rosalind baybutt director – industrial security services pamir consulting llc...

ROSALIND BAYBUTTDIRECTOR – INDUSTRIAL SECURITY SERVICES

PAMIR CONSULTING [email protected]@generaldynamics.com

(703) 319-9646(703)876-3501

NISPOM Update for NCMS November 2012

November 2012Pamir Consulting LLC

1

NISPOM Review Process

Draft NISPOM received by Industry in June 2010Attended 13 meetings with DoD, ISOO, et. al.Received numerous comments, updates for review

and comment on the commentsFinal draft and meeting on format in July 2012Final draft to be coordinated within Federal

GovernmentIndustry and public to comment during Federal

Register process – 77 week processPublication expected in Fall 2014


2

Implementation

“Conforming Change to the NISPOM” to be published within 60 days to implement changes to information security policy necessitated by Executive Order 13526.

Additional conforming change to implement Executive Order 13587 (Wikileaks) to counter Insider Threat. No timeline on this change.

Following publication of both the conforming changes and the full NISPOM changes may be implemented immediately but Industry will be required to complete transition to new policy/procedures with 6 months.


3

General Comments

Chapter 8 (Information System Security) completely re-written DSS Industrial Security Field Operations (ISFO) Process

Manual will contain detailed policy and procedures. Industry will review and comment on changes to ISFO. Implementation of ISFO will be 6 months after

promulgation.

Chapter 10 (International) revision received by Industry and will be included in update.

SAP Policy is still under review. Will consist of several volumes on specific topics.


4

Facility Security Officer

Paragraph 1-201 The contractor shall appoint a U.S. Citizen employee,

who is cleared as part of the facility clearance to be the FSO. The FSO will supervise and direct security measures necessary for implementing applicable requirements of this manual and related Federal requirements for classified information. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the CSA. Employees who are unable to perform day-to-day oversight of the security operations of the facility are not eligible to be the FSO.


5

Self Inspections (Contractor Reviews)

Paragraph 1-206b As applicable, the self inspection shall include the review of

representative samples of the contractor’s derivative classification actions.

Contractors shall review their security programs on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles. These self-inspections shall be related to the activity, information and conditions; have sufficient scope, depth and frequency as well as management support in execution and remedy. The contractor shall prepare a formal report describing the self-inspection, its findings and resolution of issues found. The contractor shall retain the formal report for CSA review through the next CSA inspection.


6

Senior Management Certification

Paragraph 1-206c. A senior management official at the cleared facility

shall certify to the CSA in writing on an annual basis, that a self inspection has been conducted, that senior management have been briefed on the results, that appropriate corrective action has been taken and that management fully supports the security program at the cleared facility.


7

Adverse Information

Paragraph 1-302a Contractors shall report adverse information coming

to their attention concerning any of their cleared employees. This includes any adverse information regarding a cleared employee if the information would be required on the current version of the SF 86 even though the individual may not yet require a reinvestigation.


8

Suspicious Contact

Paragraph 1-302b Contractors shall report efforts by any method or any

means by any individual, to gain unauthorized access to classified information or to unclassified information the export of which is controlled by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).


9

Change in Cleared Employee Status

Paragraph 1 - 302c Contractors shall report: (1) the death; (2) a change in

name; (3) termination of employment; (4) change in citizenship; (5) marriage to a non-U.S. citizen; and (6) when the possibility of access to classified information in the future has been reasonably foreclosed.


10

List of Classified Contracts

Paragraph 1-302 o When requested by the CSA, the contractor shall

provide a current list of all classified contracts as well as classified subcontracts issued to other contractors. This report shall identify the GCA for each contract listed.


11

Reporting of Security Costs

Paragraph 1- 302p When requested by the CSA, selected contractors

shall provide, using the CSA’s methodology, estimates of costs associated with implementing the requirements of the NISP for a specified period of time. The data points will be used by the CSA in developing the annual report to the President on overall NISP security costs as required by Reference a.


