DoD Secure-Working with National Industrial Security Program

Creating an excellent security environment at cleared defense contractor facilities.

March 25, 2022 Jeffrey W. Bennett, ISP, SAPPC, SFPC, ISOC

Though defense contractors don't assign classification levels, it helps to understand why information gets classified and how the government identifies the classified information. The cleared contractor works with the classified information and protects it according to the markings.
From How to Get U.S. Government Contracts and Classified Work

  1. Influence at all levels
  2. Integrate security at all levels
  3. Be fiscally responsible
  4. Be flexible, but knowledgeable

If you need assistance with FSO or security training, please contact me or visit my consulting site.

Additionally, we have NISPOM Fundamentals training, perfect for studying and applying to your CDC facility.

Purposeful execution of foreign travel pre-briefings: When employees travel to a foreign country, they may be targeted to provide sensitive information. A threat and/or defensive briefing should be provided to all cleared employees per NISPOM (NISPOM Training). The briefings should be documented with signatures, dates and contents of briefings for presentation to Defense Security Service (DSS) industrial security representatives.

There is a lot of debate about professional certification. Currently, the drive and motivation for facility security officers (FSO) and security specialists to become Industrial Security Professional (ISP) certified is still self-motivation and not yet a requirement.

Jeff's Website
Jeff is available for speaking and consulting

SIMS Software
SIMS suite provides features/functionality you need to run automated industrial security programs.

Access Commander by MathCraft
We support the mission of FSOs, CSOs and other security professionals.

Bennett Institute
Online security clearance webinars and coaching. Providing security training and resources.

Mission Driven R


FSO Consulting:

We provide facility security clearance, personnel security clearance, FSO consulting and NISPOM consulting.

Personnel Security Clearances

  • How to get a clearance
  • What to expect once you get a clearance
  • What you can do to prepare for a clearance

Facility Security Clearance

✓ Become a CDC contractor
✓ Determine security requirements for SECRET, TOP SECRET and SCI clearances
✓ Establish a security team to protect classified information
✓ Develop and provide required security training
✓ Prepare for government inspections
✓ Interpret contract specifications
✓ Fight insider threat
✓ Learn security clearance levels
✓ Process classified information
✓ Prepare derivative classification
✓ Provide required security training
✓ Appoint a Facility Security Officer
✓ Prepare for government audits

Security Clearance and NISPOM consulting

Unknown Speaker  0:00  
Welcome to DoD Secure. I'm your host, Jeff Bennett, with the latest information that you need to navigate the world of cleared defense contracting. We'll cover a few articles as well as introduce you to our proud sponsors, who provide goods and services that assist other cleared defense contractors with their day-to-day activities, just making their lives so much easier. So stay tuned for information as well as our sponsors' advertisements that might just help you.

Alright, so in today's episode, we're going to talk about a few things. One is why the US government assigns classification levels, and what the responsibilities of the defense contractor are. The other one is four powerful ways that facility security officers can employ to create a security conscious enterprise, and three ways facility security officers create an effective security culture. And finally, we might get into some certification information for those of you who may be interested.

Alright, so concerning the government classification levels: why does the government assign classification levels, and how is a cleared defense contractor supposed to respond? Well, the US government has designed policies that ensure that sensitive material is protected at the level designated to prevent unauthorized disclosure. Unauthorized disclosure, for those of you not in the know, simply means that somebody without the proper or appropriate clearance level should not be accessing classified information. But that's only part of it. What others fail to recognize is the aspect of need to know. Not only do you need the clearance, but you also have a requirement to understand what that classified information is, and usually that's related to a contract or a project. So if you are a holder of information that is sensitive, you need to make sure also that that other person has a need to know that information.

Just because they work in the same company or hold the same clearance level does not justify their having access. Unauthorized disclosure could also mean that the information is lost or vulnerable, out somewhere where somebody can access it that's not supposed to access it. So the government has, in these cases, put together guidance on how to handle information marked at a certain classification level. Now the original classifier, or the original classification authority, OCA, they're the ones that get together to determine the classification levels of information. And they have to be able to explain the damage to national security should this information be disclosed in an unauthorized manner, and these levels coincide with damage to national security, so you have the Confidential, Secret and Top Secret levels.

