NISPOM Update for NCMS
November 2012
ROSALIND BAYBUTT
DIRECTOR – INDUSTRIAL SECURITY SERVICES
PAMIR CONSULTING LLC
rosalind.baybutt@pamirllc.com
rbaybutt@generaldynamics.com
(703) 319-9646
(703)876-3501
Pamir Consulting LLC
November 2012
NISPOM Review Process
• Draft NISPOM received by Industry in June 2010
• Attended 13 meetings with DoD, ISOO, et al.
• Received numerous comments, updates for review and comment on the comments
• Final draft and meeting on format in July 2012
• Final draft to be coordinated within Federal Government
• Industry and public to comment during Federal Register process – 77 week process
• Publication expected in Fall 2014

Implementation
• “Conforming Change to the NISPOM” to be published within 60 days to implement changes to information security policy necessitated by Executive Order 13526.
• Additional conforming change to implement Executive Order 13587 (Wikileaks) to counter Insider Threat. No timeline on this change.
• Following publication of both the conforming changes and the full NISPOM, changes may be implemented immediately, but Industry will be required to complete transition to new policy/procedures within 6 months.

General Comments
• Chapter 8 (Information System Security) completely re-written
  – DSS Industrial Security Field Operations (ISFO) Process Manual will contain detailed policy and procedures.
  – Industry will review and comment on changes to ISFO.
  – Implementation of ISFO will be 6 months after promulgation.
• Chapter 10 (International) revision received by Industry and will be included in update.
• SAP Policy is still under review. Will consist of several volumes on specific topics.

Facility Security Officer
• Paragraph 1-201
• The contractor shall appoint a U.S. Citizen employee, who is cleared as part of the facility clearance, to be the FSO. The FSO will supervise and direct security measures necessary for implementing applicable requirements of this manual and related Federal requirements for classified information. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO.

Self Inspections (Contractor Reviews)
• Paragraph 1-206b
• As applicable, the self-inspection shall include the review of representative samples of the contractor’s derivative classification actions.
• Contractors shall review their security programs on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles. These self-inspections shall be related to the activity, information and conditions; have sufficient scope, depth and frequency as well as management support in execution and remedy. The contractor shall prepare a formal report describing the self-inspection, its findings and resolution of issues found. The contractor shall retain the formal report for CSA review through the next CSA inspection.

Senior Management Certification
• Paragraph 1-206c
• A senior management official at the cleared facility shall certify to the CSA in writing on an annual basis that a self-inspection has been conducted, that senior management have been briefed on the results, that appropriate corrective action has been taken and that management fully supports the security program at the cleared facility.

Adverse Information
• Paragraph 1-302a
• Contractors shall report adverse information coming to their attention concerning any of their cleared employees. This includes any adverse information regarding a cleared employee if the information would be required on the current version of the SF 86, even though the individual may not yet require a reinvestigation.

Suspicious Contact
• Paragraph 1-302b
• Contractors shall report efforts by any method or any means, by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

Change in Cleared Employee Status
• Paragraph 1-302c
• Contractors shall report: (1) the death; (2) a change in name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed.

List of Classified Contracts
• Paragraph 1-302o
• When requested by the CSA, the contractor shall provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed.

Reporting of Security Costs
• Paragraph 1-302p
• When requested by the CSA, selected contractors shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs as required by Reference a.

Improper Transmissions
• Paragraph 1-302q
• The contractor shall advise the sender of any improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of the Chapter.

Reports of Loss, Compromise or Suspected Compromise
• Paragraph 1-303b and c
• Initial report. If the contractor’s preliminary inquiry confirms that a loss, compromise, or suspected compromise of any classified information occurred, the contractor shall submit an initial verbal or e-mail notification within 24 hours and an initial report within 3 working days of this determination, unless otherwise notified by the CSA.
• Final report. When the investigation has been completed, a final report shall be submitted to the CSA within 30 days of submission of the initial report. Under extenuating circumstances the CSA may grant an extension.

Facility Clearances Outside the US
• Paragraph 2-102b
• The company must be organized and existing under the laws of any of the fifty states, the District of Columbia, or of the organized United States territories. The company must be located in the United States or on a government installation outside of the United States regardless of location or its U.S. territorial areas. Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation.

Personnel Security Clearances
• Paragraph 2-202
• The electronic version of the SF 86 shall be completed by the employee, with assistance from the FSO or equivalent contractor employee if needed, and reviewed by the FSO…
• The FSO or designee may provide assistance to the employee in entering data, provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted.
• The FSO or designee shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant.

Personnel Security Clearances
• Paragraph 2-202c
• The FSO or designee shall maintain the retained documentation (SF 86) in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility for access to classified information has been granted, denied or revoked and no higher level access (SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed.

Pre-employment Clearance Action
• Paragraph 2-205
• The commitment for employment will indicate that employment shall commence within 30 days of the granting of the eligibility that permits the employee to perform the tasks or services associated with the contract or Government requirement for which the individual was hired. The written commitment must identify the level of PCL required as well as the contractual source of the requirement (unless the existence of the contractual relationship is classified).

Contractor-Granted Clearances
• Paragraph 2-206
• Contractor-granted clearances are no longer valid for access to classified information.

Verification of U.S. Citizenship and Identity
• Paragraph 2-207
• The contractor shall require each applicant for a PCL who claims U.S. citizenship to produce evidence of citizenship. In addition, the contractor shall verify identity by reviewing a valid State or Federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used.
• Paragraph 2-208d
• A current passport or passport card is acceptable proof of citizenship and identity.

Foreign Ownership, Control or Influence
• Paragraph 2-302
• A company is required to complete a Standard Form 328 when applying for an FCL or when material changes occur to information previously submitted. In the case of a business organization, the SF 328 may be a consolidated response rather than separate submissions from individual legal entities within the business organization. Consolidated submissions shall be executed by the highest cleared entity in the business organization and provide sufficient detail to allow the CSA to determine the extent of foreign ownership, control or influence at each legal entity within the business organization. Depending on specific circumstances, the CSA may request one or more of the legal entities that make up a corporate family to submit individual SF 328s and will determine mitigation or negation instruments that must be put in place.

Security Training
• Paragraph 3-105
• The contractor shall forward the executed SF 312 to the CSA for retention, unless directed to retain these forms by the CSA.
• Paragraph 3-106f
• Initial security briefing shall include counterintelligence awareness training.
• Paragraph 3-107
• Annual refresher training shall include counterintelligence awareness training.
• Paragraph 3-108
• Signing the SF 312 debriefing is not required.

Derivative Classification Responsibilities
• Paragraph 4-102a & b
• Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information.
• Derivative classification includes the classification of information based on guidance, which may be either a source document or a classification guide. The duplication or reproduction of existing classified information is not derivative classification.

Classification and Marking
• Paragraph 4-102c
• The contractor shall ensure that all employees authorized to make derivative classification decisions are:
  (1) identified by name and position or by personal identifier on documents they derivatively classify
  (2) observe and respect original classification decisions
  (3) carry forward to any newly created documents the pertinent classification markings. Derivatively classified documents shall carry forward:
    (a) the date or event for declassification that corresponds to the longest period of classification among the sources
    (b) a listing of source materials
  (4) trained in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding overclassification, at least once every 2 years
  (5) suspended from conducting derivative classification if they do not receive such training
  (6) given ready access to pertinent classification guides, etc.

Marking Miscellaneous Material
• Paragraph 4-215
• Material developed in connection with the handling, processing, production, storage, and utilization of classified information shall be handled in a manner that ensures adequate protection of the classified information involved and shall be destroyed at the earliest practical time, unless a requirement exists to retain such material. Examples of such material include classified computer media such as USB sticks, hard drives, CD-ROMs, and diskettes. Such material shall be marked to indicate the highest overall classification of the information contained or embodied within the material. There is no requirement to mark such material with any additional markings.

End of Day Security Checks
• Paragraph 5-102
• Contractors that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured.

Control and Accountability
• Paragraph 5-200
• Contractors shall establish an information management system to facilitate retrieval and proper disposition of the classified information in their possession.
• Paragraph 5-203b
• Classified working papers, including those generated electronically, in the preparation of a finished document… Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin.

Secret Storage
• Paragraph 5-303
• SECRET material shall be stored in a GSA-approved security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas.

Open Storage
• Paragraph 5-306c
• Open storage of Secret and Confidential documents and IS media in closed areas requires CSA approval. Entrance doors to such areas must be secured by built-in GSA-approved electromechanical combination locks. (Note: The presence of fixed media such as internal, non-removable hard drives in operational IS is not considered open storage.)
• For Secret material, areas protected by an approved IDS with a 30 minute response time, as well as security-in-depth as determined by the CSA, will be eligible for such approval. For open storage areas lacking sufficient security-in-depth, a 5 minute response time is required.

Open Storage Area Approval
• Paragraph 5-306d
• The CSA and the contractor shall agree on the need to establish, and the extent of, closed areas prior to the award of the contract, when possible, or when the need for such areas becomes apparent during contract performance. Areas authorized for open storage of classified documents shall be limited in size to that required to accommodate storage needs. The contractor shall ensure that visitors to such areas without the requisite PCL and need-to-know for all information stored in the area are denied access to the classified material contained therein.

Supplemental Protection
• Paragraph 5-307
• Depending on the classification and nature of the material to be protected as well as the storage method used, the contractor has various options for supplemental protection listed below. No supplemental protection is required for the storage of Secret material in GSA-approved security containers or for the storage of Confidential material. Prior to implementing any supplemental protection measure to satisfy the requirements of this paragraph, the contractor shall obtain written approval from the CSA.

Supplemental Protection
• Paragraph 5-307a and b
• When the CSA has approved security in depth, the CSA may authorize inspection of security containers, vaults, closed areas and open storage areas during non-working hours. These recurring patrols may be accomplished by an employee or subcontractor cleared to at least the Secret level to satisfy the supplemental protection requirement. When recurring patrols are authorized in lieu of IDS, the interval between patrols shall not exceed 2 hours for Top Secret and 4 hours for Secret.
• Response to an IDS as described in Section 9 of this Chapter shall be within:
  (1) 15 minutes (without security in depth)
  (2) 30 minutes (with security in depth)

Security in Depth
• Paragraph 5-307c
• (1) The contractor shall document the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, periodically review the effectiveness of these controls and report any changes affecting those controls to the CSA.
• (2) At a minimum, the contractor shall consider the following elements in their security in depth assessment:
  – Perimeter controls
  – Badge systems when personal recognition impractical
  – Controlled access to areas where classified work is performed
  – Access control devices
  – Additional elements as determined by the CSA

Confidential Transmission
• Paragraph 5-404
• Confidential material shall be transmitted by the methods established for Secret material or by U.S. Postal Service Certified Mail.

Disclosure
• Paragraph 5-503
• Parent and subsidiary entities with FCLs within a business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information.

Intrusion Detection Systems
• Paragraph 5-901
• CSA approval is required before installing an IDS. Approval of a new IDS shall be based on the criteria of DCID 6/9, UL Standard 2050, or other standard approved by the CSA.
• Paragraph 5-903
• The following resources may be used to investigate alarms: proprietary security force personnel, central station guards, a subcontracted guard service, or, when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of alarm response at least annually and provide a written report to the CSA of any failure to respond.

Subcontracting
• Paragraph 7-102
• In any circumstance or situation wherein the prime contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor.
• Paragraph 7-104
• Similarly, should the prime contractor determine or uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate.

Designated Government Representative
• Paragraph 10-401
• In those circumstances when a USG official is not readily available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions, provided the following criteria are met by the FSO and Empowered Official:
  – Identify the responsible contractor employee and provide to the CSA a certification that the specified requirements of this Manual have been satisfied.
  – Provide to the CSA for review all of the other required documentation specified in paragraph 10-401b. The contractor will receive either approval of the transfer procedures, approval subject to further action, or disapproval.

Reporting Overseas Assignments
• Paragraph 10-601d
• The contractor shall annually report to the CSA, by CSA designated means, all overseas assignments of contractor employees with, or in process for, PCLs. Information provided shall include:
  – The overseas operating location for each employee with contact information and identified contractor point of contact for the overseas location
  – The number of contractor employees assigned to overseas locations exceeding 90 consecutive days
  – The identification of the government organization controlling the location with contact information for the USG security officials
  – Justification for access to USG or foreign government information

NATO Briefings – From DSS Website FAQs
• Q: Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)?
• A: Paragraph 10-706 of the NISPOM only requires that the NATO initial briefing date and the NATO debriefing date be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing.
• Q: Is DSS required to provide the NATO Annual Refresher Briefing to the Facility Security Officer (FSO)?
• A: As DSS is required to provide the NATO initial briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing.

Definitions
• Need-to-Know
• A determination made within the Executive Branch that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch.