Post on 30-Dec-2015
ROSALIND BAYBUTT, DIRECTOR – INDUSTRIAL SECURITY SERVICES
PAMIR CONSULTING LLC
rosalind.baybutt@pamirllc.com
rbaybutt@generaldynamics.com
(703) 319-9646
(703) 876-3501
NISPOM Update for NCMS November 2012
November 2012, Pamir Consulting LLC
NISPOM Review Process
Draft NISPOM received by Industry in June 2010
Attended 13 meetings with DoD, ISOO, et al.
Received numerous comments, updates for review and comment on the comments
Final draft and meeting on format in July 2012
Final draft to be coordinated within Federal Government
Industry and public to comment during Federal Register process – 77 week process
Publication expected in Fall 2014
Implementation
“Conforming Change to the NISPOM” to be published within 60 days to implement changes to information security policy necessitated by Executive Order 13526.
Additional conforming change to implement Executive Order 13587 (Wikileaks) to counter Insider Threat. No timeline on this change.
Following publication of both the conforming changes and the full NISPOM, changes may be implemented immediately, but Industry will be required to complete transition to the new policy/procedures within 6 months.
General Comments
Chapter 8 (Information System Security) completely re-written.
DSS Industrial Security Field Operations (ISFO) Process Manual will contain detailed policy and procedures. Industry will review and comment on changes to ISFO. Implementation of ISFO will be 6 months after promulgation.
Chapter 10 (International) revision received by Industry and will be included in update.
SAP Policy is still under review. Will consist of several volumes on specific topics.
Facility Security Officer
Paragraph 1-201 The contractor shall appoint a U.S. Citizen employee,
who is cleared as part of the facility clearance to be the FSO. The FSO will supervise and direct security measures necessary for implementing applicable requirements of this manual and related Federal requirements for classified information. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO.
Self Inspections (Contractor Reviews)
Paragraph 1-206b As applicable, the self inspection shall include the review of
representative samples of the contractor’s derivative classification actions.
Contractors shall review their security programs on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles. These self-inspections shall be related to the activity, information and conditions; have sufficient scope, depth and frequency as well as management support in execution and remedy. The contractor shall prepare a formal report describing the self-inspection, its findings and resolution of issues found. The contractor shall retain the formal report for CSA review through the next CSA inspection.
Senior Management Certification
Paragraph 1-206c. A senior management official at the cleared facility
shall certify to the CSA in writing on an annual basis, that a self inspection has been conducted, that senior management have been briefed on the results, that appropriate corrective action has been taken and that management fully supports the security program at the cleared facility.
Adverse Information
Paragraph 1-302a Contractors shall report adverse information coming
to their attention concerning any of their cleared employees. This includes any adverse information regarding a cleared employee if the information would be required on the current version of the SF 86 even though the individual may not yet require a reinvestigation.
Suspicious Contact
Paragraph 1-302b Contractors shall report efforts by any method or any
means by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).
Change in Cleared Employee Status
Paragraph 1-302c Contractors shall report: (1) the death; (2) a change in
name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed.
List of Classified Contracts
Paragraph 1-302o When requested by the CSA, the contractor shall
provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed.
Reporting of Security Costs
Paragraph 1-302p When requested by the CSA, selected contractors
shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs as required by Reference a.
Improper Transmissions
Paragraph 1-302q The contractor shall advise the sender of any
improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of the Chapter.
Reports of Loss, Compromise or Suspected Compromise
Paragraph 1-303b and c Initial report. If the contractor’s preliminary inquiry
confirms that a loss, compromise, or suspected compromise of any classified information occurred, the contractor shall submit an initial verbal or e-mail notification within 24 hours and an initial report within 3 working days of this determination unless otherwise notified by the CSA.
Final report. When the investigation has been completed, a final report shall be submitted to the CSA within 30 days of submission of the initial report. Under extenuating circumstances the CSA may grant an extension.
Facility Clearances Outside the US
Paragraph 2-102b The company must be organized and existing under
the laws of any of the fifty states, the District of Columbia, or of the organized United States territories. The company must be located in the United States or on a government installation outside of the United States regardless of location or its U.S. territorial areas. Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation.
Personnel Security Clearances
Paragraph 2-202 The electronic version of the SF 86 shall be completed
by the employee, with assistance from the FSO or equivalent contractor employee if needed and reviewed by the FSO…
The FSO or designee may provide assistance to the employee in entering data provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted.
The FSO or designee shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant.
Personnel Security Clearances
Paragraph 2-202c The FSO or designee shall maintain the retained
documentation (SF 86) in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility for access to classified information has been granted, denied or revoked and no higher level access (SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed.
Pre-employment Clearance Action
Paragraph 2-205 The commitment for employment will indicate that
employment shall commence within 30 days of the granting of the eligibility that permits the employee to perform the tasks or services associated with the contract or Government requirement for which the individual was hired. The written commitment must identify the level of PCL required as well as the contractual source of the requirement (unless the existence of the contractual relationship is classified).
Contractor-Granted Clearances
Paragraph 2-206. Contractor-granted clearances are no longer valid for
access to classified information.
Verification of U.S. Citizenship and Identity
Paragraph 2-207 The contractor shall require each applicant for a PCL
who claims U.S. citizenship to produce evidence of citizenship. In addition the contractor shall verify identity by reviewing a valid State or Federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used.
Paragraph 2-208d A current passport or passport card is acceptable
proof of citizenship and identity.
Foreign Ownership, Control or Influence
Paragraph 2-302 A company is required to complete a Standard Form 328 when
applying for an FCL or when material changes occur to information previously submitted. In the case of a business organization, the SF 328 may be a consolidated response rather than separate submissions from individual legal entities within the business organization. Consolidated submissions shall be executed by the highest cleared entity in the business organization and provide sufficient detail to allow the CSA to determine the extent of foreign ownership, control or influence at each legal entity within the business organization. Depending on specific circumstances the CSA may request one or more of the legal entities that make up a corporate family to submit individual SF 328s and will determine mitigation or negation instruments that must be put in place.
Security Training
Paragraph 3-105 The contractor shall forward the executed SF 312 to the
CSA for retention, unless directed to retain these forms by the CSA.
Paragraph 3-106f Initial security briefing shall include counterintelligence
awareness training.
Paragraph 3-107 Annual refresher training shall include
counterintelligence awareness training.
Paragraph 3-108 Signing the SF 312 debriefing is not required.
Derivative Classification Responsibilities
Paragraph 4-102a & b Contractor personnel make derivative classification
decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information.
Derivative classification includes the classification of information based on guidance, which may be either a source document, or classification guide. The duplication or reproduction of existing classified information is not derivative classification.
Classification and Marking
Paragraph 4-102c The contractor shall ensure that all employees authorized to make derivative classification decisions are:
(1) identified by name and position or by personal identifier on documents they derivatively classify
(2) observe and respect original classification decisions
(3) carry forward to any newly created documents the pertinent classification markings. Derivatively classified documents shall carry forward (a) the date or event for declassification that corresponds to the longest period of classification among the sources and (b) a listing of source materials
(4) trained in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years
(5) suspended from conducting derivative classification if they do not receive such training
(6) given ready access to pertinent classification guides, etc.
Marking Miscellaneous Material
Paragraph 4-215 Material developed in connection with the handling,
processing, production, storage, and utilization of classified information shall be handled in a manner that ensures adequate protection of the classified information involved and shall be destroyed at the earliest practical time, unless a requirement exists to retain such material. Examples of such material include classified computer media such as USB sticks, hard drives, CD ROMS, and diskettes. Such material shall be marked to indicate the highest overall classification of the information contained or embodied within the material. There is no requirement to mark such material with any additional markings.
End of Day Security Checks
Paragraph 5-102 Contractors that store classified material shall
establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured.
Control and Accountability
Paragraph 5-200 Contractors shall establish an information management
system to facilitate retrieval and proper disposition of the classified information in their possession.
Paragraph 5-203b Classified working papers, including those generated
electronically, in the preparation of a finished document… Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin.
Secret Storage
Paragraph 5-303 SECRET material shall be stored in a GSA-approved
security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas.
Open Storage
Paragraph 5-306c Open storage of Secret and Confidential documents and
IS media in closed areas requires CSA approval. Entrance doors to such areas must be secured by built-in GSA-approved electro-mechanical combination locks. (Note: The presence of fixed media such as internal, non-removable hard drives in operational IS is not considered open storage.) For Secret material, areas protected by an approved
IDS with a 30 minute response time, as well as security-in-depth as determined by the CSA, will be eligible for such approval. For open storage areas lacking sufficient security-in-depth, a 5 minute response time is required.
Open Storage Area Approval
Paragraph 5-306d The CSA and the contractor shall agree on the need to
establish, and the extent of, closed areas prior to the award of the contract, when possible, or when the need for such areas becomes apparent during contract performance. Areas authorized for open storage of classified documents shall be limited in size to that required to accommodate storage needs. The contractor shall ensure that visitors to such areas without the requisite PCL and need-to-know for all information stored in the area are denied access to the classified material contained therein.
Supplemental Protection
Paragraph 5-307 Depending on the classification and nature of the
material to be protected as well as the storage method used, the contractor has various options for supplemental protection listed below. No supplemental protection is required for the storage of Secret material in GSA-approved security containers or for the storage of Confidential material. Prior to implementing any supplemental protection measure to satisfy the requirements of this paragraph, the contractor shall obtain written approval from the CSA.
Supplemental Protection
Paragraph 5-307 a and b When the CSA has approved security in depth, the CSA
may authorize inspection of security containers, vaults, closed areas and open storage areas during non-working hours. These recurring patrols may be accomplished by an employee or subcontractor cleared to at least the Secret level to satisfy the supplemental protection requirement. When recurring patrols are authorized in lieu of IDS, the interval between patrols shall not exceed 2 hours for Top Secret and 4 hours for Secret.
Response to an IDS as described in Section 9 of this Chapter shall be within:
(1) 15 minutes (without security in depth)
(2) 30 minutes (with security in depth)
Security in Depth
Paragraph 5-307c (1) The contractor shall document the specific layered and
complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, periodically review the effectiveness of these controls and report any changes affecting those controls to the CSA.
(2) At a minimum, the contractor shall consider the following elements in their security in depth assessment:
Perimeter controls
Badge systems when personal recognition is impractical
Controlled access to areas where classified work is performed
Access control devices
Additional elements as determined by the CSA
Confidential Transmission
Paragraph 5-404 Confidential material shall be transmitted by the
methods established for Secret material or by U.S. Postal Service Certified Mail.
Disclosure
Paragraph 5-503 Parent and subsidiary entities with FCLs within a
business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information.
Intrusion Detection Systems
Paragraph 5-901 CSA approval is required before installing an IDS.
Approval of a new IDS shall be based on the criteria of DCID 6/9, UL Standard 2050, or other standard approved by the CSA.
Paragraph 5-903 The following resources may be used to investigate alarms:
proprietary security force personnel, central station guards, a subcontracted guard service, or when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of alarm response at least annually and provide a written report to the CSA of any failure to respond.
Subcontracting
Paragraph 7-102 In any circumstance or situation wherein the prime
contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor.
Paragraph 7-104 Similarly, should the prime contractor determine or
uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate.
Designated Government Representative
Paragraph 10-401 In those circumstances when a USG official is not readily
available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions provided the following criteria are met by the FSO and Empowered Official:
Identify the responsible contractor employee and provide to the CSA a certification that the specified requirements of this Manual have been satisfied.
Provide to the CSA for review all of the other required documentation specified in paragraph 10-401b.
The contractor will receive either approval of the transfer procedures, approval subject to further action, or disapproval.
Reporting Overseas Assignments
Paragraph 10-601d The contractor shall annually report to the CSA, by CSA designated means, all overseas assignments of contractor employees with, or in process for, PCLs. Information provided shall include:
The overseas operating location for each employee with contact information and identified contractor point of contact for the overseas location
The number of contractor employees assigned to overseas locations exceeding 90 consecutive days
The identification of the government organization controlling the location with contact information for the USG security officials
Justification for access to USG or foreign government information
NATO Briefings – From DSS Website FAQs
Q: Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)?
A: Paragraph 10-706 of the NISPOM only requires that the NATO initial briefing date and the NATO debriefing date be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing.
Q: Is DSS required to provide the NATO Annual Refresher Briefing to the Facility Security Officer (FSO)?
A: As DSS is required to provide the NATO initial briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing.
Definitions
Need-to-Know A determination made within the Executive Branch
that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch.