Friday, June 25, 2010

Life Imitates Thriller Art

I was watching a thriller movie that I had seen sometime in the 80's. It was as good as the first time I saw it. The scene played out where the police catch a bad guy in the act of espionage. As the good guys move in for the kill, the bad guy yell's out "Diplomatic Immunity" and holds up his credentials. We see our dejected investigators halted by those two powerful words. It's not until later after several minutes of good snooping to even better suspense music that our heroes save the day and the perpetrator is put away in spite of his diplomatic status.

Sometimes life imitates art. Just like in the thrillers that we watch or read, the evil doers seem to either be or think they are smarter than the good guys. They find loopholes that protect their crimes and there isn't a thing the good guys can do about it. Finally, at the last climatic moments, the good guys find the evidence they need to make a prosecution stick. Just as in the movie mentioned above.

A similar thriller plays out in a court room according to a January 22, 2010 Washington Examiner article called "Defense Official's Mom Introduces Him to Chinese Spy". According to the Article, James Wilbur Fondren provided three papers to a Taiwanese business man who paid a consulting fee. Unbeknownst to Mr. Fondren, the Taiwanese business man was a Chinese Spy.

Mr. Fondren’s defense brought up three issues. The first is that Mr. Fondren only provided classified information in one of the three papers. Two, the classified information was over-classified. Third, the classified information would have been public knowledge within hours of release.

Mr. Fondren gets to have his day in court and he is innocent until proven guilty. So, just for education purposes, let’s leave the case and look at the issues the defense brings up. We can take it on a point by point basis and provide valuable learning opportunities.

Pont one: Only part of the three articles provided classified information.

All classified information should be handled according to the National Industrial Security Program. For defense contractors, the National Industrial Security Program Operating Manual describes how cleared contractors should protect classified information.

Point two: The classified information was over-classified.

Depending on the source, up to 85% of classified information may be over-classified. That is a problem for the original classification authority (OCA) to resolve. Cleared contractors should only be concerned with how to protect classified information according to the markings provided by the OCA. Failure to protect classified information could result in various degrees of damage to national security.

Point three: The classified information was public knowledge within hours of the paper being written.

Until notified by the OCA, classified information will remain classified. If an open source reveals information a user knows is classified by an OCA, the holder is to continue to treat information according to classification markings. In other words, just because someone puts unclassified information in a book or posts it to a website, that information does not become unclassified. That is the OCA’s decision.

These three points should also apply when protecting technical information identified in the United States Munitions Lists (USML) as provided in the International Traffic In Arms Regulation (ITAR). Just because someone posts the technical information online or in a book doesn’t make it open source. That is always a Department of State Determination, not the perpetrator.

Art sometimes does imitate life. The above scenario could easily be the subplot of an international thriller. Some contractors may not completely understand how to protect sensitive information. They may try to find loopholes or shortcuts to meet their agendas. Good FSOs are training their cleared employees to do things the right way by following requirements found in NISPOM and ITAR. Some of the points I’ve used above came from real life situations that I’ve discovered while consulting or working as an FSO or Export Compliance Officer.

Saturday, June 19, 2010

Industrial Security Newsletter - iContact Community

Industrial Security Newsletter - iContact Community

Sign up for our newsletter. Everything you need to know about industrial security is here.

FSO's Can Conduct Effective NISPOM Annual Security Awareness Training; How To Pass DSS Requirements

My friend took up running a few months ago. He started out with just a short jog, but eventually is running four and a half miles with increasing speed. He challenges himself with each work out, getting better and better. Conversely, I have another friend who runs “Twenty minutes a day”. He gets dressed and plods his 20 minutes until he is done. In this example, both are running, but one is increasing endurance and speed. He’s getting better and more skilled. The other is just maintaining; going through the motions.

Our goal as security trainers is to teach cleared employees to protect classified information. We use the National Industrial Security Program Operating Manual Chapter 3 guidance as the standard. As leaders we want to implement and direct security programs that protect classified information as they relate to our cleared facilities. Trainers have two choices:

1. Challenge our employees to get better and more effective

2. Go through the motions and plod along with the minimum requirements.

Choice one is more challenging. It requires research and coordination. The trainer builds upon the foundation of the last training session. They also design each training session to relate to specific contract related tasks. For example, a complete training program can be designed around statements of work and the DD Form 254. Specific training tasks can be designed around Items 10, 11, and 13 of the DD Form 254 as it relates to the Defense Contractors requirements. This choice integrates cleared employee specific performance tasks with the NISPOM requirements of:

Choice two is the easiest. It just requires using the same training year after year and never increasing the skill level. Each year the trainer provides the same information defining the damage resulting from the unauthorized disclosure of Confidential, Secret or Top Secret is disclosed in an unauthorized manner. Training of this type tends to talk down to cleared employees that just may have a great understanding of security requirements. However, instead of providing greater security skill levels, the training never develops past the beginner level. In other words, the initial security training briefing is given year after year. The training just regurgitates NISPOM. It doesn’t provide the cleared employee with how to implement the NISPOM requirements in their day to day work.

