Category Archives: NISPOM/DCID

Travel with a USG security clearance? 5 tips for a secure trip

Travel security for the cleared professional is incredibly important, both for personal safety and for the protection of classified information.

One of the first briefings an individual receives after being informed that they have been granted a security clearance is the counterintelligence brief. The counterintelligence brief includes multiple references to foreign and hostile intelligence services and their interest in individuals who have been granted a security clearance and enjoy the trust of the U.S. government. This is reinforced during the foreign travel security brief, which the cleared individual receives from their Facility Security Officer.

Both the Federal Bureau of Investigation and the Defense Security Service have issued counterintelligence guidance (see below) to prepare the foreign traveler, and it should be a mainstay of any traveler’s pre-travel preparation.

5 travel tips

Tip #1:

Travel with “designated” travel devices. Ensure the device(s) being used are “designated” travel devices, that is, devices which are sanitized prior to travel and loaded only with the data required for the trip. The traveling executive will no doubt want access to every email and all their electronic files when on the road, as productivity may otherwise drop. Security concerns, however, make it prudent to travel only with information specific to the trip.

Tip #2:

Maintain 24/7 possession of these devices. As detailed in the counterintelligence pamphlets, foreign intelligence services delight in being allowed physical access to cleared U.S. personnel’s electronic devices. Maintaining 24/7 possession increases their level of difficulty considerably. Do not allow convenience to trump security by relying on the hotel room safe to secure the electronic devices. While the safe may slow down the casual thief, it can be opened by the aforementioned foreign intelligence service in seconds, using the same technology the hotel uses when you call to advise that you have forgotten the 4-6 digit PIN and your passport is inside.

Tip #3:

Register your itinerary with the U.S. Department of State. The Department of State’s Smart Traveler Enrollment Program is designed specifically to alert the U.S. Embassy or Consulate in the country where one is traveling. Enrollment is free, and the traveler can update their itinerary via the website. In the event of a natural catastrophe or civil disturbance, the Embassy/Consulate will have your contact data, and if warnings or alerts are provided to U.S. persons in the consular zone, the traveler will be included.

Tip #4:

Have no expectation of privacy. While privacy is fleeting in many locales due to population density and cultural norms, the privacy discussion here concerns privacy for sensitive conversations or meetings. Hotel rooms, restaurants, elevators, cafes, lobbies, etc. should all be considered hostile environments in which no sensitive conversations should take place.

Tip #5:

Avoid illegal activities. Avoid any activities which could be construed as provocative by the local security services. Travelers in foreign locales sometimes lose their inhibitions; do not. Nothing makes the foreign intelligence officer’s job easier than a traveler who chooses to place themselves in a compromising position. This could take the form of taking an envelope from a stranger, engaging in black-market currency exchange, purchasing illegal substances, etc.

Need help putting together a travel security program for your company?

We can help.

Contact us directly via our contact page.

The above first appeared under the byline of Christopher Burgess on ClearanceJobs.com.


National Security – Facility Security Officer & Cognizant Security Authority

Within the defense contractor environment, the roles and responsibilities of the Facility Security Officer are of critical importance.

Thinking of entering the defense contractor marketplace, or wishing to provide services to a classified government customer, the Department of Defense, the intelligence community or another government agency or department? You will want to familiarize yourself with the National Industrial Security Program Operating Manual (NISPOM) and the Director of Central Intelligence Directives (DCIDs). The NISPOM is your security operational bible, containing the many parameters surrounding classified defense engagements, while the DCIDs serve the same purpose for engagements within the intelligence community.

Fair warning: working within the classified community you will encounter acronym overload; the manual contains over 103 of them. That said, there are acronyms which every entity supporting a classified government engagement will want to know. The CSA, CSO and FSO are three of the most important.

CSA = COGNIZANT SECURITY AUTHORITY

In NISPOM/DCID parlance, Cognizant Security Authority (CSA) denotes the department or agency which has security administrative responsibility for the classified activities and contracts under its remit. The CSA serves as the ultimate arbiter with respect to interpretation of the NISPOM or DCIDs, whichever is applicable. Inquiries are forwarded to the CSA either through the Cognizant Security Office (CSO) for contractor facilities, or through the commander or head of facility for U.S. Government facilities. If a contractor is to utilize a CSO, the CSA will identify that entity to the contractor. In addition to providing interpretation of the operating manuals, the CSA also serves as the decision point with respect to obtaining a waiver.

FSO = FACILITY SECURITY OFFICER

Within defense contractor facilities sits the Facility Security Officer (FSO). The FSO must be a U.S. citizen employee who is cleared to work within the cleared facility, and is appointed to the role by the employer, the contractor. The FSO will “supervise and direct security measures” within the facility. Thankfully, one is not simply appointed FSO and cut loose; the FSO is required to take the applicable training courses in order to fully understand the complexity of the requirements levied by the CSA and outlined within the NISPOM/DCIDs.

Those who enjoy the trust of their government and work within a classified environment can expect the FSO to provide facility-specific standard operating procedures (SOP). The SOP will include the applicable portions of the NISPOM/DCIDs, as well as any unique requirements levied by the CSA or the contracting government agency.

Reference: NISPOM February 2006 (Incorporating Change 1 – March 28, 2013)

This article was originally crafted for ClearanceJobs.com in January 2014 and has been updated prior to being posted here.


Top 10 reasons your employee’s security clearance was rejected

We’ve all been there. The Defense Industrial Security Clearance Office (DISCO) or the Office of Personnel Management (OPM) rejects your applicant’s application package. What went wrong? Your employee dutifully filled out all the necessary paperwork, and you thought the application package was complete and tight. But here you are, reading, “We are sorry to advise that your application package for John Doe has been rejected; please address the following issue and resubmit.”

In today’s highly mobile society, where changes of residence and job occur more frequently than in the past, complete data helps the applicant tremendously. With respect to DISCO, their number one identified issue is incomplete or missing employment information.

DISCO admonishes:

“List all employment; include the company which is submitting the clearance request as current employer. Applicant should list all full-time work, paid or unpaid, consulting/contracting work, all military service duty locations, temporary military duty locations (TDY) over 90 days, self-employment, other paid work, and all periods of unemployment.”

OPM, meanwhile, notes that its number one identified issue is fingerprint cards not being submitted in a timely manner.

OPM admonishes:

“Fingerprint cards must be provided to OPM within 14 days of approval by DISCO”

The good news is that both DISCO and OPM have shared with us their top ten reasons for application rejections (current as of July 2012).

DISCO – THESE TEN ITEMS ACCOUNT FOR 96% OF ALL DISCO REJECTIONS

  1. Missing employment information
  2. Missing social security number of spouse or adult co-habitant
  3. Missing relatives information
  4. Missing Selective Service registration information
  5. Incomplete information concerning debts or bankruptcy
  6. Missing education reference information
  7. Missing employment reference information
  8. Incomplete explanation of employment record
  9. Missing personal reference information
  10. Missing explanation of drug usage

OPM – THESE TEN ITEMS ACCOUNT FOR 98% OF ALL OPM REJECTIONS

  1. Fingerprint cards not submitted within the required timeframe
  2. Certification/Release forms information illegible or missing
  3. Certification/Release forms not meeting date requirements
  4. Discrepancy of place and date of birth information
  5. Missing references (character, residential, employment or educational)
  6. Discrepancy of e-QIP Request ID Number
  7. Missing employment information
  8. Certification/Release forms not submitted
  9. Missing education information
  10. Missing residence information

Using the above two lists as a final checklist will significantly reduce the likelihood that the applicant’s package will be rejected for a missing or incomplete item. Remember, it is both the applicant’s and the security officer’s responsibility to ensure the packages submitted to DISCO/OPM are complete.

As the adage goes, the devil is in the details.

This piece by Christopher Burgess originally appeared on the ClearanceJobs blog.

Resume Security – Know what and where you are posting

Resume security: the security risks associated with resumes, covering both the content candidates provide and the employer’s processes, checks and balances.

RESUME SECURITY

There are two sides of the coin surrounding the security aspects of the job hunt. On one side we have the individual and the risks to which the jobseeker is exposed during the job hunt; on the other we have the employer, who is sifting and sorting for the best candidate while also managing the risks of making decisions based on resume content.

THE JOB HUNTER:

What are your risks?

The resume: Identity theft comes in many forms, from something as mundane as having your content lifted and used by another person. How can you protect against identity theft? Some items shouldn’t appear on a resume, including your Social Security Number (SSN) or your physical address. A telephone number or a unique, one-off email address should be sufficient for an interested employer to reach out and engage. Only when an offer is to be made, or when the interview process has advanced to the background check step, should these key identity items be provided.

The job search process: It is important to know with whom you are sharing your resume, and the bona fides of the recruiter or of that blind position you see on a job board. There have been documented cases of individuals with access to Human Resource systems culling through personnel and applicant files, lifting enough information to craft a parallel identity and then obtaining credit cards and loans under the duplicate persona. The aforementioned steps will go a long way toward lowering the identity theft risk.

THE EMPLOYER:

What are your responsibilities?

The employer is challenged to ensure the candidate is who they claim to be and that the information they are providing is accurate. The risk of fraudulent data finding its way onto a resume is not insignificant. According to a recent survey conducted by HireRight, two out of three employers have encountered an applicant lying on their resume (which may indicate the true number is higher, since the likelihood of 100% of those engaging in this fraudulent practice being identified is slim). Reviewing social networks is a low-cost, high-return method of validating the candidate’s bona fides. Call references, and develop secondary-level references during your background check. And do yourself a favor and use a secure, niche site such as ClearanceJobs.com.

The employer also must remember to protect their job applicants’ information from various types of exploitation, including financial identity theft (loans, credit cards, bank accounts); Social Security identity theft, since a market for Social Security numbers exists to document those who are ineligible for them; and use of an applicant’s identity when confronted by law enforcement.

In sum, if you are looking for your next position, remember that when you post or submit a resume you are placing your information into the hands of another to protect; take a moment and ensure that you are not giving away too much personal information. And for those who are accepting resumes, remember you are being entrusted with the personal information of an applicant – protect it.

Source: http://news.clearancejobs.com


Prevendra: U.S. National Industrial Security – NISPOM Training Requirement


For U.S. defense contractors, the National Industrial Security Program Operating Manual (NISPOM) is the bible of process, procedure and how things are accomplished for every contractor. Additionally, every cleared employee must be provided security training, and you, the contractor or the contractor’s security representative, are responsible for its creation and presentation. Your cleared personnel are also individually responsible; as noted in “Security – Who is Responsible?”, each employee is both responsible and accountable for the security of their customer’s data and their own company’s data. U.S. defense contractors have a bit of assistance in preparing their training in the form of NISPOM Chapter 1, paragraph 1-205, Security Training and Briefings, which states, “Contractors are responsible for advising all cleared employees, including those outside the United States, of their individual responsibility for safeguarding classified information. In this regard, contractors shall provide security training as appropriate, according to Chapter 3, to cleared employees by initial briefings, refresher briefings, and debriefings.” In NISPOM Chapter 3, paragraphs 3-100 through 3-108, the Department of Defense goes on to discuss the specifics of the Security Training and Briefings requirement; Chapter 3 contains all the information necessary to ensure your training program meets the NISPOM training requirement. Let’s discuss some of the content of an effective NISPOM training program.


NISPOM Chapter 3

What do you have in your training deck? The answer had best be appropriate content, and lots of it. It’s not enough anymore to buy a training kit and roll it out to your population; you must adjust your training content to accomplish the goals and objectives of the Cognizant Security Agency (CSA) and your company.

Threat awareness briefing? How do you design your threat assessment briefing? Can your colleagues answer the questions of a CSA auditor in an appropriate manner? Perhaps more to the point: should a hostile individual approach, would colleagues who have been through your training recognize the threat, whether it arrived via their network connection or in person, and respond appropriately? How do you test for comprehension?

Defensive security briefing? What is the company’s defense? How does it align with the CSA? Will your defensive security brief prepare you for all encounters which may occur involving a person or entity with deleterious designs on your company and CSA? And don’t forget the counterintelligence component. Regardless of your overall security budget and posture, there is no reason why an individual can’t be fully prepared with a defensive security brief and access to ongoing, dynamic education.

Classification system (government and company)? Pay attention to your customer’s data classification system, and if the NISPOM applies, ensure all personnel know how and where classified information is to be stored, transported and created. Furthermore, every company should have its own data classification system; the more complex it is, the less it will be used, so keep it simple. Many companies have been able to survive with three levels: Public, Company Private and Company Restricted.

Reporting obligations and requirements? Every individual with a security clearance is obliged to adhere to a series of reporting requirements. These range from the basic reporting of foreign travel and fraternization with foreign nationals required of U.S. cleared personnel, all the way to the highly sophisticated nuances of a Special Access Program.

Security procedures and duties applicable to the employee’s job? Does your training take into account the subtle differences between internal locations and, if you deal with multiple CSAs, ensure the Standard Operating Procedure (SOP) is correct and applicable to all jobs, all positions and all locations?

What is your cadence? The NISPOM requires you to have an annual security education and training program for every cleared employee. Is once a year sufficient? Do you refresh your content? What is your content? Lectures? Video-on-demand? Interactive self-paced training? At Prevendra, we advocate ongoing and continuous training and refreshing, with an annual comprehensive review. Once and done may make you compliant with the NISPOM, but your employees won’t have the same retention as with an ongoing, comprehensive training regime.

All of the above constitutes the bare-bones training regime to satisfy the NISPOM training requirement. With a bit of creativity and investment, a comprehensive ongoing training program can be created which ensures your cleared employees are always exposed to new training materials.

Here is a training film from the US Government archives, circa 1963: Cold War Espionage

At Prevendra, knowledge is shared, secrets are protected.

Loose Lips Can Cost Lives – Photo credit: Creative Commons License James Vaughan via Compfight