Cleared defense contractors (CDCs) provide the technology and
know-how that delivers products and services to our defense industry. CDCs can
be prime contractors or subcontractors and are contracted to support government
organizations. The designation of CDC indicates that the organization is a
government contractor with a facility clearance and is made up of employees
with personnel security clearances. With classified contracts, the CDCs are
required to protect their government customer’s classified information while
performing on classified contracts.
The CDCs are part of the National Industrial Security Program
(NISP). The National Industrial Security Program Operating Manual (NISPOM)
provides guidance on how to perform on classified contracts. The guidance
includes topics such as employee responsibilities, required training,
continuous evaluation, maintaining security clearance, and much more. The
Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS,
provides most DoD agency oversight and compliance reviews. They perform
vulnerability assessments and determine how well a CDC protects classified
information according to the NISPOM.
Cleared Defense Contractors have a big job: not only performing
on classified contracts and protecting classified information, but also
documenting or validating compliance. The following tools should be in the
CDC’s toolbox and can be employed to help them remain in compliance and
demonstrate their level of compliance.
1. National Industrial Security Program Operating Manual (NISPOM)
The National Industrial Security Program Operating Manual is
the Department of Defense’s instruction to contractors on how to protect
classified information. This printing of the NISPOM includes the latest from
the Defense Security Service, including an Index and Industrial Security
Letters. The NISPOM addresses a cleared contractor’s responsibilities
including: Security Clearances, Required Training and Briefings, Classification
and Markings, Safeguarding Classified Information, Visits and Meetings,
Subcontracting, Information System Security, Special Requirements,
International Security Requirements and much more.
2. International Traffic in Arms Regulation (ITAR)
“Any person who engages in the United States in the
business of either manufacturing or exporting defense articles or furnishing
defense services is required to register…” ITAR “It is the contractor’s
responsibility to comply with all applicable laws and regulations regarding
Companies that provide defense goods and services should
understand how to protect US technology; the ITAR provides the answers. The International Traffic in Arms Regulation (ITAR)
is the defense product and service provider’s guide book for knowing when and
how to obtain an export license. This book provides answers to:
Which defense contractors should register with the DDTC?
Which defense commodities require export licenses?
Which defense services require export licenses?
What are corporate and government export responsibilities?
What constitutes an export?
How does one apply for a license or technical assistance agreement?
3. Self-Inspection Handbook For NISP Contractors
The National Industrial Security Program Operating Manual (NISPOM) requires all
participants in the National Industrial Security Program (NISP) to conduct
their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a
job aid to assist you in complying with this requirement. It is not intended to
be used as a checklist only. Rather it is intended to assist you in developing
a viable self-inspection program specifically tailored to the classified needs
of your cleared company. You will also find they have included various
techniques that will help enhance the overall quality of your self-inspection.
To be most effective, it is suggested that you look at your self-inspection as a
three-step process: 1) pre-inspection, 2) self-inspection, 3) post-inspection.
for Cleared Employees
The main presentation is great for initial training or for
refresher annual security awareness training required of all cleared employees.
NISPOM requires the following training topics during initial
training and refresher training:
Awareness Security Briefing Including
Of The Security Classification System
Reporting Obligations And Requirements, Including Insider Threat
awareness training for all authorized IS users
NISPOM Training contains requirements
for the Annual Security Awareness and Initial Security Training.
The NISPOM outlines requirements for derivative classification training
to include… the proper application of the
derivative classification principles, with an emphasis on avoiding
over-classification, at least once every 2 years. Those
without this training are not authorized to perform the tasks.
Contractor personnel make derivative classification
decisions when they incorporate, paraphrase, restate, or generate in new form,
information that is already classified; then mark the newly developed material
consistently with the classification markings that apply to the source
c. Insider Threat
This training program includes the NISPOM identified Insider Threat Training requirements.
The NISPOM has identified the following requirements to establish an Insider
Threat Program. Download and present the training here and meet the training
an Insider Threat senior official
an Insider Threat Program / Self-certify the Implementation Plan in
writing to DSS.
an Insider Threat Program group
Insider Threat training
classified network activity
integrate, and report relevant and credible information; detect insiders
posing risk to classified information; and mitigate insider threat risk
self-inspections of Insider Threat Program.
d. SF 312 Briefing
This training is for newly cleared employees and should be
given prior to Initial Security Briefings.
Newly cleared employees must sign an SF-312, Non-Disclosure
Agreement. Instead of just having them sign the box, why not give
them the appropriate SF-312 Briefing describing what exactly is on the
form and why they are signing it?
As mentioned earlier, CDCs not only have to perform on
classified contracts according to contractual requirements, but they are
evaluated on how well they are protecting classified information. The tools
mentioned above are designed to assist the CDCs in meeting requirements. Red Bike
Publishing is pleased to be a partner in the NISP and provides tools to assist
CDCs in their efforts. More information can be found at www.redbikepublishing.com.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing.
He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures.
He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".