Presentation on theme: "NISPOM Update for JSAC Workshop"— Presentation transcript:
1 NISPOM Update for JSAC Workshop
Rosalind Baybutt
April 18, 2013
2 NISPOM Change Process
Draft changes to entire NISPOM received by Industry in June 2010
Attended 13 meetings, provided comments, made comments to the comments
Final draft and meeting on format in July 2012
Industry to comment on final draft through Federal Register – 77 week process
Publication expected Fall 2014
3 Additional Industrial Security Actions
“Conforming Change to the NISPOM” to implement changes necessitated by Executive Order, published March 28, 2013 – Change 1
Additional conforming change to implement Executive Order (Wikileaks) to counter insider threat. Draft received by Industry for 30 day comment period – due April 29, 2013 – identified as “Draft” on these slides
Draft Industrial Security Letter – Retention of threat information – Industry comments provided
DD Form 254 database – Industry participating in requirements definition phase with DSS – proposed completion late 2013
4 Facility Security Officer – Paragraph 1-201
The contractor shall appoint a U.S. citizen employee, who is cleared as part of the facility clearance, to be the FSO…. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO.
5 Insider Threat Program – Draft Paragraph
a. The contractor will establish an insider threat program which will gather, integrate and report relevant and available information indicative of a potential or actual insider threat.
b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program.
6 Cooperation with Federal Agencies – Draft Paragraph 1-204/5
Contractors shall cooperate with Federal agencies and their officially credentialed representatives during official inspections, investigations concerning the protection of classified information, or other information gathering, and during personnel security investigations of present or former employees and others. Cooperation includes providing suitable arrangements within the facility for conducting private interviews… providing relevant employment and security records and records pertinent to insider threat (e.g., security, information assurance and human resources) for review when requested…
7 Self Inspections – Draft Paragraph 1-206b
As applicable, the self-inspection shall include the review of representative samples of the contractor’s derivative classification actions. These self-inspections shall be related to the activity, information and conditions; have sufficient scope, depth and frequency; and have management support in execution and remedy. The contractor shall prepare a formal report describing the self-inspection, its findings and the resolution of issues found. The contractor shall retain the formal report for CSA review.
8 Senior Management Certification – Draft Paragraph 1-206c
A senior management official at the cleared facility shall certify to the CSA in writing, on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.
9 National Reporting Requirements – Draft Paragraph 1-302d
Contractors will report all information specified in the “Minimum Reporting Requirements for Personnel with National Security Eligibility Determinations” in accordance with guidance provided by the CSA.
10 Suspicious Contact – Paragraph 1-302b
Contractors shall report efforts, by any method or means and by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).
11 Change in Cleared Employee Status – Paragraph 1-302c
Contractors shall report: (1) the death; (2) a change in name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed.
12 List of Classified Contracts – Paragraph 1-302o
When requested by the CSA, the contractor shall provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed.
13 Reporting of Security Costs – Paragraph 1-302p
When requested by the CSA, selected contractors shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs.
14 Improper Transmissions – Paragraph 1-302q
The contractor shall advise the sender of any improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of this Chapter.
15 Reports to DoD on Penetration of Networks and Information Systems – Draft Paragraph
As required by Section 941 of the FY 2013 National Defense Authorization Act, contractors are required to report any penetration of covered networks or information systems that contain or process information created by or for DoD to which the contractor is required to apply enhanced protection.
16 Reports on Network Penetrations – Draft Paragraph
Contractors will report immediately to DoD any successful penetration of a covered network or information system.
A description of the technique or method used
A sample of the malicious software
A summary of DoD information that has been potentially compromised
Contractors will promptly reply to a DoD request for approval to disseminate information outside DoD.
17 Access to Equipment by DoD Personnel – Draft Paragraph
Upon request, the contractor will provide:
Access to equipment or information of the contractor necessary to conduct forensic analysis, in addition to any analysis conducted by the contractor.
Access to information created by or for DoD in connection with any Department program which may have been successfully exfiltrated from a contractor network or information system.
18 Facility Clearances Outside the US – Paragraph 2-102b
Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation.
19 PCLs Required in Connection with the FCL – Draft Paragraph
The senior management official, the FSO and the Insider Threat Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph
20 Personnel Security Clearances – Paragraph 2-202
The electronic version of the SF 86 shall be completed by the employee… The FSO or designee may provide assistance to the employee in entering data, provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted. The FSO shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant.
