help them become more experienced and more prepared for the exam.

Employees may not feel comfortable asking for training, setting prestigious goals, or asking for funding for professional organizations or certifications. However, a supervisor who is aware of such opportunities can encourage the employee to become engaged.

Most applicable is the Industrial Security Professional (ISP) Certification sponsored by the NCMS (Society of Industrial Security Professionals). The certification exam is based on the National Industrial Security Program Operating Manual (NISPOM) and consists of 110 multiple choice questions. The first 100 questions come from the NISPOM and referenced regulations and forms. The last 10 questions are made up of select electives. Security administration and management, document security, information system security, physical security, personnel security, international security, classification, security education, audits and self assessment make up the certification’s core topics.

Though NCMS membership is made up of several thousand security specialists and FSOs, the ISP certification is open to non-members and includes security disciplines such as personnel security, guards, document control, contracts management and all other disciplines. It is not only for those with security titles, but for anyone who performs security functions while working with classified information and material: for example, a company president who also serves as FSO, an engineer, project manager, clerk, cleared security service provider, military service member, Federal employee or anyone else who can demonstrate that they protect classified information in the performance of their job. The ISP Certification is relatively new and is increasing in popularity and gaining momentum. You can find out more about NCMS and ISP Certification through their website or by searching “industrial security professional certification” or “ISP Certification” in your favorite search engine.

Other Certifications

There are many sources available for certification applicable to both defense contractor and government security professionals. Some have more weight than others, but all require good preparation time. The certifications mentioned below are but a few of the most popular. Not all of them can be listed here, and the intent is not to recognize one above another. For convenience, we are listing four certification sources familiar to those who are experienced in the industrial security field. These are the more popular sources for the certifications most often listed on business cards and titles.

Some other pertinent security certifications are provided through the American Society of Industrial Security International (ASIS). This organization is made up of more than 35,000 security practitioners, suppliers and service providers throughout the world. The scope of coverage is larger and less industry specific. As a professional organization, ASIS enjoys a membership consisting of law enforcement, military, government, defense industry, loss prevention, and other professionals. To meet the demand for a professional presence, ASIS sponsors three certifications meeting differing needs in the security industry. The Certified Protection Professional (CPP), Certified Professional Investigator (CPI) and Physical Security Professional (PSP) each provide professionalism and opportunities to excel in broad disciplines.

Wednesday, November 24, 2010

How FSOs use Security Metrics in a Cleared Defense Contractor Facility

Metrics are tools leaders use to assess the effectiveness of their programs. These metrics indicate successes, failures or areas where significant improvement is needed. Metrics data are found in surveys, inspections, and reports and are pulled for the specific purpose of understanding where the program is. The other part is understanding where the organization should be and comparing that with the results.

FSOs should make metrics development and use a top priority. Chief security officers, chief information officers and other executive level security managers understand how to read metrics and use them to focus with pinpoint intensity on directing their security programs within their companies. Security managers in lower positions can use the same skills to gain influence in their companies. Because of the nature of compliance with government regulations, the task may be easier for FSOs to accomplish.

An FSO has readily available data to determine and communicate the effectiveness of the security program. Gathering available information, creating a detailed database and performing solid analysis will show whether the program is succeeding. Whether or not a security program is where it needs to be can be determined from information found in the following sources:

* Incidents, infractions, violations reports with compromise or suspected compromise
* Annual DSS reviews
* Annual self-inspections
* Professional and organizational certification
* Self-reporting statistics
* Security Awareness Training
* Security budget
* Contractual requirements

The above list is not all inclusive, but it represents readily available information that is directly affected by security or that influences security decisions.

Incidents, infractions, violations and reports of compromise or suspected compromise as Metrics - These should be made at each occurrence and analyzed regularly. Reports indicating that compromise or suspected compromise has occurred are taken seriously and forwarded to the CSA. Many other reports of minor consequence are not required to be sent outside of the organization, but are extremely helpful as indicators of the organization's security health.

Annual DSS Reviews as Metrics - According to the NISPOM, DSS is responsible for determining the frequency of annual inspections. Inspections are typically conducted every 12 months, but circumstances can require more or less frequent visits. DSS inspects the facility's security program for the primary purpose of ensuring the contractor's program properly protects the classified information it is charged with protecting. Additionally, the inspection program is designed to improve the effectiveness of the contractor's security program. At the conclusion of the inspection, the contractor is given a rating ranging from unsatisfactory to superior.

Annual self-inspections as Metrics - The self-inspections offer other exceptional opportunities for FSOs to improve the security program as well as measure results from the previous DSS annual audit. The self-inspection is conducted by security personnel organic to the company. It is a requirement that affords the opportunity to look into procedures, review documentation, review incidents and conduct classified holding inventories, among other tasks. These self-inspections are typically conducted midway between the annual audits and help keep the security team focused on improvement and compliance.

Professional and Organizational Certification as Metrics - Quality and other outside agency reviews are performed to qualify a company for a rating. These reviews are purposefully strenuous and thorough in an effort to discover the enterprise's business functions, policies and procedures. Depending on the inspection, each outside agency is invited to bring in experts to analyze a company's performance. The inspector visits every aspect of the organization, measuring the company's compliance, record keeping, improvements and other performance issues, and makes a determination of whether or not it is worthy of the certification.

Security Awareness Training as Metrics - Attitudes toward security awareness programs are great indicators of the FSO's program. Comments that reflect a desire for, or loathing of, continuing security awareness education speak volumes. Those who are conscious of the need to protect national security assets and classified information understand the need for training. Refresher training is a requirement identified in the executive orders, DoD and federal agency regulations, including the NISPOM.

Security Budget as Metrics - Security budget support or lack of support can either demonstrate a well received or unappreciated security program. In a functional security manager role, the intuitive FSO understands business, the company mission and how the role of protecting classified material fits. The FSO can provide risk assessment and speak intelligently of the procedures, equipment and costs associated with protecting classified information. They understand how to contract outsourced security resources to install alarms, access control and other protection measures. The FSO is also able to demonstrate a return on investment.

Contractual Requirements as Metrics - An FSO who has developed rapport, a reputation for integrity and considerable influence is instrumental in helping the company achieve its goals. Classified work is identified on the DD Form 254 and the statement of work. The FSO should understand associated costs inherent to the classified work identified in the contract and the DD Form 254.

Results of Metrics Data

A security manager can use such metrics or data to write a white paper or report, or to provide a chart, for employees, managers and executives for several purposes. Regardless of the report media, the objective should be to improve the state of security and communicate the results to the executives and shareholders. Employees can be trained on recognizing proper procedures and preventing future occurrences by changing behavior. Managers can use the information to direct change in their employees to provide better security. Executives can use the information to identify programs or projects with probable risks and use the data for strategic planning. Finally, the shareholders (taxpayers, board of director members, customers, and employees) gain a good understanding of their return on investment.

Wednesday, November 17, 2010

Classification Markings Should Increase Awareness Not Lethargy

Working on classified projects may seem intimidating at first. Over time, the work quickly becomes routine and perhaps mundane. The cleared employee can quickly go from being impressed with their responsibilities and alert in their actions to a more relaxed attitude. Soon the classified items and the markings can become invisible and ineffective. Many modern examples of security violations include cleared employees leaving classified information unattended at their desks, in lunch rooms and in other unsecure areas. Such actions have led to possible compromise, as safes have even been left open and unattended or accidentally removed from a cleared facility with classified information still inside. Even security employees have left safes unattended and have misplaced classified materials.

Though markings do relay intended information, they should not be the “stand alone” technique. Some industrial security specialists have added even more markings to already cluttered media hoping to prevent a user lapse in judgment. Once again the effectiveness begins to wear off. To counter the effects, the holder of the classified material must remain vigilant and aware of their surroundings and situation at all times. This is a proactive posture and requires a bit of imagination. Such security is accomplished with solid training and reminders of responsibilities while possessing classified information.

Simple acts such as maintaining a clean desk policy have helped to reduce security violations. In this situation, an employee removes everything from the tops of their working surfaces or desks except for the classified material. By following that simple practice, a busy employee will be aware that any articles on the desk require extra diligence and must never be left unattended unless in an approved closed area. When no longer needed, classified information should be locked up in a security container or closed area. If a desk is empty, the cleared employee can also assume that there are no classified items out. This discipline creates an environment that reduces the chances of the employee leaving a classified item vulnerable to compromise if they forget to secure it prior to taking a break or leaving for the day. Also useful is the posting of a desk tent and door hanger with an important reminder that classified items are left out. As the employee leaves their work area, they will encounter the warnings on their desk or door handle.

In certain cases some classified materials may need to be stored separately from other classified articles. For instance, items with NATO classifications are stored in separate containers, drawers, shelving, etc., to prevent unauthorized disclosure or possible compromise. Vigilance of classified markings pays off and is well worth the tough training that industrial security managers may undertake to learn to recognize such markings. When documents do need to be stored separately, other access control systems prove very worthwhile.

Monday, November 15, 2010

Interpreting Requirements in the DD Form 254 and NISPOM

A cleared contractor can help reduce costs by preparing ahead of time. This is where an experienced FSO can anticipate expenses, perform risk assessment while implementing the NISPOM and advise on ways to reduce costs while remaining compliant. The more money saved on overhead expenses, the greater the overall company profit. The earlier in the process the assessment is conducted, the better the company performs overall. Timing is the key, as some of the security requirements depend on the approval of the CSA. Conducting the assessment or coordinating with DSS after committing to the contract may place the contractor in the tough position of building “closed areas”, rooms for classified meetings, or ordering more GSA approved containers (safes) and meeting tough governmental compliance on short notice before being able to perform on the contract. Such late planning could prove costly.

The FSO works with managers and all involved in the organization’s decision-making process. This team consists of program managers, engineers, security, contract and other managers responsible for developing business with the prime contractor or GCA. This team, regardless of individual duty description or organization structure, speaks for the company and commits the company to perform as the contract specifies. As part of this group, the FSO provides information and guidance on protecting classified information in the process. This could translate into significant cost reduction.

Understanding how to advise and assist in the development of the DD Form 254 is fundamental. It provides the groundwork for ensuring the GCA requirements are clear, applicable and understood. Since the government provides the protection requirements, getting in on the ground level of development can only benefit the contractor.

Friday, November 5, 2010

Storing Classified Information Keeps Cleared Employees Honest

We’ve all been there: the calls coming in just as we reach our homes or late at night. Someone didn’t properly secure classified information. Many times investigations conclude that classified information has not been compromised. However, time, energy and resources are spent to conduct investigations, find root causes and re-train.

To prevent the above situation, end of day checks serve as a precaution against leaving classified information unattended. The last cleared employee departing an area where classified material is used, stored, transmitted or otherwise accessed should follow a checklist prior to leaving. The checklist leads the employee to inspect storage containers, tabletops, walking surfaces, printers, copiers, and computers to ensure that no residual classified material is left unattended. While the end of day check is vital when leaving classified areas unattended, it is not required when an area is manned 24 hours per day, seven days per week. This is according to the National Industrial Security Program Operating Manual (NISPOM), section 5-102.

Though not required by the NISPOM, government forms are available online for use, or just to serve as a model in the strengthening of security programs. Companies are free to use these forms or create their own. One such form is the Activity Security Check List, Standard Form 701. Again, unless the contract or Government agency requires the use of a specific format, the company is free to adapt its own version. Regardless of the system used, the security checks are effective measures and have proven successful. Unsecured classified information would otherwise have been susceptible to compromise.

The biggest threat to national security doesn’t arrive with a burglar breaking in. Unattended classified information provides great opportunities for accidental or purposeful unauthorized disclosure. Chances are the classified information that is left out may be compromised by an uncleared employee, or at least an employee with no need to know. Justice Department websites are full of investigations and court cases involving trusted employees involved in the unauthorized disclosure of classified information. Improving end of day checks, employee security awareness training, and the reporting of security infractions and violations just makes it harder for the insider to steal, copy or otherwise remove classified information. Reduce opportunities; reduce risk.

How Defense Contractors can Earn the Cogswell Award; Or Earning an Excellence In the DSS Inspection

Nine recipients out of 13,000 cleared facilities nationwide earned the Cogswell Award this year. This award is the ultimate achievement for the security program at any cleared facility. How do winners do it? They develop a program that is worthy of such an achievement. Your company can do this too.

One requirement is to go “above and beyond” the requirements of the NISPOM. The hardest part is institutional training and getting the rest of the organization on board with the security program. Setting security goals that everyone understands and creating an organization-wide security culture everyone can live with is extremely important. Institutional training also encourages your employees to report any and all security violations, suspicious contacts, and foreign travel, which will further enhance those efforts.

Being prepared for the annual security inspection by implementing daily security management processes is the key to receiving a superior rating. An in-depth security process, which includes physical security, visitor control, and security education throughout the year, will add to the success of your security program. Methods such as developing a monthly Security Newsletter, displaying Security Awareness Posters around your facility, and sending Security Related emails that remind employees about their Reporting Responsibility will put your security program above and beyond the requirements of the NISPOM. Self-inspections, end-of-day checks, well organized personnel files, current DD Form 254s and proper JPAS records management will boost your rating as well. In addition, an approved document control system (Information Management System) and a well-managed computer security program will demonstrate excellence to your DSS rep.

However, all of this preparation will be in vain unless you develop a partnership with your DSS rep. Taking the time to invite your DSS rep to your facility for an informal meeting and to introduce your staff will create a comfort zone when you have a security issue to discuss. It may also make the inspection a bit less stressful for you, because you have made the effort to get to know your rep. It is also important to demonstrate the complete support of your upper management for the security program. This can be accomplished by the display of proper locks, card access systems, front desk procedures for visitors, display of badges, and other visible signs that promote Security Awareness that would only be accomplished with full management support.

By developing a security program outlined in the NISPOM and approved by your DSS rep, the Cogswell Award is definitely a reachable goal for your company. Through DSS and your rep, you can obtain everything you need for your security program. You can also reach out to fellow security professionals and join security associations, such as NCMS and ASIS, to further enhance your security program and your security knowledge. Once you receive two consecutive superior ratings, your company is eligible to be nominated for the Cogswell Award by your DSS rep. The process is very rigorous and thorough, but entirely worth the effort!

The Defense Contractor FSO’s Well Rounded Security Training; Or How Contractors Prepare to Perform on Classified Contracts

Facility Security Officers (FSOs) are highly trained to meet the requirements of the NISPOM. Training should reflect the NISPOM requirements as specified in the Contract Security Classification Specification (DD Form 254). If the FSO is in a non-possessing facility (one that holds no classified material), the training requirements are baseline. However, possessing facilities have more requirements that the FSO should be prepared to meet. The objectives of the FSO Program Management Course are to prepare the FSO to implement and direct a NISPOM-based security program in their cleared contractor facility. The training includes, but is not limited to, the following topics:

Protecting classified material – The proper receipt, accountability, storage, dissemination and destruction of classified material. The FSO learns how to protect classified information in a cleared contractor facility.

Required cleared employee training – This instruction helps the FSO establish an ongoing training program designed to create an environment of security conscious cleared employees. The FSO learns to provide effective training to cleared employees, teaching them to properly protect the classified material and report questionable activity and violations. Such training includes initial security briefings and annual security awareness training.

Personnel security clearances – The FSO gains an understanding of the personnel security clearance request procedure, briefing techniques and maintenance of personnel clearances.

Facility clearance – The FSO learns how FCLs are established. They are also taught which records and activities are required to maintain the FCL.

Foreign Ownership Control and Influence (FOCI) – Organizations analyze foreign investments, sales and ownership on a regular basis. FSOs learn to interact with management and provide guidance and direction in preventing a foreign entity from unauthorized access to classified and export controlled information.

Export compliance and international operations – International business opportunities abound in a global economy. FSOs receive instruction on how to prevent unauthorized disclosure of critical technology, controlled export items and military classified information. Companies can thrive in such an environment provided they can advise on or execute Department of State and Department of Commerce licenses and agreements as required.

Restricted areas – Setting up temporary environments for classified work. The restricted area is established to control temporary access to classified material. At the end of each work day, the classified material is returned to the approved classified holding area.

Closed areas – Government-approved space for storing and working with classified material. This involves approved construction and limited access controls to prevent unauthorized disclosure during and after work hours.

Communications security (COMSEC) – Some contracts may require the establishment of a COMSEC account with the National Security Agency to facilitate secure communications via computer, telephone, facsimile machine or radio. This instruction provides basic information about how to perform under COMSEC requirements.

Duties of an FSO – The FSO should understand not only the job description, but how to communicate with management and fellow employees. Responsibilities include accountability while implementing and directing a security program to protect classified material and meet NISPOM requirements.

Contract security classification specification (DD Form 254) – This is the vital piece of the classified contract. The FSO cannot execute or allow access to a classified contract unless they possess the customer issued DD Form 254. The FSO also understands how the DD Form 254 is constructed and how to provide input to better meet security requirements.

Security classification guides – As the DD Form 254 provides authorization to execute a classified contract, the SCG provides the “how to” instruction. All employees performing classified work consult the guide to understand what is classified and how to provide the required protection.

Security administration and record keeping – This teaches the maintenance of facility and personnel security clearance information as well as all other accountability information management requirements. The FSO is expected to provide original documentation on Foreign Ownership, Control or Influence, facility clearances, SF 312, training completion, and classified inventory and disposition. Additionally, some records are not authorized for retention, such as the completed security clearance application or SF 86 (as of 2006 they are destroyed once the investigation is complete). The CSA reviews the required documentation during the annual security inspection.

Subcontracting – The FSO will learn their role in subcontracting. Prime contractors are authorized to release classified information on a contractual basis. If approved to subcontract classified work, the contractor will provide a DD Form 254 to authorize the classified subcontract. They will also provide a security classification guide.

Wednesday, September 1, 2010

Wednesday, August 25, 2010

How to Get a Facility Security Clearance for Beginners

Before a defense contractor can perform on a classified contract, it must be approved for a security clearance. You might be familiar with security clearances for people, but defense contractor facilities must also be approved for security clearances, called a facility clearance (FCL). Having an FCL doesn’t mean that a particular building is approved for a clearance; rather, the determination is based on the entity. For example, a defense contractor facility may be a sole proprietorship, a limited liability company, a corporation, a university or another recognized establishment. It is the organization itself, and not the building, that gets the clearance.

A company cannot process itself for a clearance. The clearance is based on a legitimate classified contract from either a government entity or other prime contractor. A company can bid on a classified contract even if it does not possess an FCL. However, it must receive the FCL prior to beginning to work on the classified contract.

When a defense contractor has a legitimate need for a clearance, it is sponsored by the awarding government agency or prime contractor. This sponsorship begins the clearance request process. The sponsoring organization notifies Defense Security Services (DSS), which works with the defense contractor to complete the requirements for an FCL. To be eligible for a clearance, the defense contractor facility must first have a good reputation for doing business and be in good standing. DSS will research and evaluate the company. Meanwhile, the candidate company works with DSS to provide the four remaining requirements.


A security agreement (DD Form 441) must be signed. This agreement describes the responsibilities that both the contractor and the government have to protect classified information. For example, in the security agreement the government agrees to provide security clearances and the contractor agrees to follow the National Industrial Security Program Operating Manual (NISPOM).

Additionally, the defense contractor has to complete the certificate pertaining to foreign interests. Once the contractor completes the certificate, DSS will have a good indication of whether, and how much, a foreign entity might influence classified contracts. If the contractor falls under foreign ownership, control or influence, the amount of influence will have to be mitigated.

The defense contractor will also turn in documentation indicating how it is organized (corporation, sole proprietorship, LLC or other formation). DSS will use this information to determine how the contractor is managed and how decisions are made, because DSS needs to know how decisions concerning classified information are made.

Finally, an FCL is not granted until the required key personnel are granted a security clearance. According to the NISPOM, the senior ranking officer in the company and the FSO must be granted security clearances. Other personnel are granted clearances based on the minimum necessary to efficiently meet the needs of the classified contract.

In summary, defense contractors come in all shapes and sizes. The NISPOM provides the minimum requirements a defense contractor must meet to be granted an FCL. Whether the contractor is organized as a single owner/employee, a university or a large corporation, it must meet all five criteria:

Have a contractual need and be in good standing

Sign a security agreement

Provide a certificate pertaining to foreign interests

Be a real company organization in the US or territories

Key management personnel are granted clearances

FSO 101 - How to Manage the Security of Classified Contracts

For defense contractors, there can be nothing better than winning a contract and providing a great product or service. For cleared defense contractors, landing a classified contract improves their opportunities. However, these opportunities come with more requirements that must be addressed. Contractors performing on classified contracts are required to protect this information according to the National Industrial Security Program (NISP).

The NISP was established in 1993 under Executive Order 12829. The purpose of the NISP is to protect classified information at the proper level whether it is in the hands of the U.S. Government or a defense contractor. The NISP provides reciprocal protection of the same information no matter which organization holds it. In other words, similar classified information should be protected the same way whether at a government or a defense contractor location. The NISP provides the minimum standards for everyone to abide by. Even though some organizations may implement more rigorous security measures, they cannot go below the minimum standards.

The NISP also directs the creation of the NISP Operating Manual (NISPOM). This is the government’s guidance for protecting classified information at Department of Defense contractor organizations. Additionally, each government agency created its own security guidance reflecting the requirements of the NISP.

Each government agency created security specialist positions to establish and enforce security measures to protect classified information. Similarly, the NISPOM requires a cleared contractor to appoint a Facility Security Officer (FSO). The defense contractor can hire a full-time security employee or simply appoint an employee to the position as an additional duty. Whether operating as the security manager full time or on an as-needed basis, the FSO is responsible for ensuring that classified information is protected.

For small contractors, this can be more challenging. I’ve visited some defense contractor facilities made up of five engineers in a small building doing great things. While focused on the eureka moment, they are still responsible for protecting both classified and unclassified government information. While large corporations can hire and train a group of security specialists, such protection may prove a difficult endeavor for very small defense contractors with a single point-of-contact FSO who has no experience with basic security concepts.

While on the surface this may prove difficult, there are ways to make the job more manageable. The first place to start is with the Defense Security Services (DSS) industrial security representative. They oversee the NISP implementation for the Department of Defense at cleared contractor facilities. They also help FSOs get the required FSO Program Management Course. DSS offers this online training for cleared facilities whether or not they are authorized to possess classified information. Training is available at DSS also offers bite-sized courses that can be completed in less than an hour on topics including marking, transporting, safeguarding and disseminating classified information. A complete novice can learn the appropriate mindset in a short amount of time.

The next step is to determine which parts of the NISPOM apply. For the most part, Chapters 1, 2, 3, and parts of 5 apply to all cleared contractors. However, other chapters may apply on a case-by-case basis. FSOs can make more effective use of time by developing security measures tailored to the applicable parts of the NISPOM. For example, if a non-possessing contractor only maintains employee security clearances, there is not much call to apply security measures for protecting classified information or classified processing. In this case the FSO would do well to ensure they are practicing personnel security as outlined in the NISPOM and inspected by DSS. To help focus direction, the customer provides the cleared contractor with instructions on how to perform on the classified contract in the DD Form 254 and the contract. The DD Form 254 specifically addresses the protection of classified information. If additional help is needed, the defense contractor can also contact a reputable consultant or join a professional organization.

Additional FSO duties may include export compliance. This position is assumed by many FSOs and requires knowledge of defense items and services that require special permissions prior to export. The State Department has jurisdiction. The NISPOM does cover export compliance, but the International Traffic in Arms Regulations (ITAR) is the State Department’s regulation, and the ITAR provides the in-depth guidance.

The cleared contractor is responsible for implementing and directing the protection of classified information as it relates to the NISPOM, the DD Form 254, security agreements and the contract as they apply to the cleared facility’s mission. The NISPOM provides the guidance. The FSO is the appointed position responsible for ensuring the cleared contractor applies the NISP. This is a tough job, but there are resources available to make it a more focused and efficient effort.

Tuesday, August 3, 2010

Industrial Security Newsletter - iContact Community
Great article on performing security while walking around. Check the pulse of your security program while getting to know your employees.

Wednesday, July 28, 2010

Using the International Traffic in Arms Regulation for Export Compliance

International Traffic In Arms Regulation

Several years ago while serving as a defense contractor’s export compliance officer, I was approached by a business development manager. She stated that the company was pursuing a contract with a foreign country to provide a defense material. The material had both military and civilian application. In this case, they were pursuing a contract for the material with a civil application. She rationalized that since the transaction would not be a defense article, the company should not need to seek an export license.

Though there is guidance for what and how to export, many export issues are unique and may not be fully understood by defense contractors. For example, a company was recently fined for violating an export law by shipping a controlled chemical. In another case, a company was charged with providing technical drawings to a foreign country. A few years ago, Chinese officials downloaded technical information from an American defense contractor employee’s computer without his knowledge. The employee faced charges even though he did not willingly provide the data: he had brought the computer and technical information to China without approval. Lack of understanding in the above cases did not provide a good defense. The lesson is that though the US Government values international business, US companies must understand export laws and operate within them.

In the above cases, the individuals involved could have prevented violations had they understood how to identify technical data under export controls. Such information is available in the International Traffic in Arms Regulation (ITAR). The ITAR contains the United States Munitions List (USML). The USML is a listing and explanation of export-controlled defense items and services. Also, those involved in the above offenses may not have understood the definition of an export. An export can be defined as providing technical data to a non-US person. This can be done by shipping items, oral and written communications, messenger service, etc. It also includes bringing a technical item or service to another country, providing information on paper and through multimedia presentations. An export can also occur when a non-US person views controlled information on an unattended computer screen. In all situations, US persons should protect and control defense products and services according to the ITAR.

The ITAR states, “Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register...”. This direct wording does not leave much room for any other interpretation. All US persons or organizations involved with making Defense articles or providing defense services must register with the State Department’s Directorate of Defense Trade Controls (DDTC).

Additionally, the Defense Federal Acquisitions Regulation (DFAR) states, “It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” It is in the company’s best interest to understand export laws and how they apply to the organization’s mission. The responsibility to identify export-controlled information and provide proper protection falls exclusively on the organization. The company should exercise due diligence and know when and how to seek export approval.

Some defense contractors may not immediately understand these responsibilities. The primary resource for guidance concerning the export of defense goods and services is the ITAR. The ITAR walks a defense contractor through their responsibilities including:

Which defense contractors should register with the DDTC?

Which defense commodities require export licenses?

Which defense services require export licenses?

What are corporate and government export responsibilities?

What constitutes an export?

How does one apply for a license or technical assistance agreement?

Fortunately, I was able to refer to the ITAR while consulting our business development manager. I was able to demonstrate that the item had a dual-use application. One use was civil and the other was military. In such situations, the State Department has jurisdiction. We were able to request and receive proper authorization to export the item. Export situations are unique. Always refer to the source (ITAR) and consider employing knowledgeable export compliance officers, attorneys or consultants experienced in the export of defense articles and services.

Friday, June 25, 2010

Life Imitates Thriller Art

I was watching a thriller movie that I had seen sometime in the 80’s. It was as good as the first time I saw it. The scene played out where the police catch a bad guy in the act of espionage. As the good guys move in for the kill, the bad guy yells out “Diplomatic Immunity” and holds up his credentials. We see our dejected investigators halted by those two powerful words. It’s not until later, after several minutes of good snooping to even better suspense music, that our heroes save the day and the perpetrator is put away in spite of his diplomatic status.

Sometimes life imitates art. Just like in the thrillers that we watch or read, the evildoers seem to either be, or think they are, smarter than the good guys. They find loopholes that protect their crimes and there isn’t a thing the good guys can do about it. Finally, at the last climactic moment, the good guys find the evidence they need to make a prosecution stick, just as in the movie mentioned above.

A similar thriller plays out in a courtroom according to a January 22, 2010 Washington Examiner article called “Defense Official’s Mom Introduces Him to Chinese Spy”. According to the article, James Wilbur Fondren provided three papers to a Taiwanese businessman who paid a consulting fee. Unbeknownst to Mr. Fondren, the Taiwanese businessman was a Chinese spy.

Mr. Fondren’s defense brought up three issues. First, Mr. Fondren only provided classified information in one of the three papers. Second, the classified information was over-classified. Third, the classified information would have been public knowledge within hours of release.

Mr. Fondren gets to have his day in court and he is innocent until proven guilty. So, just for education purposes, let’s leave the case and look at the issues the defense brings up. We can take it on a point by point basis and provide valuable learning opportunities.

Point one: Only part of the three articles provided classified information.

All classified information should be handled according to the National Industrial Security Program. For defense contractors, the National Industrial Security Program Operating Manual describes how cleared contractors should protect classified information.

Point two: The classified information was over-classified.

Depending on the source, up to 85% of classified information may be over-classified. That is a problem for the original classification authority (OCA) to resolve. Cleared contractors should only be concerned with how to protect classified information according to the markings provided by the OCA. Failure to protect classified information could result in various degrees of damage to national security.

Point three: The classified information was public knowledge within hours of the paper being written.

Until notified by the OCA, classified information will remain classified. If an open source reveals information a user knows is classified by an OCA, the holder is to continue to treat the information according to its classification markings. In other words, just because someone puts classified information in a book or posts it to a website, that information does not become unclassified. That is the OCA’s decision.

These three points should also apply when protecting technical information identified in the United States Munitions List (USML) as provided in the International Traffic In Arms Regulation (ITAR). Just because someone posts the technical information online or in a book doesn’t make it open source. That is always a Department of State determination, not the perpetrator’s.

Art sometimes does imitate life. The above scenario could easily be the subplot of an international thriller. Some contractors may not completely understand how to protect sensitive information. They may try to find loopholes or shortcuts to meet their agendas. Good FSOs are training their cleared employees to do things the right way by following requirements found in NISPOM and ITAR. Some of the points I’ve used above came from real life situations that I’ve discovered while consulting or working as an FSO or Export Compliance Officer.

Saturday, June 19, 2010

Industrial Security Newsletter - iContact Community

Sign up for our newsletter. Everything you need to know about industrial security is here.

FSOs Can Conduct Effective NISPOM Annual Security Awareness Training; How To Pass DSS Requirements

My friend took up running a few months ago. He started out with just a short jog, but is now running four and a half miles with increasing speed. He challenges himself with each workout, getting better and better. Conversely, I have another friend who runs “twenty minutes a day”. He gets dressed and plods his 20 minutes until he is done. In this example, both are running, but one is increasing endurance and speed. He’s getting better and more skilled. The other is just maintaining, going through the motions.

Our goal as security trainers is to teach cleared employees to protect classified information. We use the National Industrial Security Program Operating Manual Chapter 3 guidance as the standard. As leaders we want to implement and direct security programs that protect classified information as they relate to our cleared facilities. Trainers have two choices:

1. Challenge our employees to get better and more effective

2. Go through the motions and plod along with the minimum requirements.

Choice one is more challenging. It requires research and coordination. The trainer builds upon the foundation of the last training session. They also design each training session to relate to specific contract-related tasks. For example, a complete training program can be designed around statements of work and the DD Form 254. Specific training tasks can be designed around Items 10, 11, and 13 of the DD Form 254 as they relate to the defense contractor’s requirements. This choice integrates cleared employee-specific performance tasks with the NISPOM requirements of:

Choice two is the easiest. It just requires using the same training year after year and never increasing the skill level. Each year the trainer provides the same information defining the damage resulting from the unauthorized disclosure of Confidential, Secret or Top Secret information. Training of this type tends to talk down to cleared employees who may have a great understanding of security requirements. Instead of providing greater security skill levels, the training never develops past the beginner level. In other words, the initial security training briefing is given year after year. The training just regurgitates the NISPOM. It doesn’t show the cleared employee how to implement the NISPOM requirements in their day-to-day work.

The danger with this type of training is that the cleared employee may feel professionally insulted. Many have worked on classified contracts for years and have a tremendous understanding of their requirements. As they work on contracts, they gain valuable skills and are regularly challenged to protect classified information in unique and changing environments. They become quickly disheartened by having to attend training that spoon feeds information at a very basic level.

While in the Army, we were always trained to take the hard right over the easy wrong. Tough and challenging training takes work. It also may require an FSO to recognize that they are not always the subject matter expert. FSOs do know the NISPOM, but they are not the SME on individual contract requirements. An excellent way to provide training is to recruit trainers from the cleared employee ranks. The FSO can direct the training and the recruited SMEs can help others understand the application to specific contracts.

Clearly my friend will continue to train hard and increase his speed and distance. His efforts are concentrated on the training he needs to achieve his goals. FSOs can use the same intense focus to turn their training around. Consider combining DD Form 254 and contract requirements with NISPOM procedures to create a better organization of cleared employees capable of protecting classified work.


How to Prepare for the NCMS Industrial Security Professional (ISP) Certification Exam

Recently the NCMS (Society of Industrial Security Professionals) National Seminar organizers announced the incredible news that a record number of security professionals have taken and passed the Industrial Security Professional (ISP) Certification Exam. Their diligence and study plans have successfully led them to the distinguished title of Industrial Security Professional. We congratulate all the new ISPs; it is well deserved and we wish you continued success.

We’d like to encourage those who haven’t tested to develop a plan and take the exam. According to recent testimonies, ISP Certified individuals stated that they received promotions, raises and respect almost immediately. You can see these comments on the NCMS website. Additionally, resumes posted on the site are now requesting that candidates have the ISP designation.

According to the NCMS website, there are a few minimum requirements potential candidates must meet before applying for the ISP Certification Exam. Those who meet these requirements have a better chance of passing the certification exam. Test candidates must have at least five years of experience in industrial security, must work in security at least part time as part of their job description, and must have a letter of recommendation from their supervisor. If they don’t have a supervisor, they can contact an NCMS chapter chair for further guidance.

Five years of experience in industrial security; working at least part time in security

You wouldn’t want to attempt this test without this level of experience. The test is designed to check a candidate’s knowledge of the NISPOM and how to protect classified information in cleared contractor facilities. Those who have five years of experience have probably practiced the skills necessary to take the exam.

This requirement translates to protecting classified information according to the NISPOM. This opens the door for engineers, program managers, security monitors and others who have spent considerable time working with and protecting classified information. There are exceptions to the industrial security part. For example, if you’ve protected classified information in any capacity, you may be eligible. Prior to taking my ISP Certification exam I had only my government security experience. Though it wasn’t NISPOM-based experience, I requested and received NCMS’ approval.

Don’t confuse experience with the need to study.

Fortunately the ISP Certification Exam is an open-book test of the NISPOM. No one is expected to know every word of the NISPOM, just how to find the appropriate answers. The exam is made up of 110 questions, with 100 of the questions relating to the NISPOM and the remaining in an elective area. Even with the five years of experience, potential candidates should develop a study plan. Some recommendations include joining the NCMS study group, creating a local study group and practicing how to quickly search the NISPOM. 110 questions in two hours go by fast, so practice often.

Some practical ways to prepare

Schedule a test date - Once you schedule, you have a year to take the online exam. Setting the date is the toughest part, but a ticking clock is sometimes a good motivator.

Take part in security inspections - This helps familiarize you with possibly new areas of the NISPOM.

Practice other industrial security disciplines - If you work in a large organization, expose yourself to other NISPOM security disciplines. For example, if you work in personnel security, learn some things about document control.

Familiarize yourself with the NISPOM structure - Go through the table of contents and familiarize yourself with the chapters. It’s easier to search for training requirements when you know that training is in Chapter 3. Searching a few pages in Chapter 3 is easier than searching the entire NISPOM.

In conclusion, register for the exam, set a date, and begin a study program.

You can find study recommendations, practice questions and NISPOM links at

Thursday, April 29, 2010

How FSOs Develop a Risk Assessment Model to Protect Classified Information

I’ve posted a few articles on risk assessment and using the risk assessment results to implement and direct a security program to protect classified information. I’ve even written about how risk assessment can help you determine whether or not you need alarms, cameras and other protective measures above what may be required of the NISPOM. However, what I have not written about is how to do a risk assessment.

You might recall that in earlier articles I’ve emphasized the importance of finding out what the threats to classified information are for your particular organization. One of my concerns is that a lot of FSOs may financially commit their companies to expensive endeavors that may not even be required. Industry standards and common practices may almost seem like requirements. To some, it may be unheard of not to have alarms, cameras or access control systems (door magnets and card readers). However, these are not required by the NISPOM (except for intrusion detection systems as identified in the NISPOM) and may even be unnecessary in many circumstances.

What’s needed is a risk assessment. If cameras and alarms are necessary, then provide the evidence to your company officers and get it in the budget. If not, provide the findings to your management to demonstrate your value at reducing unnecessary costs. They will appreciate your assessment and ability to provide realistic and useful input.

Risk assessments can be as scientific and involved as you need them to be. However, I prefer simplicity and am willing to accept the small risk of error that a simple assessment tool may bring. As simple as this design is, its value has always been tremendous. Again, a risk assessment is to be used to complement the requirements of the NISPOM, not replace them. For example, classified information is ALWAYS required to be stored according to the NISPOM, regardless of the risk level you might identify.

Begin with a list of what you would like to protect: classified information, product, employees and visitors, export controlled items, etc. These will go under the column called assets. These are what you as the FSO and/or senior security manager want to protect. The list can be as long or short as you want it to be, but it should indicate the most important items you and your organization want to protect.

Next, what are the threats? Do you live in an area subject to theft, break-ins, violence or severe weather? Is your company next to a transportation terminal handling explosives or dangerous chemicals? Is the organization in a high risk area for potential security violations? Does your company have poorly trained cleared employees? This information will go in the threat column.

The next column is the probability of occurrence. I like to use a scale of 1-5, 1 being the lowest level of probability and 5 being the highest. This column predicts the chance of the threat occurring. The next column is the level of impact, again using a scale of 1-5. Here you will predict the severity of the damage and impact to the asset.

In this example, I looked at three threats to classified information stored at a fictional cleared facility. The first threat is insider espionage. I gave it a score of 3, meaning that the probability of classified information getting out by way of an insider was high. The impact is a 5, meaning that the insider would know exactly what to take and may be able to do so without detection.

The next threat is a break-in. Based on threat data and crime reports, I’ve determined that spies have not been breaking into the company and gaining access to classified information. The impact of a break-in will be relatively low, as an outsider will be hard pressed to determine what to steal and where it is stored (without help from an employee or insider).

The next threat is severe weather. The probability of wind damage is pretty solid where we live, and tornadoes form often. The probability of a tornado or high winds destroying a facility exists. The impact of the facility’s destruction is high, and the scattering of classified information cannot be negated or predicted.

Based on my assessment, the number one threat is insider espionage. With a score of 15, I will ensure that my countermeasures primarily address this threat. My budget may be constructed to include employee training on how to identify the insider threat. I may also develop procedures to limit access to classified processing, copying, or other interaction with classified material.

The next priority is severe weather. With a total score of 8 I will focus my efforts on developing and rehearsing how to protect classified information when disaster strikes. I would also spend time identifying and training cleared employees on how to search for and recover classified information after a disaster.
I would not spend much of my budget or effort addressing the break-in and theft of classified material.

Committing tens of thousands of dollars in alarms, cameras and access control to counter a small threat is not justified. However, if part of your assessment includes life and health safety (violence, theft of product and other non-classified threats) then yes, consider these measures.

This exercise was developed only to demonstrate how to address risks to classified information in an intelligent manner. Again, this was just a snapshot. A real conclusion on the way ahead cannot be made until all assets and threats have been identified. Once finished, you will have a list of priorities on which to focus security efforts. From there you can develop your countermeasures and mitigate the impact of a threat. Keep assessing as you get new contracts and requirements, and be sure to keep your management informed.
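The scoring model described above, as an added worked example (not the blog's own tool): each asset/threat pair is scored probability x impact on the 1-5 scales, ranked, and sorted into funded versus accepted threats, while the NISPOM storage baseline stays in place regardless of score. The insider scores (3, 5) are the article's; the article gives only the severe weather total of 8 and no numbers for the break-in, so those splits, the asset names and the budget threshold are assumed.

```python
"""Simple FSO risk assessment register (added example, not the article's own tool).

Scores each (asset, threat) pair as probability x impact on the article's 1-5
scales, ranks the results, and keeps the NISPOM baseline controls separate
because they apply no matter what the score says.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, as in the article

# Controls the NISPOM mandates regardless of risk level: the assessment
# complements the NISPOM, it never replaces it.
NISPOM_BASELINE = [
    "Store classified material as the NISPOM requires (e.g. GSA-approved container)",
]


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: int  # 1-5
    impact: int       # 1-5

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.threat}: probability and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def rank_risks(risks):
    """Return the risks sorted highest score first (ties keep input order)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def countermeasure_plan(risks, budget_threshold=5):
    """Sort threats into 'prioritized' (fund countermeasures) and 'accepted'
    (minimal budget or effort). The threshold value is an assumption."""
    plan = {"baseline": list(NISPOM_BASELINE), "prioritized": [], "accepted": []}
    for r in rank_risks(risks):
        bucket = "prioritized" if r.score >= budget_threshold else "accepted"
        plan[bucket].append((r.threat, r.score))
    return plan


# Constructed register for the article's fictional facility. Insider (3, 5) is
# the article's; weather is split 2 x 4 to match its total of 8 (split assumed);
# the break-in numbers are assumed low values, as the article describes.
EXAMPLE_RISKS = [
    Risk("classified information", "insider espionage", probability=3, impact=5),
    Risk("classified information", "break-in / theft", probability=1, impact=2),
    Risk("classified information", "severe weather (tornado)", probability=2, impact=4),
]

if __name__ == "__main__":
    for r in rank_risks(EXAMPLE_RISKS):
        print(f"{r.score:>2}  {r.threat}")
    print(countermeasure_plan(EXAMPLE_RISKS))
```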

Tuesday, April 20, 2010

Should Cleared Employees Travel With Classified Information-FSOs Can Make Intelligent Assessments

I am writing this article just after a trip with multiple plane changes. I had travelled by air on many occasions, but this latest adventure had a new twist. Never in my life had I travelled without luggage, and I must say it was quite liberating. It all started innocently enough and with a bit of routine. I am an experienced flyer; I had always begun each trip with a checklist to ensure I had packed everything and almost always loaded my car ahead of time.

However, this time was different. I packed my luggage with almost a careless flair. “Wouldn’t it be funny if I forgot my suitcase?” I had said to myself for no apparent reason. The next thing I remember is getting out of my car in long-term parking and opening my suitcase. Remember, I am an experienced traveler and I am supposed to remember these things. Perhaps my experience caused me to have a forgetful or maybe cavalier attitude.

I promptly walked to my gate with purpose and a spring in my step. I had checked in online and had my boarding pass. No luggage; no reason to stop at the ticket counter. I had what I really needed in my carry-on bag: my computer for the new book I’m writing, and some necessary paperwork for my business trip.

I continued with this feeling of freedom, thinking it was nice to get off the plane and go to my rental car. I didn’t even have to go to baggage claim. I just had to make a stop for clothes at the department store on the way to the hotel. Change of clothes purchased, I went to my hotel and prepared for the next morning’s meeting. On my way back home, I repeated the process: checked in online, printed my boarding pass, passed through security and went straight to the gate. Upon arrival I bypassed baggage claim and drove home.

You can also help others experience a similar freedom by not travelling with sensitive or classified information. Sure, your cleared employees may have a million reasons for you to prepare classified information for travel. However, there may be alternatives. Let’s take a look at the risks first.

Fatigue and forgetfulness-Just like the experienced traveler in my example, even those who protect classified information on a daily basis can become forgetful. Long hours, constant movement, cramped quarters, convenience breaks, restaurant visits, etc. can contribute to fatigue or distractions that may cause someone to lose their luggage (classified package). Other contributing factors include cancelled flights or other changes that cause longer layovers or possible overnight stays.

Alternatives-Cleared employees should consider alternatives prior to travelling with classified information. For starters, ensure that the classified information is indeed necessary. If so, is it already located on site? If not on site, can it be sent ahead of time via approved mailing or overnight delivery, or can it be transmitted through approved fax or email?

If classified information is not necessary according to the contract, or if the work can be performed without it, don’t bring it. If similar classified information is already on site, use it. If there is enough notice, send the classified information ahead without burdening your cleared employee with carrying it.
When applying these alternatives, be sure to coordinate with the receiving FSO or sponsoring organization. Classified information may have to be introduced into their facility according to their policies. Also, if hard copies are needed or other administrative and time consuming measures are necessary to prepare the classified material for use, make sure it is pre-arranged and approved.

Sometimes travel with classified or sensitive information is the only option. However, there may be opportunities for safe and secure methods of transmitting classified information without using a courier or cleared employee. Conduct a risk assessment, review the options and make an intelligent decision.

Tuesday, April 13, 2010

Are Alarms Always Required For Contractors and FSOs according to NISPOM?

The National Industrial Security Program Operating Manual (NISPOM) is THE guidance for Defense Contractor Facility Security Officers. However, it doesn’t always answer some questions these FSOs might have about protecting classified information. For example, suppose a defense contractor company has an Indefinite Delivery/Indefinite Quantity contract. In that contract, the facility is required to store information classified at the SECRET level. Do they need an alarm?
In this scenario, the FSO has only had to request security clearances for employees required to perform classified work at another facility. To date, classified work had not been performed or stored at the cleared facility. So far, she has done an excellent job of managing the clearances and received a COMMENDABLE in her last DSS review.
Now, a delivery order requires the storage of SECRET documents on site. Fortunately the FSO has been preparing for such an opportunity. She has recently purchased an approved security container adequate for holding the classified items. However, she isn’t sure whether or not the company needs to have an intrusion detection system (IDS).
So, does the cleared contractor storing SECRET information require an IDS? Do you think you know the answer?
Well, according to the NISPOM, this situation does not require an IDS. SECRET information is only required to be stored in a GSA-approved security container. IDS is required for TOP SECRET, and for SECRET not stored in a GSA-approved container in a closed area. How many of you thought that IDS is always required?
This is where risk management comes in. IDS may be required, but not by the NISPOM. If you live in a high crime area or life safety considerations require it, get the IDS, but only do so after assessing the risks. Many small companies do not have the vast security budgets of their larger colleagues. Many large companies may have CCTV, magnetic card readers, IDS and many other state of the art security measures as a “best practice” consideration. But many times the return on investment may not be there if risks are low or non-existent.
An FSO can demonstrate value added by determining whether or not the need for IDS exists and then presenting the pros and cons to management. A terrible and costly mistake is to request security measures just because they are “industry standard”. Know what NISPOM says, implement NISPOM requirements, but make an intelligent determination for all other security

Thursday, February 4, 2010

How Contractors Get Facility Security Clearances

Having a Facility Clearance (FCL) makes a business attractive, but that desire does not provide the needed justification for obtaining a security clearance. The FCL is strictly contract based and demonstrates an enterprise’s trustworthiness. A company is eligible for a facility security clearance after the award of a classified contract. The FCL is the result of a lengthy investigation and the government’s subsequent determination that a company is eligible to have access to classified information.
A company can bid on a classified contract without possessing a facility clearance, but it is sponsored for a clearance after the contract is awarded. The interested company cannot simply request its own FCL, but must be sponsored by the Government Contracting Activity (GCA) or a prime contractor. Once the need to conduct classified work is determined, the next requirements are administrative. The company has to submit proof that it is a legal entity organized under the laws of the United States, the District of Columbia or Puerto Rico and has a physical location in the United States or its territories. The enterprise has to be in good business standing, and neither the company nor its key managers can be barred from participating in U.S. Government contracts.
The company being sponsored for a clearance should immediately obtain the federal regulations necessary to determine the government’s guidance for working with classified material. For Department of Defense contractors, the National Industrial Security Program Operating Manual (NISPOM) is the most frequently used. The sooner the contractor obtains their copy of the regulations, the quicker they will begin to understand their expected role in protecting the nation’s secrets.
A critical piece of the sponsorship program revolves around the Cognizant Security Agency (CSA) having a good understanding of the subject company and their mission. To do this, the CSA will need to review organizational structure and governance documentation to determine who can commit the company and make decisions. This information includes: articles of incorporation, stock records, corporate by-laws and minutes.
The senior company officer, FSO and other key management employees will be processed for a security clearance. The CSA may also want to see proof of citizenship and other information to determine eligibility for a clearance. The other officers and board members may be excluded from the security clearance process if they will not have influence over cleared contractor decisions.
Aside from corporate entity documentation, the CSA will collect and complete additional forms sometime during the FCL process. These forms include, but are not limited to, the Department of Defense Security Agreement (DD Form 441) and the Certificate Pertaining to Foreign Interests (SF 328). The CSA will advise the contractor on how to fill out the forms and answer any questions the contractor may have.
The DD Form 441 lists the responsibilities of both the cleared contractor and the government. The contractor agrees to implement and enforce the security controls necessary to prevent unauthorized disclosure of classified material in accordance with the NISPOM. The contractor also agrees to verify that the subcontractor, customer, individual and any other person has the proper need to know and possesses the security clearance necessary to access classified information. The Government will also instruct the contractor on the proper handling, storage and disposition of classified material usually in the form of the DD Form 254 (Figure 2-3). The Government also agrees to provide security clearances to eligible contractor employees.
The SF 328 is used by the contractor and the CSA to determine whether or not, and to what extent, the cleared contractor falls under Foreign Ownership, Control or Influence (FOCI). The primary concern is always protecting classified information from unauthorized disclosure. In today’s changing world it is not unusual for a cleared company to be involved in international business. If classified contracts are under the control of a foreign entity, the classified information could be in jeopardy of unauthorized disclosure. Additionally, items that fall under the International Traffic in Arms Regulations (ITAR) could be in jeopardy of unauthorized export. If a contractor falls under FOCI, the CSA will evaluate its ability to mitigate the extent of foreign influence concerning classified information and approve, deny or revoke the FCL. Companies that are determined to fall under FOCI can still compete for classified work; however, there are measures to be taken to ensure that only U.S. persons control the scope of classified work.
The FCL is a determination that a legal entity is trustworthy and able to safeguard classified information. The FCL relates to an organization and not to a physical location or building. For example, a cleared contractor organization can move locations and keep the FCL. The FCL remains in place until either party terminates it. If for some reason the contractor no longer needs access or is no longer eligible for access to classified material, or either party terminates the FCL, the contractor must return any classified material to the GCA or destroy it.

When is accountability of classified information required in NISPOM?

The FSO designs a policy to maintain strict control over classified material. The NISPOM requires control of classified information at the TOP SECRET level. However, all classified material received, produced or reproduced at the facility should be brought into possession for control, audit and inventory purposes. The NISPOM does address the cleared contractor’s responsibility to maintain an information management system to protect and control classified information. This control and accountability facilitates visibility of the classified material and allows for preventative measures against unauthorized disclosure or identification of security violations.
Once the material is received and the delivery inspected against the receipt, the FSO or security specialist can input the information into the information management system or in other words, a retrievable database. This database can be something as simple as logging the information into a notebook or through technology such as software sold on the market. Some companies and federal agencies have developed internal forms and examples are available on the internet.
The FSO is charged with protecting classified material and an accountability record is an excellent tool for controlling classified information introduced into the company. With the accountability record, document disposition is annotated with additional receipting action. Some accountability records track document dispositions from inception to dissemination on the same record. Contractors are not limited to a certain method of document control other than the ability to track the status of classified information the cleared facility possesses.
The benefit of creating a database using any of the input (title, document number, contract number, receipt date, etc.) is great. The database facilitates retrieving the classified material and producing documentation and classified information within a reasonable amount of time, as required by the NISPOM. Using a database as the information management system aids in tracking classified information, offering increased protection and accountability.
An information management system can help facilitate an annual inventory of all levels of classified information. Because of the positive identification and control involved, inventories aid in the protection of classified information. If during the course of a normal inventory, a document is not readily found, a more thorough search takes place. Any part of the information management system record is part of a growing data warehouse that may prove beneficial in finding the misplaced product.
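A minimal accountability record of the kind described above, as an added example (not the blog's own or any vendor's tool): documents are logged only after the delivery is inspected against the receipt, dispositions are annotated with their receipting action on the same record, and the inventory check compares what is physically found against what the register says is on hand. The document numbers, titles and contract numbers are constructed sample values.

```python
"""Minimal classified document accountability register (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    doc_number: str
    title: str
    contract: str
    classification: str
    received: date
    receipt_verified: bool              # delivery inspected against the receipt
    disposition: Optional[str] = None   # e.g. "transmitted", "destroyed"
    disposition_date: Optional[date] = None
    disposition_receipt: Optional[str] = None


class Register:
    def __init__(self):
        self._records = {}

    def receive(self, rec: Record):
        """Bring a document into accountability; refuse unverified deliveries."""
        if not rec.receipt_verified:
            raise ValueError(f"{rec.doc_number}: inspect delivery against receipt first")
        if rec.doc_number in self._records:
            raise ValueError(f"{rec.doc_number}: duplicate document number")
        self._records[rec.doc_number] = rec

    def disposition(self, doc_number, action, on, receipt):
        """Annotate a disposition plus its receipting action on the same record."""
        rec = self._records[doc_number]
        if rec.disposition:
            raise ValueError(f"{doc_number}: already {rec.disposition}")
        rec.disposition, rec.disposition_date, rec.disposition_receipt = action, on, receipt

    def on_hand(self):
        return sorted(n for n, r in self._records.items() if r.disposition is None)

    def find(self, **criteria):
        """Retrieve records by any field, e.g. find(contract="C-0001")."""
        return [r for r in self._records.values()
                if all(getattr(r, k) == v for k, v in criteria.items())]

    def inventory(self, found):
        """Compare document numbers physically found against the register."""
        expected, found = set(self.on_hand()), set(found)
        return {"missing": sorted(expected - found),
                "unaccounted": sorted(found - expected)}


def build_sample_register():
    """Constructed sample entries (document and contract numbers are made up)."""
    reg = Register()
    reg.receive(Record("DOC-0001", "Test plan", "C-0001", "SECRET", date(2010, 3, 1), True))
    reg.receive(Record("DOC-0002", "Design spec", "C-0001", "SECRET", date(2010, 3, 2), True))
    reg.receive(Record("DOC-0003", "Threat brief", "C-0002", "TOP SECRET", date(2010, 3, 5), True))
    # DOC-0002 transmitted back to the customer; the return receipt is recorded.
    reg.disposition("DOC-0002", "transmitted", date(2010, 4, 1), "RCPT-0042")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.on_hand())
    print(reg.inventory(found=["DOC-0001"]))  # DOC-0003 should be searched for
```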

Should Only the FSO Have a NISPOM?

Presidential Executive Orders established the National Industrial Security Program to provide cleared contractors guidance on protecting classified information. After all, the government has an obligation to protect what it owns, directs or controls; in this case, classified contracts and all associated classified information. The National Industrial Security Program Operating Manual (NISPOM) was developed to instruct cleared employees on how to request and maintain clearances, process and protect classified information and much more. Though the Facility Security Officer (FSO) implements and directs a security program to protect classified information, many of the functions in the NISPOM are not executed by the FSO.
If the NISPOM applies to all, why not make it available to all? For example, it is the cleared employee who performs the classified work such as marking, wrapping, writing contracts, reading, assembling or deriving classified information or other functions of working with classified products. The FSO has oversight, trains, briefs, and ensures compliance. However, part of the security awareness training could involve showing employees how to consult the NISPOM. Same goes for providing marking and wrapping guides and tools necessary to work on the classified information.
If a manager approaches an FSO about an opportunity, the FSO should consult the NISPOM with them. Experience and credibility allow the FSO to guide the decisions. The FSO also ensures there is a strong corporate policy based on the organization’s business model and how it applies to the NISPOM. In other words, not all of the NISPOM applies to every cleared contractor. It is important to know that cleared contractors do not need to consult Chapter 8 if they don't perform classified processing. For many, only NISPOM Chapters 1, 2, 3 and parts of 5 and 6 apply.
Performing well on classified contracts is the business of cleared contractors. Being technically proficient by knowing NISPOM requirements for PERFORMING classified work may enable business to flow more efficiently. The FSO isn't always there, but the NISPOM requirements are. Consider initial training and annual security awareness training. They are both required, but most of the training happens on the job; manager to employee.
FSOs have their role and should assume it with authority. Reports, inspections, training, briefings, contractor to GCA or CSO relationships, etc. are functions of the FSO. Other details are performed by the cleared employees performing on contract, and the NISPOM and corporate policies are great tools for them. In that capacity, the NISPOM should be part of their library.
Also, consider small organizations where the FSO may be a senior executive, contracts manager, HR professional, engineer etc. Wouldn't it make good business sense to have the entire organization work as "force multipliers" for security or should that senior executive perform all the functions?
Employees should not run the security program, but they should be enabled to make informed decisions about classified work. The FSO runs the security show, but the cleared employee performing on contracts is responsible for protecting the classified information. Providing the NISPOM, the International Traffic in Arms Regulations (ITAR), Occupational Safety and Health Administration (OSHA) regulations and other regulations for reference may also prove beneficial.