12

Improper Transmissions

Paragraph 1-302q The contractor shall advise the sender of any

improper transmission of classified material and notify the CSA of recurring improper transmissions from the same sender. If there is a loss, compromise or suspected compromise as a result of the improper transmission, refer to paragraph 1-303 of the Chapter.


13

Reports of Loss, Compromise or Suspected Compromise

Paragraph 1-303b and c Initial report. If the contractor’s preliminary inquiry

confirms that a loss, compromise, or suspected compromise of any classified information occurred, the contractor shall submit an initial verbal or e-mail notification within 24 hours and an initial report within 3 working days of this determination unless otherwise notified by the CSA.

Final report. When the investigation has been completed, a final report shall be submitted to the CSA within 30 days of submission of the initial report. Under extenuating circumstances the CSA may grant an extension.


14

Facility Clearances Outside the US

Paragraph 2-102b The company must be organized and existing under

the laws of any of the fifty states, the District of Columbia, or of the organized United States territories. The company must be located in the United States or on a government installation outside of the United States regardless of location or its U.S. territorial areas. Company operations located on a U.S. Government installation outside of the United States are eligible for an FCL with the concurrence of the Installation Commander or Head of the U.S. Government installation.


15

Personnel Security Clearances

Paragraph 2-202 The electronic version of the SF 86 shall be completed

by the employee, with assistance from the FSO or equivalent contractor employee if needed and reviewed by the FSO…

The FSO or designee may provide assistance to the employee in entering data provided the employee agrees and acknowledges that he or she is responsible for the accuracy of the information submitted.

The FSO or designee shall submit the SF 86 as soon as practicable, but on average not later than 7 days after receipt of the completed form from the applicant.


16

Personnel Security Clearances

Paragraph 2-202c The FSO or designee shall maintain the retained

documentation (SF 86) in such a manner that the confidentiality of the documents is preserved and protected against access by anyone within the company other than the FSO or designee. When the applicant’s eligibility for access to classified information has been granted, denied or revoked and no higher level access ( SAP or SCI) is required or anticipated, the retained documentation shall be returned to the employee or destroyed.


17

Pre-employment Clearance Action

Paragraph 2-205 The commitment for employment will indicate that

employment shall commence within 30 days of the granting of the eligibility that permits the employee to perform the tasks or services associated with the contract or Government requirement for which the individual was hired. The written commitment must identify the level of PCL required as well as the contractual source of the requirement (unless the existence of the contractual relationship is classified).


18

Contractor-Granted Clearances

Paragraph 2-206. Contractor-granted clearances are no longer valid for

access to classified information.

November 2012Pamir Consulting, LLC

19

Verification of U.S. Citizenship and Identity

Paragraph 2-207 The contractor shall require each applicant for a PCL

who claims U.S. citizenship to produce evidence of citizenship. In addition the contractor shall verify identity by reviewing a valid State or Federal government-issued picture identification. The contractor shall document the means used to verify U.S. citizenship and identity and make a written record of the documents used.

Paragraph 2-208d A current passport or passport card is acceptable

proof of citizenship and identity.


20

Foreign Ownership, Control or Influence

Paragraph 2-302 A company is required to complete a Standard Form 328 when

applying for an FCL or when material changes occur to information previously submitted. In the case of a business organization, the SF 328 may be a consolidated response rather than separate submissions from individual legal entities within the business organization. Consolidated submissions shall be executed by the highest cleared entity in the business organization and provide sufficient detail to allow the CSA to determine the extent of foreign ownership, control or influence at each legal entity within the business organization. Depending on specific circumstances the CSA may request one or more of the legal entities that make up a corporate family to submit individual SF 328s and will determine mitigation or negation instruments that must be put in place.


21

Security Training

Paragraph 3-105 The contractor shall forward the executed SF 312 to the

CSA for retention, unless directed to retain these forms by the CSA.

Paragraph 3-106f Initial security briefing shall include counterintelligence

awareness training.

