Many cleared companies face logistical & financial challenges maintaining National Industrial Security Program (NISP) compliance in the areas of personnel clearance and facility clearance processing, education materials and records management. Our staff has years of FSO experience and our services are centered on policies, procedures and training for compliance with Government security requirements. Our team intimately understands the rules and regulations of dozens of agencies, and helps our clients quickly and efficiently put compliant facility security programs into place. Our company, FSO Consultants, is a Service-Disabled Veteran / Woman Owned Small Business specializing in National Industrial Security Program consulting with a proven track record in project delivery.
About us
FSO Consultants provides nationwide Facility Security consulting services for small businesses wishing to compete and perform on lucrative DoD related classified contracts. We assist and advise our clients' Facility Security Officer in directing their organizations' security programs for the protection of classified national security information. Whether you are making your initial effort to comply with the NISPOM and Defense Counterintelligence and Security Agency (DCSA) requirements or have been cleared for years, our team can strengthen your program.
- Website
-
https://www.fsoconsultants.com
External link for FSO Consultants
- Industry
- Business Consulting and Services
- Company size
- 11-50 employees
- Headquarters
- San Diego, California
- Type
- Privately Held
- Founded
- 2016
- Specialties
- DoD Clearances, National Industrial Security Program, and DCSA Regulations
Locations
-
Primary
8008 Deerfield St
San Diego, California 92120, US
Employees at FSO Consultants
-
Diana Yorty Edmondson
President & Founder at FSO Consultants, LLC / Industrial Security Expert
-
Stephanie Bo Valiere
Security Consultant at FSO Consultants
-
Alexa Hunter
Industrial Security Consultant at FSO Consultants
-
Erin Petkunas
Owner - Vice President FSO Consultants LLC | Industrial Security Expert | Veteran
Updates
-
Outsmarted Cars While some may describe the Smart Car as the modern-day clown car, most actually view them as an innovative transportation option. Made possible by Mercedes-Benz teaming up with Swatch and equipped with system-driven forms of AI, the technical operation of the Smart Car consists of special electronic sensors that feed real-time information back to the computer brain. GPS navigation, reverse sensing systems, assisted parking, web and email access, voice control, smart card activation instead of keys, and systems that keep the vehicle a safe distance from cars and objects in its path are all potential benefits of a Smart Car. The US Commerce Department has proposed a ban on the sale or import of smart vehicles that use specific Chinese or Russian technology because of national security concerns. National security risks range from Chinese or Russian embedded software and hardware in US vehicles to the possibility of remote sabotage via hacking and personal data collection. While having your personal data stolen by China (again) would be annoying, a foreign entity taking control over your car while on the highway with, potentially, thousands of similar cars to create chaotic disasters all throughout the U.S. seems far more troubling. The ban would not apply to cars already on the road that have Chinese software installed. The software ban would take effect for vehicles for “model year” 2027 and the hardware ban for “model year” 2030. #fso #fsoconsultants #industrialsecurity #nationalsecurity #smartcar
-
Catch Me If You Can in a digital age. Catch Me If You Can is based on the life of Frank Abagnale who, in one of his many offenses as a con artist, posed as an airline pilot “catching a flight home” to get free rides, often fooling airport security and others. This year, white hat researchers Ian Carroll and Sam Curry discovered a flaw in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs that could allow threat actors to bypass certain airport security systems and potentially pose as flight crew members. KCM is a TSA program that allows security officers to verify the identity and employment status of crewmembers to bypass security screening, and CASS allows airline gate agents to rapidly determine if a pilot is authorized for an aircraft’s cockpit jump seat, a seat utilized by crew commuting or traveling. FlyCASS is a third party, web-based CASS and KCM application employed by smaller airlines. Ian Carroll and Sam Curry found a SQL injection vulnerability in FlyCASS which gave them administrative management of the list of pilots and flight attendants associated with the targeted airline. Carroll and Curry were able to create and add a fictitious new employee to the KCM and CASS databases to verify their findings. The issue was reported to the Federal Aviation Administration (FAA), ARINC (KCM system operators), and the Cybersecurity & Infrastructure Security Agency (CISA). In response to their report, the FlyCASS service was disabled in the KCM and CASS system and the identified issues were patched, much to the dismay of terrorists and aspiring Frank Abagnale copy-cats alike. #fso #fsoconsultants #nationalsecurity #airport #TSA #industrialsecurity #whitehat #FAA
-
Phone Jacked Once a convenience on the wall, our phones are now the most expensive item that fits in our pockets. When cell phones drop to 5 percent charge left, some people start frantically looking around for an outlet as though it was a fresh source of water in the desert. Scammers have found a way to take advantage of this “need.” The FCC issued warnings about "juice jacking" at public USB charging stations in airports, such as the Denver Airport most recently and specifically. Juice jacking, a compromise of devices like smartphones and tablets, uses the same cable for charging and data transfer. This type of attack either installs malware on the device or steals information from the device (log-ins, locations, etc.). The FCC advises that malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to a criminal. At that point criminals can access personal online accounts or further sell the information. In some cases, criminals intentionally leave infected cables plugged in at charging stations in hopes of an unsuspecting victim. People could utilize a USB data blocker, a small dongle that adds a layer of protection between a device and the charging point, to counter this threat. Protection programs like Norton, McAfee, or Trend Micro could also assist; however, it's best to avoid the issue entirely: stay away from public ports. #nationalsecurity #fso #fsoconsultants #infosec #industrialsecurity #airport
-
Looking forward to a fabulous discussion on navigating the DCSA FCL process!
