Private Sector Clearance Program (PSCP) Webinar
Critical Infrastructure Protection Committee
November 18, 2014
Nathan Mitchell, ESCC Clearance Liaison
Agenda
- History
- NERC CIPC Private Sector Clearance Program (PSCP) Guidebook
- ESCC Clearance Handbook
- Requirements to Obtain Clearance
- Responsibilities of a Clearance Holder
- Initial and Annual Security Training
- Report of Foreign Travel (ipsecurity@hq.dhs.gov)
- Changes, Deactivation, and Termination of a clearance
- How to use your clearance
RELIABILITY ACCOUNTABILITY
History of PSCP
- 1998, Presidential Decision Directive/NSC (PDD) 63
  - PDD 63 develops the framework for information sharing
  - Encourages the formation of ISACs
  - The Electricity Sector chose NERC to run the ES-ISAC
- 2002, Department of Homeland Security (DHS)
- 2003, Homeland Security Presidential Directive (HSPD) 7
  - Framework for Information Sharing between US Government and Private Sector
  - Government Coordinating Council (GCC) and Sector Coordinating Councils (SCC)
History of PSCP
- 2010, Executive Order 13549, Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities
  - Assigns DHS Office of the Chief Security Officer (OCSO) responsibility for DHS security programs
  - DHS Office of Infrastructure Protection (IP) established the Private Sector Clearance Program (PSCP) for critical infrastructure
  - Ensure that select critical infrastructure private sector owners, operators, and industry representatives may be processed for security clearances.
History of PSCP
- 2013, EO 13636, Improving Critical Infrastructure Cybersecurity
  - DHS IP is responsible for identifying appropriate private sector stakeholders who are in a position to enhance the DHS infrastructure security and resilience mission
  - It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.
  - Expedite clearances for select group of critical infrastructure
NERC CIPC PSCP Guidebook Objectives
- Review the U.S. Government requirements applicable to our industry
- Examine protocols for granting private sector clearances
- Develop recommendations on security clearances for industry
- Develop a model for industry to use in determining which personnel should seek a security clearance
NERC CIPC PSCP Guidebook Findings
- Industry SMEs provide valuable operational context to classified discussions
- Need for a consistent process for identifying appropriate individuals for clearance
- Maturing information sharing process from one-way briefings to a collaboration between government and industry experts
- Need for a better understanding of the clearance process
- Need for active participation by clearance holders in classified discussions
- Need for additional TS/SCI clearances
NERC CIPC PSCP Guidebook Recommendations
- Inform government of the value that industry SMEs bring to classified discussions
- Use the clearance model to identify and validate industry nominees on a functional basis
- Use the ES-ISAC to facilitate the selection process
- Encourage nominees to use the guidance to expedite processing of clearance applications
- Encourage nominees to use the guidance to meet their obligations as clearance holders
- Advocate for more TS/SCI clearances for key industry personnel
NERC CIPC PSCP Guidebook Clearances
NERC Functional Entity Registration Type: RC, BA, TO, TOP, TSP, GOP, GO, DP, IC; Total; Granting D/A (DOE, DHS, etc.)
Area of Expertise: Cyber Security, Physical Security, Operations, Executive
Jane Doe*, John Doe*, Jane Smith*, John Smith*, Jim Example^, Jane Example^
Total and Granting D/A, in the order extracted: 1 D/A; 3 D/A; 1 D/A; 1 D/A
Clearance Total: 1 1 1 1 0 1 0 1 0 6
Clearances by Sector
ESCC Clearance Handbook
Granting of security clearances to select industry representatives:
- facilitates access to classified information to better enable risk-informed decision making;
- assists in determining the content, structure, and types of information most useful to critical infrastructure owners, operators, and industry representatives; and
- allows greater participation in the protection of critical infrastructure and the security of the homeland.
ESCC Clearance Handbook
- Codifies the DHS and ESCC PSCP liaison relationship
- Gives justifications needed to obtain a clearance
- Responsibilities of a Clearance Holder
  - Non-disclosure agreements
  - Initial and Annual Security Training
  - Significant Life Changes
  - Report of Foreign Travel
- Changes, Deactivation, and Termination of a clearance
- How to Use the Clearance
ESCC PSCP liaison
An ESCC Liaison position has been established to help facilitate the efficient processing of security clearances for the Electricity Subsector.
- Communicate on a regular basis with the IP (SOPD) Electricity Liaison Team
- Assist in the pre-vetting of clearance requests
- Manage the flow and maintain awareness of the status of clearances in process
- Assist in providing more detailed justification for the requested clearance and priority of the application
ESCC PSCP liaison
- The pre-vetting process is an informal check and balance process.
- The ESCC Liaison verifies a nominee's place of employment and position within the utility or organization, and reviews the nomination's justification.
- Priority is given to senior-level positions of an organization or a designee of the Chief Executive Officer (CEO) or CSO, SMEs, and members of the critical information sharing forums and associations.
ESCC PSCP liaison
- Note: Applications require utility senior management approval; without this approval, applications will likely be returned to the nominee for further justification after the first review.
- Note: A nominee is strongly encouraged to submit an email or letter on official company letterhead from their Security Coordinator, Company Senior Manager, or Chief Security Officer (CSO) approving the nominee for a security clearance. This correspondence should include the name of the utility and the senior manager's name, contact number, and email address.
Nomination Stage
- The DHS/IP Electricity Liaison team (electricityliaisons@hq.dhs.gov) and Protective Security Advisors (PSAs) (PSCDOPS@hq.dhs.gov) are the primary nominators for the Electricity Subsector.
