Industrial Security Basics

Transcription

1 Industrial Security Basics Lessn 1: Curse Intrductin Intrductin Opening In rder t prtect ur Natinal Security, the U.S. gvernment must safeguard its classified infrmatin, but at the same time it must als share this infrmatin with the thusands f U.S. cmpanies wh wrk as gvernment cntractrs and require access t classified infrmatin while perfrming n cntracts, prgrams, bids, and research and develpment effrts. In rder t safely and securely share classified infrmatin with gvernment cntractrs, the gvernment established the Natinal Industrial Security Prgram, r NISP. T prtect the classified infrmatin entrusted t industry, the NISP relies n many individuals, frm bth industry and gvernment, in a wide range f rles and with a variety f respnsibilities. As smene wh plays a rle in industrial security, it is imprtant fr yu t understand nt nly yur wn duties, but the rles and respnsibilities f ther key industrial security persnnel as well. A shared understanding f the purpse and structure f the NISP, and the rles and respnsibilities f its key players, will help yu d yur part t prtect Natinal Security. Curse Overview Welcme t Industrial Security Basics. This curse will prvide yu with an verview f the NISP, including its structure, and regulatry fundatins. It will als intrduce yu t the key rles invlved in the NISP, and will review industrial security respnsibilities f each. Here are the curse bjectives. Identify the purpse f the Natinal Industrial Security Prgram (NISP), as well as the authrities that versee its peratin August, 2015 Center fr Develpment f Security Excellence Page 1

2 Lessn 1: Curse Intrductin Identify the purpse f the regulatry dcuments that frm the basis f the NISP, and identify where each dcument falls in the Industrial Security plicy framewrk Identify the primary rles invlved in the NISP and the industrial security respnsibilities f each August, 2015 Center fr Develpment f Security Excellence Page 2

3 Industrial Security Basics Lessn 2: NISP Overview and Oversight Cntents Intrductin... 2 Objectives... 2 Definitin and Purpse f the NISP... 3 What is the NISP?... 3 NISP Overview... 3 NISP Overview and Oversight... 4 Natinal Level Plicy... 4 Natinal Level Oversight... 5 Cgnizant Security Agencies... 5 DD Plicy and Oversight... 6 DD as CSA... 6 DD Plicy... 6 DD Oversight... 7 Review Activities... 8 Review Activity Review Activity Answer Key Review Activity Review Activity August 2015 Center fr Develpment f Security Excellence Page 1

4 Lessn 2: NISP Overview and Oversight Intrductin Objectives In rder t succeed in yur rle as an emplyee with industrial security respnsibilities, yu need t understand the purpse f the NISP. Yu shuld als be familiar with the regulatry dcuments that establish and guide the NISP, as well as the authrities that versee the NISP and ensure that it successfully carries ut its missin. Here are the lessn bjectives: Identify the purpse f the NISP, as well as the authrities that versee its peratin Identify the purpse f the NISP, including the distinct gvernment and industry respnsibilities Identify the rganizatins and rles that have NISP versight respnsibilities Identify the five NISP CSAs Identify the rganizatins and rles that have DD Oversight respnsibilities Identify key industrial security terminlgy relating t NISP authrity Identify the purpse f the regulatry dcuments that frm the basis f the NISP, and identify where each dcument falls in the Industrial Security plicy framewrk Identify the natinal level plicy that frms the fundatin f the NISP Identify the DD plicy dcuments that implement the NISP fr the DD Identify key industrial security terminlgy relating t NISP plicy August 2015 Center fr Develpment f Security Excellence Page 2

5 Lessn 2: NISP Overview and Oversight Definitin and Purpse f the NISP What is the NISP? The majrity f ur natin s technlgy is develped and prduced by industry and much f that technlgy is classified. The gvernment entrusts cleared industry with classified infrmatin fr use perfrming wrk n cntracts, prgrams, bids, and research and develpment effrts. The Natinal Industrial Security Prgram, r NISP, was established t ensure that cleared industry prtects classified infrmatin in its pssessin. The NISP applies t all U.S. cntractrs that require access t classified infrmatin, wrking fr all executive branch departments and agencies. In rder t ensure that classified infrmatin entrusted t industry is prperly prtected, DD M, the Natinal Industrial Security Prgram Operating Manual, r NISPOM, defines the requirements, restrictins, and safeguards that industry must fllw. These prtectins are in place befre any classified wrk may begin; gvernment agencies have the respnsibility t prvide security requirements fr all requests fr prpsals and cntracts that require access t classified infrmatin. Fr mre infrmatin n cntract requirements, see Acquisitins and Cntracting Basics in the NISP, available thrugh CDSE s Security, Training, Educatin and Prfessinalizatin Prtal, r STEPP. NISP Overview In rder t implement the NISP and prtect classified infrmatin, gvernment agencies and industry cntractrs play imprtant but distinct rles. Althugh we will review the details f these rles later in the curse, fr nw yu shuld understand the basic divisin f respnsibility in the NISP. On the gvernment side, Cgnizant Security Agencies, r CSAs, establish industrial security prgrams and versee and administer security requirements. There are five CSAs that are ultimately respnsible fr the security f all cleared U.S. cntractrs: Department f Defense Department f Energy Office f the Directr f Natinal Intelligence Nuclear Regulatry Cmmissin Department f Hmeland Security These agencies establish requirements, advise and assist cntractrs with industrial security, and prvide security versight. August 2015 Center fr Develpment f Security Excellence Page 3

6 Lessn 2: NISP Overview and Oversight In additin t the relevant CSA, the gvernment cntracting activity, r GCA, als plays a key rle in prtecting classified infrmatin entrusted t industry. The GCA has brad authrity regarding acquisitin functins fr its agency, as delegated by the agency head. In additin t issuing the cntract, the GCA als prvides industry cntractrs with cntract-specific guidance and versight. Finally, n the industry side, cntractrs have ne majr respnsibility they must implement the NISP requirements t prtect classified infrmatin. NISP Overview and Oversight Natinal Level Plicy Several natinal-level plicy dcuments establish and supprt the NISP acrss all executive agencies. In 1993, Executive Order established the NISP in rder t prvide a cmprehensive and gvernment-wide surce fr the requirements and safeguards used t prtect classified infrmatin entrusted t industry. This executive rder applies t all executive branch departments. 32 CFR 2004, NISP Implementing Directive, f 2006, and its amendment in 2010, implement this executive rder. The directive prvides agencies with guidance fr unifrm standards thrughut the NISP, and specifically utlines Cgnizant Security Agency (CSA) and Gvernment Cntracting Activity (GCA) respnsibilities. It als utlines requirements fr DD M, the Natinal Industrial Security Prgram Operating Manual, r NISPOM. The NISPOM prvides detailed industrial security plicy fr cntractrs. As a natinal-level dcument, the NISPOM ensures unifrm implementatin f the NISP acrss gvernment cntracts. The NISPOM prvides detailed perating instructins n a number f specific industrial security areas. NISPOM NISPOM tpics include: General plicies and prcedures Reprting requirements Facility clearances (FCLs) Persnnel security clearances (PCLs) Freign Ownership, Cntrl, r Influence (FOCI) issues Security training and briefings Classificatin Marking requirements Safeguarding f classified infrmatin August 2015 Center fr Develpment f Security Excellence Page 4

7 Lessn 2: NISP Overview and Oversight Visits and meetings Subcntracting Infrmatin System (IS) security Special requirements, including nuclear-related infrmatin, Critical Nuclear Weapn Design Infrmatin (CNWDI), intelligence infrmatin, and cmmunicatins security (COMSEC) Internatinal security requirements Natinal Level Oversight As yu saw, Executive Order establishes the NISP fr all executive branch departments. This executive rder grants the Natinal Security Cuncil, r NSC, verall plicy directin fr the NISP. Separately, it grants the Infrmatin Security Oversight Office, r ISOO, respnsibility fr verall implementatin f the NISP. The ISOO issues implementing directives, and prduces an annual reprt n the NISP. Chaired by the directr f the ISOO, the executive rder als establishes the Natinal Industrial Security Prgram Plicy Advisry Cmmittee, r NISPPAC, which advises n all matters cncerning NISP plicies. Finally, the executive rder designates the Secretary f Defense as Executive Agent fr the NISP. As Executive Agent, the Secretary f Defense is respnsible fr issuing and maintaining the NISPOM. Cgnizant Security Agencies E.O , alng with its implementing directive, 32 CFR 2004, als designates the Cgnizant Security Agencies (CSAs). As yu knw, CSAs establish specific industrial security prgrams and prvide industrial security guidance and versight in rder t prtect classified infrmatin entrusted t industry. CSAs inspect and mnitr cleared cmpanies that require access t classified infrmatin, and they determine eligibility fr access t classified infrmatin. As yu ll recall, there are currently five executive branch agencies that have been designated as CSAs. The Department f Defense is the largest CSA, with the mst classified cntracts with industry. As a CSA, the Secretary f Defense has peratinal versight f the DD prtin f the NISP and the authrity t enter int agreements with GCAs t prvide industrial security services. August 2015 Center fr Develpment f Security Excellence Page 5

8 Lessn 2: NISP Overview and Oversight Other CSAs include the Office f the Directr f Natinal Intelligence, the Department f Energy, the Nuclear Regulatry Cmmissin, and the Department f Hmeland Security. DD Plicy and Oversight DD as CSA As yu just saw, the DD is the largest CSA, and has the mst classified cntracts with industry. The DD has entered int agreements with mre than 28 ther Federal agencies t serve as CSA n their behalf. Thrugh memranda f agreement, r MOAs, with the Secretary f Defense, these agencies have agreed t recgnize the DD as their CSA. DD Plicy Several plicy dcuments implement the NISP fr the DD. DD Instructin , Natinal Industrial Security Prgram, establishes NISP plicy fr the DD in accrdance with Executive Orders and This instructin assigns and utlines respnsibilities fr NISP administratin. DD R, Industrial Security Regulatin, r ISR, sets frth the plicies, practices, and prcedures f the NISP fr DD cmpnents and the nn-dd agencies wh have entered int agreements with the DD, and utlines industrial security requirements. Finally, DD M, Vlume 3, NISP Prcedures fr Gvernment Activities Relating t Freign Ownership, Cntrl, r Influence, r FOCI, establishes the plicies, practices, and prcedures that DD cmpnents must use fr FOCI determinatin and mitigatin under the NISP. Until this is fully updated, DTM , prvides plicy guidance fr the prcessing f Natinal Interest Determinatins, r NIDs, in cnnectin with FOCI. Industrial Security Regulatin (ISR) ISR utlines security requirements fr: General security prcedures Facility and persnnel clearances Visitrs Security vulnerability assessments Security vilatins Security educatin Security classificatin and declassificatin August 2015 Center fr Develpment f Security Excellence Page 6

9 Lessn 2: NISP Overview and Oversight Internatinal security prgrams Industrial security frms DD Oversight In DD Instructin , the Secretary f Defense designates NISP versight respnsibilities t the Under Secretary f Defense fr Intelligence, r USD(I). USD(I), in turn, establishes the Defense Security Service, r DSS, as the Cgnizant Security Office, r CSO, fr the DD. This grants it authrity t administer and prvide security versight fr the DD NISP. DD als utlines the respnsibilities f the Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics, r USD(AT&L), and f the DD and nn-dd Cmpnents. Under Secretary f Defense fr Intelligence (USD(I)) Oversees NISP plicy and management Develps and updates DD R (ISR) Defense Security Service (DSS) Serves as the CSO fr cntractrs under DD security cgnizance Ensures cntractr eligibility fr access t classified infrmatin Administers the NISP Prvides security versight Prvides security educatin, training, certificatin, and prfessinal develpment fr DD and fr ther U.S. Gvernment persnnel, cntractr emplyees, and representatives f freign gvernments Under Secretary f Defense fr Acquisitin, Technlgy, and Lgistics (USD(AT&L)) Establishes acquisitin plicy, prcedures, and guidance, in crdinatin with USD(I) DD and nn-dd Cmpnents Ensure release f classified infrmatin is necessary Include the Security Requirements clause in cntracts Prvide classificatin guidance Cmply with DD R (Industrial Security Regulatin, r ISR) requirements August 2015 Center fr Develpment f Security Excellence Page 7

