NISPOM Update for JSAC Workshop
Rosalind Baybutt, rbaybutt@generaldynamics.com
April 18, 2013

NISPOM Change Process
- Draft changes to the entire NISPOM received by Industry in June 2010
- Attended 13 meetings, provided comments, made comments to the comments
- Final draft and meeting on format in July 2012
- Industry to comment on final draft through the Federal Register (77 week process)
- Publication expected Fall 2014

Additional Industrial Security Actions
- “Conforming Change to the NISPOM” to implement changes necessitated by Executive Order 13526, published March 28, 2013 (Change 1)
- Additional conforming change to implement Executive Order 13587 (Wikileaks) to counter the insider threat. Draft received by Industry for a 30 day comment period, comments due April 29, 2013. Identified as “Draft” on these slides.
- Draft Industrial Security Letter on retention of threat information; Industry comments provided
- DD Form 254 database: Industry participating in the requirements definition phase with DSS; proposed completion late 2013

Facility Security Officer (Paragraph 1-201)
The contractor shall appoint a U.S. citizen employee, who is cleared as part of the facility clearance, to be the FSO. … The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO.

Insider Threat Program – Draft (Paragraph 1-202)
a. The contractor will establish an insider threat program which will gather, integrate and report relevant and available information indicative of a potential or actual insider threat.
b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program.
Cooperation with Federal Agencies – Draft (Paragraph 1-204/5)
Contractors shall cooperate with Federal agencies and their officially credentialed representatives during official inspections or investigations concerning the protection of classified information, or other information gathering, and during personnel security investigations of present or former employees and others. Cooperation includes providing suitable arrangements within the facility for conducting private interviews … providing relevant employment and security records and records pertinent to insider threat (e.g., security, information assurance and human resources) for review when requested …

Self Inspections – Draft (Paragraph 1-206b)
As applicable, the self-inspection shall include the review of representative samples of the contractor’s derivative classification actions. These self-inspections shall be related to the activity, information and conditions, and shall have sufficient scope, depth and frequency, as well as management support in execution and remedy. The contractor shall prepare a formal report describing the self-inspection, its findings and the resolution of issues found. The contractor shall retain the formal report for CSA review.

Senior Management Certification – Draft (Paragraph 1-206c)
A senior management official at the cleared facility shall certify to the CSA in writing, on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.

National Reporting Requirements – Draft (Paragraph 1-302d)
Contractors will report all information specified in the “Minimum Reporting Requirements for Personnel with National Security Eligibility Determinations” in accordance with guidance provided by the CSA.
Suspicious Contact (Paragraph 1-302b)
Contractors shall report efforts by any method or means, by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

Change in Cleared Employee Status (Paragraph 1-302c)
Contractors shall report: (1) the death; (2) a change in name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed.

List of Classified Contracts (Paragraph 1-302o)
When requested by the CSA, the contractor shall provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed.

Reporting of Security Costs (Paragraph 1-302p)
When requested by the CSA, selected contractors shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs.

Improper Transmissions (Paragraph 1-302q)
The contractor shall advise the sender of any improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of this Chapter.

Reports to DoD on Penetration of Networks and Information Systems – Draft (Paragraph 1-400)
As required by Section 941 of the FY 2013 National Defense Authorization Act, contractors are required to report any penetration of covered networks or information systems that contain or process information created by or for DoD to which the contractor is required to apply enhanced protection.

Reports on Network Penetrations – Draft (Paragraph 1-401)
Contractors will report immediately to DoD any successful penetration of a covered network or information system, including:
- A description of the technique or method used
- A sample of the malicious software
- A summary of DoD information that has been potentially compromised
Contractors will promptly reply to a DoD request for approval to disseminate information outside DoD.

Access to Equipment by DoD Personnel – Draft (Paragraph 1-402)
Upon request, the contractor will provide:
- Access to equipment or information of the contractor necessary to conduct forensic analysis, in addition to any analysis conducted by the contractor
- Access to information created by or for DoD in connection with any Department program which may have been successfully exfiltrated from a contractor network or information system

Facility Clearances Outside the US (Paragraph 2-102b)
Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation.

PCLs Required in Connection with the FCL – Draft (Paragraph 2-104)
The senior management official, the FSO and the Insider Threat Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.
Personnel Security Clearances (Paragraph 2-202)
The electronic version of the SF 86 shall be completed by the employee, … The FSO or designee may provide assistance to the employee in entering data, provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted. The FSO shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant.

Personnel Security Clearances (Paragraph 2-202c)
The FSO or designee shall maintain the retained SF 86 in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility has been granted, denied or revoked and no higher level access (SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed.

Verification of U.S. Citizenship and Identity (Paragraph 2-207)
The contractor shall require each applicant for a PCL who claims U.S. citizenship to produce evidence of citizenship. In addition, the contractor shall verify identity by reviewing a valid State or federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used. A current passport or passport card is acceptable proof of citizenship and identity.

Security Training and Briefings – Draft (Paragraph 3-103)
The designated senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained.
Contractor Insider Threat Program personnel must be trained in:
- Counterintelligence and security fundamentals, to include legal issues
- Procedures for conducting insider threat response actions
- Applicable laws and regulations regarding the gathering, integration, retention, safeguarding and use of records and data
- Applicable legal, civil liberties and privacy policies

Insider Threat Training – Draft
All cleared employees must be provided insider threat awareness training, either in-person or computer-based, within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
- The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee
- Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems
- Indicators of insider threat behavior, and procedures to report such behavior
- Counterintelligence and security reporting requirements
The contractor will maintain a record of all cleared employees who have completed the training.

Derivative Classification Responsibilities – Change 1 (Paragraph 4-102 a & b)
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information. The duplication or reproduction of existing classified information is not derivative classification.
Classification and Marking – Change 1 (Paragraph 4-102c)
The contractor shall ensure that all employees authorized to make derivative classification decisions are:
(1) identified by name and position, or by personal identifier, on documents they derivatively classify;
(4) trained, in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding overclassification, at least once every 2 years;
(5) not authorized to conduct derivative classification until they receive such training; and
(6) given ready access to pertinent classification guides, etc.

“Classified By” Line – Change 1 (Paragraph 4-208a)
The purpose of the “Classified By” line is to identify the person who applies derivative classification markings for the document. If not otherwise evident, the agency and office of origin will be identified and will follow the name and position or personal identifier of the derivative classifier.

End of Day Security Checks (Paragraph 5-102)
Contractors that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured.

Control and Accountability (Paragraph 5-200)
Contractors shall establish an information management system to facilitate retrieval and proper disposition of the classified information in their possession.

Control and Accountability (Paragraph 5-203b)
Classified working papers, including those generated electronically, in the preparation of a finished document … Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin.
Secret Storage (Paragraph 5-303)
SECRET material shall be stored in a GSA-approved security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas.

Confidential Transmission (Paragraph 5-404)
CONFIDENTIAL material shall be transmitted by the methods established for SECRET material or by U.S. Postal Service Certified Mail.

Disclosure (Paragraph 5-503)
Parent and subsidiary entities with FCLs within a business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information.

Intrusion Detection Systems (Paragraph 5-903)
The following resources may be used to investigate alarms: proprietary security force personnel, central station guards, a subcontracted guard service or, when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of the alarm response at least annually and provide a written report to the CSA of any failure to respond.

Subcontracting (Paragraphs 7-102 & 7-104)
In any circumstance or situation wherein the prime contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor. Similarly, should the prime contractor determine or uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate.

Information System Security – Draft (Paragraph 8-100b)
Protection requires a balanced approach including IS security features, to include but not limited to administrative, operational, physical, computer, communications and personnel controls. Protective measures commensurate with the classification of the information, the threat, and the operational requirements associated with the environment of the IS are required. At a minimum, classified network banners will be included to notify employees that they are subject to monitoring and that such monitoring could be used against them in a criminal, security or administrative proceeding.

Users of IS – Draft (Paragraph 8-105c(6))
All users shall acknowledge, in writing, that their activity on any classified network is subject to monitoring and that such monitoring could be used against them in a criminal, security or administrative proceeding. The agreement language will be provided by the appropriate CSA.

Designated Government Representative (Paragraph 10-401)
In those circumstances when a USG official is not readily available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions, provided the following criteria are met by the FSO and Empowered Official:
- Identify the responsible contractor employee and provide to the CSA a certification that the specified requirements of this Manual have been satisfied.
- Provide to the CSA for review all of the required documentation specified in paragraph 10-401b.

Reporting Overseas Assignments (Paragraph 10-601d)
The contractor shall annually report to the CSA all overseas assignments of contractor employees with or in process for PCLs. Information shall include:
- The overseas location, with contact information
- The number of employees assigned overseas in excess of 90 consecutive days
- The government organization controlling the location, with contact information
- Justification for access to classified information

Definitions
Need-to-know: A determination made within the Executive Branch that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch.