Sunday, July 19, 2015

Correcting How Hollywood Portrays Cleared Contractors

© Mhieronimus | - Hollywood Sign Photo

I recently had the fortune of being on a radio talk show for security professionals. This show has an audience of approximately 10,000 listeners with varied corporate and law enforcement security experience. However, very few of the audience members work in the defense contractor industry or under the National Industrial Security Program.  

I had wanted to be a guest on the show since I had heard about it earlier this year. I had found them in a google search and discovered that they had covered the National Industrial Security Program (NISP) with some college students. The conversation, though serious, proved light as the talk show hosts engaged the guests and audience in an entertaining manner. They actually made NISP seem very interesting.

I had to ask myself, "When was the last time a security briefing, training, or seminar was engaging, serious, and comical at the same time?"

That was the question on my mind as I listened to the interview. The students did a great job talking about the security clearance topics. The most entertaining part of the show was listening to assumptions the hosts had about security clearances and protecting classified information. I thought I could help with those concerns and volunteered to be on the show. Like most good security managers, the show vetted Red Bike Publishing, our books, and credentials and decided to invite me on the show.

I went in with the understanding that this was their show and I was a guest. I probably would not get much time to speak as they did have a show to do. I felt my job was to complement the show by engaging their comments, concerns, and issues the best I could from a NISP point of view. I also realized this was a good opportunity to educate a broader security audience.

The concerns they shared showed a fundamental misunderstanding of how government contracting, classified contracts, andsecurity clearances work. This fundamental misunderstanding is often shared by those not in the know and often manifests in the movies and TV shows we watch today. For example, on an episode of Hawaii Five-0, a husband had stolen classified information off his wife's laptop computer at home while she slept. What?

Without fully understanding the NISP, the general public could draw conclusions that cleared employees keep classified information on laptops and bring them home at night. The Hawaii Five-0 character stated words to the effect of, "he broke into her laptop and stole her security clearance". Wait, what?.

You may have noticed similar discrepancies, but that's ok. It's Hollywood where monsters, fairies, and magic exists. Additionally, the nightmarish mishandling of classified information in the hands of incompetent people burdened by an overbearing bureaucrat is also wrongly portrayed. Not to forget also, most Hollywood movies feature defense contractors as evil and villainous, but we know different.

In spite of the Hollywood nightmare, cleared employees are trained to understand how the NISP works and how classified information is really protected.

Similar misunderstandings revealed themselves during the radio show. Here are some question topics that arose and that many FSOs and security managers may face. How would you have responded?

1. Wouldn't it make more sense to clear everyone to the TOP SECRET level and protect everything at TOP SECRET? 

This is the assumption that all classified information CONFIDENTIAL through TOP SECRET should be treated as TOP SECRET.

2. When private companies are working on their classified products, who knows how it is protected and if there is enough protection? 

This is the assumption that classified information is generated by everyone and there is on oversight by anyone. This also discounts the government contracting process.

3. Bad guys are constantly attacking our computers and taking our classified information

This assumes that classified information is processed on open computers and networks and takes us back to the Hawaii Five-0 scenario.

4. People with security clearances are doing what they want with no oversight

This assumes that the security clearance investigation, whole person concept adjudication, and continuous evaluation process do not exist.

There were so many other issues, too many to cover for this article.

As I encountered each of the obstacles, I began to weave a story of how the NISP worked as the hero to ease their fight the monsters of bad security management and our "endangered" secrets. I began by explaining the following: government contracts, six step OCA process, security classification level assignment and notification, markings, DD Forms 254, required initial security briefings, SF312 training, annual security awareness training, NISPOM guidance, derivative classifier training, OPM security clearance investigation process, continuous evaluation, periodic re-investigations, and Defense Security Services education, partnerships, and reviews.  There was not enough time to go into everything, but I used the allotted time to educate and correct their misguided assumptions.

However, these mistaken beliefs are not only shared by Hollywood and the general American public; newly cleared employees may share similar beliefs.

So, how should a facility security officer and cleared employees respond? Would they lambaste the less knowledgeable person, take time to train them, or become frustrated and walk away. 

I've had the opportunity to see all three approaches. The correct and most effective approach is to take the time to train and correct the problem. Next time you engage employees, perform training, or advise a program, be ready for anything, treat the topic with respect and correct the situation.

Tuesday, July 14, 2015

NISPOM Based Questions

Looking for study information for your next SPeD or ISP Certification studies?

Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but some you might just have to think about.

1. You are an FSO of a growing defense contractor. One of the executives approaches you about the need for more space to conduct classified work. He is agreeable to implementing your recommendation to use a restricted area and would like you to prepare a security briefing for his team. Prior to your briefing, you conduct the necessary research. Describe the reason for a restricted area and when cleared employees would use a restricted area. Keep in mind access control and storage requirements.

2. You have just sat down to eat lunch and receive a phone call from a cleared employee. She tells you that the security container’s drawers are closed, but the dial on the combination lock has not been engaged. She explains further that according to the SF 702, the container had been locked and checked 20 minutes earlier. She is sure that was “about the time everyone left for lunch.” What would you direct her to do?

3. Your colleagues leave for the day. On their way out, they inform you that you are the last to leave. The facility is authorized to store classified materials. What will you check for prior to leaving?

4. As part of the building project, you are responsible for providing input into the projected classified contracts and the required work space and storage requirements. As you put together a presentation you research the requirements of a much needed closed area. Describe how a closed area should be constructed. Who approves the construction requirements?

So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.