Greg Pannoni April 2016


National Industrial Security Program (NISP)
- A single, integrated, cohesive industrial security program
- Goal: eliminate redundant, overlapping, or unnecessary requirements that impeded national security interests
- Established by EO 12829
- Implementation: 32 CFR 2004 for Government agencies; NISPOM for contractors
- ISOO is responsible for implementing and monitoring the NISP and for chairing the NISPPAC

NISP Update
- EO 12829 amended in Feb 2015 by EO 13691, Promoting Private Sector Cybersecurity Information Sharing
  - Establishes DHS as a NISP CSA for cybersecurity critical infrastructure
  - Clarifies ODNI as a NISP CSA vice the CIA
- Now 5 CSAs: DoD (the NISP Executive Agent), DOE, NRC, ODNI, DHS

Update: NISPOM
- DoD, as NISP Executive Agent, is responsible for the NISPOM
- Two revisions underway:
  - Change 2 to the 2006 version of the NISPOM: incorporates insider threat provisions for industry from EO 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
  - Complete revision to replace the 2006 version of the NISPOM: CSAs and NISPPAC working with DoD; reflects up-to-date NISP operations

NISPOM Change 2: Insider Threat Program
- Establish and maintain an insider threat program
- Designate an Insider Threat Senior Official
  - Must be cleared in connection with the facility clearance
  - Establishes and executes the insider threat program
  - May be the FSO, but also has to be a Senior Official
- FSO must be an integral member of the contractor's program
- Gather, integrate and report, as required by the Cognizant Security Agency (CSA), relevant and available information indicative of a potential or actual insider threat
Unclassified

NISPOM Change 2: Insider Threat Training
- Training considered appropriate by the CSA
- Personnel with insider threat program responsibilities:
  - Counterintelligence and security fundamentals
  - Procedures for conducting insider threat response actions
  - Applicable laws related to the use (or misuse) of records and data
- All other cleared personnel:
  - Insider threat awareness training
  - Training required before access to classified information
- Establish and maintain a record of all cleared employees who have completed the initial and annual training

NISPOM Change 2: Information Systems Security
- ISSM role includes insider threat awareness
- User activities on the contractor's classified systems are subject to monitoring
- Banners on all classified information systems (ISs):
  - Activity on the classified network is subject to monitoring
  - Could be used in criminal, security or administrative actions
- Security awareness training for all users, initial and refresher (chapter 3)
- CSA guidance will be based on guidance for Federal ISs
- Terminology updates to synchronize with NIST 800-37, e.g., Assessment and Authorization instead of Certification and Accreditation

NISPOM Change 2: Contractor Reviews
- More guidance on content, scope, and management support, including an annual certification by a senior management official
- Formal report for CSA review
- New Appendix D, NISPOM Supplement: will cancel the 1995 NISPOM Supplement 1
- No gap in guidance, since DoD will not publish NISPOM Change 2 until the DoD SAP volumes are published

Update: 32 CFR 2004
- ISOO is responsible for the NISP Implementing Directive
- Last revised in 2010 to clarify the NID process
- Complete revision underway with the CSAs:
  - Incorporates NISP insider threat responsibilities for CSAs and GCAs
  - Fills a national-level policy gap for Executive Branch agencies
  - Expands the current regulation and clarifies responsibilities for sharing information, determining eligibility for access to classified information for companies and their employees, and FOCI and NIDs

NISPPAC
- Membership comprised of the CSAs, other Executive Branch agencies, and industry representatives
- Provides advice to the Chair on NISP policy matters
- Industry members nominated by their peers
- Subject to FACA, the Freedom of Information Act, and the Government Sunshine Act
- 3 meetings a year; meeting notices in the Federal Register
- Next meeting: Thursday, April 14 at Archives
- Summer meeting: Monday, June 6 in Nashville, TN, during the Annual NCMS Seminar, Gaylord Opryland Hotel, 2:00 pm in Delta Ballroom D

NISPPAC Industry Members
- Tony Ingenito (Industry Lead), Northrop Grumman, term 2012-2016, e-mail: Tony.Ingenito@ngc.com
- J.C. Dodson, BAE Systems, term 2012-2016, e-mail: jeffrey.dodson@baesystems.com
- William Davidson, Keypoint Government Services, term 2013-2017, e-mail: william.davidson@keypoint.us.com
- Phil Robinson, Squadron Defense Group, term 2013-2017, e-mail: phillip.robinson@squadrondefense.com
- Martin Strones, Strones Enterprises, term 2014-2018, e-mail: mstrones@gmail.com
- Michelle Sutphin, BAE Systems, term 2014-2018, e-mail: michelle.sutphin@baesystems.com
- Dennis Keith, Harris Corporation, term 2015-2019, e-mail: Dkeith@harris.com
- Quinton Wilkes, L-3 Communications Corporation, term 2015-2019, e-mail: Quinton.Wilkes@L-3com.com

NISPPAC Working Groups
- Opportunity for NISPPAC members to address specific areas of interest
- Standing working groups: Personnel Security; Contractor Information Systems
- Ad hoc working groups: NISPOM Rewrite; SAP

CUI Program Update
- 32 CFR 2002 (CUI Implementing Regulation) is scheduled to be released May 25, 2016
- Projected effective date: July 25, 2016
- On the effective date (or Day Zero), agencies will begin implementation activities: modification to agency policy, training, physical safeguarding, system configuration, self-inspection programs, and contracts (agreements)
- July 2017, one year from the effective date: the CUI Federal Acquisition Regulation will be published

32 CFR 2002 (May 2016)
- Implements the CUI Program
- Establishes policy for designating, handling, and decontrolling information that qualifies as CUI
- Describes, defines, and provides guidance on the minimum protections for CUI: physical and electronic environments, destruction, marking, sharing
- Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities); these protections must continue as described in the underlying authorities

Implementation Activities within the Executive Branch (timeline from Day 0 through Year 2, in 180-day increments)
- Policy: develop and publish policy; then develop and publish component policy
- Training: planning; then develop and deploy training; then complete CUI training
- Physical safeguarding: planning; then implement physical safeguarding
- Systems: assessment of systems; develop systems transition strategy
- Self-inspection: initiate internal oversight

CUI Approach for the Contractor Environment
- Government chain: E.O. 13556 -> CUI Registry -> 32 CFR 2002 -> NIST SP 800-171 -> FAR (1 year) -> Industry
- Until the formal process of establishing a single FAR clause takes place, the CUI requirements in NIST SP 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.
- The Department of Defense has revised its DFARS to reference NIST SP 800-171.

Submit any questions to: CUI@NARA.GOV

Web Resources
- ISOO Web Page: http://www.archives.gov/isoo/
- ISOO Policy Documents (E.O. 12829): http://www.archives.gov/isoo/policy-documents
- Implementing Directive (32 C.F.R. Part 2004): http://www.archives.gov/isoo/policy-documents/isoo-implementingdirective.html
- NISP and NISPPAC sections: member listings, charter and bylaws, minutes of NISPPAC meetings

BACKUP

NISP Policy Relationships
- E.O. 13526, Classified National Security Information
- E.O. 13549, Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities
- E.O. 12829, National Industrial Security Program
- E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing of Classified Information
- E.O. 13691, Promoting Private Sector Cybersecurity Information Sharing

- E.O. 13526, Classified National Security Information (12/29/2009)
- E.O. 12829, National Industrial Security Program (1/8/1993)
- E.O. 13549, Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities (8/18/2010)
- E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (10/7/2011)
- E.O. 13556, Controlled Unclassified Information (11/4/2010)