NISPOM Changes - jsac

NISPOM Update for JSAC Workshop
Rosalind Baybutt
[email protected]
April 18, 2013
NISPOM Change Process
Draft changes to entire NISPOM received by
Industry in June 2010
Attended 13 meetings, provided comments,
made comments to the comments
Final draft and meeting on format in July 2012
Industry to comment on final draft through
Federal register – 77 week process
Publication expected Fall 2014
Additional Industrial Security Actions
“Conforming Change to the NISPOM” to implement
changes necessitated by Executive Order 13526
published March 28, 2013 – Change 1
 Additional conforming change to implement Executive
Order 13587 (Wikileaks) to counter insider threat. Draft
received by Industry for 30 day comment period – due
April 29, 2013 – Identified as “Draft” on these slides
 Draft Industrial Security Letter – Retention of threat
information – Industry comments provided
 DD Form 254 database – Industry participating in
requirements definition phase with DSS – proposed
completion late 2013
Facility Security Officer
Paragraph 1-201
The contractor shall appoint a U.S. Citizen
employee, who is cleared as part of the facility
clearance to be the FSO….The FSO, or those
otherwise performing security duties, shall
complete security training as specified in
Chapter 3 and as deemed appropriate by the
CSA. Employees who are unable to perform
day-to-day oversight of the security operations
of the facility are not eligible to be the FSO.
Insider Threat Program – Draft
Paragraph 1-202.
a. The contractor will establish an insider threat
program which will gather, integrate and report
relevant and available information indicative of a
potential or actual insider threat.
 b. The contractor will designate a U.S. citizen
employee, who is a senior official and cleared in
connection with the FCL, to establish and
execute an insider threat program.
Cooperation with Federal Agencies – Draft
Paragraph 1-204/5
Contractors shall cooperate with Federal agencies and
their officially credentialed representatives during official
inspections investigations concerning the protection of
classified information, or other information gathering, and
during personnel security investigations of present or
former employees and others. Cooperation includes
providing suitable arrangements within the facility for
conducting private interviews… providing relevant
employment and security records and records pertinent
to insider threat (e.g., security, information assurance
and human resources) for review when requested…
Self Inspections – Draft
Paragraph 1-206b
As applicable, the self inspection shall include the
review of representative samples of the contractor’s
derivative classification actions.
 These self-inspections shall be related to the
activity, information and conditions: have sufficient
scope, depth and frequency as well as management
support in execution and remedy. The contractor
shall prepare a formal report describing the selfinspection, its findings and resolution of issues
found. The contractor shall retain the formal report
for CSA review.
Senior Management Certification – Draft
Paragraph 1-206c
A senior management official at the cleared
facility shall certify to the CSA in writing on an
annual basis, that a self inspection has been
conducted, that senior management have been
briefed on the results, that appropriate corrective
action has been taken and that management
fully supports the security program at the
cleared facility.
National Reporting Requirements – Draft
Paragraph 1-302d.
Contractors will report all information specified in
the “Minimum Reporting Requirements for
Personnel with National Security Eligibility
Determinations” in accordance with guidance
provided by the CSA.
Suspicious Contact
Paragraph 1-302b
Contractors shall report efforts by any method or
means by any individual, to gain unauthorized
access to classified information or to
unclassified information the export of which is
controlled by the International Traffic in Arms
Regulations (ITAR) or the Export Administration
Regulations (EAR).
Change in Cleared Employee Status
Paragraph 1 – 302c
Contractors shall report: (the death; (2) a
change in name; (3) termination of employment;
(4) change in citizenship; (5) marriage to a nonU.S. citizen; and (6) when the possibility of
access to classified information in the future has
been reasonably foreclosed.
List of Classified Contracts
Paragraph 1-302o
When requested by the CSA, the contractor
shall provide a current list of all classified
contracts as well as classified subcontracts
issued to other contractors. This report shall
identify the GCA for each contract listed.
Reporting of Security Costs
Paragraph 1 – 302p
When requested by the CSA, selected
contractors shall provide, using the CSA’s
methodology, estimates of costs associated with
implementing the requirements of the NISP for a
specified period of time. The data points will be
used by the CSA in developing the annual report
the President on overall NISP security costs.
Improper Transmissions
Paragraph 1 – 302q
The contractor shall advise the sender of any
improper transmission of classified material and
notify the CSA of recurring improper
transmissions from the same sender. It there is
a loss, compromise or suspected compromise
as a result of the improper transmission refer to
paragraph 1 – 303 of the Chapter.
Reports to DoD on Penetration of Networks and
Information Systems – Draft
Paragraph 1-400.
As required by Section 941, FY 2013 National
Defense Authorization Act, contractors are
required to report any penetration of covered
networks or information systems that contain or
process information created by or for DoD which
the contractor is required to apply enhanced
Reports on Network Penetrations – Draft
Paragraph 1-401.
Contractors will report immediately to DoD any
successful penetration of a covered network or
information system. A description
of the technique or method used
 A sample of the malicious software
 A summary of DoD information that has been
potentially compromised
Contractors will promptly reply to a DoD request
for approval to disseminate information outside
Access to Equipment by DoD Personnel – Draft
Paragraph 1-402.
Upon request, the contractor will provide:
Access to equipment or information of the
contractor necessary to conduct forensic analysis
in addition to any analysis conducted by the
Access to information created by or for DoD in
connection with any Department program which
may have been successfully exfiltrated from a
contractor network or information system.
Facility Clearances Outside the US
Paragraph 2-102b
Company operations located on a U.S.
Government installation outside of the United
States are eligible for an FCL with the
concurrence of the Installation Commander or
Head of the U.S. Government installation.
PCLs required in Connection with the FCL – Draft
Paragraph 2-104.
The senior management official, the FSO and
the Insider Threat Official must always be
cleared to the level of the FCL. Other officials,
as determined by the CSA, must be granted
PCLs or be excluded from classified access
pursuant to paragraph 2-106.
Personnel Security Clearances
Paragraph 2-202
 The electronic version of the SF 86 shall be
completed by the employee, …The FSO or designee
may provide assistance to the employee in entering
data provided the employee agrees and
acknowledges that he or she is responsible for the
accuracy of the information submitted.
 The FSO shall submit the SF 86 as soon as
practicable, but on average not later than 7 days
after receipt of the completed form from the
Personnel Security Clearances
Paragraph 2 – 202c
The FSO or designee shall maintain the retained
SF 86 in such a manner that the confidentiality
of the documents is preserved and protected
against access by anyone within the company
other than the FSO or designee. When the
applicant’s eligibility has been granted, denied
or revoked and no higher level access (SAP or
SCI) is required or anticipated, the retained
documentation shall be returned to the
employee or destroyed.
Verification of U.S. Citizenship and Identity
Paragraph 2-207
 The contractor shall require each applicant for a
PCL who claims U.S. citizenship to produce
evidence of citizenship. In addition the contractor
shall verify identity by reviewing a valid State or
federal government-issued picture identification.
The contractor shall document the means used to
verify U.S. citizenship and identity and make a
written record of the documents used.
 A current passport or passport card is acceptable
proof of citizenship and identity.
Security Training and Briefings – Draft
Paragraph 3-103.
 The designated senior contractor official will ensure that
contractor program personnel assigned insider threat program
responsibilities and all other cleared employees are trained.
Contractor Insider Threat Program personnel must be trained:
 Counterintelligence and security fundamentals to include legal
 Procedures for conducting insider threat response actions
 Applicable laws and regulations regarding the gathering,
integration retention, safeguarding and use of records and
 Applicable legal, civil liberties and privacy policies
Insider Threat Training – Draft
All cleared employees must be provided insider threat awareness
training, either in-person or computer-based, within 30 days of
initial employment or prior to being granted access to classified
information and annually thereafter. Training will address current
and potential threats in the work and personal environment and will
include at a minimum:
The importance of detecting potential insider threats by cleared
employees and reporting suspected activity to the insider threat
program designee;
Methodologies of adversaries to recruit trusted insiders and collect
classified information, in particular within information systems;
Indicators of insider threat behavior, and procedures to report such
behavior; and
Counterintelligence and security reporting requirements
The contractor will maintain a record of all cleared employees who
have completed the training.
Derivative Classification Responsibilities – Change 1
Paragraph 4-102 a & b
 Contractor personnel make derivative classification
decisions when they incorporate, paraphrase,
restate, or generate in new form information that is
already classified and then mark the newly
developed material consistently with the
classification markings that apply to the source
 The duplication or reproduction of existing classified
information is not derivative classification.
Classification and Marking – Change 1
Paragraph 4-102c
 The contractor shall ensure that all employees authorized
to make derivative classifications decisions are:
 (1) identified by name and position or by personal
identifier on documents they derivatively classify
 (4) trained in accordance with CSA direction, in the
proper application of the derivative classification
principles with an emphasis on avoiding overclassification, at least once every 2 years.
 (5)are not authorized to conduct derivative
classification until they receive such training
 (6) given ready access to pertinent classification
guides, etc.
“Classified By” Line – Change 1
Paragraph 4-208 a.
The purpose of the “Classified By” line is to
identify the person who applies derivative
classification markings for the document. If not
otherwise evident, the line will include the
agency and office of origin will be identified and
follow the name and position or personal
identifier of the derivative classifier.
End of Day Security Checks
Paragraph 5-102
Contractors that store classified material shall
establish a system of security checks at the
close of each working day to ensure that all
classified material and security repositories that
have been accessed during the working day
have been appropriately secured.
Control and Accountability
Paragraph 5-200
Contractors shall establish an information
management system to facilitate retrieval and
proper disposition of the classified information in
their possession.
Control and Accountability
Paragraph 5-203b
Classified working papers, including those
generated electronically, in the preparation of a
finished document…Working papers shall be
controlled and marked in the same manner
prescribed for a finished document at the same
classification level if released outside the facility
or retained for more than 180 days from the date
of origin.
Secret Storage
Paragraph 5-303
SECRET material shall be stored in a GSAapproved security container, an approved vault,
closed area, or open storage area.
Supplemental protection is required for storage
in closed areas and open storage areas.
Confidential Transmission
Paragraph 5-404
CONFIDENTIAL material shall be transmitted by
the methods established for SECRET material
or by U.S. Postal Service Certified Mail.
Paragraph 5-503
Parent and subsidiary entities with FCLs within a
business organization are authorized to disclose
classified information to one another when
access is necessary for the performance of
tasks or services essential to the fulfillment of a
legitimate government need. A business
arrangement must be in place between the
parent and subsidiary entities so that
appropriate security classification guidance can
be provided for the classified information.
Intrusion Detection Systems
Paragraph 5-903
The following resources may be used to
investigate alarms: proprietary security force
personnel, central station guards, a
subcontracted guard service or when other
methods are not available, properly cleared,
trained and designated employees of the
contractor. The contractor shall test the efficacy
of the alarm response at least annually and
provide a written report to the CSA of any failure
to respond.
Paragraph 7-102 & 7-104
 In any circumstance or situation wherein the prime
contractor has reason to doubt a subcontractor’s
ability to protect classified information, such
information shall not be released until the security
vulnerability or condition is rectified by the
 Similarly, should the prime contractor determine or
uncover substandard industrial security performance
on the part of one of its subcontractors, the prime
shall notify the GCA and CSA of the circumstances
as appropriate.
Information System Security – Draft
Paragraph 8-100b.
 Protection requires a balanced approach including
IS security features to include but not limited to
administrative, operational, physical, computer,
communications and personnel controls. Protective
measures commensurate with the classification of
the information, the threat and the operational
requirements associated with the environment of the
IS are required. At a minimum, classified network
banners will be included to notify employees that
they are subject to monitoring and that such
monitoring could be used against them in a criminal,
security or administrative proceeding.
Users of IS – Draft
Paragraph 8-105 c (6).
All Users shall:
Acknowledge, in writing, that their activity on any
classified network is subject to monitoring and
that such monitoring could be used against them
in a criminal, security or administrative
proceeding. The Agreement language will be
provided by the appropriate CSA.
Designated Government Representative
Paragraph 10-401
 In those circumstances when a USG official is not
readily available to perform the DGR functions in a
timely manner, the contractor may request that the
CSA appoint a contractor employee to perform those
functions provided the following criteria are met by
the FSO and Empowered Official:
Identify the responsible contractor employee and
provide to the CSA a certification that the specified
requirements of this Manual have been satisfied.
 Provide to the CSA for review all of the required
documentation specified in paragraph 10-401b.
Reporting Overseas Assignments
Paragraph 10-601d
The contractor shall annually report to the CSA
all overseas assignments of contractor
employees with or in process for PCLs.
Information shall include:
The overseas location with contact information
The number of employees assigned overseas in
excess of 90 consecutive days
The government organization controlling the
location with contact information
Justification for access to classified information
A determination made within the Executive
Branch that a prospective recipient has a
requirement for access to, knowledge of, or
possession of the classified information to
perform tasks or services essential to the
fulfillment of a classified contract or program.
This determination is conveyed to the contractor
via contractual requirements or other direction
from within the Executive Branch.

similar documents