NISPOM Update for NCMS November 2012 1 ROSALIND BAYBUTT DIRECTOR – INDUSTRIAL SECURITY SERVICES PAMIR CONSULTING LLC rosalind.baybutt@pamirllc.com rbaybutt@generaldynamics.com (703) 319-9646 (703)876-3501 Pamir Consulting LLC November 2012 NISPOM Review Process 2 Draft NISPOM received by Industry in June 2010 Attended 13 meetings with DoD, ISOO, et. al. Received numerous comments, updates for review and comment on the comments Final draft and meeting on format in July 2012 Final draft to be coordinated within Federal Government Industry and public to comment during Federal Register process – 77 week process Publication expected in Fall 2014 Pamir Consulting LLC November 2012 Implementation 3 “Conforming Change to the NISPOM” to be published within 60 days to implement changes to information security policy necessitated by Executive Order 13526. Additional conforming change to implement Executive Order 13587 (Wikileaks) to counter Insider Threat. No timeline on this change. Following publication of both the conforming changes and the full NISPOM changes may be implemented immediately but Industry will be required to complete transition to new policy/procedures with 6 months. Pamir Consulting LLC November 2012 General Comments 4 Chapter 8 (Information System Security) completely re-written DSS Industrial Security Field Operations (ISFO) Process Manual will contain detailed policy and procedures. Industry will review and comment on changes to ISFO. Implementation of ISFO will be 6 months after promulgation. Chapter 10 (International) revision received by Industry and will be included in update. SAP Policy is still under review. Will consist of several volumes on specific topics. Pamir Consulting LLC November 2012 Facility Security Officer 5 Paragraph 1-201 The contractor shall appoint a U.S. Citizen employee, who is cleared as part of the facility clearance to be the FSO. The FSO will supervise and direct security measures necessary for implementing applicable requirements of this manual and related Federal requirements for classified information. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO. Pamir Consulting LLC November 2012 Self Inspections (Contractor Reviews) 6 Paragraph 1-206b As applicable, the self inspection shall include the review of representative samples of the contractor’s derivative classification actions. Contractors shall review their security programs on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles. These self-inspections shall be related to the activity, information and conditions; have sufficient scope, depth and frequency as well as management support in execution and remedy. The contractor shall prepare a formal report describing the selfinspection, its findings and resolution of issues found. The contractor shall retain the formal report for CSA review through the next CSA inspection. Pamir Consulting LLC November 2012 Senior Management Certification 7 Paragraph 1-206c. A senior management official at the cleared facility shall certify to the CSA in writing on an annual basis, that a self inspection has been conducted, that senior management have been briefed on the results, that appropriate corrective action has been taken and that management fully supports the security program at the cleared facility. Pamir Consulting LLC November 2012 Adverse Information 8 Paragraph 1-302a Contractors shall report adverse information coming to their attention concerning any of their cleared employees. This includes any adverse information regarding a cleared employee if the information would be required on the current version of the SF 86 even though the individual may not yet require a reinvestigation. Pamir Consulting LLC November 2012 Suspicious Contact 9 Paragraph 1-302b Contractors shall report efforts by any method or any means by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Pamir Consulting LLC November 2012 Change in Cleared Employee Status 10 Paragraph 1 - 302c Contractors shall report: (1) the death; (2) a change in name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed. Pamir Consulting LLC November 2012 List of Classified Contracts 11 Paragraph 1-302 o When requested by the CSA, the contractor shall provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed. Pamir Consulting LLC November 2012 Reporting of Security Costs 12 Paragraph 1- 302p When requested by the CSA, selected contractors shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs as required by Reference a. Pamir Consulting LLC November 2012 Improper Transmissions 13 Paragraph 1-302q The contractor shall advise the sender of any improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of the Chapter. Pamir Consulting LLC November 2012 Reports of Loss, Compromise or Suspected Compromise 14 Paragraph 1-303b and c Initial report. If the contractor’s preliminary inquiry confirms that a loss, compromise, or suspected compromise of any classified information occurred, the contractor shall submit an initial verbal or e-mail notification within 24 hours and an initial report within 3 working days of this determination unless otherwise notified by the CSA. Final report. When the investigation has been completed, a final report shall be submitted to the CSA within 30 days of submission of the initial report. Under extenuating circumstances the CSA may grant an extension. Pamir Consulting LLC November 2012 Facility Clearances Outside the US 15 Paragraph 2-102b The company must be organized and existing under the laws of any of the fifty states, the District of Columbia, or of the organized United States territories. The company must be located in the United States or on a government installation outside of the United States regardless of location or its U.S. territorial areas. Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation. Pamir Consulting LLC November 2012 Personnel Security Clearances 16 Paragraph 2-202 The electronic version of the SF 86 shall be completed by the employee, with assistance from the FSO or equivalent contractor employee if needed and reviewed by the FSO… The FSO or designee may provide assistance to the employee in entering data provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted. The FSO or designee shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant. Pamir Consulting LLC November 2012 Personnel Security Clearances 17 Paragraph 2-202c The FSO or designee shall maintain the retained documentation (SF 86) in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility for access to classified information has been granted, denied or revoked and no higher level access ( SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed. Pamir Consulting LLC November 2012 Pre-employment Clearance Action 18 Paragraph 2-205 The commitment for employment will indicate that employment shall commence within 30 days of the granting of the eligibility that permits the employee to perform the tasks or services associated with the contract or Government requirement for which the individual was hired. The written commitment must identify the level of PCL required as well as the contractual source of the requirement (unless the existence of the contractual relationship is classified). Pamir Consulting LLC November 2012 Contractor-Granted Clearances 19 Paragraph 2-206. Contractor-granted clearances are no longer valid for access to classified information. Pamir Consulting, LLC November 2012 Verification of U.S. Citizenship and Identity 20 Paragraph 2-207 The contractor shall require each applicant for a PCL who claims U.S. citizenship to produce evidence of citizenship. In addition the contractor shall verify identity by reviewing a valid State or Federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used. Paragraph 2-208d A current passport or passport card is acceptable proof of citizenship and identity. Pamir Consulting LLC November 2012 Foreign Ownership, Control or Influence 21 Paragraph 2-302 A company is required to complete a Standard Form 328 when applying for an FCL or when material changes occur to information previously submitted. In the case of a business organization, the SF 328 may be a consolidated response rather than separate submissions from individual legal entities within the business organization. Consolidated submissions shall be executed by the highest cleared entity in the business organization and provide sufficient detail to allow the CSA to determine the extent of foreign ownership, control or influence at each legal entity within the business organization. Depending on specific circumstances the CSA may request one or more of the legal entities that make up a corporate family to submit individual SF 328s and will determine mitigation or negation instruments that must be put in place. Pamir Consulting LLC November 2012 Security Training 22 Paragraph 3-105 The contractor shall forward the executed SF 312 to the CSA for retention, unless directed to retain these forms by the CSA. Paragraph 3-106f Initial security briefing shall include counterintelligence awareness training. Paragraph 3-107 Annual refresher training shall include counterintelligence awareness training. Paragraph 3-108 Signing the SF 312 debriefing is not required. Pamir Consulting LLC November 2012 Derivative Classification Responsibilities 23 Paragraph 4-102a & b Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information. Derivative classification includes the classification of information based on guidance, which may be either a source document, or classification guide. The duplication or reproduction of existing classified information is not derivative classification. Pamir Consulting LLC November 2012 Classification and Marking 24 Paragraph 4-102c The contractor shall ensure that all employees authorized to make derivative classification decisions are: (1) identified by name and position or by personal identifier on documents they derivatively classify (2) observe and respect original classification decisions (3) carry forward to any newly created documents the pertinent classification markings. For derivatively classified documents shall carry forward (a) the date or event for declassification that corresponds to the longest period of classification among the sources (b) a listing of source materials (4) trained in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding overclassification, at least once every 2 years (5) suspended from conducting derivative classification if they do not receive such training (6) Given ready access to pertinent classification guides, etc. Pamir Consulting LLC November 2012 Marking Miscellaneous Material 25 Paragraph 4-215 Material developed in connection with the handling, processing, production, storage, and utilization of classified information shall be handled in a manner that ensures adequate protection of the classified information involved and shall be destroyed at the earliest practical time, unless a requirement exists to retain such material. Examples of such material include classified computer media such as USB sticks, hard drives, CD ROMS, and diskettes. Such material shall be marked to indicate the highest overall classification of the information contained or embodied within the material. There is no requirement to mark such material with any additional markings. Pamir Consulting LLC November 2012 End of Day Security Checks 26 Paragraph 5-102 Contractors that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured. Pamir Consulting LLC November 2012 Control and Accountability 27 Paragraph 5-200 Contractors shall establish an information management system to facilitate retrieval and proper disposition of the classified information in their possession. Paragraph 5-203b Classified working papers, including those generated electronically, in the preparation of a finished document….Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin. Pamir Consulting LLC November 2012 Secret Storage 28 Paragraph 5-303 SECRET material shall be stored in a GSA-approved security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas. Pamir Consulting LLC November 2012 Open Storage 29 Paragraph 5-306 c Open storage of Secret and Confidential documents and IS media in closed areas requires CSA approval. Entrance doors to such areas must be secured by built-in GSA-approved electromechanical combination locks. (Note: The presence of fixed media such as internal, non-removable hard drives in operational IS is not considered open storage.) For Secret material, areas protected by an approved IDS with a 30 minute response time, as well as security-in-depth as determined by the CSA, will be eligible for such approval. For open storage areas lacking sufficient security-in-depth, a 5 minute response time is required. Pamir Consulting LLC November 2012 Open Storage Area Approval 30 Paragraph 5-306 d The CSA and the contractor shall agree on the need to establish, and the extent of, closed areas prior to the award of the contract, when possible, or when the need for such areas becomes apparent during contract performance. Areas authorized for open storage of classified documents shall be limited in size to that required to accommodate storage needs. The contractor shall ensure that visitors to such areas without the requisite PCL and need-to-know for all information stored in the area are denied access to the classified material contained therein. Pamir Consulting LLC November 2012 Supplemental Protection 31 Paragraph 5-307 Depending on the classification and nature of the material to be protected as well as the storage method used, the contractor has various options for supplemental protection listed below. No supplemental protection is required for the storage of Secret material in GSA-approved security containers or for the storage of Confidential material. Prior to implementing any supplemental protection measure to satisfy the requirements of this paragraph, the contractor shall obtain written approval from the CSA. Pamir Consulting LLC November 2012 Supplemental Protection 32 Paragraph 5-307 a and b When the CSA has approved security in depth, the CSA may authorize inspection of security containers, vaults, closed areas and open storage areas during non-working hours. These recurring patrols may be accomplished by an employee or subcontractor cleared to at least the Secret level to satisfy the supplemental protection requirement. When recurring patrols are authorized in lieu of IDS, the interval between patrols shall not exceed 2 hours for Top Secret and 4 hours for Secret. Response to an IDS as described in Section 9 of this Chapter shall be within: (1) 15 minutes (without security in depth) (2) 30 minutes (with security in depth) Pamir Consulting LLC November 2012 Security in Depth 33 Paragraph 5-307c (1) The contractor shall document the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, periodically review the effectiveness of these controls and report any changes affecting those controls to the CSA. (2) At a minimum, the contractor shall consider the following elements in their security in depth assessment: Perimeter controls Badge systems when personal recognition impractical Controlled access to areas where classified work is performed Access control devices Additional elements as determined by the CSA Pamir Consulting LLC November 2012 Confidential Transmission 34 Paragraph 5-404 Confidential material shall be transmitted by the methods established for Secret material or by U.S. Postal Service Certified Mail. Pamir Consulting LLC November 2012 Disclosure 35 Paragraph 5-503 Parent and subsidiary entities with FCLs within a business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information. Pamir Consulting LLC November 2012 Intrusion Detection Systems 36 Paragraph 5-901 CSA approval is required before installing an IDS. Approval of a new IDS shall be based on the criteria of DCID 6/9, UL Standard 2050, or other standard approved by the CSA. Paragraph 5-903 The following resources may be used to investigate alarms: proprietary security force personnel, central station guards, a subcontracted guard service, or when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of alarm response at least annually and provide a written report to the CSA of any failure to respond. Pamir Consulting LLC November 2012 Subcontracting 37 Paragraph 7-102 In any circumstance or situation wherein the prime contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor. Paragraph 7-104 Similarly, should the prime contractor determine or uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate. Pamir Consulting LLC November 2012 Designated Government Representative 38 Paragraph 10-401 In those circumstances when a USG official is not readily available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions provided the following criteria are met by the FSO and Empowered Official: Identify the responsible contractor employee and provide to the CSA a certification that the specified requirements of this Manual have been satisfied. Provide to the CSA for review all of the other required documentation specified in paragraph 10-401b. The contractor will receive either approval of the transfer procedures or approval subject to further action or disapproval. Pamir Consulting LLC November 2012 Reporting Overseas Assignments 39 Paragraph 10-601 d The contractor shall annually report to the CSA, by CSA designated means, all overseas assignments of contractor employees with, or in process for PCLs. Information provided shall include: The overseas operating location for each employee with contact information and identified contractor point of contact for the overseas location The number of contractor employees assigned to overseas locations exceeding 90 consecutive days The identification of the government organization controlling the location with contact information for the USG security officials Justification for access to USG or foreign government information Pamir Consulting, LLC November 2012 NATO Briefings – From DSS Website FAQs 40 Q: Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)? A: Paragraph 10-706 of the NISPOM only requires the NATO initial briefing date and the NATO debriefing date should be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing. Q: Is DSS required to provide NATO Annual Refresher Briefing to the Facility Security Officer (FSO)? A: As DSS is required to provide the NATO initial briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing. Pamir Consulting LLC November 2012 Definitions 41 Need-to-Know A determination made within the Executive Branch that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch. Pamir Consulting LLC November 2012