Paragraph 3-107 Annual refresher training shall include

counterintelligence awareness training.

Paragraph 3-108 Signing the SF 312 debriefing is not required.


22

Derivative Classification Responsibilities

Paragraph 4-102a & b Contractor personnel make derivative classification

decisions when they incorporate, paraphrase, restate, or generate in new form information that is already classified and then mark the newly developed material consistently with the classification markings that apply to the source information.

Derivative classification includes the classification of information based on guidance, which may be either a source document, or classification guide. The duplication or reproduction of existing classified information is not derivative classification.


23

Classification and Marking

Paragraph 4-102c The contractor shall ensure that all employees authorized to make

derivative classification decisions are: (1) identified by name and position or by personal identifier on

documents they derivatively classify (2) observe and respect original classification decisions (3) carry forward to any newly created documents the pertinent

classification markings. For derivatively classified documents shall carry forward (a) the date or event for declassification that corresponds to the

longest period of classification among the sources (b) a listing of source materials

(4) trained in accordance with CSA direction, in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years

(5) suspended from conducting derivative classification if they do not receive such training

(6) Given ready access to pertinent classification guides, etc.


24

Marking Miscellaneous Material

Paragraph 4-215 Material developed in connection with the handling,

processing, production, storage, and utilization of classified information shall be handled in a manner that ensures adequate protection of the classified information involved and shall be destroyed at the earliest practical time, unless a requirement exists to retain such material. Examples of such material include classified computer media such as USB sticks, hard drives, CD ROMS, and diskettes. Such material shall be marked to indicate the highest overall classification of the information contained or embodied within the material. There is no requirement to mark such material with any additional markings.


25

End of Day Security Checks

Paragraph 5-102 Contractors that store classified material shall

establish a system of security checks at the close of each working day to ensure that all classified material and security repositories that have been accessed during the working day have been appropriately secured.


26

Control and Accountability

Paragraph 5-200 Contractors shall establish an information management

system to facilitate retrieval and proper disposition of the classified information in their possession.

Paragraph 5-203b Classified working papers, including those generated

electronically, in the preparation of a finished document….Working papers shall be controlled and marked in the same manner prescribed for a finished document at the same classification level if released outside the facility or retained for more than 180 days from the date of origin.


27

Secret Storage

Paragraph 5-303 SECRET material shall be stored in a GSA-approved

security container, an approved vault, closed area, or open storage area. Supplemental protection is required for storage in closed areas and open storage areas.


28

Open Storage

Paragraph 5-306 c Open storage of Secret and Confidential documents and

IS media in closed areas requires CSA approval. Entrance doors to such areas must be secured by built-in GSA-approved electro-mechanical combination locks. (Note: The presence of fixed media such as internal, non-removable hard drives in operational IS is not considered open storage.) For Secret material, areas protected by an approved

IDS with a 30 minute response time, as well as security-in-depth as determined by the CSA, will be eligible for such approval. For open storage areas lacking sufficient security-in-depth, a 5 minute response time is required.


29

Open Storage Area Approval

Paragraph 5-306 d The CSA and the contractor shall agree on the need to

establish, and the extent of, closed areas prior to the award of the contract, when possible, or when the need for such areas becomes apparent during contract performance. Areas authorized for open storage of classified documents shall be limited in size to that required to accommodate storage needs. The contractor shall ensure that visitors to such areas without the requisite PCL and need-to-know for all information stored in the area are denied access to the classified material contained therein.


30

Supplemental Protection

Paragraph 5-307 Depending on the classification and nature of the

material to be protected as well as the storage method used, the contractor has various options for supplemental protection listed below. No supplemental protection is required for the storage of Secret material in GSA-approved security containers or for the storage of Confidential material. Prior to implementing any supplemental protection measure to satisfy the requirements of this paragraph, the contractor shall obtain written approval from the CSA.