21 Personnel Security Clearances – Paragraph 2-202c
The FSO or designee shall maintain the retained SF 86 in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility has been granted, denied or revoked and no higher level access (SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed.
22 Verification of U.S. Citizenship and Identity – Paragraph 2-207
The contractor shall require each applicant for a PCL who claims U.S. citizenship to produce evidence of citizenship. In addition, the contractor shall verify identity by reviewing a valid State or federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used.
A current passport or passport card is acceptable proof of citizenship and identity.
23 Security Training and Briefings – Draft Paragraph
The designated senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained.
Contractor Insider Threat Program personnel must be trained in:
Counterintelligence and security fundamentals, to include legal issues
Procedures for conducting insider threat response actions
Applicable laws and regulations regarding the gathering, integration, retention, safeguarding and use of records and data
Applicable legal, civil liberties and privacy policies
24 Insider Threat Training – Draft
All cleared employees must be provided insider threat awareness training, either in-person or computer-based, within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee;
Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems;
Indicators of insider threat behavior, and procedures to report such behavior; and
Counterintelligence and security reporting requirements.
The contractor will maintain a record of all cleared employees who have completed the training.
25 Derivative Classification Responsibilities – Change 1 Paragraph a & b
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information.
The duplication or reproduction of existing classified information is not derivative classification.
26 Classification and Marking – Change 1 Paragraph 4-102c
The contractor shall ensure that all employees authorized to make derivative classification decisions are:
(1) identified by name and position, or by personal identifier, on documents they derivatively classify
(4) trained, in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years
(5) not authorized to conduct derivative classification until they receive such training
(6) given ready access to pertinent classification guides, etc.
27 “Classified By” Line – Change 1 Paragraph a
The purpose of the “Classified By” line is to identify the person who applies derivative classification markings for the document. If not otherwise evident, the agency and office of origin will be identified on the line and will follow the name and position or personal identifier of the derivative classifier.
28 End of Day Security Checks – Paragraph 5-102
Contractors that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured.
29 Control and Accountability – Paragraph 5-200
Contractors shall establish an information management system to facilitate retrieval and proper disposition of the classified information in their possession.
30 Control and Accountability – Paragraph 5-203b
Classified working papers, including those generated electronically, in the preparation of a finished document… Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin.
31 Secret Storage – Paragraph 5-303
SECRET material shall be stored in a GSA-approved security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas.
32 Confidential Transmission – Paragraph 5-404
CONFIDENTIAL material shall be transmitted by the methods established for SECRET material or by U.S. Postal Service Certified Mail.
33 Disclosure – Paragraph 5-503
Parent and subsidiary entities with FCLs within a business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information.
34 Intrusion Detection Systems – Paragraph 5-903
The following resources may be used to investigate alarms: proprietary security force personnel, central station guards, a subcontracted guard service or, when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of the alarm response at least annually and provide a written report to the CSA of any failure to respond.
35 Subcontracting – Paragraph 7-102 & 7-104
In any circumstance or situation wherein the prime contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor.
Similarly, should the prime contractor determine or uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate.
36 Information System Security – Draft Paragraph 8-100b
Protection requires a balanced approach, including IS security features that include but are not limited to administrative, operational, physical, computer, communications and personnel controls. Protective measures commensurate with the classification of the information, the threat, and the operational requirements associated with the environment of the IS are required. At a minimum, classified network banners will be included to notify employees that they are subject to monitoring and that such monitoring could be used against them in a criminal, security or administrative proceeding.
37 Users of IS – Draft Paragraph 8-105c(6)
All users shall acknowledge, in writing, that their activity on any classified network is subject to monitoring and that such monitoring could be used against them in a criminal, security or administrative proceeding. The agreement language will be provided by the appropriate CSA.
38 Designated Government Representative – Paragraph
In those circumstances when a USG official is not readily available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions, provided the following criteria are met by the FSO and Empowered Official:
Identify the responsible contractor employee and provide to the CSA a certification that the specified requirements of this Manual have been satisfied.
Provide to the CSA for review all of the required documentation specified in paragraph b.
39 Reporting Overseas Assignments – Paragraph d
The contractor shall annually report to the CSA all overseas assignments of contractor employees with, or in process for, PCLs. Information shall include:
The overseas location, with contact information
The number of employees assigned overseas in excess of 90 consecutive days
The government organization controlling the location, with contact information
Justification for access to classified information
40 Definitions – Need-to-know
A determination made within the Executive Branch that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch.