Cleared defense contractors provide the technology and know-how that delivers products and services to our defense industry. CDCs and be a prime contractor or subcontractor and are contracted to support government organizations. The designation of CDC indicates that the organization is a government contractor with a facility clearance and is made up of employees with personnel security clearances. With classified contracts, the CDCs are required to protect their government customer’s classified information while performing on classified contracts.
The CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts. The guidance includes topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearance, and much more. The Defense Counter-Intelligence and Security Agency (DCSA) formally known as DSS provides most DoD agency oversight and compliance reviews. They perform vulnerability assessments and determine how well a CDC protects classified information according to the NISPOM.
Cleared Defense Contractors have a big job not only performing on classified contracts, protecting classified information, but also documenting or validating compliance. The following tools should be in the CDC’s toolbox and can be employed to help them remain in compliance and demonstrate their level of compliance.
1. National Industrial Program Operating Manual (NISPOM)
The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors of how to protect classified information. This printing of the NISPOM includes the latest from the Defense Security Services to include an Index and Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities including: Security Clearances, Required Training and Briefings, Classification and Markings, Safeguarding Classified Information, Visits and Meetings, Subcontracting, Information System Security, Special Requirements, International Security Requirements and much more.
2. International Traffic in Arms Regulation (ITAR)
“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register… ” ITAR “It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.”-DDTC
Companies that provide defense goods and services should understand how to protect US technology; the ITAR provides the answers. ITAR is the defense product and service provider’s guide book for knowing when and how to obtain an export license. This book provides answers to:
Which defense contractors should register with the DDTC?
Which defense commodities require export licenses?
Which defense services require export licenses?
What are corporate and government export responsibilities?
What constitutes an export?
How does one apply for a license or technical assistance agreement?
3. Self Inspection Handbook For NISP Contractors
The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used as a checklist only. Rather it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. You will also find they have included various techniques that will help enhance the overall quality of your self-inspection. To be most effective it is suggested that you look at your self-inspection as a three-step process: 1) pre-inspection 2) self-inspection 3) post-inspection.
4. Training for Cleared Employees
a. Initial Security Awareness Training and Security Awareness Refresher Training
Initial Security Awareness Training and Security Awareness Refresher Training
The main presentation is great for initial training or for refresher annual security awareness training required of all cleared employees.
NISPOM requires the following training topics during initial training and refresher training:
• Threat Awareness Security Briefing Including Insider Threat
• Counterintelligence Awareness Briefing
• Overview Of The Security Classification System
• Employee Reporting Obligations And Requirements, Including Insider Threat
• Cybersecurity awareness training for all authorized IS users
NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.
b. Derivative Classifier Training
The NISPOM outlines requirements for derivative classification training to include… the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to perform the tasks.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information.
c. Insider Threat Training
This training program includes the NISPOM identified Insider Threat Training requirements. The NISPOM has identified the following requirements to establish an Insider Threat Program. Download and present the training here and meet the training requirements:
• Designate an Insider Threat senior official
• Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
• Establish an Insider Threat Program group
• Provide Insider Threat training
• Monitor classified network activity
• Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
• Conduct self-inspections of Insider Threat Program.
d. SF 312 Briefing
This Training is for Newly Cleared Employees and should be given prior to Initial Security Briefings
Newly cleared employees must sign an SF-312, Non Disclosure Agreement. Instead of just having them sign the box, why not give them the appropriate SF-312 Briefing describing what exactly is on the form and why they are signing it.
As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are evaluated on how well they are protecting classified information. The tools mentioned above are designed to assist the CDCs in meeting requirements.