Cleared defense contractors (CDCs) provide the technology and expertise that deliver products and services to our defense industry. A CDC can be a prime contractor or subcontractor and is contracted to support government organizations. The CDC designation indicates that the organization is a government contractor with a facility clearance and is composed of employees with personnel security clearances. With classified contracts, a CDC is obligated to protect the classified information of its government customers while complying with its classified contracts.

CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts. The guide covers topics such as employee responsibilities, required training, ongoing assessment, maintaining security clearance, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS, provides the majority of DoD agency oversight and compliance reviews. It performs vulnerability assessments and determines how well a CDC protects classified information in accordance with the NISPOM.

Cleared Defense Contractors do a great job not only of performing on classified contracts and protecting classified information, but also of documenting or validating compliance. The following tools should be in a CDC’s toolkit and can be used to help it remain compliant and demonstrate its level of compliance.

1. National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This NISPOM printing includes the latest from the Defense Security Service, including an index and Industrial Security Letters. The NISPOM addresses the responsibilities of a cleared contractor, including security clearances, required training and briefings, classification and markings, protection of classified information, visits and meetings, outsourcing, information system security, special requirements, international security requirements, and much more.

2. International Traffic in Arms Regulations (ITAR)

“Any person engaged in the United States in the business of manufacturing or exporting defense articles or providing defense services must register…” -ITAR

“It is the contractor’s responsibility to comply with all applicable laws and regulations regarding controlled exports elements.” -DDTC

Companies that provide defense goods and services must know how to protect American technology; the ITAR provides the answers. ITAR is the defense products and services provider’s guide to when and how to obtain an export license. This book provides answers to:

Which defense contractors must register with the DDTC?

What defense products require export licences?

What defense services require export licences?

What are the export responsibilities of companies and governments?

What constitutes an export?

How do I apply for a license or support agreement?

3. Self-Inspection Manual for NISP Contractors

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Manual is designed as a job aid to help you meet this requirement. It is not intended to be used as a checklist only. Rather, its goal is to help you develop a workable self-inspection program specifically designed for the classified needs of your cleared business. You will also find that it includes several techniques that will help improve the overall quality of your self-inspection. To be most effective, it is suggested that you consider your self-inspection as a three-step process: 1) pre-inspection, 2) self-inspection, 3) post-inspection.

4. Training for authorized employees

a. Initial Security Awareness Training and Security Awareness Refresher Training

The main presentation is excellent for initial training or for the annual security awareness refresher training required of all authorized employees.

NISPOM requires the following training topics during initial training and refresher training:

• Threat awareness security briefing, including insider threat

• Counterintelligence awareness briefing

• General description of the security classification system

• Employee reporting obligations and requirements, including insider threat

• Cybersecurity awareness training for all authorized IS users

NISPOM training contains the requirements for annual security training and initial security training.

b. Derivative Classifier Training

The NISPOM outlines the requirements for derivative classification training to include… the proper application of derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those who do not have this training are not authorized to perform the tasks.

Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or regenerate information that is already classified, and then mark the newly developed material consistent with the classification markings that apply to the source information.

c. Counter Insider Threat Training

This training program includes the insider threat training requirements identified by NISPOM. NISPOM has identified the following requirements for establishing an insider threat program. Download and submit the training here and meet the training requirements:

• Designate a senior insider threat official

• Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.

• Establish an Insider Threat Program group

• Provide training on insider threats

• Monitor classified network activity

• Collect, integrate and report relevant and credible information; detect privileged information that poses a risk to classified information; and mitigate the risk of insider threats

• Conduct self-inspections of the Insider Threat Program.

d. SF 312 Briefing

This training is for newly cleared employees and should be given prior to initial security briefings.

Newly authorized employees must sign an SF-312 Confidentiality Agreement. Instead of just asking them to sign the box, why not give them the appropriate SF-312 briefing that describes exactly what is on the form and why they are signing it?

As mentioned above, CDCs not only have to perform on classified contracts according to contractual requirements, but are also evaluated based on how well they protect classified information. The tools listed above are designed to help CDCs comply with the requirements.