Unknown Speaker  3:33  
And once they are identified, those who hold that classified information are required to safeguard it in the appropriate way. Top Secret has more restrictions than Secret, and Secret has more restrictions than Confidential, and so each must be protected according to its classification markings. For example, an unauthorized disclosure of Confidential information could cause damage, Secret could cause serious damage, and Top Secret could cause exceptionally grave damage. The OCA, once they determine these classification levels, provides this guidance through a DD Form 254, a security classification guide, classification markings, or a combination of all of the above. So that's why it's important, if somebody did a contract with the government, that they had the appropriate tools that they need to determine these classification levels and how to protect them. As we spoke before, the DD Form 254 gives explicit instructions on how the information should be protected, where the work is to take place, and any additional instructions.

One thing is important to understand: defense contractors do not assign classification levels. That is a government sponsored activity. What the defense contractor does is something called derivative classification. And that means that they are compiling or summarizing or building a product based on classified information they received on their contract. If you want any other explanation of this, you can check our other podcasts that talk about classification levels, how to store classified information, and where you can get our book, How to Get U.S. Government Contracts and Classified Work. You can also get copies of the National Industrial Security Program Operating Manual. All are available on my website at Red Bike Publishing, and you can see links to those in the show notes.

Unknown Speaker  5:45  
At MathCraft, we believe security risks and lack of compliance are threats to a business and its people. We strive to provide our clients with the tools they need to stay compliant and prepare for the next generation of threats through comprehensive training, support and customer resources. We transform our clients into security professionals with the know-how to defend their organizations and maintain comprehensive security programs. For more information or ways we can help, visit MathCraft or call 70372990 to two. At MathCraft, we support the mission of FSOs, CSOs and other security professionals, who stand at the front line of our nation's battle against foreign and domestic threats. With software designed to the latest federal security standards, we help them strategize, speed up self-auditing processes, create new workflows, generate reports and receive technical information at a moment's notice. And again, if you're interested in some of the MathCraft products and services, check our show notes.

So let's get back to it. We can discuss four powerful ways that facility security officers can employ to create a security conscious enterprise. So what is key? The first is influence at all levels. Now a key trait that an FSO or security manager, or any manager really, should demonstrate is the ability to work with organizational structures, or personnel within differing organizational structures, to gain executive, manager and workforce cooperation. There's a term we've heard before called stovepiping, where each person works on their special set of skills, and you go from place to place to get access to those skills. But when you have a stovepipe situation, the work isn't integrated. And to be able to integrate security policy into the organizational structure, the FSO should have influence at all levels of that corporate structure. An FSO can train and write policy, but without the enterprise's full cooperation, they'll find it difficult to enforce.

And you've probably all been there, where each stovepipe department has its own independent policy, but nothing weaves them together into a corporate level policy. So for example, an FSO is responsible for reacting to security violations. And some of that reaction might mean executing some level of discipline on an employee who committed several security infractions. Well, if an FSO puts out a policy of what that discipline might look like, and they do not have the support of human resources, or the Senior Vice President, for example, well, then it's just an empty threat. So in this example, HR and corporate policy would also support the FSO's policy and training to provide a better and more efficient security program.

Now, point number two, integrate security at all levels. This kind of goes hand in hand with point one, having influence at all levels. But now let's integrate this security aspect within the entire organization. A well integrated security plan ensures that all business units within an enterprise notify the FSO of any change in disposition of cleared employees, classified contracts, or the ability of facilities to prevent unauthorized disclosure of sensitive information.

Unknown Speaker  10:12  
This integrated system will trigger the contracts department, program managers, business development and other business units to coordinate with and keep that FSO informed of expired, current and future contract opportunities and responsibilities. That way, the FSO can jump in ahead of any changes and lead the charge to protect sensitive information, and not be reactive. Leading the charge can also assist with being fiscally responsible and budgeting security requirements, which is the next point: be fiscally responsible. An important task that an FSO faces is the successful implementation of that security program while supporting the company's primary mission of pleasing the customer, making money, successfully performing on classified contracts, et cetera. Security efforts should be risk based and focused while meeting requirements of the National Industrial Security Program Operating Manual, or the NISPOM. An FSO with business competency and know-how is highly desired. For small contractors this could mean selecting the most competent employee or leader for that appointed duty. For large organizations, a thorough job description and performance requirements should capture the best candidate, who would most likely lead a team of other security professionals.

Point four, be flexible but knowledgeable. The constantly evolving world situation creates an ever changing security environment. New technology and new devices may challenge current risk assessments and current countermeasures. Some changes may result in new government policies and guidance. These guidance and policy implementations may create an environment through which the FSO and security staff must be able to negotiate with flexibility and knowledge: flexibility for the changing requirements, and knowledge of those requirements ahead of time for the FSO.

