NISPOM Update for Dulles ISAC

Presentation transcript:

NISPOM Update for Dulles ISAC
November 10, 2015
Rosalind Baybutt, rbaybutt@generaldynamics.com

NISPOM Changes
Draft changes to the entire NISPOM were received by Industry in June 2010; that draft is currently inactive.
A new process is under way to rewrite the entire 2006 NISPOM.
"Conforming" Change 2 (Insider Threat) is currently in final review within DoD. It implements Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," October 7, 2011. Publication will follow the review, with a 6 month implementation period.

Change to NISP Executive Order
EO 12829, National Industrial Security Program, was amended by EO 13691, Promoting Private Sector Cybersecurity Information Sharing. The Dept. of Homeland Security (DHS) is now a Cognizant Security Agency with authority to issue clearances and inspect contractors. DHS must concur with changes to the NISPOM and shall prescribe that portion of the NISPOM that pertains to classified information shared under a critical infrastructure protection program.

NISPOM Conforming Change 2 Draft Language

Definitions - Draft
Insider – Any person with authorized access to any government or contractor resource, to include personnel, facilities, information, equipment, networks or systems.
Insider Threat – The threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the US through espionage, terrorism, unauthorized disclosure of National Security Information, or through the loss or degradation of government, company, contract or program information, resources or capabilities.

Insider Threat Program – Draft Paragraph 1-202.
a. The contractor will establish and maintain an insider threat program which will gather, integrate and report relevant and available information indicative of a potential or actual insider threat.
b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. The Insider Threat Senior Official may also serve as the FSO. If not the FSO, the contractor's Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor's implementation program for an insider threat program.
c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.

Cooperation with Federal Agencies – Draft Paragraph 1-204/5.
Contractors shall cooperate with Federal agencies and their officially credentialed representatives during official inspections and investigations concerning the protection of classified information, and during personnel security investigations of present or former employees and others. Cooperation includes providing suitable arrangements within the facility for conducting private interviews… providing relevant employment and security records and records pertinent to insider threat (e.g., security, cybersecurity and human resources) for review when requested, and rendering other necessary assistance.

Reporting Requirements - Draft Paragraph 1-300.
Contractors are required to report certain events that:
- impact the status of the facility clearance;
- impact the status of an employee's personnel security clearance;
- may indicate the employee poses an insider threat;
- affect the proper safeguarding of classified information, or that indicate that classified information has been lost or compromised.
Definition: Adverse Information – Any information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, that his or her access to classified information clearly may not be in the interest of national security, or that the individual constitutes an insider threat.

PCLs Required in Connection with the FCL – Draft Paragraph 2-104.
The senior management official, the FSO and the Insider Threat Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.

Security Training and Briefings – Draft Paragraph 3-103.
The designated Insider Threat Senior Official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training considered appropriate by the CSA.
a. Contractor insider threat program personnel, including the contractor-designated Insider Threat Senior Official, must be trained in:
- Counterintelligence and security fundamentals, including applicable legal issues
- Procedures for conducting insider threat response actions
- Applicable laws and regulations regarding the gathering, integration, retention, safeguarding and use of records and data, including the consequences of misuse of such information
- Applicable legal, civil liberties and privacy policies

Insider Threat Training - Draft Paragraph 3-103b.
All cleared employees must be provided insider threat awareness training before being granted access to classified information and annually thereafter. Training will address current and potential threats in the work and personal environment and will include:
- The importance of detecting potential insider threats by cleared employees and reporting suspected activity
- Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems
- Indicators of insider threat behavior, and procedures to report such behavior
- Counterintelligence and security reporting requirements
Paragraph 3-103c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual training. Depending on CSA-specific guidance, a CSA may conduct training and maintain records.

Insider Threat Awareness Course
Description: This course provides a thorough understanding of how Insider Threat Awareness is an essential component of a comprehensive security program. With a theme of "If you see something, say something," the course promotes the reporting of suspicious activities observed within the place of duty. Using a few case study scenarios, the course teaches the common indicators which highlight actions and behaviors that can signify an insider threat. The instruction promotes a proactive approach to reporting suspicious activities.
Prerequisite for "Establishing an Insider Threat Program for your Organization." 30 minute course that can be taken without registration through CDSE. Certificate provided.

Establishing an Insider Threat Program for your Organization
Description: This course is designed for individuals designated as the organizational Insider Threat Program Manager. The instruction provides guidance for organizational Insider Threat Program Managers on how to organize and design their specific program. It covers the minimum standards outlined in Executive Order 13587, which all programs must consider in their policy and plans. The course recommends which internal organizational disciplines should be included as integral members in the organization's Insider Threat team or "hub" to ensure all potential vulnerabilities are considered. The course instructs the Insider Threat Program Manager to ensure he and his team receive fundamental training in the topics required by the National Policy.
Register through CDSE. 60 minute course. Test required.

Initial Security Briefings - Draft Paragraph 3-106/7.
Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
- A threat awareness security briefing, including insider threat awareness in accordance with paragraph 1-103b of this Manual
- Counterintelligence awareness briefing
- An overview of the security classification system
- Employee reporting obligations and requirements, including insider threat
- Initial and annual refresher cybersecurity awareness training for all authorized IS users
- Security procedures and duties applicable to the employee's job

DSS Initial/Annual Security Training
New employee security training developed by DSS to provide the initial and annual refresher training required by the NISPOM. There is a test, and the employee can print a certificate upon passing the test. The "Counterintelligence Awareness and Security Brief" course was developed for employees at cleared defense contractor facilities. The emphasis of the training is on awareness of potential threats directed against U.S. technology; it also explains common suspicious activities, including insider threats, that should be reported to the Facility Security Officer (FSO) in compliance with NISPOM 1-302. FSOs are encouraged to use this training to meet the Security Training and Briefings requirement outlined in NISPOM Chapter 3. Unfortunately I do not see DSS making it available through our LMS.

Self-Inspections – Draft Paragraph 1-207b.
Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection, including the self-inspection required by paragraph 8-101h, at intervals consistent with risk management principles. These self-inspections will be related to the activity, information, information systems and conditions of the overall security program, to include insider threat programs; have sufficient scope, depth and frequency; and have management support in execution and remedy. The contractor will prepare a formal report describing the self-inspection, its findings and the resolution of issues found. The contractor will retain the formal report for CSA review through the next CSA inspection. Self-inspections by contractors will include the review of representative samples of the contractor's derivative classification actions, as applicable.

Senior Management Certification – Draft Paragraph 1-207b(3).
A senior management official at the cleared facility will certify to the CSA in writing, on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.

Reports to DoD about Cyber Incidents on Cleared Defense Contractor (CDC) ISs Approved to Process Classified Information – Draft Paragraph 1-400.
This section applies only to CDCs. DoD will provide detailed reporting instructions via industrial security letters. This section sets forth the CDC reporting requirements for any cyber incidents involving CDC ISs that have been approved by the designated DoD NISP CSO to process classified information, referred to in this Manual as a "covered IS." A covered IS will be considered a type of covered network consistent with Section 941, FY 2013 National Defense Authorization Act requirements. As applicable, the reporting requirements of this section are in addition to those in paragraph 1-301 or 1-303 of this Manual.

Reports to be Submitted to DoD - Draft Paragraph 1-401.
CDCs will report immediately to DoD any cyber incident on a covered IS, as described in paragraph 1-400c of this section. At a minimum, CDCs will report:
- A description of the technique or method used in the cyber incident
- A sample of the malicious software, if discovered and isolated by the CDC, involved in the cyber incident
- A summary of classified information in connection with any program that has been potentially compromised due to the cyber incident
DoD will obtain approval from the CDC before distribution outside the DoD of information obtained or derived from the CDC's reporting that is not created by or for the DoD. The CDC will promptly respond to such a request.

Access to Equipment by DoD Personnel – Draft Paragraph 1-402.
The DoD ISL, when issued, will include procedures consistent with the CDC reporting requirements set in paragraph 1-401 of this section. Those procedures will:
- Include a mechanism for DoD personnel, upon request to the CDC, to obtain access to equipment or information of the CDC that is necessary to conduct forensic analysis, in addition to any analysis conducted by the CDC.
- Provide that the CDC is only required to provide DoD access to equipment or information, as described in paragraph 1-402a of this section, to determine whether information was successfully exfiltrated from a CDC's covered IS and, if so, what information was exfiltrated.

Information Systems Security - Draft Chapter 8
Chapter 8 has been completely rewritten, and most of it was deleted. The NISPOM will contain requirements to maintain an IS security program, conduct training, appoint an ISSM, prepare security plans, follow the certification and accreditation process, and apply security controls. All other requirements will be detailed in CSA guidance (the DSS ODAA Process Manual).

Information System Security - Draft Paragraph 8-100a.
Contractor Information Systems (ISs) that are used to capture, create, store, process or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information and, when required by contract, loss of the availability or integrity of the information or the system. IS security will use a risk-based approach, including a baseline set of management, operational and technical controls.
Paragraph 8-100c. Banners will be included on all classified ISs to notify users that they are subject to monitoring and that such monitoring could be used against them in a criminal, security, or administrative proceeding.
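The banner requirement in draft paragraph 8-100c is the one control on this slide that maps directly onto a host setting, and it is easy to get half right (banner file present but sshd never told to show it, or a blank file left behind by an image build). The script below is an added example, not part of the presentation or of any NISPOM or DSS text: it writes a monitoring-consent banner to the files a Linux host displays before local and SSH logins (/etc/issue, /etc/issue.net and the sshd_config Banner directive, which are real paths and a real OpenSSH option) and then checks that the result actually carries both notices the paragraph names. The banner wording and the function names install_banner and check_banner are constructed for illustration; the text a cleared facility must display comes from its CSA guidance.

```sh
#!/bin/sh
# Added example (not from the presentation): install and verify a
# monitoring-consent login banner on a Linux host, reflecting draft
# NISPOM paragraph 8-100c. The banner wording below is constructed for
# illustration only; real wording comes from CSA guidance.

# Print the banner text.
nispom_banner() {
  cat <<'EOF'
WARNING: This information system is subject to monitoring at all times.
By using this system you consent to such monitoring. Information collected
during monitoring may be used against you in a criminal, security, or
administrative proceeding.
EOF
}

# Install the banner so it is shown before console and SSH logins.
# $1 is the root of the configuration tree (default /etc); passing another
# directory lets the function be exercised without touching the real host.
install_banner() {
  dir="${1:-/etc}"
  mkdir -p "$dir/ssh"
  nispom_banner > "$dir/issue"       # shown by getty before local login
  nispom_banner > "$dir/issue.net"   # shown before network logins
  conf="$dir/ssh/sshd_config"
  [ -f "$conf" ] || : > "$conf"
  # Drop any existing Banner directive, then append ours. awk always exits
  # 0, so this stays safe under 'set -e' even when the file is empty.
  awk '$1 != "Banner"' "$conf" > "$conf.tmp"
  printf 'Banner %s\n' "$dir/issue.net" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Verify the banner files exist, carry both required notices (monitoring,
# and use in proceedings), and are referenced by sshd.
# Returns 0 when compliant, 1 with a reason otherwise.
check_banner() {
  dir="${1:-/etc}"
  for f in "$dir/issue" "$dir/issue.net"; do
    [ -s "$f" ] || { echo "FAIL: $f missing or empty"; return 1; }
    grep -qi 'monitor' "$f" || { echo "FAIL: $f lacks monitoring notice"; return 1; }
    grep -qi 'proceeding' "$f" || { echo "FAIL: $f lacks proceedings notice"; return 1; }
  done
  target=$(awk '$1 == "Banner" { print $2 }' "$dir/ssh/sshd_config" 2>/dev/null | tail -n 1)
  if [ -z "$target" ] || [ ! -s "$target" ]; then
    echo "FAIL: sshd Banner directive missing or points to an empty file"
    return 1
  fi
  echo "OK: banner installed and referenced by sshd"
  return 0
}

# Typical use on the real host (as root), followed by 'systemctl reload sshd'
# or the equivalent so the new Banner directive takes effect:
#   install_banner && check_banner
```

check_banner is the piece worth keeping in a self-inspection checklist: run it against each classified IS and the output is a yes/no finding that can go straight into the formal self-inspection report.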

Information System Security - Draft Paragraph 8-100d.
The contractor will implement protection measures in accordance with guidance issued by the CSA, including tools or capabilities required by the CSA to monitor user activity indicative of insider threat. The guidance issued by the CSA will be based on the requirements for Federal systems (Federal Information Security Management Act) as defined in National Institute of Standards and Technology (NIST) 800-37, Committee on National Security Systems (CNSS) Directive 504, and other applicable CNSS publications. The CSA may provide profiles containing security controls appropriate for specific types of systems, configurations and environments.

Information System Security - Draft Paragraph 8-101.
The contractor will maintain an IS security program that incorporates a risk-based set of management, operational and technical controls, consistent with guidelines established by the CSA. The IS security program must include, at a minimum, the following elements:
- Policies and procedures that reduce information security risks to an acceptable level and address information security throughout the IS life cycle
- Plans for providing adequate information security for data resident in the IS or on the networks, facilities or groups of ISs
- Training
- Test and Evaluation – continuous monitoring
- Procedure for detecting, reporting and responding to incidents

Chapter 9, Section 1, Restricted Data – completely eliminated; refers to Appendix D, NISPOM Supplement, of this Manual.
Section 3, Intelligence Information – just a general paragraph stating that Intelligence Information is under the jurisdiction and control of the Director for National Intelligence, who establishes security policy for the protection of national intelligence and intelligence sources, methods and activities.

Chapter 10, Section 8, Transfers of Defense Articles to Australia or the United Kingdom without a License or other Written Authorization – the section was amended to add provisions of the Defense Trade Cooperation Treaty between the US and Australia.

Cancellation of NISPOM Supplement 1 – Paragraph 1-100. This Manual incorporates and cancels DoD 5220.22-M, Supplement 1, "National Industrial Security Program Operating Manual Supplement," February 1, 1995.
Appendix D – Security Requirements for SAPs, SCI, IC Compartmented Programs, RD and FRD. Given the sensitive nature of the classified information in these categories, the security requirements prescribed in this appendix exceed NISPOM baseline standards and, as appropriate, may be applied through specific contract requirements.