- Private sector individuals, organizations, or associations may not initiate nominations or self-nominate, but may recommend an individual for nomination to an approved Nominator.
- An eligible nominee must be an employee, not a contractor or consultant.
- Start by filling out DHS Form 9014.
DHS Form 9014
Clearance Processing
e-QIP Application Process
- Once the nominee's Personally Identifiable Information (PII) is obtained, the IP Security Office will enter the information into e-QIP, a secure government portal for investigation processing of the required online security questionnaire.
- Note: The nominee must complete his or her security questionnaire in e-QIP within 45 days of initiation, or he or she will be inactivated and may be removed from consideration.
- Upon initiation of an OCSO background investigation, DHS may grant an interim Secret clearance.
- Interim Secret clearances are typically granted in seven days.
- The average timeline for the full security clearance process is approximately two to three months.
Non-Disclosure Agreements
Non-Disclosure Agreements
- Complete a Classified Information Nondisclosure Agreement (SF 312)
- Complete a DHS Non-Disclosure Agreement (DHS Form 11000-6)
- Review Statement of Understanding Relative to the Protection of Classified National Security Information and sign letter of acknowledgement
Safeguarding Classified Information
- A cleared individual is responsible for safeguarding all classified information that he/she has accessed in accordance with the terms of the SF 312
Security Training
Initial and Annual Security Training
- To maintain a clearance, the cleared individual must complete both initial and annual refresher security training.
- The annual refresher security training is administered by the PSCP Administrator, who will notify clearance holders via email when the training is due.
- PSCP participants should notify the DHS/IP PSCP Administrator (PSCP@hq.dhs.gov) or the Electricity Liaison team (electricityliaisons@hq.dhs.gov) of any change to their email address so that it can be updated.
Reporting Significant Life Events
A cleared individual must report significant life events to the IP Security Office (ipsecurity@hq.dhs.gov):
- Name
- Marital Status
- Citizenship changes
- Adverse information, such as recent arrests, criminal charges (including charges that are dismissed), citations, tickets, summons or detentions by Federal, State, or other law enforcement authorities for violations of law within or outside of the U.S. (Traffic violations for which a fine of up to $300 was imposed need not be reported, unless the violation was alcohol- or drug-related.)
Reporting Significant Life Events
- Alcohol- or drug-related problems
- Personal or business-related bankruptcy filing
- Loss or compromise of classified information
- Any unofficial contact with foreign nationals
- If a member of the individual's immediate family is a citizen or resident of a foreign country
- Any potential employment or service with a foreign government, organization, entity or interest
If a cleared individual is aware of any security violation he/she or another cleared individual has committed, then he/she shall promptly report the violation to IP Security (ipsecurity@hq.dhs.gov).
Report of Foreign Travel
- All foreign travel, both business and leisure, should be reported in advance of departure.
- Contact IP Security (ipsecurity@hq.dhs.gov) to obtain a Notification of Foreign Travel Form.
- For foreign travel not reported in advance, the form should still be completed and submitted to IP Security.
Report of Foreign Travel
Deactivation of a clearance
DHS will deactivate a clearance for any of the following reasons:
- Failure to complete annual security refresher training
- Change in employment (a new DHS Form 9014 must be submitted to reactivate)
- Change in name
- Change in citizenship
- No access to classified information for more than one (1) year
Termination of Need to Know
Upon leaving his/her position of employment and/or no longer retaining a need to know with regard to classified information, the cleared individual shall contact IP Security (ipsecurity@hq.dhs.gov) and the PSCP Administrator (PSCP@hq.dhs.gov) to commence the debriefing process and removal from the program.
How to use your clearance
- Reach out to your local PSAs, Fusion Centers (https://nfcausa.org/), Federal Bureau of Investigation Field Offices, Secret Service Offices, and other Federal partners
- Introduce yourselves and provide subject matter expertise as required
  - This strengthens the public-private partnership
  - Gives awareness of points of contact at secured facilities and dates of classified meetings or briefings of interest
- Permanent Certification, or perm cert, allows a person who is cleared through one U.S. Federal Department or Agency to have his/her clearance passed to another U.S. Federal Department or Agency for a period of up to one year.
How to use your clearance
- Developing Unclassified Documents and Tearlines
- Integrate threat analysis efforts with the ES-ISAC to develop industry guidance and alerts
- The bidirectional sharing of information can help the federal partners evaluate intelligence data and provide feedback on industry issues of concern
- Individuals cleared at the appropriate level may also have greater awareness of, and potentially access to, tools and technologies that will enhance the information sharing process.
How to use your clearance
- Cybersecurity Risk Information Sharing Program (CRISP)
- National Cyber Investigative Joint Task Force
- The joint meetings between the ESCC and Government Executives to develop strategic-level policy
- Electricity industry representatives may provide assistance during national incident response operations.
References
- NERC CIPC Personnel Security Clearance Task Force (PSCTF) Report: http://www.nerc.com/comm/cipc/personnel%20security%20clearances%20Task%20Force%20PSCTF%20201/Personnel%20Security%20Clearances%20Task%20Force%20Report.pdf
- DHS Form 9014: http://www.khlaw.com/files/17583_dhs%20form%209014.pdf
- ESCC Security Clearance Handbook: Coming Soon
Questions?
Nathan Mitchell
ESCC Clearance Liaison
nmitchell@publicpower.org
202-467-2925