The Defense Counterintelligence and Security Agency, DCSA, communicates changes to that NISPOM, and when changes are identified, the FSO should take advantage of an integrated security plan to notify the affected programs and employees to reach a feasible solution. So those are four points that FSOs can use to integrate their security policy throughout the organization. If you need any assistance with FSO or security training, contact me. I'm an editor at Red Bike Publishing, where you can visit my website.

Now I'd like to tell you about our other sponsor, Mission Driven Research. They're there to glorify God by empowering employees to fulfill their mission. Their vision statement is that every employee finds fulfillment and joy by actively engaging in the mission. The core values are to go the extra mile for their customers, grow their employees personally and professionally, and give generously to their community. On their website, they describe themselves as a growing company providing technical services to the US federal government. If you'd like to know more about Mission Driven Research, find them online, and also in our show notes I'll include a link to their website and how to contact them.

Now let's talk about three ways FSOs create an effective security culture. So now we're taking all of those requirements, all the ways that the FSO should integrate with corporate policies. And now let's talk about creating an effective security culture. Cleared employees should be aware of recruiting techniques, suspicious contact engagements and other methods that adversaries may use to acquire sensitive information in their possession or in their heads, what they have knowledge of.

Unknown Speaker  14:51  
There are a few methods that FSOs can use to bring awareness to their teams, making awareness part of the culture and injecting it into the enterprise. For example, while the FSO leads a team of security professionals, or in some cases with smaller companies is the team of security professionals, they should create the type of training that is tailored towards every team working on a different classified contract. Injecting this knowledge into the security program also enhances security posture by bringing to light the types and frequency of suspicious contacts.

So point number one, the purposeful execution of foreign travel pre-briefings. Now we know that in the National Industrial Security Program Operating Manual there's emphasis on reporting foreign travel, and this is a big task because now the facility security officers look ahead and try to get their cleared employees to report any potential overseas travel, and this could include those overseas travel occasions during cruises. The FSO needs to know this information because now the cleared defense contractor is required to report foreign travel to the DCSA. Now, giving this briefing helps the foreign traveler be aware of any recruiting potential. A threat and/or defensive briefing should be provided to each cleared employee, and the NISPOM requires this. The training and briefing should be documented with signatures, dates and contents of the briefings and presented to the DCSA upon request when they do their annual reviews, or whenever those reviews are occurring.

Point two is conduct debriefings once the employees return from their travel. This is a tool to follow up with the threat or defensive security training or briefing that was presented prior to their travel. Now you can close the loop and provide it in your reports, or just close the loop and demonstrate that closure to the DCSA during their audit.

Three, implementation of a quality assurance effort to check and verify suspicious contact reports, the training, the reporting directions and employee knowledge. For example, setting up an appropriate simulated exercise to validate employee knowledge or their situational awareness of the suspicious contact reporting process. This can be done in a couple of different ways. One is providing trigger points at various business units. For example, a cleared employee traveling overseas may be required by policy to contact Human Resources, the company's insurance company, travel branch or travel arrangers, export compliance officer and many others. So the FSO can build in and demonstrate a trigger point where they are notified to provide the briefings or other performance actions. The other sub point is build in simulation exercises during annual security refresher training; demonstrate and document this training, discussion, role playing and other activities that teach and test cleared employee knowledge.

Well, as I mentioned before, tips can be found in my book, How to Get U.S. Government Contracts and Classified Work. Also, if you visit Red Bike Publishing, we do have these NISPOM required trainings that you can download. We have security awareness training, annual refresher training, derivative classifier training, insider threat briefings and more. You can just download and present to your cleared employees and receive credit for that.

I'd like to talk to you now about one of my friends and sponsor, Ron Sykstus. That's S-Y-K-S-T-U-S. And he says, for example, you might be filling out your SF-86, or application for security clearance, and you suddenly realize that there are red flags. Ron says you need good advice before submitting that SF-86. So get with Ron and involve him as soon as possible in your process. It's always best to have him review your problem questions and answers before you submit.

Unknown Speaker  19:51  
You can call Ron at 256713 or 0221, you can email him at R Sykstus at Bond N Botes, that's B-O-N-D, the letter N, B-O-T-E-S, or visit Security Clearance Defense, and also we're going to have his information in our show notes as well.

Alright, this next discussion is about a security certification called the Industrial Security Professional, and the Industrial Security Oversight Certification, two different certifications. One is by a professional organization called NCMS, and the other is by the Department of Defense. And so we have a master exam prep for studying for the certifications. And we have two of them, in two formats. One is for the older version of the NISPOM, and one is for the upcoming version of the NISPOM. Currently, both certifications are testing out of the older version of the NISPOM. But if you want to get ahead and study for when the test changes over to 32 CFR Part 117, these books are available.

Now there's a lot of debate about professional certification. Currently, the drive and motivation for facility security officers and their staff to become ISP certified is still self motivation and not yet a requirement. So there are not many outright requirements for security professionals to devote time, money and other valuable resources necessary to getting that certification. The Department of Defense and professional organizations like ASIS and NCMS are performing the monumental task of creating credible and viable certification programs to demonstrate a professional's expertise. I do recommend that professionals seek out and qualify for the appropriate ones. There are a few job announcements that you might see out there, job postings with defense contractors, that actually require certification. But slowly the DoD agencies are tying security certifications to job positions as well.

Now the DoD has created a certification for their employees called the Security Professional Education Development Program, or SPēD, and it's pronounced "speed" with a long E. Now, some agencies do require other certifications, but none have called out this ISP certification. They are, again, beginning to call out SPēD certification, and under the SPēD certification program there are many certifications, called Security Fundamentals Professional Certification, the ISOC as I mentioned earlier, the SAPPC. Now since contracts, regulations and jobs don't really require those protecting classified information to have a certification, why would anybody want to really pursue such an aggressive campaign to learn NISPOM topics, other than that it's a fine piece of material to read? Here are five of the many reasons a professional should seek this certification.

One, become more attractive as an employee. Now if a certification requirement does not exist, the employee could work out an agreement with their supervisor; the supervisor would agree to challenge all employees to study for and take that certification. Once they passed, they could be eligible for promotion and raises if they remain in good standing. Two, become more attractive while bidding on contracts. A contractor with ISPs can leverage that they have employees board certified to protect classified information. My company actually did that with me. Prepare for better opportunities. A certification can set one employee above the rest; sometimes being the best may not be enough, you have to prove it. Knowledge, skills and abilities are believable when proven with board certification. Though this certification may not be a requirement, it can give that extra push during evaluation time, for raises, and of course during that job interview.

Unknown Speaker  24:31  
You can help others. According to the NCMS, ISPs can serve as mentors and certification exam proctors. The ISP also gives credibility to those who would like to teach and train within their profession. Now being certified opens doors for you to be a mentor and help other people become certified. This mentorship is incredibly valuable; it gives you a chance to practice your skills and your expertise. Now consulting. Speaking of proof and credibility, many of you are consultants or have plans to become a consultant. If you write, teach, consult, demonstrate or represent industrial security to clients and customers, certification should be behind your name because it will cause your potential customers to pay attention. So if you're waiting for something to make you get certified, keep waiting; it's not going to happen. But if you're self motivated, go for this certification. Trends show that the certification is not going to be required anytime soon. However, if you want to be among the few industrial security professionals, get your certification and demonstrate that you are among the professionals board certified to protect that classified information. As I mentioned earlier, we do have these books available at Red Bike Publishing, and if you want a fundamental walk through the NISPOM, we do have a course set up at Bennett Institute called NISPOM Fundamentals. And we hope to see you there.

Alright, I would like to tell you now, give me a moment for a special message from SIMS Software. That's S-I-M-S, M as in Mike, SIMS Software. Cleared defense contractors, you represent the backbone of innovation, the front line of our national security and all that we hold dear. SIMS Software is proud to be your ally in these endeavors. As the most trusted name in industrial security information management for over 30 years, SIMS Software equips you with the tools to protect the lifeblood of your organization.

Our flagship SIMS suite provides all the features and functionality you need to run an automated, paperless industrial security program. Gain a 360 degree view of every physical, virtual and human asset inside your security domain, from classified documents and materials to cleared personnel, facilities, visitors, controlled information systems and more. SIMS supports requirements within all security communities. Visit SIMS Software online or call 858481929, or see our show notes for more information.

Thank you so much for attending another episode of DoD Secure with me. I'm your host, Jeff Bennett, and it's been truly a pleasure. We're going on three years now and we appreciate every one of you. Please go back to our catalogue and listen to our other shows if you're new. And by all means send comments; I put an email link in our show notes at Red Bike Publishing. Visit our sponsors too; they've put a lot of themselves into this product and we appreciate every one of them. Remember, you can find out more about our podcast and our services and products, if you're interested, in our show notes. So until next time, we'll see you.
