
Industrial Security & You: Winds of Change -- Trim Your Sail
Change. Changing seasons. Changing regulations. Changing expectations. Are you ready? Have you prepared your management for the changes that have occurred already this year and the forecasted changes that will be here soon -- NISPOM Change 1, NISPOM Change 2 (currently reviewing industry feedback), Vulnerability Assessment Matrix revision (expected sometime this Spring), and the looming deadline of SWFT?
  
What is your plan to deal with the Winds of Change?  Are you involved with a local security organization like NCMS, Inc and attending local chapter meetings or Brown Bags?  Have you signed up for training so that you can catch the information as it flows down?
   
Stay focused on our goal to serve both our country and our companies and to protect our precious information.  Keep informed.
Review Your JPAS Responsibilities

As of January 19th, the JPAS Disclosure Agreement changed -- did you notice?  Also as of March, the procedures to obtain a JPAS Account for either an Account Manager or User have changed.

 

Regardless of whether you just failed to keep your account active or you are a new user, there are now some required training courses that must be accomplished before you can be granted an account. 

 

The JPAS Account Request Procedures manual was last changed March 20th (see Request A JPAS Account link).

  • System Access Request (SAR) form will become the Personnel Security Systems Access Request (PSSAR) form.
  • JPAS, Information Assurance (IA), and Personally Identifiable Information (PII) training courses are required for all new JPAS account applicants. See the Account Request Checklist for specific courses.
  • If submitting the PSSAR form to DMDC, you must also include proof of training along with the PSSAR form.  If you are retaining the form as required in the Account Manager Policy you must also maintain proof of training in the event of a DMDC audit or security incident.

Other changes are also on the near horizon and if you haven't already made the Defense Manpower Data Center (DMDC) webpage your launch point for JPAS, you will miss these and other important announcements.

 

The Data Quality Initiative (DQI) 597 was run on March 29th and effectively administratively debriefed access.  If you or your Security Management Office (SMO) were affected, you should have received notifications of the debrief.  If you have any questions or need clarification please check the DMDC webpage under the DQI section.

 

Recent Changes --

  • DOD CAF versus Collaborative CAF -- Collaborative CAF is to only be used for administrative purposes and RRUs will not be responded to.  RRUs should be submitted to the DoD CAF (DoD Industry CAF) or one of the Intel CAFs.
  • Procedures for PII Issues for Industry -- Industry FSOs need to monitor their employees' (and consultants') records to ensure that names and/or DOBs are not updated with outdated information from the PDR.  Get guidance from the DMDC Webpage.
    • If the PII is incorrect, check to see if the record contains a DoD Electronic Data Interchange Person Number (EDIPN).  If not, then you can update the record in JPAS.
    • If it does contain an EDIPN and the Person Category is not Civilian or Military, the FSO or the subject will need to submit official documentation to DMDC to support the change.
    • Remember the PDR update occurs monthly on the day of the employee's birth.
    • If the subject's Person Category is Military, Civilian, or Retiree, they will need to personally contact their Personnel Center, milConnect, and/or DFAS to update the record.
  • Notes: JPAS Users are prohibited from looking up subjects of which they have No Need-to-Know or Authority.
  • Industry: If you mistakenly enter an incorrect SSN while initiating an investigation, submit an RRU before any action is taken on the record.
  • Make sure your SMOs are set up properly by following the instructions in the JVS modifications document in the left-hand navigation of the DMDC webpage.
  • JPAS Printouts and SWFT Account Requests -- Note that clearance verification for SWFT accounts is NOT a valid use for printing out JPAS person summaries.  Do not include these printouts in your SWFT account request -- See 8/10/12 posting.

And on June 1st -- The DoD Call Center will transfer all servicing of JPAS/SWFT/e-QIP calls to the DMDC Contact Center (800-467-5526 or dmdc.contactcenter@mail.mil).  Continue to use the DoD Security Services Center (888-282-7682) until June.

 

For JPAS training or On-Demand Support in the area of JPAS and/or e-QIP please check Areas of Focus for upcoming scheduled courses or email me at annmartick@ajsconsultingisp.com for more information.

About AJ's Consulting and Ann Martick, ISP

AJ's Consulting is a sole proprietorship that provides training and On-Demand consulting in the Industrial Security area for both NISP Signatories and DoD Contractors.  Have a question?  I should have an answer for you or at least know where to send you to get the answer.

 

Ann Martick, ISP is the owner/consultant of AJ's Consulting, a part-time FSO for 5 different companies in the Austin-San Antonio Metro area, and an Adjunct Instructor for The Graduate School USA's Security courses.  With 20+ years of experience in Industrial Security, I am sure that I can be of assistance to you.  

Can Charging a Cellphone be a Threat?

Did you ever think that charging a cellphone could be a threat to your desktop, laptop, or even your corporate network?

 

A couple of months ago I received a report from my husband that his company had just spent two hours trying to isolate and eliminate the threat to their corporate network that came from an 'innocent' cellphone plugged in to charge.

 

It was an Android phone similar to the one in the picture above.  The person had plugged it in to charge it and unwittingly unleashed a piece of malware onto the corporate network.  All of a sudden files were being copied and hidden, the duplicate files were renamed to executables, and it spread like wildfire across 3 servers and affected both the campus where it originated and the corporate office.  Any individual clicking to open a folder was actually clicking on an executable file which then spread the malware.  I do not think they ever identified the name of the malware.

 

Many Android phones let you set an option so that the phone asks, upon connection, whether you want to "charge only" or to access it as a "mobile storage device" -- just like a flash drive.

 

There are many antivirus and malware protection applications available for the various phones.  If you have not already downloaded one for your phone, you may want to consider using one.

 

Here are some cellphone security awareness presentations and articles to provide to your staff to educate them on this threat.

How much company information is accessed via your staff's smart phones?  How likely is it that an incident like this could happen to you? 

 

Have a suggested topic you would like to see addressed or have an article to share?  Email me at annmartick@ajsconsultingisp.com.

Winds of Change

NISPOM Conforming Change 1 has been posted on the DSS website (www.dss.mil) as of April 1st.  The date of this change is March 26th.  The main focus of this change is to implement Executive Order (EO) 13526 and ISOO's Directive Number 1 for Industry.

 

We have been waiting on a new NISPOM since EO 13526 and Directive Number 1 came out.  The recently posted Conforming Change 1 to the NISPOM dated February 2006 now incorporates those changes.  Industry now has 6 months to implement these changes - except where the implementation is required to be immediate like for changes in Chapter 10 relating to the US-UK treaty.

    

  • Changes For Chapter 1 include -
    • Replacing EO 12829 with EO 13526
    • Replacing Director of the CIA with Director of National Intelligence (DNI) - responsible authority for classified intelligence
    • Including the Chairman of the NRC (Nuclear Regulatory Commission) with the Secretary of Energy as responsible authority for RD and FRD
    • Adding a reference to the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004
    • Timeline for implementing changes can take 6 months, except for changes in Chapter 10 relating to the US-UK Treaty which must be implemented immediately
    • Addition of 2 new signatories - Office of Personnel Management (OPM) and National Archives and Records Administration (NARA)
    • Addition of DNI Hotline information
    • Clarifying the case history for litigation regarding a contractor's liability for defamation of an employee per the requirements of this manual
  • Changes for Chapter 4 include implementation of Directive Number 1, which implements the new marking requirements required by EO 13526
  • Changes for Chapter 5 include updating required document control requirements and replacing DCID 6/9 with ICD 705 as an alternative closed room construction requirement standard
  • Changes for Chapter 9 include adding Transclassified Foreign Nuclear Information (TFNI) and how to handle it
  • Changes for Chapter 10 include Transfers pursuant to an ITAR Exemption and Classified technical data or certain defense articles requirements
  • New Definitions in Appendix C include
    • Defense Articles
    • UK Community
    • Working Papers and
    • Edited definition for National of the United States

As indicated earlier there is a proposed NISPOM Conforming Change 2 that was submitted for Industry feedback earlier this year.  Some changes in this Conforming Change include adding requirements and definitions regarding Insider Betrayal and training staff on how to recognize and report it.  The Insider Betrayal program will merge with the Counter Intelligence program and be more obvious than in the past.  More information on this change will be provided in later editions of this newsletter.  The timeline on receiving this change is still unknown.