31

Supplemental Protection

Paragraph 5-307 a and b When the CSA has approved security in depth, the CSA

may authorize inspection of security containers, vaults, closed areas and open storage areas during non-working hours. These recurring patrols may be accomplished by an employee or subcontractor cleared to at least the Secret level to satisfy the supplemental protection requirement. When recurring patrols are authorized in lieu of IDS, the interval between patrols shall not exceed 2 hours for Top Secret and 4 hours for Secret.

Response to an IDS as described in Section 9 of this Chapter shall be within: (1) 15 minutes (without security in depth) (2) 30 minutes (with security in depth)


32

Security in Depth

Paragraph 5-307c (1) The contractor shall document the specific layered and

complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, periodically review the effectiveness of these controls and report any changes affecting those controls to the CSA.

(2) At a minimum, the contractor shall consider the following elements in their security in depth assessment: Perimeter controls Badge systems when personal recognition impractical Controlled access to areas where classified work is

performed Access control devices Additional elements as determined by the CSA


33

Confidential Transmission

Paragraph 5-404 Confidential material shall be transmitted by the

methods established for Secret material or by U.S. Postal Service Certified Mail.


34

Disclosure

Paragraph 5-503 Parent and subsidiary entities with FCLs within a

business organization are authorized to disclose classified information to one another when access is necessary for the performance of tasks or services essential to the fulfillment of a legitimate government need. A business arrangement must be in place between the parent and subsidiary entities so that appropriate security classification guidance can be provided for the classified information.


35

Intrusion Detection Systems

Paragraph 5-901 CSA approval is required before installing an IDS.

Approval of a new IDS shall be based on the criteria of DCID 6/9, UL Standard 2050, or other standard approved by the CSA.

Paragraph 5-903 The following resources may be used to investigate alarms:

proprietary security force personnel, central station guards, a subcontracted guard service, or when other methods are not available, properly cleared, trained and designated employees of the contractor. The contractor shall test the efficacy of alarm response at least annually and provide a written report to the CSA of any failure to respond.


36

Subcontracting

Paragraph 7-102 In any circumstance or situation wherein the prime

contractor has reason to doubt a subcontractor’s ability to protect classified information, such information shall not be released until the security vulnerability or condition is rectified by the subcontractor.

Paragraph 7-104 Similarly, should the prime contractor determine or

uncover substandard industrial security performance on the part of one of its subcontractors, the prime shall notify the GCA and CSA of the circumstances as appropriate.


37

Designated Government Representative

Paragraph 10-401 In those circumstances when a USG official is not readily

available to perform the DGR functions in a timely manner, the contractor may request that the CSA appoint a contractor employee to perform those functions provided the following criteria are met by the FSO and Empowered Official: Identify the responsible contractor employee and provide to

the CSA a certification that the specified requirements of this Manual have been satisfied.

Provide to the CSA for review all of the other required documentation specified in paragraph 10-401b. The contractor will receive either approval of the transfer procedures or approval subject to further action or disapproval.


38

Reporting Overseas Assignments

Paragraph 10-601 d The contractor shall annually report to the CSA, by CSA

designated means, all overseas assignments of contractor employees with, or in process for PCLs. Information provided shall include: The overseas operating location for each employee with contact

information and identified contractor point of contact for the overseas location

The number of contractor employees assigned to overseas locations exceeding 90 consecutive days

The identification of the government organization controlling the location with contact information for the USG security officials

Justification for access to USG or foreign government information

November 2012Pamir Consulting, LLC

39

NATO Briefings – From DSS Website FAQs

Q: Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)? A: Paragraph 10-706 of the NISPOM only requires the

NATO initial briefing date and the NATO debriefing date should be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing.

Q: Is DSS required to provide NATO Annual Refresher Briefing to the Facility Security Officer (FSO)? A: As DSS is required to provide the NATO initial

briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing.


40

Definitions

Need-to-Know A determination made within the Executive Branch

that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program. This determination is conveyed to the contractor via contractual requirements or other direction from within the Executive Branch.


41

rosalind baybutt director – industrial security services pamir consulting llc...

Documents