Industrial Security & You: May Your Days be Merry & Bright
During this hectic holiday season, do you find yourself and others worried to a frazzle? Do thoughts of protecting national secrets conflict with financial worries, seasonal scams, rushed deadlines, and party overload? Give your staff the proper briefings for travel and personal safety, and remind them about their responsibilities to protect our national secrets -- even those publicized with eye-catching headlines.

If you have not yet received an email notification -- the information publicized by WikiLeaks has not been declassified, and DoD Contractors are responsible for ensuring that their staff and consultants are aware that accessing or downloading the information results in contamination of unclassified information systems -- a Data Spill. That is a reportable security violation and an extremely expensive and time-intensive clean-up. Not the sort of gift your management wants to receive.

Give the gift of training so that your staff and management can enjoy a safe, secure, and merry holiday season.
Reviewing & Ensuring JPAS Access

Have you reviewed your JPAS Account holders recently? Have all account holders taken the required Personally Identifiable Information (PII) training or similar Privacy Act training for accessing government computers, databases, and applications? Are you sure you do not still have account holders who have left your company, but still retain access to review your facility's JPAS records?

Per the Account Management Policy (June 2009), the prime JPAS Account Manager or FSO should review and keep JPAS Account holders current -- removing invalid users from access. Several of the DSS IS Reps (and Annual Security Review reports) indicate that reviewing the number of JPAS Account holders, the training of JPAS Account holders, and retention of the SAR forms originally signed by the JPAS Account holders are items on their Annual Security Review checklist.

DSS IS Reps may also ask a JPAS Account holder to access JPAS and run a report or check for ghost personnel.  If the account holder has not accessed JPAS in over 60 days, he or she may be locked out and require an Account Manager to reset the password and account or a phone call to the DSS Help Desk to have access reinstated.  You may be wise to verify that your account holders have access, require access (whether as a backup Account Manager or to perform usual duties as assigned), and are able to access JPAS -- before your DSS IS Rep visits and makes a request.

Interested in finding out more regarding the expectations of JPAS Account holders, or how to maintain your JPAS records? Register now for the Got JPAS -- Now What? webinar, a JPAS & e-QIP training session (JPAS & e-QIP Immersion or JPAS & e-QIP Proficiency & Troubleshooting), or contact me for an On-Demand JPAS Support Services quote at ajsconsulting@earthlink.net.
Remembering Our Heroes
Protecting classified is one way to assist and protect our heroes who serve. Another way is to protect sensitive unclassified information by practicing OPSEC.

Sometimes we wish to do more than just assist and protect.  Sometimes we wish to show our gratitude and goodwill towards those who keep us safe and free.

The following links are to various agencies who support those who serve, have served in the past, or are family members of those who have served.  This Christmas consider creating a family or company tradition of giving to one or more of the following charities either out of appreciation for their service, gratitude for their service or compassion for their needs.

Remember also to remind your management and staff that classified and unclassified information needs protecting regardless of holidays and celebrations.  Do not forget to include information on how to protect themselves and their families over the holidays.

 

If I can be of assistance in developing or customizing your security briefings, please do not hesitate to call (512) 650-4819 or email me at ajsconsulting@earthlink.net.

Prepared for Data Spills?
 
Did you know that a Data Spill can happen whether or not you have an accredited classified system? Many government agencies define a Data Spill as anytime an unclassified information system (laptop, server, copier with hard drive, desktop, network, etc.) is contaminated by classified information.

How can this happen?  It happens when any of the following occur:
  • Viewing or downloading leaked classified information from the Internet (like WikiLeaks);
  • Receiving/Sending an email with information labeled as classified (Confidential, Secret, or Top Secret);
  • Inserting classified media (floppy disk, thumbdrive, CD or DVD) into an unclassified information system -- whether labeled or not;
  • Typing notes into an application on a computer without realizing some or all of the notes were marked as classified;
  • Copying classified information on a copier with a hard drive, connected to the unclassified network, or both; or
  • Individual downloads classified information from an accredited classified information system, photographs or otherwise records classified information and removes it from a secure work area without telling security.
The above list is not all-inclusive -- I am sure you can think of a few ways I have not mentioned. A better question is: are you prepared to report and clean up a data spill? Do you have a plan in place and approved tools (approved by your customer or DSS) to assist in the clean-up?

Questions?  Look for another article on this topic next month or email ajsconsulting@earthlink.net for more details.
NTK & JPAS -- Do Your Part

What does JPAS have to do with Need-To-Know (NTK)? Have you kept your personnel records in JPAS up-to-date? Do you grant access (Indoctrinate) at the correct level? Do you debrief and remove access when an individual leaves, or when he or she no longer needs access at that clearance level or maybe at all? Why is this your responsibility?

 

Prior to JPAS (pre-2004), industry relied on DISCO to provide verification of an individual's clearance and sometimes had to submit several updates to ensure that the accurate status of an individual was recorded. With JPAS, industry has taken on the responsibility to ensure that an individual's access is accurate and based upon contractual need. Remember that JPAS is now the database of record as to who has access at what level.

 

This means that when an individual shows up at your facility, visits my facility, shows up at a military base, or visits a government customer, he or she should be ready to produce identification to prove who he or she is and to assist Visit Control with information, like a Social Security number, enabling a review of JPAS to verify his or her eligibility (granted by CAF) and clearance (granted by you, the FSO) levels prior to being granted access. If the person's record is up-to-date and accurate, then the first part of the Need-to-Know equation has been answered -- Clearance Level. The second part of the Need-to-Know equation can then be answered by the person to be visited -- Mission Critical need to know to complete a contractual task, service, or product.

 

Failure to ensure accurate information (Procedures Governing Use of JPAS by Cleared Contractors items # 1 & 2) can result in a person not gaining access to information that he or she requires to fulfill a contractual obligation or in a person obtaining access to classified information when that person should have been debriefed and removed from JPAS -- an unauthorized disclosure of classified information.

 

Item # 1 reads: Contractors shall accurately maintain the JPAS records pertaining to their employees and consultants. Contractors must expeditiously update these records when changes occur (e.g., termination of employment).

 

An expeditious update means: if management updates Human Resources and Payroll, they should also update security, who can then update JPAS.

 

Nobody wants to hear about an unauthorized disclosure of classified which resulted from not updating JPAS.  Do your part to facilitate your company's compliance with expectations and securing our nation's secrets.

AJ's Consulting's Training Schedule 
Why choose AJ's Consulting's training? My training is hands-on, intensive, and customized for the attendees. Whether the number of attendees is one, two, three, or more, the training focuses on specific challenges facing the attendees and incorporates the compliance expectations of DSS Memos: Procedures Governing the Use of JPAS and General Principles of NISPOM Compliance for Cleared Contractors.

  • FSO & SSO Personnel Security Administration
    • December 21, 2010 8:30-4:30 PM
    • RSVP deadline -- December 14, 2010

Note: Ann J. Martick, ISP is joining JPW Security Solutions' team as an instructor in 2011.  Check out the scheduled training here

 

Thank you for reading my newsletter and passing it on to others who may benefit.  What I do best is assist you with solutions to challenging industrial security challenges.  How may I assist you today?


Merry Christmas & Happy New Year,


Ann J. Martick, ISP
AJ's Consulting
Best money spent on consulting services in my career.
Current Customer
 

My Gift to You:

My Wish for You is a Merry, Bright, & Secure Holiday Season.

This [JPAS & e-QIP Immersion training] was incredibly helpful and provided great information.  It was well worth the time & cost.
Karen Gardner
Austin, TX

Briefing on the SF 312

How do you brief the SF 312 Non-Disclosure Agreement?  Do you mention that it is a binding agreement between the individual and the U.S. Government?  Do you walk the individual through the different Executive Orders and other legislation mentioned, or just give him or her a copy of the above booklet to peruse?  When do you brief on the SF 312?

Consider revisiting the SF 312 during your next refresher briefing.  You could touch on highlights of each Executive Order, or maybe on the responsibilities the individual agrees to.  You may ask questions to see if your audience is aware that there is no statute of limitations for treason or that they can be prosecuted to the full extent of the law -- including the death penalty.  Revisiting the Need-To-Know responsibilities from the point of view of the SF 312 can be enlightening.

What tidbit could you find in the briefing book to include in your next security awareness briefing or quiz?
[FSO] class was outstanding - Very good for new FSO's.  Would highly recommend.  The instructor was very knowledgeable and answered all my questions - made the class.
Kevin Cloud
Austin, TX

Newsletter Sponsors

De-Mystifying Terrorism


Questioning Seminar

Ann made me feel very welcome - very personalized assistance.  I was able to ask lots of specific questions.
Suzanne Chime
Milan, OH
The procedures will be a great help in updating and maintaining my SMO in JPAS.
Vida Castillo
Trinity, FL
 

Acronyms

TLAs

Without definition all acronyms are meaningless.

ASIS -- Formerly known as American Society for Industrial Security, now known as the largest organization advancing the security profession worldwide
AIARG -- Austin Information Awareness Resource Group (ISSM Brown Bag)
CAF -- Central Adjudication Facility (Navy, Army, Air Force, Marines, DSS, etc.) 
CSO -- Cognizant Security Office (DSS, Navy, Army, Air Force, Marines, etc.)
CT-G2ASP -- Central Texas Greater Austin Area Security Professionals (FSO Brown Bag)
DCII -- Defense Center Investigations Index 
DEERS -- Defense Enrollment Eligibility Reporting System 
DHS -- Department of Homeland Security 
DISCO -- Defense Security Clearance Office
DMDC -- Defense Manpower Data Center
DOHA -- Department of Hearings and Appeals 
DSS -- Defense Security Service
EO -- Executive Order of the President of the United States.
FCL -- Facility Security Clearance Level 
FSO -- Facility Security Officer
e-QIP -- Electronic Questionnaire for Investigations Processing 
ENROL -- Electronic Network Registration and On-Line Learning
ISFD -- Industrial Security Facility Database
ISP -- Industrial Security Professional (certification) 
IS Reps -- Industrial Security Representatives of DSS
ISL -- Industrial Security Letter
ISSM -- Information System Security Manager
ISSO -- Information System Security Officer
JAMS -- Joint Adjudication Management System
JCAVS -- Joint Clearance and Access Verification System
JPAS -- Joint Personnel Adjudication System
NCMS -- Formerly known as the National Classification Management Society, now known as The Society for Industrial Security Professionals
NTK -- Need-To-Know
OPM -- Office of Personnel Management (contractor for many CAFs)
SIOP -- Single Integrated Operational Plan
VAR -- Visit Authorization Request


Acronym(s) not listed?  Contact Ann Martick and she may be able to identify and/or add your contributions to the list above.  
The class was excellent.  The small group size was very conducive to learning and the ability to practice with our own data made the session practical.
Michelle Stalder
Charlotte, NC