Try these ISP Certification Test Questions

Posted in Uncategorized on October 22, 2013 by Red Bike Publishing

1. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL1?
a. Trans 1
b. Trans 2
c. Trans 3, 4
d. Trans 5
e. Trans 6

2. Which entity is required to review and revise the Contract Security Classification Specification when a change occurs?
a. CSO
b. GCA
c. CSA
d. FSO
e. GSA

3. Which are appropriate page markings for a document classified at the SECRET level?
a. SECRET, TOP SECRET, SENSITIVE, CONFIDENTIAL
b. CONFIDENTIAL, SECRET, UNCLASSIFIED
c. CONFIDENTIAL, FOUO, TOP SECRET
d. UNCLASSIFIED, FOUO, SENSITIVE
e. All the above

Scroll down for answers

1. In the Protection Profile Table for Confidentiality, which Data Transmission is required for PL1?
a. Trans 1 (NISPOM Chapter 8 Table 5)
b. Trans 2
c. Trans 3, 4
d. Trans 5
e. Trans 6

2. Which entity is required to review and revise the Contract Security Classification Specification when a change occurs?
a. CSO
b. GCA (NISPOM 4-103b)
c. CSA
d. FSO
e. GSA

3. Which are appropriate page markings for a document classified at the SECRET level?
a. SECRET, TOP SECRET, SENSITIVE, CONFIDENTIAL
b. CONFIDENTIAL, SECRET, UNCLASSIFIED (NISPOM 4-204)
c. CONFIDENTIAL, FOUO, TOP SECRET
d. UNCLASSIFIED, FOUO, SENSITIVE
e. All the above

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including “Insider’s Guide to Security Clearances”, “DoD Security Clearances and Contracts Guidebook”, “ISP Certification-The Industrial Security Professional Exam Manual”, and “NISPOM/FSO Training”.

New ITAR Guidelines

Posted in defense contractor, export, government, itar, technical data on October 16, 2013 by Red Bike Publishing
The unofficial ITAR has been updated. The three affected parts are Part 120, Part 123 and Part 126. Some of the changes fill in paragraphs that were formerly categorized as “reserved”. The changes add 20 pages to a 5 x 6 book publication of the ITAR, which is pretty significant. Part 126.16, for example, was formerly marked as “reserved” and is now filled with 5500 words of text.
Let’s take a look at the exemption for the Defense Trade Cooperation Treaty between the United States and Australia. This paragraph defines transfer, export, retransfer, reexport, Australian Community, United States Community and other relevant terms. It also explains which exports qualify for licensing exemptions. Though the information addresses the transfer of export controlled items between the US and Australia, this article is written to provide a rule of thumb for handling all cases of export controlled information, articles and services.
Paragraph 126.16 also addresses the export of defense articles, both classified and unclassified. For example, it reminds us that “U.S.-origin classified defense articles or defense services may be exported only pursuant to a written request, directive, or contract from the U.S. Department of Defense that provides for the export of the classified defense article(s) or defense service(s).”

Paragraph 126.16 j. further identifies the required markings based on the classification level of the export and refers to the National Industrial Security Program Operating Manual (NISPOM).
The lesson here is for government and contractors to properly identify defense articles and information, proprietary data, classified information and technical data, and to know where each resides. Without proper identification and protection, an unauthorized export could occur. The unauthorized activity could be mistakenly exporting an item as exempt from licensing where a license is actually required. Another example would be providing export controlled information in a briefing from which non-US persons should have been excluded, and so on.
To prevent unauthorized exports, follow this simple rule of thumb. The government identifies and properly marks the information as government owned, controlled, for official use only, critical technology, etc. The contractor is bound to heed the protection requirements. This includes contract sensitive items, research and development, plans, drawings and other government program items. The contractor must also identify customer furnished equipment and treat any contract related items, by-products, etc. with the same level of sensitivity as identified by the government and other contractors.
The next step is selecting countermeasures such as marking the items, limiting access to US persons, or enforcing need to know, so that any chance of unauthorized export, “deemed” or otherwise, is limited. Confusion over whether something is exportable, whether a license is required or whether the items are exempt is eliminated when employees can easily identify what is export controlled.

For a printed copy of ITAR and the NISPOM, visit www.redbikepublishing.com


The Standard Form (SF) 312 is revised

Posted in DSS, fso, nispom, Security, sf 312 on October 10, 2013 by Red Bike Publishing

In July 2013 the SF 312, Classified Information Nondisclosure Agreement, was updated to reflect language from the 2011 Public Law 112-74, Financial Services and General Government Appropriations Act, and the 2012 Public Law 112-199, Whistleblower Protection Enhancement Act (WPEA).

The WPEA lays out the protection in place for employees who report instances of fraud, waste and abuse, and its language is being added to many forms, including non-disclosure agreements. Cleared employees are required to report adverse information concerning themselves and other cleared employees. Adverse information is anything that would call into question a person’s loyalty or ability to protect classified material. Additionally, cleared employees should report any changes in protective measures at a cleared facility that would indicate classified information is not being protected as originally intended.

So, why is the WPEA language included?

Reporting adverse information is a requirement of all cleared employees who observe questionable practices concerning an employee’s ability to protect classified information. Though a daunting task, reporting this information is an expectation levied on cleared employees. Adverse information reporting is part of the continuous evaluation process and used to determine whether or not a cleared person is still trustworthy of having access to classified information.

The WPEA language might seem out of scope for a document requiring the continuous protection of classified information. However, this language is not a warning reminding employees of an obligation, but a legal requirement for employers to protect employees who report instances of fraud, waste and abuse. This reporting applies to derivative classification reporting, classification challenges, etc. Fraud, waste and abuse issues can be reported on processes, machinery, costs, etc. used within a national security structure. With this language, an employee can better report fraud, waste and abuse involving potentially classified information through classified channels. Without it, an employee may not know how to report such instances.

So now what?

Include this language while providing NISPOM training. Train your employees on the SF 312, security awareness, security refresher and other training. Need ideas? Check this out.


The revised SF 312 dated 7-2013 is posted in the General Services Administration (GSA) forms library on their website and can be directly downloaded here. There is no requirement to re-sign and execute a new SF 312; previously executed forms are still valid.


marcus evans ITAR Compliance WEST Conference

Posted in compliance, export, itar, marcus evans on October 10, 2013 by Red Bike Publishing

Executives from the Aerospace, Defense, Satellite and Similar Industries to Share Best Practices and Lessons Learned at the marcus evans ITAR Compliance WEST Conference 

Navigating the Complexities of the Changing Compliance Structure through Improved Operational Communication, Language Interpretation and Jurisdictional Understanding 

San Diego, CA – September 27, 2013 – marcus evans, the world’s largest event management group, will host the ITAR Compliance WEST Conference, November 18-20, 2013 in San Diego, CA. Executives across the Aerospace, Defense, Satellite and similar industries will share their thoughts and practices for compliance with the ever-evolving export regulations. DRS Technologies, Raytheon, Northrop Grumman, Virgin Galactic, Lockheed Martin Space Systems Company, Maxim Integrated and many others will be discussing their challenges and efforts with past and upcoming reform efforts.

October 15, 2013, new rules are expected to go into effect changing the current status of exports. Positive steps have been made to increase efficiency and ease the impact of these recent and ever changing regulations and the marcus evans ITAR Compliance WEST Conference will tackle the latest obstacles and pressing issues in the industry while highlighting how organizations stay competitive in today’s global atmosphere. 

Attending this marcus evans conference will enable executives to:
– Manage the transition from ITAR to EAR and review recent changes to the Export Control Reform Initiative
– Develop new compliance structure methods and data sharing techniques
– Grasp new definitions and language found in the recently released regulations
– Review prior violations and corrections and identify best practices
– Explore upcoming regulation releases and what the future holds for ITAR Compliance

For more information on this conference or to get a complete list of speakers or sessions, please visit http://www.marcusevans-conferences-northamerican.com/ICW2013_PRelease or email Tyler Kelch, Media & PR Coordinator, tylerke@marcusevansch.com

About marcus evans 

marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.


How to get ready for the DSS Inspection

Posted in derivative classification, DSS, fso, nispom, training on October 2, 2013 by Red Bike Publishing
As mentioned in an earlier article, NISPOM Change 1 requires Derivative Classification Training and Record Keeping Guidance. This guidance requires that the cleared contractor provide cleared personnel with initial Derivative Classification Training and follow-up training at least once every 2 years. The training topics are vital to the cleared contractor performing on classified contracts. Properly trained employees reduce the risk of unauthorized disclosure of classified information.
Currently this training can be put in place at the cleared contractor’s initiative. The sooner training is implemented the better. The Defense Security Service will be publishing an Industrial Security Letter (ISL) that provides instruction for conducting training, including a “trained by” date to meet the requirements of the recent NISPOM changes. Why not begin the training now and be prepared for success before DSS gives the deadline for conducting training? Remember, if not trained, cleared employees cannot perform on classified work requiring derivative classification. That’s a lot of missed.
Remember that DSS is in the business of auditing. They are more than capable of helping a company succeed with good training and working relationships, but they are also just as equipped to find security violations. Failure to protect classified information is a security violation. Failures are often caused by mismarked materials.
For example, after reviewing the requirements of a DD Form 254 and statement of work, the industrial security representative discovers that derivative classification work has been occurring since the contract award a year prior. However, training records indicate that the derivative classification training had only been conducted in the last two weeks (while preparing for the inspection). It wouldn’t be hard to deduce that there is a possible security violation and that a review of the classified inventory is in order.
So, how can you prepare to meet this challenge? 
Cleared contractors can refer to NISPOM paragraph 4-102 and develop training based on the directed subjects. Document that training and schedule follow-up training in two years. A good practice is to provide a copy of the training with training signatures or certificates. That way DSS can determine who was trained and whether or not the derivative classification training conformed to NISPOM Change 1.
No time to write training?
You can find training through professional organizations, at the DSS website or here.


Try the ISP Certification Practice Questions

Posted in csa, DSS, fso, fso training, gca, isp certification, nispom on September 23, 2013 by Red Bike Publishing

Are you studying for the ISP Certification Exam? If so, try these questions. There are 440 more just like them in Red Bike Publishing’s Unofficial Study Guide for: ISP Certification

1. Subcontracted guards must be under a classified contract with which of the following:
a. GCA, CSA
b. CSA, DSS
c. Cleared contractor facility, Installing alarm company
d. Monitoring station, Installing alarm company
e. All the above

2. Contractors who extract classified information are making _____ decisions:
a. Reasons for classification
b. Security Classification Guidance
c. Derivative classification
d. Classification
e. Classified document

3. A U.S. contractor’s requirement to maintain custody, control and storage of classified information abroad is the responsibility of:
a. GCA
b. U.S. Government
c. CSA
d. State Department
e. DGR

4. U.S. RESTRICTED AND FORMERLY RESTRICTED Data is marked all EXCEPT:
a. COSMIC TOP SECRET ATOMAL
b. NATO RESTRICTED ATOMAL
c. NATO CONFIDENTIAL ATOMAL
d. NATO SECRET ATOMAL
e. None of the above

Scroll down for answers:




1. Subcontracted guards must be under a classified contract with which of the following:
c. Cleared contractor facility, Installing alarm company (NISPOM 5-903a4)

2. Contractors who extract classified information are making _____ decisions:
c. Derivative classification (NISPOM 4-102)

3. A U.S. contractor’s requirement to maintain custody, control and storage of classified information abroad is the responsibility of:
b. U.S. Government (NISPOM 10-602a)

4. U.S. RESTRICTED AND FORMERLY RESTRICTED Data is marked all EXCEPT:
b. NATO RESTRICTED ATOMAL (NISPOM 10-701)
Applying Risk Analysis to Cleared Defense Contractors

Posted in DSS, fso, nispom, risk, susceptibility, vulnerability on September 21, 2013 by Red Bike Publishing

DSS has announced the new Vulnerability Assessment Rating Matrix 2013 Update. The matrix does provide a good way to gauge a security program. Even though the threat, vulnerability and impact are already identified, an FSO should still use a risk assessment model. The way to get to good evaluations and enhanced measures is to analyze the protection of classified information and demonstrate how the NISPOM is implemented. A risk analysis provides that answer.

The NISPOM and other guidance make our jobs easy. For example, if it’s classified, lock it up in a GSA approved container and limit access to those with a clearance and need to know. The above is simplified for discussion purposes, but it makes the point that there is another piece to protection: analysis.

You might be familiar with the terms susceptibility, vulnerability and risk analysis. These are analyses that we in the defense industry should be regularly practicing, but as demonstrated above, NISPOM makes it easy for us to get by without analysis.

Let’s look at the terms in ways we can apply them. Susceptibility is the evaluation of assets on hand and prioritizing them for protection. However, there is no defined threat. For example, I am susceptible to malaria. However, I do not have to take any countermeasures as long as I am not exposed to someone who has malaria. If I travel to an area that is known for malaria outbreaks, I need to take precautions.

Suppose a contractor makes helicopter harnesses. Their assets are proprietary processes, harnessing material, know-how, customer drawings, inventory and facilities. For susceptibility, a security manager would work with shareholders and customers to prioritize the assets and determine which are more valuable and worthy of the most security effort. The security manager would then implement best practices to protect those assets against general threats. We don’t know who the bad guys are or what they want; we just want to make the product hard to get. Security might put sensitive items under lock, key and alarm, limit access to sensitive information and issue employee badges to keep non-employees out of the work area.

Vulnerability is susceptibility in presence of a threat. I am susceptible to malaria, but now I’m going on a trip to Nepal where malaria is documented. I now have documented evidence of a threat and impact; I could become very sick and possibly die. Now I am vulnerable to a threat.

Back to the contractor making harnesses for helicopters. The project manager has just learned that employees from other contracts are “borrowing” inventory to fulfill their customer requirements. This team is vulnerable to not having enough resources to meet customer requirements. We now have documented evidence of a valid threat with the impact of the possible shift in schedule.

A risk analysis looks at the identified vulnerability and applies tailored countermeasures to reduce the threat activity. I don’t want to die, so I conduct a risk analysis. I could take the risk averse direction and just not go to Nepal, but that’s out of the question. Another option is to accept all the risk and take my chances that I could be one of the fortunate ones. However, I could go to the doctor and get a treatment to prevent malaria even as I am exposed to it. My further risk assessment would include the different kinds of treatment with their various dosage schedules and side effects.

The contractor making helicopter harnesses should conduct a similar risk analysis. He could become risk averse and move his employees to a dedicated area and control access exclusively, but the cost would outweigh the risk. He could accept all the risk and continue as before, but the threat would reduce his capability. He could also conduct further analysis and come up with low cost/no cost solutions to address the threat. These solutions could be to move the inventory bin to a location where it can be better observed, inform the program managers of other programs of their employees’ unacceptable behavior, etc.
A risk analysis begins with susceptibility analysis and ends with ensuring adequate countermeasures exist to prevent loss. Even though the NISPOM addresses requirements for operating under the National Industrial Security Program, the FSO should address susceptibility, vulnerability and risk for all assets at the cleared facility. Each cleared contractor works with classified information in varying environments and degrees of difficulty. The NISPOM can’t address every situation but risk analysis can.