10 Lessn 2: NISP Overview and Oversight Review Activities Review Activity 1 Select True r False fr each statement. Then check yur answers in the Answer Key at the end f this. The NISP nly applies t cntractrs wrking fr DD cmpnents and agencies. True False CSAs establish industrial security prgrams and prvide security versight. True False Because CSAs have security versight, after the cntract is issued GCAs d nt have any NISP respnsibilities. True False August 2015 Center fr Develpment f Security Excellence Page 8

11 Lessn 2: NISP Overview and Oversight Review Activity 2 Identify the dcument described by each statement. Then check yur answers in the Answer Key at the end f this. Outlines CSA and GCA respnsibilities, and prvides natinal-level guidance and standards. NISPOM 32 CFR 2004 DDI Establishes NISP plicy fr the DD and utlines respnsibilities fr DD NISP administratin NISPOM 32 CFR 2004 DDI Prvides plicy requirements and perating instructins fr cntractrs. NISPOM 32 CFR 2004 DDI August 2015 Center fr Develpment f Security Excellence Page 9

12 Lessn 2: NISP Overview and Oversight Answer Key Review Activity 1 The NISP nly applies t cntractrs wrking fr DD cmpnents and agencies. True False (crrect respnse) Feedback: The NISP applies t ALL executive branch departments. CSAs establish industrial security prgrams and prvide security versight. True (crrect respnse) False Feedback: CSAs establish industrial security prgrams and prvide security versight. Because CSAs have security versight, after the cntract is issued GCAs d nt have any NISP respnsibilities. True False (crrect respnse) Feedback: In additin t issuing the cntract, GCAs prvide industry cntractrs with cntract-specific guidance and versight. August 2015 Center fr Develpment f Security Excellence Page 10

13 Lessn 2: NISP Overview and Oversight Review Activity 2 Outlines CSA and GCA respnsibilities, and prvides natinal-level guidance and standards. NISPOM 32 CFR 2004 (crrect respnse) DDI Feedback: 32 CFR 2004 utlines CSA and GCA respnsibilities, and prvides natinal-level guidance and standards. Establishes NISP plicy fr the DD and utlines respnsibilities fr DD NISP administratin NISPOM 32 CFR 2004 DDI (crrect respnse) Feedback: DDI establishes NISP plicy fr the DD and utlines respnsibilities fr DD NISP administratin. Prvides plicy requirements and perating instructins fr cntractrs. NISPOM (crrect respnse) 32 CFR 2004 DDI Feedback: The NISPOM prvides plicy requirements and perating instructins fr cntractrs. August 2015 Center fr Develpment f Security Excellence Page 11

14 Industrial Security Basics Lessn 3: NISP Rles and Respnsibilities Cntents Intrductin... 2 Objectives... 2 Organizatinal Rles and Respnsibilities... 2 DD Delegatin f Security Cgnizance... 2 DSS Missin: Reginal NISP Administratin... 3 ISFO Headquarters Functins... 3 Industrial Plicy and Prgrams... 3 Cunterintelligence Directrate... 5 DSS Missin: SETA... 5 GCA Rle and Respnsibilities... 6 Individual Rles and Respnsibilities... 6 Intrductin t Individual Rles and Respnsibilities... 6 GCA Emplyees... 7 DSS Emplyees... 7 Cntractr Emplyees... 9 Review Activities Review Activity Review Activity Answer Key Review Activity Review Activity August 2015 Center fr Develpment f Security Excellence Page 1

15 Lessn 3: NISP Rles and Respnsibilities Intrductin Objectives In rder t succeed in its missin t prtect classified infrmatin entrusted t industry, the NISP relies n a variety f rganizatins and n individuals in a variety f rles. In rder t succeed in yur rle, yu shuld understand nt nly yur wn respnsibilities yu shuld als be aware f the functins carried ut by thers wrking t supprt the NISP. Here are the lessn bjectives: Identify the primary rles invlved in the NISP and the industrial security respnsibilities f each Identify the purpse and functin f DSS as Cgnizant Security Office, including specific DSS missin areas and functins Identify the Gvernment Cntracting Activity (GCA) rles and respnsibilities in NISP implementatin Identify the individual rles that supprt the NISP, alng with their industrial security respnsibilities Identify key industrial security terminlgy relating t NISP rles and respnsibilities Organizatinal Rles and Respnsibilities DD Delegatin f Security Cgnizance Befre explring the rles that individuals play in the NISP, let s take a mment t review the rles and respnsibilities f the rganizatins that supprt the NISP. As yu saw in the last lessn, Cgnizant Security Agencies, r CSAs, versee and administer industrial security requirements, and are ultimately respnsible fr the security f classified infrmatin used by cntractrs wh hld classified cntracts. As the largest f the CSAs, the DD delegates this security cgnizance t the Defense Security Service, r DSS, and names DSS as its Cgnizant Security Office, r CSO. As CSO, DSS administers the NISP, prvides security versight, and cnducts vulnerability reviews. DSS prvides security educatin and training; publishes industrial security letters, r ISLs, which prvide guidance and clarificatin n NISP plicies and prcedures; certifies, accredits, and versees infrmatin systems used t stre classified infrmatin; and finally, funds backgrund investigatins fr cntractr persnnel and makes interim determinatins fr cntractr persnnel wh require access t classified infrmatin. August 2015 Center fr Develpment f Security Excellence Page 2

16 Lessn 3: NISP Rles and Respnsibilities DSS Missin: Reginal NISP Administratin Administratin f the NISP is key t the verall DSS missin, and much f that administratin is carried ut by DSS Industrial Security Field Operatins, r ISFO. ISFO prvides versight and cnducts security vulnerability assessments fr apprximately 13,000 cleared cntractr facilities. ISFO maintains industrial security field ffices all ver the cuntry, gruped int 4 gegraphic regins. Each regin has a reginal directr, wh versees the peratin f field ffices in his r her regin. Each field ffice is lcally managed by a Field Office Chief, and staffed by Industrial Security Representatives, r IS Reps. The Field Office Chief assigns an IS Rep t each cntractr facility. ISFO Headquarters Functins In additin t verseeing the field ffices and their peratins, Industrial Security Field Operatins (ISFO) versees headquarters cmpnents including the Facility Clearance Branch, which prcesses cmpanies fr facility security clearances, r FCLs, issues FCLs, and mnitrs cmpanies that hld FCLs. ISFO als versees the Persnnel Security Management Office fr Industry, r PSMO-I, which prcesses persnnel security clearances. Finally, ISFO versees the Office f Designated Apprving Authrity, r ODAA. ODAA carries ut DSS certificatin and accreditatin, r C and A, determinatins fr cntractr infrmatin systems t prcess classified infrmatin. T learn mre abut each f these headquarters cmpnents, see the DSS ISFO website. Industrial Plicy and Prgrams Industrial Security Field Operatins (ISFO) and cleared cntractrs receive industrial security supprt frm anther DSS rganizatin, Industrial Plicy and Prgrams, r IP. IP supprts the NISP in the areas f NISP security plicy, Freign Ownership, Cntrl, r Influence, r FOCI, issues, the administratin f internatinal prgrams, and ther areas. IP is cmpsed f several divisins. August 2015 Center fr Develpment f Security Excellence Page 3

17 Lessn 3: NISP Rles and Respnsibilities Plicy Supprts DSS ISFO with timely and cnsistent plicy guidance Prvides effective interpretatin f NISP plicy t DSS persnnel, GCAs, and cleared cntractrs FOCI Operatins Determines and mitigates FOCI Determines the need fr a Natinal Interest Determinatin (NID) under a Special Security Agreement (SSA) Participates in security vulnerability assessments and annual meetings T learn mre abut FOCI and the NISP, see the Understanding FOCI curse, available thrugh CDSE s Security, Training, Educatin and Prfessinalizatin Prtal, r STEPP, and the Natinal Interest Determinatins and FOCI Shrts, available thrugh CDSE s website. FOCI Analytics Assesses and verifies NISP facility data t highlight vulnerabilities Recmmends strategies fr mitigating risks t Natinal Security Crdinates with ISFO and the FOCI Operatins Divisin and prvides the fllwing services: Prepares FOCI assessments, which recmmend the apprpriate mitigatin tl fr each individual case, including assessments fr all Cmmittee n Freign Investment in the United States (CFIUS) cases invlving DSS equities Executes and remves FOCI Bard Reslutin mitigatin plans Prpses Natinal Interest Determinatins (NIDs) n behalf f the GCA Internatinal Prgrams Oversees invlvement with freign gvernments, freign cntractrs, and NATO Carries ut NATO inspectins Assists with security vulnerability assessments Reviews Transprtatin Plans Validates security assurances Issues NATO Facility (Security) Clearances (FCLs) and versees the DD NATO Direct-Hire prgram August 2015 Center fr Develpment f Security Excellence Page 4

18 Lessn 3: NISP Rles and Respnsibilities Assessments and Evaluatins (A&E) Mnitrs cntractrs fr changes impacting cntractr Facility (Security) Clearances (FCLs) Analyses, reprts, and certifies data fr Persnnel Security Investigatins (PSIs): Plans, prgrams, and budgets fr cntractr PSI requirements Cnducts annual surveys f cntractrs t estimate PSI requirements Mnitrs expenditures and prvides analysis and versight f PSI funding fr cleared industry Oversees NISP cmpliance reprting and business integrity: Assesses and verifies self-reprted financial infrmatin in supprt f the NISP Practively mnitrs data and events pertinent t NISP reprting thrugh cntinuus mining f cmmercial and gvernment data surces Cnducts and reprts n the annual NISP Cst Cllectin Survey, which captures security csts incurred by cntractr facilities Special Prgrams Manages the security versight functin f DSS's direct and indirect supprt t the Special Access Prgram (SAP) cmmunity Cunterintelligence Directrate The Cunterintelligence, r CI, Directrate als prvides supprt t Industrial Security Field Operatins (ISFO) and cleared cntractrs. The CI directrate receives suspicius cntact reprts, r SCRs, versees CI awareness and reprting, and, alng with ISFO, perfrms advise and assist visits and assists with security vulnerability assessments. T learn mre, see the DSS CI website. DSS Missin: SETA As yu just saw, DSS perfrms a variety f critical functins as CSO. DSS s missin als includes Security Educatin, Training and Awareness, r SETA, which is administered by the Center fr Develpment f Security Excellence, r CDSE. CDSE s missin is the prfessinalizatin f the security cmmunity, and t accmplish this, CDSE prvides security educatin and training fr bth DD and industry. August 2015 Center fr Develpment f Security Excellence Page 5

19 Lessn 3: NISP Rles and Respnsibilities T learn mre, see the DSS CDSE website. GCA Rle and Respnsibilities Remember that, althugh DSS has security cgnizance fr the DD, Gvernment Cntracting Activities, r GCAs, play an imprtant rle in the NISP. The designatin f a CSA des nt relieve the GCA f its NISP respnsibilities. As yu knw, the GCA issues the cntract and ensures the security requirements clause (Federal Acquisitin Regulatin, r FAR, Security Requirements clause) is included in cntracts that will require access t classified infrmatin. The GCA als prvides cntract-specific guidance fr cntracts that require access t classified infrmatin, including the DD Cntract Security Classificatin Specificatin, r DD Frm 254, and classificatin and declassificatin infrmatin. In additin, the GCA spnsrs facilities fr facility clearances; ensures the Original Classificatin Authrity, r OCA, cnducts damage assessments in the case f lss, cmprmise, r suspected cmprmise f classified infrmatin; and prvides apprpriate educatin and training t any department r agency persnnel wh have NISP respnsibilities. Individual Rles and Respnsibilities Intrductin t Individual Rles and Respnsibilities As yu have already seen, in rder t prtect classified infrmatin, gvernment agencies, including the GCA wh issued the classified cntract, DSS in its rle as the CSA fr the DD, and the industry cntractr, all have a rle t play in the NISP. Within each f these rganizatins, different individuals d their part t make sure that classified infrmatin is prtected. On the gvernment side, DD Security Specialists r Activity Security Managers act as the GCA representatives t the NISP and serve as resident security experts. As part f the rganizatin with security versight respnsibility, DSS emplyees have a range f key respnsibilities in implementing the NISP. These emplyees include Industrial Security Representatives, r IS Reps, Infrmatin System Security Prfessinals, r ISSPs, Cunterintelligence, r CI, Persnnel, including Cunterintelligence Special Agents, r CISAs, and ther Industrial Security Headquarters Persnnel, including Field Operatins and Plicy and Prgrams. Finally, n the cntractr side, Facility Security Officers, r FSOs, versee the dayt-day peratin f the cntractr s security prgram, while Infrmatin System Security Managers, r ISSMs, are respnsible fr managing infrmatin system security. August 2015 Center fr Develpment f Security Excellence Page 6

20 Lessn 3: NISP Rles and Respnsibilities GCA Emplyees DD Security Specialists r Activity Security Managers are the GCA representatives t the NISP. They serve as security experts, and maintain security cgnizance ver all activity infrmatin, persnnel, infrmatin systems, physical security and mst imprtantly fr the NISP industrial security. DD Security Specialists r Activity Security Managers review, and may als cmplete, the DD Frm 254, which prvides classificatin and declassificatin infrmatin t cntractrs, and they receive security vilatin and administrative inquiry reprts in cases f lss, cmprmise, r suspected cmprmise f classified infrmatin. In cases where the cntractr accesses classified infrmatin at the gvernment base r installatin, the DD Security Specialist r Activity Security manager must ensure cmpliance with DD Plicies, and is respnsible fr cnducting security inspectins n the gvernment installatin. If, hwever, the cntractr accesses classified infrmatin at their wn facility n the installatin, a Memrandum f Agreement r Memrandum f Understanding (MOA/MOU) between the GCA and DSS will identify specific respnsibilities. If DSS retains respnsibility then the NISPOM applies; if the GCA retains respnsibility, then DD plicy applies. DSS Emplyees As CSO fr DD, DSS prvides security supprt t a large number f military services, defense agencies, nn-dd Federal Agencies, and cleared cntactr facilities. T d this, it relies n individuals in a variety f rles. Industrial Security Representatives (IS Reps) are DSS emplyees and there are ver 200 lcated thrughut the cuntry. They serve as the cntractr s primary pint f cntact fr security matters; Infrmatin System Security Prfessinals (ISSPs) wrk with IS Reps and cntractr persnnel n all matters related t the accreditatin and maintenance f accredited cntractr infrmatin systems; Each gegraphic regin has a Regin Cunterintelligence, r CI, Chief wh versees the activities f the CI Special Agents, r CISAs, wh prvide advice, versight, and training regarding CI issues. Finally, headquarters persnnel supprt the varius DSS peratinal elements ISFO, IP, CI, and CDSE as well as cleared cntractrs in a wide range f security areas. August 2015 Center fr Develpment f Security Excellence Page 7

21 Lessn 3: NISP Rles and Respnsibilities IS Rep Majr Industrial Security Representative (IS Rep) Respnsibilities Wrks clsely with the Facility Security Officer (FSO) t prvide advice, assistance, and versight Cnducts facility surveys befre issuance f Facility (Security) Clearances (FCLs) Cnducts security vulnerability assessments and reviews f the cntractr s security prgram Crdinates with ther entities within the Defense Security Service (DSS) t versee all aspects f cntractr security, including Freign Ownership, Cntrl, r Influence (FOCI) Internatinal security Accredited infrmatin systems Special prgrams (e.g., Special Access Prgrams (SAP), Arms, Ammunitin, and Explsives (AA&E)) ISSP Receives reprts f security vilatins frm FSO Cnduct administrative inquiries, when apprpriate Reprts security vilatins t Gvernment Cntracting Activity (GCA) Majr Infrmatin System Security Prfessinal (ISSP) Respnsibilities Wrks with Industrial Security Representatives (IS Reps), Facility Security Officers (FSOs), and Infrmatin System Security Managers (ISSMs) n all matters related t the maintenance f accredited classified cntractr infrmatin systems Perfrms assessments f classified infrmatin systems and makes recmmendatins t the RDAA Participates in security vulnerability assessments f facilities with accredited classified infrmatin systems Evaluates vulnerabilities Identifies ptential cyber security threats Helps develp mitigatin strategies Respnds t security vilatins invlving accredited classified infrmatin systems Develps and maintains technical prficiency f ever changing technlgy develpments August 2015 Center fr Develpment f Security Excellence Page 8

22 Lessn 3: NISP Rles and Respnsibilities CI Persnnel (CI Chief and CISA) Majr Cunterintelligence (CI) Persnnel Respnsibilities Cunterintelligence Special Agents (CISAs) wrk with Facility Security Officers (FSOs) t: Identify ptential threats t U.S. technlgy Develp emplyee CI awareness/reprting Assist with freign travel briefings and debriefings CISAs wrk with Industrial Security Representatives (IS Reps) t: Cnduct Advise and Assist visits Prvide advice and guidance regarding CI best practice Help cnduct vulnerability assessments Evaluates vulnerabilities Headquarters Persnnel Headquarters persnnel include Field Operatins and Plicy and Prgram Persnnel, wh supprt Industrial Security Field Office (ISFO) and Industrial Plicy and Prgrams (IP) functins. Cntractr Emplyees At cntractr facilities, individuals in tw rles are primarily respnsible fr verseeing the NISP: the Facility Security Officer (FSO) and the Infrmatin System Security Manager (ISSM). The FSO has ultimate respnsibility fr the administratin, versight, and day-t-day peratin f the cntractr security prgram. FSOs must ensure cmpliance with the NISP, fllw NISPOM Guidelines, and remain cmpliant with the terms utlined in DD 441. Mre infrmatin abut the FSO s rle and respnsibilities can be fund in the FSO Rle in the NISP curse available in STEPP. The ISSM wrks very clsely with the FSO t manage cntractr-wned infrmatin systems. The ISSM ensures that NISPOM Infrmatin System Security, r ISS, requirements are met. FSO Majr FSO Respnsibilities T ensure cmpliance with the NISP, FSO respnsibilities include, but are nt limited t: Mnitring apprved classified infrmatin systems, including infrmatin strage, prcessing, and remval Wrking with DSS t maintain a viable security prgram August 2015 Center fr Develpment f Security Excellence Page 9

23 Lessn 3: NISP Rles and Respnsibilities Maintaining prcedures fr incming and utging classified visits Educating all cleared persnnel n their security respnsibilities The FSO versees facility security, including but nt limited t: ISSM Facility clearance Persnnel clearances Security educatin Safeguarding f classified infrmatin Reprting t the gvernment Self-inspectins Majr ISSM Respnsibilities ISSM respnsibilities include, but are nt limited t: Infrmatin System Security (ISS) educatin, awareness, and training Establishment, dcumentatin, maintenance, and mnitring f ISS prgrams and prcedures Identificatin/dcumentatin f unique lcal infrmatin security threats and vulnerabilities Peridic self-inspectins Ntificatin t the CSA f security relevant changes t infrmatin systems The ISSM develps facility prcedures fr: Handling f media and equipment cntaining classified infrmatin Implementatin f security features Incident reprting User acknwledgment f respnsibility Threat detectin (auditing and mnitring fr malware, phishing attempts, etc.) August 2015 Center fr Develpment f Security Excellence Page 10

24 Lessn 3: NISP Rles and Respnsibilities Review Activities Review Activity 1 Which f these are DSS respnsibilities r functins? Select all that apply. Then check yur answers in the Answer Key at the end f this. Prvide security educatin and training Certify, accredit, and versee infrmatin systems Prvide cntract-specific classificatin guidance Fund cntractr backgrund investigatins August 2015 Center fr Develpment f Security Excellence Page 11

25 Lessn 3: NISP Rles and Respnsibilities Review Activity 2 Identify the rle described by each statement. Then check yur answers in the Answer Key at the end f this. This DSS emplyee serves as the cntractr s primary pint f cntact fr security. ISSP FSO ISSM IS Rep This DSS emplyee versees accredited cntractr infrmatin system use. ISSP FSO ISSM IS Rep This cntractr emplyee administers and versees the cntractr security prgram. ISSP FSO ISSM IS Rep This cntractr emplyee manages infrmatin systems and ensures ISS requirements are met. ISSP FSO ISSM IS Rep August 2015 Center fr Develpment f Security Excellence Page 12

26 Lessn 3: NISP Rles and Respnsibilities Answer Key Review Activity 1 Which f these are DSS respnsibilities r functins? Prvide security educatin and training (crrect respnse) Certify, accredit, and versee infrmatin systems (crrect respnse) Prvide cntract-specific classificatin guidance Fund cntractr backgrund investigatins (crrect respnse) Feedback: DSS prvides security educatin and training, certifies, accredits, and versees infrmatin systems, and funds cntractr backgrund investigatins. GCAs prvide cntract-specific classificatin guidance. August 2015 Center fr Develpment f Security Excellence Page 13

27 Lessn 3: NISP Rles and Respnsibilities Review Activity 2 Identify the rle described by each statement. This DSS emplyee serves as the cntractr s primary pint f cntact fr security. ISSP FSO ISSM IS Rep (crrect respnse) Feedback: IS Reps serve as the cntractr s primary pint f cntact fr security. This DSS emplyee versees accredited cntractr infrmatin system use. ISSP (crrect respnse) FSO ISSM IS Rep Feedback: ISSPs versee accredited cntractr infrmatin system use. This cntractr emplyee administers and versees the cntractr security prgram. ISSP FSO (crrect respnse) ISSM IS Rep Feedback: FSOs administer and versee cntractr security prgrams. This cntractr emplyee manages infrmatin systems and ensures ISS requirements are met. ISSP FSO ISSM (crrect respnse) IS Rep Feedback: ISSMs manage infrmatin systems and ensure ISS requirements are met. August 2015 Center fr Develpment f Security Excellence Page 14

28 Industrial Security Basics Lessn 4: Curse Cnclusin Curse Cnclusin Curse Summary In this curse, yu learned abut the purpse f the NISP, the regulatry dcuments that establish and guide the NISP, the authrities that versee the NISP, and the rganizatins and individuals wh ensure that the NISP succeeds in its missin t prtect classified infrmatin entrusted t industry. Lessn Review Here is a list f the lessns in the curse: Lessn 1: Curse Intrductin Lessn 2: NISP Overview and Oversight Lessn 3: NISP Rles and Respnsibilities Lessn 4: Curse Cnclusin. Curse Objectives Cngratulatins. Yu have cmpleted the Industrial Security Basics curse. Yu shuld nw be able t perfrm all f the listed activities: Identify the purpse f the Natinal Industrial Security Prgram (NISP), as well as the authrities that versee its peratin Identify the purpse f the regulatry dcuments that frm the basis f the NISP, and identify where each dcument falls in the Industrial Security plicy framewrk Identify the primary rles invlved in the NISP and the industrial security respnsibilities f each T receive curse credit, yu MUST take the Industrial Security Basics examinatin. Please use the STEPP system frm the Center fr Develpment f Security Excellence t register fr the nline exam. August 2015 Center fr Develpment f Security Excellence Page 1

29 Glssary Curse: Industrial Security Basics Access: The ability and pprtunity t gain knwledge f classified infrmatin Arms, Ammunitin and Explsives (AA&E): Prgram that prvides guidance regarding the safety f arms, ammunitins and explsives. Assessment and Evaluatins (A&E): Mnitrs cntractrs fr changes impacting their Facility Clearance (FCL) and analyses, reprts and certifies data fr Persnnel Security Investigatins (PSIs). Certificatin and Accreditatin (C&A): The standard Department f Defense (DD) apprach fr identifying infrmatin security requirements, prviding security slutins, and managing the security f DD Infrmatin Systems (IS). Classified Cntract: Any cntract requiring access t classified infrmatin by a cntractr in the perfrmance f the cntract. (A cntract may be a classified cntract even thugh the cntract dcument is nt classified.) The requirements prescribed fr a classified cntract als are applicable t all phases f pre-cntract activity, including slicitatins (bids, qutatins, and prpsals), pre-cntract negtiatins, pst-cntract activity, r ther GCA prgram r prject which requires access t classified infrmatin by a cntractr. Classified Infrmatin: Official infrmatin that has been determined, pursuant t Executive Order r any predecessr rder, r pursuant t the Atmic Energy Act f 1954, t require prtectin against unauthrized disclsure in the interest f natinal security which has been designated. Classified Visit: A visit during which a visitr will require, r is expected t require, access t classified infrmatin. Cleared Emplyees: All cntractr emplyees granted PCLs and all emplyees being prcessed fr PCLs. Cgnizant Security Agencies (CSAs): Agencies f the Executive Branch that have been authrized by Executive Order t establish an industrial security prgram t safeguard classified infrmatin under the jurisdictin f these agencies when disclsed r released t U.S. Industry. These agencies are: The Department f Defense, Office f the Directr f Natinal Intelligence, Department f Energy, Nuclear Regulatry Cmmissin, and Department f Hmeland Security. Cgnizant Security Office (CSO): The rganizatinal entity delegated by the head f a CSA t administer industrial security n behalf f the CSA. Page 1

30 Curse Glssary Cmmittee n Freign Investment in the United States (CFIUS): an Interagency cmmittee chaired by the Treasury Department, cnducts reviews f prpsed mergers, acquisitin r takevers f U.S. persns by freign interests under sectin 721 (Exn- Flri amendment) f the Defense Prductin Act (reference (m)). Cmmunicatins Security (COMSEC): Prtective measures taken t deny unauthrized persns infrmatin derived frm telecmmunicatins f the U.S. gvernment relating t natinal security and t ensure the authenticity f such cmmunicatins. Cmprmise: An unauthrized disclsure f infrmatin. Cntract Security Classificatin Specificatin DD Frm 254: DD Frm 254 prvides t the cleared cntractr, r cleared subcntractr the security requirements and the classificatin guidance that are necessary t perfrm n a specific classified cntract. Cntractr: Any industrial, educatinal, cmmercial, r ther entity that has been granted an FCL by a CSA. DD Frm 254: Cntract Security Classificatin Specificatin DD Frm 441 (Security Agreement): A Department f Defense Security Agreement that is entered int between a cntractr wh will have access t classified infrmatin, and the DD in rder t preserve and maintain the security f the U.S. thrugh the preventin f unauthrized disclsure f classified infrmatin. Defense Security Service (DSS): The Defense Security Service (DSS) is an agency f the Department f Defense (DD) lcated in Quantic, Virginia with field ffices thrughut the United States. The Under Secretary f Defense fr Intelligence prvides authrity, directin and cntrl ver DSS. DSS prvides the military services, Defense Agencies, 30 federal agencies and apprximately 13,500 cleared cntractr facilities with security supprt services. DSS is the CSO fr mst DD classified cntracts. DSS supprts the Natinal Security and the warfighter, secures the natin's technlgical base, and versees the prtectin f U. S. and freign classified infrmatin in the hands f industry. DSS accmplishes this missin by clearing industrial facilities, accrediting infrmatin systems, facilitating the persnnel security clearance prcess, delivering security educatin and training, and prviding infrmatin technlgy services that supprt the industrial and persnnel security missins f DD and its partner agencies. Defense Security Service, Center fr Develpment f Security Excellence (CDSE): The Center fr Develpment f Security Excellence is respnsible fr prviding security educatin and training t DD and ther U.S. Gvernment persnnel, DD cntractrs, and spnsred representatives f freign gvernments. Page 2

31 Curse Glssary Defense Security Service, Cunterintelligence (CI) Office: Office within the Defense Security Service that prvides cunterintelligence supprt t DSS thrugh CI reviews, assessments, analysis, and reprts. Defense Security Service, Facility Clearance Branch (FCB): The Defense Security Service (DSS) Facility Clearance Branch prcesses cntractrs fr Facility Security Clearance (FCL) based upn prcurement need, issues FCLs, and mnitrs the cntractr's cntinued eligibility in the NISP. Defense Security Service, Field Cunterintelligence Specialist (FCIS): Assists FSOs in identifying ptential threats t U.S. technlgy and develping CI awareness and reprting by cmpany emplyees. Defense Security Service, Field Office Chief (FOC): Manages the field ffices that are staffed by Industrial Security Representatives, r IS Reps. The Field Office Chief is respnsible fr ensuring that each facility is assigned an IS Rep. Defense Security Service, Freign Ownership Cntrl r Influence (FOCI) Office: This ffice within the Defense Security Service wrks with the lcal IS Rep t reslve issues that arise when a cleared facility r a facility being prcessed fr a facility clearance is subject t freign wnership, cntrl r influence. Defense Security Service, Industrial Plicy and Prgrams (IP): This ffice within the Defense Security Service supprts the Industrial Security Field Operatins branch in the areas f NISP security plicy, Freign Ownership, Cntrl, r Influence, r FOCI issues and the administratin f internatinal prgram. Defense Security Service, Industrial Security Field Operatins (ISFO): Prvides versight and cnducts security vulnerability assessments fr apprximately 13,500 cleared cntractr facilities. They maintain industrial security field ffices all ver the cuntry. Defense Security Service, Industrial Security Representative (IS Rep): Lcal representative frm the Defense Security Service that prvides advice and assistance n security matters and with establishing yur security prgram t ensure yur facility is in cmpliance with the NISP. Defense Security Service, Infrmatin Systems Security Prfessinal (ISSP): Lcal representative frm the Defense Security Service, Office f Designated Apprving Authrity (ODAA) that prvides advice and assistance visits t imprve the security psture with regard t Infrmatin Systems and help facilitate the prcess f getting yur infrmatin systems accredited t prcess classified infrmatin. Defense Security Service, Internatinal Prgrams: An ffice within the Defense Security Service that versees invlvement with freign gvernments, freign cntractrs Page 3

