Saturday, November 27, 2010

Professional Certification and Career Advancement

Industry Sponsored Certification

Certification says a lot about a professional. This individual has dedicated personal time and has committed to intensive study to improve their skills on the required topics. Supervisors and managers may set a goal for employees to reach a level of experience or even challenge them to seek a certification. Employees who have achieved a professional certification have experienced preference in job hiring, retention and promotion. Though a certification does not guarantee an employee such benefits, it does demonstrate a few important qualities to their management. Primarily, those certified convey a commitment to the profession, investment in the enterprise, and a high level of experience and knowledge.

Organizations that hire employees with certifications or encourage employees to become certified benefit from the experience. In many cases, employers pay for the certification exams and other fees related to the certification requirements. They recognize the dedication their employees demonstrate, experienced gained, and the marketability of the certified. Other benefits to the company include bragging rights and certifications can be included in company profiles. When applicable, defense contractors can mention employee certifications when listing capabilities and responding to requests for bids. For example, they can mention that the FSO “is board certified to protect classified information” and list the certification and source. Those who solicit bids also recognize certifications to include prime contractors and Federal agencies. Certifications are also good credentials for vendors who install security systems, guards, document destruction or provide other security services.

As leaders, FSOs can help security employees understand how to create incredible security programs. Focusing on training, interaction with other cleared employees, self-improvement and institutional education should be part of professional development. FSOs who write security evaluations for direct reports have an excellent opportunity to help them establish goals to become better at their jobs, more impactful in their careers and hopefully, groomed to become FSO's themselves. Challenging employees and team members to achieve personal and professional goals breeds success.

Industrial Security Professional Certification

The ISP Certification is one goal FSOs could take as a goal as well as encourage employees to achieve. The employee gains from such education and a prestigious career milestone. The organization also benefits from what the security employee learns and applies on the job. When employees study for the ISP Certification, they learn: how to read and apply the NISPOM, the importance of forming professional relationships with cleared employees, how the cleared contractor and the DSS representatives interact, and much more.

A leader also creates pride in the organization and employee by making them more competitive in their career and providing basis for professional pride. The path to the ISP Certification goals should not be taken alone. When employees are challenged with the goal, the manager can help by providing or allowing education as found on the DSS, professional organization or vendor websites. Studies on NISPOM topics are available on the internet as well as on site. If your team is large enough, consider helping them start a study group.

If the cleared contractor facility has multiple security employees, provide an opportunity to cross train. Security employees who work personnel security issues could work with document control and etc. FSOs could facilitate security employees from one discipline inspect another security section during the annual self inspection. Another idea is for the FSO to create an internal certification program. This helps integrate new employees into their jobs. A self-certification program would train an employee on performing individual tasks. The employee works under a mentor who verifies and documents the training. This training covers how the cleared contractor facility security employees practice document control, manage personnel security, provide classified contract support and etc. If such a program exists in your organization, consider using it for further cross training employees who concentrate only on one task. This will help them become more experienced and more prepared for the exam.

Employees may not feel comfortable asking for training, setting prestigious goals, or asking for funding for professional organizations or certifications. However, a supervisor who is aware of such opportunities can encourages the employee to become engaged.

Most applicable is the Industrial Security Professional (ISP) Certification sponsored by the NCMS (Society of Industrial Security Professionals). The certification exam is based on the National Industrial Security Program Operation Manual (NISPOM) and consists of 110 multiple choice questions 2. The first 100 questions come from the NISPOM and referenced regulations and forms. The last 10 questions are made up of select electives. Security administration and management, document security, information system security, physical security, personnel security, international security, classification, security education, audits and self assessment make up the certification’s core topics.

Though NCMS membership is made up of several thousand security specialists and FSOs, the ISP certification is open to non-members and includes security disciplines such as: personnel security, guards, document control, contracts management and all other disciplines. It is not only for those with security titles, just those who perform security functions while working with classified information and material. For example, a company president who also serves as FSO, an engineer, project manager, clerk, cleared security service provider, military service member, Federal employee or anyone else who can demonstrate that they protect classified information in the performance of their job. The ISP Certification is relatively new and is increasing in popularity and gaining momentum. You can find out more about NCMS and ISP Certification through their website or by searching “industrial security professional certification” or “ISP Certification” in your favorite search engine.

Other certification

There are many sources available for certification applicable to both the defense contractor and government security professionals. Some have more weight than others, but all require good preparation time. These certifications mentioned below are but a few of the most popular. All of them cannot be listed here and the intent is not to recognize one above the other. For convenience, we are listing four certification sources familiar to those who are experienced in the industrial security field. These are the more popular sources for the certifications listed most on business cards and titles.

Some other pertinent security certifications are provided through the American Society of Industrial Security International (ASIS). This organization is made up of more than 35,000 security practitioners, suppliers and service providers throughout the world. The scope of coverage is larger and less industry specific. As a professional organization, ASIS is enjoys a membership consisting of law-enforcement, military, government, defense industry, loss prevention, and other professionals. To meet the demand for a professional presence, ASIS sponsors three certifications meeting differing needs in the security industry. The Certified Protection Professional (CPP), Certified Professional Investigator (CPI) and Physical Security Professional (PSP) each provide professionalism and opportunities to excel in broad disciplines.

Wednesday, November 24, 2010

How FSOs use Security Metrics in a Cleared Defense Contractor Facility

Metrics are tools leaders use to assess the effectiveness of their programs. These metrics indicate success, failures or areas where significant improvement is needed. Metrics data is found in surveys, inspections, and reports and are pulled for the specific purpose of understanding where the program is. The other part is to understand where the organization should be and comparing it to the results.

FSOs should make metrics development and use a top priority. Chief security officers, chief information officers and other executive level security managers understand how to read metrics and use them to focus with pinpoint intensity on directing their security programs within their companies. Security managers in lower positions can use the same skills to gain influence in their companies. Because of the nature of compliance with government regulations, the task may be easier for FSOs to accomplish.

An FSO has readily available data to determine and communicate the effectiveness of the security program. Gathering available information, creating a detailed database and performing solid analysis will determine the program's success. Whether or not a security program is where it needs to be can be determined from information found in the following actions:

* Incidents, infractions, violations reports with compromise or suspected compromise
* Annual DSS reviews
* Annual self-inspections
* Professional and organizational certification
* Self-reporting statistics
* Security Awareness Training
* Security budget
* Contractual requirements

The above list is not all inclusive, but is readily available information directly affected by security or influences security decisions.

Incidents, infractions, violations and reports of compromise or suspected compromise as Metrics - These should be made at each occurrence and analyzed regularly. Reports indicating that compromise or suspected compromise has occurred are taken seriously and forwarded to the CSA. Many other reports of minor consequences are not required to be sent outside of the organization, but are extremely helpful as indicators of the organization's security health.

Annual DSS Reviews as Metrics - According to the NISPOM DSS is responsible for determining the frequency of annual inspections.

Inspections are typically conducted every 12 months, but circumstances can require more or less frequent visits 2. DSS inspects the facilities security program for the primary purposes of ensuring their programs provide the proper protection of classified information they are charged with protecting. Additionally, the inspection programs are designed to improve the effectiveness of the contractor's security program. At the conclusion of the inspections, the contractor is given a rating ranging from unsatisfactory to superior

Annual self-inspections as Metrics - The self-inspections offer other exceptional opportunities for FSOs to improve the security program as well as measure results from the previous DSS annual audit. The self-inspection is conducted by security personnel organic to the company. It is a requirement that affords the opportunity to look into procedures, review documentation, review incidents and conduct classified holding inventories among a few of the tasks. These self-inspections are typically conducted midway between the annual audits and help keep the security team focused on improvement and compliance.

Professional and Organizational Certification as Metrics - Quality and or other outside agency reviews are performed to qualify a company for a rating. These reviews are purposefully strenuous and thorough in an effort to discover the enterprise's business functions, policies and procedures. Depending on the inspection, each outside agency is invited to bring in experts to analyze a company's performance. The inspector visits every aspect of the organization, measuring the company's compliance, record keeping, improvements and other performance issues and makes a determination of whether or not they are worthy of the certification.

Security Awareness Training as Metrics - Attitudes toward security awareness programs are great indicators of the FSO's program. Comments that reflect a desire for or loathing of continuing security awareness education speaks volumes. Those who are conscious for the need to protect national security assets and classified information understand the need for training. Refresher training is a requirement identified in the executive orders, DoD and federal agency regulations including the NISPOM 4.

Security Budget as Metrics - Security budget support or lack of support can either demonstrate a well received or unappreciated security program. In a functional security manager role, the intuitive FSO understands business, the company mission and how the role of protecting classified material fits. The FSO can provide risk assessment and speak intelligently of the procedures, equipment and costs associated with protecting classified information. They understand how to contract outsourced security resources to install alarms, access control and other protection measures. The FSO is also able to demonstrate a return on investment.

Contractual Requirements as Metrics - An FSO who has developed rapport, a reputation for integrity and considerable influence is instrumental in helping the company achieve its goals. Classified work is identified on the DD Form 254 and the statement of work. The FSO should understand associated costs inherent to the classified work identified in the contract and the DD Form 254.

Results of Metrics Data
A security manager can use such metrics or data and write a white paper, report, or provide a picture graph to employees, managers and executives for several purposes. Regardless of the report media, the objective should be to improve the state of security and communicate the results to the executives and share holders. Employees can be trained on recognizing proper procedures and preventing future occurrences by changing behavior. Managers can use the information to direct change in their employees to provide better security. Executives can use the information to identify programs or projects with probable risks and use the data for strategic planning. Finally, the shareholder; tax payers, board of director members, customers, and employees have a good understanding of their return on investment.

Wednesday, November 17, 2010

Classification Markings Should Increase Awareness Not Lethargy

Working on classified projects may seem intimidating at first. Overtime, the work quickly becomes routine and perhaps mundane. The cleared employee can quickly go from being impressed with their responsibilities and alert in their actions to a more relaxed attitude. Soon the classified items and the markings can become invisible and ineffective. Many modern examples of security violations include cleared employees leaving classified information unattended at their desks, lunch rooms and other unsecure areas. Such actions have led to possible compromise as safes have even been left open and unattended or accidentally removed from a cleared facility with classified information still inside. Even security employees have left safes unattended and have misplaced classified materials.


Though markings do relay intended information, they should not be the “stand alone” technique. Some industrial security specialists have added even more markings to already cluttered media hoping to prevent a user lapse in judgment. Once again the effectiveness begins to wear off. To counter the effects, the holder of the classified material must remain vigilant and aware of their surroundings and situation at all times. This is a proactive posture and requires a bit of imagination. Such security is accomplished with solid training and reminders of responsibilities while possessing classified information.


Simple acts such as maintaining a clean desk policy has helped to reduce security violations. In this situation, an employee removes everything from the tops of their working surfaces or desks except for the classified material. By doing that simple practice, a busy employee will be aware that any articles on the desk require extra diligence and must never be left unattended unless in an approved closed area. When no longer needed, classified information should be locked up in a security container or closed area. If a desk is empty, the cleared employee can also assume that there are no classified items out. This discipline creates an environment that reduces the chances of the employee leaving a classified item vulnerable to compromise if they forget to secure it prior to taking a break or leaving for the day. Also useful is the posting of a desk tent and door hanger with an important reminder that classified items are left out. As the employee leaves their work area, they will encounter the warnings on their desk or door handle.

In certain cases some classified materials may need to be stored separately from other classified articles. For instance, items with NATO classifications are stored in separate containers, drawers, shelving, etc to prevent unauthorized disclosure or possible compromise. Vigilance of classified markings pays off and is well worth the tough training that industrial security managers may undertake to learn to recognize such markings. When documents do need to be stored separately other access control systems prove very worthwhile.

Monday, November 15, 2010

Interpreting Requirements in the DD Form 254 and NISPOM

A cleared contractor can help reduce costs by preparing ahead of time. This is where an experience FSO can anticipate expenses, perform risk assessment while implementing NISPOM and advise on ways to reduce costs while being compliant. The more money saved on overhead expenses, the greater the overall company profit. The earlier into the process the assessment is conducted the better the company performs overall. Timing is the key as some of the security requirements depend on the approval of the CSA. Conducting the assessment or coordinating with DSS after the committing to the contract may place the contractor in the tough position of building “closed areas”, rooms for classified meetings, or ordering more GSA approved containers (safes) and meeting tough governmental compliance with short notice before being able to perform on the contract. Such late planning could prove costly.

The FSO works with managers and all within organization’s decision making process. This team consists of program managers, engineers, security, contract and other managers responsible for developing business with the prime contractor or GCA. This team, regardless of individual duty description or organization structure, speaks for the company and commits the company to perform as the contract specifies. As part of this group, the FSO provides information and guidance on protecting classified information in the process. This could translate into significant cost reduction.

Understanding how to advise and assist in the development of the DD Form 254 is fundamental. It provides the ground work for ensuring the GCA requirements are clear, applicable and understood. Since the government provides the protection requirements, getting in on the ground level development can only benefit the contractor.

Friday, November 5, 2010

Storing Classified Information Keeps Cleared Employees Honest

We’ve all been there, the calls coming in just as we reach our homes or late at night. Someone didn’t properly security classified information. Many times investigations conclude that classified information has not been compromised. However, time, energy and resources are spent to conduct investigations, find root causes and re-train.

To prevent the above situation, end of day checks serve as a precaution against leaving classified information unattended. The last cleared employee departing an area where classified material is used, stored, transmitted or is otherwise accessed, should follow a check list prior to leaving. The checklist leads the employee to inspect storage containers, tabletops, walking surfaces, printers, copiers, and computers to ensure that no residual classified material is left unattended. While the end of day check is vital when leaving classified areas unattended, they are not required when an area is manned 24 hours per day, seven days per week. This is according to National Industrial Security Operating Manual (NISPOM), section 5-102.

Though not required by NISPOM, government forms are available on line for use or just to serve as model in the strengthening of security programs. Companies are free to use these forms or create their own. The government forms are available online. One such form is the Activity Security Check List, Standard Form 701. Again, unless the contract or Government agency requires the use of a specific format, the company is free to adapt their own version. Regardless of the system used, the security checks are effective measures and have proven successful. Unsecured classified information would have otherwise been susceptible to compromise.

The biggest threat to national security doesn’t arrive with a burglar breaking in. Unattended classified information provides great opportunities for accidental or purposeful unauthorized disclosure. Chances are the classified information that is left out may be compromised by an uncleared employee or at least an employee with no need to know. Justice department websites are full of investigations and court cases involving trusted employees involved in the unauthorized disclosure of classified information. Improving end of day checks, employee security awareness training, and the reporting of security infractions and violations just makes it harder for the insider to steal, copy or otherwise remove classified information. Reduce opportunities; reduce risk.

How Defense Contractors can Earn the Cogswell Award; Or Earning an Excellence In the DSS Inspection

Nine recipients out of 13,000 cleared facilities nationwide earned the Cogswell Award this year. This award is the ultimate achievement for the security program at any cleared facility. How do winners do it? They develop a program that is worthy of such an achievement. Your company can do this too.

One requirement is to go “above and beyond” the requirements of the NISPOM. The hardest part is with institutional training and getting the rest of the organization on board with the security program. Setting security goals that everyone understands, creating an organization-wide security culture everyone can live with is extremely important. Institutional training also encourages your employees to report any and all security violations, suspicious contacts, and foreign travel, which will further enhance those efforts.

Being prepared for the annual security inspection by implementing a daily security management processes is the key to receiving a superior rating. An in-depth security process, which includes physical security, visitor control, and security education throughout the year will add to the success of your security program. Some methods include developing a monthly Security Newsletter, displaying Security Awareness Posters around your facility, and sending Security Related emails that remind employees about their Reporting Responsibility will put your security program above and beyond the requirements of the NISPOM. Self-inspections, end-of-day checks, well organized personnel files, current DD254s and proper JPAS records management system will boost your rating as well. In addition, an approved document control system (Information Management System) and a well-managed computer security program will demonstrate excellence to your DSS rep.

However, all of this preparation will be in vain unless you develop a partnership with your DSS rep. Taking the time to invite your DSS rep to your facility for an informal meeting and to introduce your staff will create a comfort zone when you have a security issue to discuss. It may also make the inspection a bit less stressful for you, because you have made the effort to get to know your rep. It is also important to demonstrate the complete support of your upper management for the security program. This can be accomplished by the display of proper locks, card access systems, front desk procedures for visitors, display of badges, and other visible signs that promote Security Awareness that would only be accomplished with full management support.