 

Another change that is scheduled for Spring of 2013 is a revision of the Vulnerability Assessment Matrix.  This revision is currently being beta-tested at several facilities.  One of the biggest changes is in the area of the NISP Enhancements.  Instead of 13 NISP Enhancements there will only be 11.  Two of the enhancements focus on Counter Intelligence and Cyber Intrusions.  In order to be able to qualify for the CI Enhancement you must have an effective CI program and be able to provide --

  • An Actionable Suspicious Contact report that results in finding or assisting in finding attempts to access protected information, or
  • You report foreign visitors before a visit and a foreign intelligence agent is identified, and/or during the visit you or the escort(s) prevent access to sensitive information and report it, resulting in an actionable report, or
  • You report a foreign visit where you or the escort(s) stopped/prevented attempts to access sensitive information and it results in an actionable report.

Another NISP enhancement change is regarding Self Inspections; just documenting multiple self inspections is not enough to obtain that enhancement.

 

If you have insight on the revised Vulnerability Assessment Matrix or more questions on the upcoming changes mentioned here, please send me an email at annmartick@ajsconsultingisp.com.

 

 

Thank you for reading my newsletter and passing it on to others who may benefit. 
 

What I do best is assist you with solutions to challenging industrial security challenges.  How may I assist you today?

 

Regards,


Ann J. Martick, ISP
AJ's Consulting
 
Best money spent on consulting services in my career.

 

Current Customer

Thank you for your time and expertise during our conference call last Friday.  Your support on the JPAS is truly amazing.  Your support of our profession is a great example.
 
Thom Holt
FairWinds
Human Resource Solutions, LLC
Annotated NISPOM w/ Change 1

 

Great facilities and instructor...Ann really was helpful and made the system easy to use.  Very organized.
 
Kenneth Browning
Round Rock, TX 
Articles of Interest

 

4 Survival Skills Every Kid Should Know

 

6 Ways to Enhance Your Credibility

 

7 Effective Privacy Techniques for Reducing Identity Theft

 

10 Tips to Secure Funding for a Security Program

 

40 Years of Freedom for Navy Hero Marked

 

A Walking Tour: 33 Questions to Ask About Your Company's Security

 

Ana Montes -- Do You Know What She Did?

 

Android, iPhone are Top Fraud Targets

 

Changing the Sound of Your Voice

 

Could You Be This Creative in an Emergency?

 

DHS, FBI Agents Nab NASA Contractor as Apparent Spy

 

Hacker Uses an Android to Remotely Hijack an Airplane

 

How the Civil-War Changed Your Life

 

How to Deal With Flash Mobs

 

Line Blurs Between Insider, Outsider Attacks

 

Majority of Convicted Terrorists in US are American Citizens

 

Mexico Drug Cartels Sending Agents to Run Crime Rings in US

 

On the Internet, the FBI Knows If You're a Dog

 

RTE Documentary to Shed Light on Waterford Link to 'Jihad Jane' Plot

 

Sneaky New Tricks from Identity Thieves

 

The D*I*C*E Man on the Web

 

Wounded Warrior Program

Very well organized training material.  Instructor, knowledge and training techniques were the best I've experienced.  I thoroughly appreciate the small class size that allowed personalized training and allowed extra time for specific questions and exercises.

 

Gail Madriaga

Honolulu, HI

Fax Your SF 312s
On April 1st DSS posted that the new preferred method of transmission of SF 312s is via Fax to 301-833-3942 ATTN: SF-312.   