By popular demand, this week our I2A cohort welcomes Diana Yorty Edmondson and Erin Petkunas of FSO Consultants to present the DD 254 Process. With 30+ years of experience, FSO Consultants provides nationwide Facility Security consulting services for small businesses wishing to compete and perform on lucrative DoD related classified contracts. They assist and advise Facility Security Officers in directing their organizations' security programs for the protection of classified national security information. ABOUT OUR PRESENTERS Diana Edmondson is the Founder and President of FSO Consultants, with over 20 years of experience in the defense and industrial security communities. Diana's career began as an SH-60B helicopter pilot in the United States Navy, followed by a successful transition to the civilian sector in finance at Merrill Lynch. Her passion for defense brought her back to the industry, where she excelled as a Program Manager for the Tactical Networks Program Office. Recognizing the need for dedicated Facility Security Officer expertise for small businesses, she founded FSO Consultants to provide specialized security services. Erin Petkunas is Vice President and lead FSO consultant. Erin has over 10 years of experience in the defense and industrial security industries and served as an MH-60R helicopter pilot during her 12 years in the United States Navy. Her experience as a contractor for Booz Allen Hamilton, working on Computer Network Defense and Key Management Infrastructure programs, prepared her to train and mentor FSO consultants. Erin’s deep expertise in the National Industrial Security Program has been instrumental to FSO Consultants' growth and success.
-
The U.S.A vs. TikTok How did a platform for viral one-minute dances become a National Security issue for the U.S.? While the app is owned by TikTok LLC, a company incorporated in Delaware and based in Culver City, CA, the LLC is in turn controlled by TikTok Ltd, which is registered in the Cayman Islands and based in Shanghai, China. That firm is owned by ByteDance Ltd, also incorporated in the Cayman Islands and based in Beijing, China. Since part of TikTok is based in China, and China requires its companies to share any national security-related data with the government upon request, TikTok’s popularity among Americans might give China a back door to almost every cell phone in the country. Setting aside the discussion many parents, educators, and mental-health experts are having about whether TikTok’s content and addictive nature are unhealthy for young minds, the app continues to encroach on Meta’s social media territory. Renewed efforts by Congress to force TikTok to sell or face a ban in the US have the backing of the White House, even as President Biden’s reelection campaign has started to use the platform to reach younger voters. Irony at its finest! Much like other forms of data collection implemented by China, National Security experts are concerned China will use its influence over parts of ByteDance Ltd to back-door into American cell phones and monitor individuals who share information that may be harmful to America. Just as our cell phones and other smart devices are always listening and providing targeted ads, many fear China is listening too. National Security experts fear China will use TikTok to their advantage and flood their propaganda to sway American opinions. Nepal, E.U., Canada, Britain, Taiwan, New Zealand, Pakistan, Afghanistan, Indonesia, and Somalia have all implemented bans on TikTok, in one way or another, as they also see TikTok as a risk to National Security.
#fso #fsoconsultants #nationalsecurity #tiktok #informationsecurity #industrialsecurity
-
Access Denied The “Guarding the United States Against Reckless Disclosures Act” by Rep. Mikie Sherrill seeks to restrict classified access of an individual charged or convicted of: unlawful retention of national defense information, obstructing an official proceeding, unlawful disclosure or improper handling of classified information, acting as a foreign agent, or compromising national security. The GUARD Act extends its authority to the President, Vice President, members of Congress, candidates for federal office, and all federal employees defined under U.S. code (e.g., U.S. Postal Service employees, Postal Regulatory Commission, the Transportation Security Administration, uniformed personnel, etc.). Access to classified information would be suspended from the date on which an indictment is filed. The subject would not be allowed access until either the charge is dismissed, or they have been found not guilty. In part, the covered crimes are among several allegedly committed by personnel in high offices. How the act will apply to the President or Vice President if they are hypothetically indicted remains unclear. The GUARD Act has been submitted to the House Committee on Oversight and Accountability and the Committee on House Administration. #fso #fsoconsultants #industrialsecurity #nationalsecurity #personnelsecurity
-
CMMC Problem Factory Cybersecurity Maturity Model Certification (CMMC) went into effect in 2020 as an assessment standard designed to ensure defense contractors comply with security requirements designed to protect sensitive information. The system was updated in 2021 to further streamline the requirements. The model is now due for another much-needed update to address modern cybersecurity issues. The update will require the Department of Defense to identify CMMC Level 1, 2, or 3 as a solicitation requirement for defense contractors and subcontractors competing for federal contracts. The aim is to expand the application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs. A key part of any company’s compliance with CMMC is applying the standards outlined in the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, which establishes how they should secure CUI data that requires protection. Once CMMC is implemented in 48 CFR, DoD will specify the required CMMC Level in the solicitation and the resulting contract. The Pentagon is planning for a phased implementation for all solicitations issued on or after Oct. 1, 2026. Waivers could be issued in certain cases before solicitations are issued, but it is best not to rely on them and prepare to meet new requirements for solicitations in future proposals. #nationalsecurity #industrialsecurity #fso #fsoconsultants #informationsecurity #cmmc