By developing a security program outlined in the NISPOM and approved by your DSS rep, the Cogswell Award is definitely a reachable goal for your company. Through DSS and your rep, you can obtain everything you need for your security program. You can also reach out to fellow security professionals and join security associations, such as NCMS and ASIS, to further enhance your security program and your security knowledge. Once you receive two consecutive superior ratings, your company is eligible to be nominated for the Cogswell Award by your DSS rep. The process is very rigorous and thorough, but entirely worth the effort!

The Defense Contractor FSO’s Well Rounded Security Training-Or How Contractors Prepare to Perform on Classified Contracts

Facility Security Officers (FSOs) are highly trained to meet the requirements of NISPOM. Training should reflect NISPOM requirements as reflected in the Contract Security Classification Specification (DD Form 254). If the FSO is in a non-possessing (no classified holding), the training requirements are baseline. However, possessing facilities have more requirements that the FSO should be prepared to meet. Objectives of the FSO Program Management Course are to prepare the FSO to implement and direct a NISPOM based security program in their cleared contractor facility. The training includes, but is not limited to the following topics:

Protecting classified material – The proper receipt, accountability, storage, dissemination and destruction of classified material. The FSO learns how to protect classified information in a cleared contractor facility.

Required cleared employee training – This instruction helps the FSO establish an ongoing training program designed to create an environment of security conscious cleared employees. The FSO learns to provide effective training to cleared employees, teaching them to properly protect the classified material and report questionable activity and violations. Such training includes initial security briefings and annual security awareness training.

Personnel security clearances – The FSO gains an understanding of the personnel security clearance request procedure, briefing techniques and maintenance of personnel clearances.

Facility clearance –The FSO learns how FCLs are established. They are also taught which records and activities are required to maintain the FCL.

Foreign Ownership Control and Influence (FOCI) – Organizations analyze foreign investments, sales and ownership on a regular basis. FSOs learn to interact with management and provide guidance and direction in preventing a foreign entity from unauthorized access to classified and export controlled information.

Exports compliance and international operations – International business opportunities abound in a global economy. FSOs receive instruction on how to prevent unauthorized disclosure of critical technology, controlled export and military classified information. Companies can thrive in such an environment provided they can advise or execute Departments of State and Commerce licenses and agreements as required.

Restricted areas – Setting up temporary environments for classified work. The restricted area is established to control temporary access to classified material. At the end of each work day, the classified material is returned to the approved classified holding area.

Closed areas – Government approved space is approved to store and work with classified material. This involves approved construction and limited accesses controls to prevent unauthorized disclosure during and after work hours.

Communications security (COMSEC) – Some contracts may require the establishment of a COMSEC account with the National Security Agency to facilitate secure communications via computer, telephone, facsimile machine or radio. This instruction provides basic information about how to perform under COMSEC requirements.

Duties of an FSO – The FSO should understand not only the job description, but how to communicate with management and fellow employees. Responsibilities include accountability while implementing and directing a security program to protect classified material and NISPOM requirements.

Contract security classification specification (DD Form 254) – This is the vital piece of the classified contract. The FSO cannot execute or allow access to a classified contract unless they possess the customer issued DD Form 254. The FSO also understands how the DD Form 254 is constructed and how to provide input to better meet security requirements.

Security classification guides – As the DD Form 254 provides authorization to execute a classified contract, the SCG provides the “how to” instruction. All employees performing classified work consult the guide to understand what is classified and how to provide the required protection.

Security administration and records keeping – This teaches the maintenance of facility and personnel security clearance information as well as all other accountability information management requirements. The FSO is expected to provide original documentation on Foreign Ownership Control or Influence, facility clearances, SF 312, training completion and classified inventory and disposition. Additionally, some records are not authorized for retention such as the completed Security Clearance application or SF 86 (as of 2006 they are destroyed once investigation is complete). The CSA reviews required documentation during the annual security inspection.

Sub contracting – The FSO will learn their role in subcontracting. Primary contractors are authorized to release classified information on a contractual basis. If approved to subcontract classified work, the contractor will provide a DD Form 254 to authorize the classified subcontract. They will also provide a security classification guide.