The danger with this type of training is that the cleared employee may feel professionally insulted. Many have worked on classified contracts for years and have a tremendous understanding of their requirements. As they work on contracts, they gain valuable skills and are regularly challenged to protect classified information in unique and changing environments. They become quickly disheartened by having to attend training that spoon feeds information at a very basic level.

While in the Army, we were always trained to take the hard right over the easy wrong. Tough and challenging training takes work. It also may require an FSO to recognize that they are not always the subject matter expert. FSO’s do know NISPOM, but they are not the SME on individual contract requirements. An excellent way to provide training is to recruit trainers from the cleared employee ranks. The FSO can direct the training and the recruited SMEs can help others understand the application to specific contracts.

Clearly my friend will continue to train hard and increase his speed and distance. His efforts are concentrated on the training he needs to achieve his goals. FSOs can use the same intense focus to turn their training around. Consider implementing DD Form 254 and contract requirements with NISPOM procedures s to create a better organization of cleared employees capable of protecting classified work.


How to Prepare for the NCMS Industrial Security Professional (ISP) Certification Exam

Recently the NCMS (Society of Industrial Security Professionals) National Seminar organizers announced the incredible news that a record number of security professionals have taken and passed the Industrial Security Professional (ISP) Certification Exam. Their diligence and study planned have successfully led them to the distinguished title of Industrial Security Professional. We congratulate all the new ISPs; well deserved and we wish you continued success.

We’d like to encourage those who haven’t tested to develop a plan and take the exam. According to recent testimonies, ISP Certified individuals stated that they received promotions, raises and respect almost immediately. You can see these comments on the NCMS website. Additionally, resumes posted on the site are now requesting that candidates have the ISP designation.

According to the NCMS Website, there are a few minimum requirements potential candidates must meet before applying for the ISP Certification Exam. Those who meet these requirements have a better chance of passing the certification exam. Test candidates must have at least five years of experience in industrial security, working in security at least part time as part of their job description and a letter of recommendation from their supervisor. If they don’t have a supervisor, they can contact an NCMS chapter chair for further guidance.

Five years experience in industrial Security; working at least part time in security

You wouldn’t want to attempt this test without this level of experience. The test is designed to check a tester’s knowledge of NISPOM and how to protect classified information in cleared contractor facilities. Those who have five years experience have probably practiced the skills necessary to take the exam.

This requirement translates to protecting classified information according to NISPOM. This opens the door for engineers, program managers, security monitors and others who have spend considerable time working with and protecting classified information. There are exceptions to the industrial security part. For example, if you’ve protected classified information in any capacity, you may be eligible. Prior to taking my ISP Certification exam I had only my government security experience. Though it wasn’t NISPOM based experience, I requested and received NCMS’ approval.

Don’t confuse experience with the need to study.

Fortunately the ISP Certification Exam is an open book test of the NISPOM. No one is expected to know every word of the NISPOM, just how to find the appropriate answers. The exam is made of 110 questions with 100 of the questions relating to NISPOM and the remaining in an elective area. Even with the five years of experience, potential candidates should develop a study plan. Some recommendations include: joining the NCMS study group, creating a local study group and practicing how to quickly search NISPOM. 110 questions in two hours goes fast so practice often.

Some practical ways to prepare

Schedule a test date-You have a year once you schedule to take the online exam. Setting the date is the toughest part. But a ticking clock is sometimes a good motivator

Take part in security inspections-this helps familiarize you to possibly new areas of NISPOM.

Practice other industrial security disciplines-If you work in a large organization, expose yourself to other NISPOM security disciplines. For example, if you work in personnel security learn some things about document control.

Familiarize yourself with NISPOM structure-Go through the table of contents and familiarize yourself with chapters. Its easier to search for training requirements when you know that training is in Chapter 3. Searching a few pages in chapter 3 is easier than searching the entire NISPOM.

In conclusion, register for the exam, set a date, and begin a study program.

You can find study recommendations, practice questions and NISPOM links at