32 Curse Glssary and NATO. They carry ut NATO inspectins, issues NATO FCLs and versees the DD NATO Direct-Hire prgram. Defense Security Service, Office f Designated Apprving Authrity (ODAA): Office within the Defense Security Service that facilitates the certificatin and accreditatins prcess fr infrmatin systems at cleared cntractr facilities. Defense Security Service, Persnnel Security Management Office fr Industry (PSMO-I): Office within the Defense Security Service that prcesses requests fr, and ther actins related t persnnel security clearances fr persnnel frm facilities participating in the NISP. Defense Security Service, Special Prgrams: Manages the security versight functin f DSS direct and indirect supprt t the Special Access Prgram (SAP) cmmunity. Directr f Natinal Intelligence (DNI): Retains authrity ver access t intelligence surces and methds. DD Security Specialist: Als called Activity Security Managers act as the GCA representatives t the NISP and serve as resident security subject matter experts (SMEs).They als maintain security cgnizance ver all activity infrmatin, persnnel, infrmatin systems, physical security and industrial security. Eligibility: A DD Cnslidated Adjudicatin facility (DD CAF) has made an adjudicative determinatin f member s Persnnel Security Investigatin (PSI) and that member may have access t classified infrmatin equal t the level f their adjudicated investigatin. Executive Order (EO): An rder issued by the President t create a plicy and regulate its administratin within the Executive Branch. Facility: A plant, labratry, ffice, cllege, university, r cmmercial structure with assciated warehuses, strage areas, utilities, and cmpnents, that, when related by functin and lcatin, frm an perating entity. (A business r educatinal rganizatin may cnsist f ne r mre facilities as defined herein.) Fr the purpses f industrial security, the term des nt include Gvernment installatins. Facility (Security) Clearance (FCL): An Administrative determinatin that, frm a security viewpint, a cmpany is eligible fr access t classified infrmatin f a certain categry (and all lwer categries). Facility Security Officer (FSO): A U.S. citizen emplyee, appinted by a cntractr wh will supervise and direct security measures necessary fr implementing the NISPOM and ther Federal requirements fr classified infrmatin. Page 4

33 Curse Glssary Federal Acquisitin Regulatin (FAR): Cntains the rules fr gvernment acquisitin. These rules prvide instructin, frms and guidance n gvernment cntracting. Federal Bureau f Investigatins (FBI): The FBI is an intelligence-driven and threatfcused natinal security rganizatin with bth intelligence and law enfrcement respnsibilities the principal investigative arm f the U.S. Department f Justice and a full member f the U.S. Intelligence Cmmunity. Freign Interest: Any gvernment, agency f a freign gvernment, r representative f a freign gvernment; any frm f business enterprise r legal entity rganized, chartered r incrprated under the laws f any cuntry ther than the United States r its territries, and any persn wh is nt a citizen r natinal f the United States. Freign Ownership, Cntrl, r Influence, (FOCI): Whenever a freign interest has the pwer, direct r indirect, whether r nt exercised, and whether r nt exercisable, t direct r decide matters affecting the management r peratins f a cmpany in a manner which may result in unauthrized access t classified infrmatin r may adversely affect the perfrmance f classified cntracts. Gvernment Cntracting Activity (GCAs): An element f an agency designated by the agency head and delegated brad authrity regarding acquisitin functins. Industrial Security: That prtin f infrmatin security cncerned with the prtectin f classified infrmatin in the custdy f U.S. industry. Industrial Security Letters (ISLs): Dcuments that prvide detailed peratinal guidance and ntificatin f changes t r clarificatin f existing plicies r requirements t the NISPOM. Infrmatin Security: The result f any system f administrative plicies and prcedures fr identifying, cntrlling, and prtecting frm unauthrized disclsure, infrmatin the prtectin f which is authrized by executive rder. Infrmatin Security Oversight Office (ISOO): Office respnsible fr implementing and mnitring the NISP and fr issuing implementing directives that shall be binding n agencies. Infrmatin System Security Manager (ISSM): An individual appinted by a cntractr with versight respnsibility fr the develpment, implementatin, and evaluatin f the facility's infrmatin system security prgram. The ISSM must be trained t a level cmmensurate with the cmplexity f the facility's infrmatin systems. Infrmatin System Security Officer (ISSO): ISSOs may be appinted by the ISSM in facilities with multiple accredited infrmatin systems. The ISSM will determine the respnsibilities t be assigned t the ISSO in accrdance with NISPOM Chapter 8. Page 5

34 Curse Glssary Memranda f Agreement (MOAs): A written agreement amng relevant parties that specifies rles, respnsibilities, terms and cnditins fr each party t reach a cmmn gal. Natinal Industrial Security Prgram (NISP): The Natinal Industrial Security Prgram (NISP) was established by Executive Order fr the prtectin f classified infrmatin released r disclsed t industry in cnnectin with classified cntracts. The NISP applies standards fr the prtectin f classified infrmatin released r disclsed t cntractrs f all federal executive branch departments and agencies. Requirements f the NISP are stated in the Natinal Industrial Security Prgram Operating Manual (NISPOM), (DD M). Natinal Industrial Security Prgram Operating Manual (NISPOM): A manual issued in accrdance with the Natinal Industrial Security Prgram that prescribes the requirements, restrictins, and ther safeguards t prevent unauthrized disclsure f classified f classified infrmatin. Natinal Industrial Security Prgram Plicy Advisry Cmmittee (NISPPAC): The Cmmittee members shall advise the Chairman f the Cmmittee n all matters cncerning the plicies f the Natinal Industrial Security Prgram, including recmmended changes t thse plicies as reflected in E.O , its implementing directives, r the perating manual established under E.O , and serve as a frum t discuss plicy issues in dispute. Natinal Interest Determinatin (NID): Is a written statement by the Gvernment Cntracting Activity r GCA, affirming that the release f prscribed infrmatin t the cmpany will nt harm the Natinal Security interests f the U. S. Natinal Security Cuncil (NSC): A gverning entity respnsible fr prviding verall plicy directin fr the Natinal Industrial Security Prgram. Nrth Atlantic Treaty Organizatin (NATO): All classified infrmatin military, plitical, and ecnmic circulated within Nrth Atlantic Treaty Organizatin (NATO), whether such infrmatin riginated in NATO r is received frm member natins r frm internatinal rganizatins. Original Classificatin Authrity (OCA): An individual authrized in writing, either by the United States (U.S.) President, r by agency heads r ther fficials designated by the President, t initially classify a piece f infrmatin. OCAs must receive training t perfrm this duty. Persnnel (Security) Clearance (PCL): An administrative determinatin that an individual is eligible, frm a security pint f view, fr access t classified infrmatin f the same r lwer categry as the level f the persnnel clearance being granted. Page 6