March 20, 1995
NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM) IMPLEMENTATION GUIDANCE
This is a special issue of the Industrial Security Letter (ISL) dedicated to interpreting and clarifying various NISPOM requirements. This issue includes only those requirements which are believed to be most significant. Future ISLs will also include NISPOM implementation issues.
1. IMPLEMENTATION OF THE NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL (NISPOM)
QUESTION/STATEMENT OF PROBLEM: Has the NISPOM been published? If so, when do the requirements have to be implemented?
ANSWER/GUIDANCE: Publication and distribution of the January 1995 NISPOM Baseline has been completed and the NISPOM Supplement is currently being processed for publication. If you have not received your copy, you should immediately contact your local Field Office.
For contract administration purposes, the NISPOM is considered a revision of the Department of Defense Industrial Security Manual for Safeguarding Classified Information (ISM), dated January 1991. Existing contracts do not have to be modified unless the contracting officer believes it to be necessary.
Contractors may implement NISPOM requirements immediately if so desired but no later than July 31, 1995 (6 months from the date of this Manual).
However, in accordance with NISPOM paragraph 1-102c, if a contractor identifies more costly requirements, the contractor shall notify the Cognizant Security Agency (CSA) (which in this case would be the Field Office (FO)) in writing by July 31, 1995. If the FO concurs, the contractor will have 3 years to implement the more costly requirements. UNLESS A WAIVER IS GRANTED, ALL REQUIREMENTS OF THE NISPOM, REGARDLESS OF COST IMPACT, MUST BE IMPLEMENTED WITHIN THREE YEARS FROM THE DATE OF THIS MANUAL.
2. FEDERAL ACQUISITION REGULATION (FAR)
QUESTION/STATEMENT OF PROBLEM: What is the status of necessary changes to the FAR, such as identifying the NISPOM in lieu of the Industrial Security Manual?
ANSWER/GUIDANCE: The Defense Acquisition Regulations (DAR) Council has agreed to a proposed FAR rule revising Parts 4, 27 and 52 to reflect the applicability of the NISPOM. The DAR Council will seek approval to publish the change as soon as the FAR Secretariat advises that there is agreement on the change. A draft Federal Register notice has also been prepared. It is anticipated that the notice will be published in the Federal Register for public comment in the May/June time frame.
3. SECURITY COGNIZANCE, PARAGRAPH 1-104a
QUESTION/STATEMENT OF PROBLEM: The term CSA denotes the DoD, DoE, NRC and the CIA. The CSA may further delegate responsibility for security administration to one or more "Cognizant Security Offices" (CSO). Who is our CSA and/or CSO?
ANSWER/GUIDANCE: For all DoD contractors participating in the NISP, DoD will be the CSA. The local DIS FO will be the CSO for most NISPOM requirements. DISCO may, however, be the CSO for certain PCL/Reporting requirements. If in doubt, contact your Industrial Security Representative.
4. SECURITY REVIEWS, PARAGRAPH 1-207a(1)
QUESTION/STATEMENT OF PROBLEM: The CSA will determine the frequency of security reviews (formerly called inspections) which should be conducted no more often than once every 12 months. What is the frequency of security reviews?
ANSWER/GUIDANCE: As a baseline, the frequency of security reviews will be initially set at 12 months for possessing facilities and 18 months for nonpossessing facilities. These schedules will be flexibly managed. Thereafter, frequency of reviews will be based on factors such as threat, changed conditions, sensitivity of programs, and security performance, consistent with the principle of risk management.
5. REPORTS TO BE SUBMITTED TO THE CSA, PARAGRAPHS 1-302a THROUGH 1-302o
QUESTION/STATEMENT OF PROBLEM: It was clear in ISM paragraphs 1-301 and 1-303 which reports were to be submitted to DISCO and which reports were to be submitted to the FO. This distinction is not made in the NISPOM because CSAs other than DoD have their own reporting channels.
ANSWER/GUIDANCE: The following reports, paragraphs 1-302a through 1-302g, will be submitted to DISCO:
- Adverse Information
- Suspicious Contacts
- Change in Cleared Employee Status
- Representative of a Foreign Interest
- Citizenship by Naturalization
- Employees Desiring Not to Perform on Classified Work
- SF 312
The following reports, paragraphs 1-302h through 1-302o, will be submitted to the FO:
- Changed Conditions Affecting the FCL
- Change in Storage Capability
- Inability to Safeguard Classified Material
- Security Equipment Vulnerabilities
- Unauthorized Receipt of Classified Material
- Employee Information in Compromise Cases
- Disposition of Classified Material Terminated from Accountability
- Foreign Classified Contracts
6. CHANGE IN CLEARED EMPLOYEE STATUS, PARAGRAPH 1-302c
QUESTION/STATEMENT OF PROBLEM: A requirement to report change in marital status has been added to this paragraph. Are all changes in marital status, i.e., separation, death of spouse, etc., required to be reported?
ANSWER/GUIDANCE: Marriage and divorce are the only changes in marital status that need to be reported and then only for employees cleared TOP SECRET or having access to SCI.
7. PCLs CONCURRENT WITH THE FCL, PARAGRAPH 2-105
QUESTION/STATEMENT OF PROBLEM: Will DISCO continue to process rank and file employees, necessary for contract performance, concurrently with the FCL processing?
ANSWER/GUIDANCE: Yes, although DISCO will continue to process these clearances, they will not be given priority handling at the PIC. There may be instances, however, when the LOCs are issued to the facility prior to the interim and/or final FCL being granted. These PCLs are not valid nor shall access be granted to any individual employee until receipt of the interim and/or final FCL.
8. PERSONNEL CLEARANCES, PARAGRAPH 2-200c
QUESTION/STATEMENT OF PROBLEM: Within a multiple facility organization (MFO), PCLs will be issued to a company's home office facility (HOF) unless an alternative arrangement is approved by the CSA. Cleared employee transfers within an MFO, and classified access thereto, shall be managed by the contractor. Will all PCLs now be issued to the HOF? If so, is the HOF responsible for providing visit authorization letters (VALs) for all classified visits made throughout the MFO? What is an acceptable alternative plan and who is the CSA responsible for approving this plan?
ANSWER/GUIDANCE: Contractors will have two options available: (i) all LOCs may be issued to the HOF, or (ii) LOCs may be issued to individual cleared facilities within the MFO, to a designated PMF within an MFO or a combination thereof. Option (i) is required by the NISPOM unless an alternative plan (option ii) is approved by the CSA (which in this case would be the FO).
The HOF is not responsible for providing VALs for classified visits made throughout the MFO. Once the PCL information has been verified from the HOF, each cleared division or operating location may execute the VAL for any cleared employee located at their site.
If an alternative plan is approved, DISCO notification of cleared employee transfers must be submitted via DISCO Form 562. New facilities will have LOCs issued to the HOF unless DISCO is otherwise notified on the appropriate clearance application.
9. PERSONNEL CLEARANCES, PARAGRAPH 2-200e
QUESTION/STATEMENT OF PROBLEM: The contractor shall not submit a request for a PCL to one agency if the employee applicant is known to be cleared or is in process for a PCL by another agency. To permit PCL verification, the contractor should provide the new agency with the full name, date and place of birth, current address, social security number, clearing agency and type of clearance.
ANSWER/GUIDANCE: Contractor employees possessing a valid PCL (at the appropriate level) from another Government agency shall not be required to complete a DD Form 398 or 398-2. Contractors may complete DISCO Form 562 containing the information outlined above so that DISCO can verify the PCL. An LOC will be issued by DISCO if there is a current PCL at the required level that can be verified.
When the PCL cannot be confirmed, DISCO will notify the contractor that a DD Form 398 or 398-2 is required. If it is determined that a Periodic Reinvestigation (PR) is required, DISCO will issue the LOC and request the PR. Additionally, if a clearance is requested on an individual who is "in process" by another agency, DISCO will not open a PSI but will await issuance on the basis of the completed investigation by the other agency. Contractors should not submit the request for a PCL to DISCO until notified of the issuance of the PCL by the other agency.
10. NATIONAL AGENCY CHECK AND CREDIT CHECK (NACC), PARAGRAPH 2-201b
QUESTION/STATEMENT OF PROBLEM: An NACC is required for a SECRET, an L, or a CONFIDENTIAL PCL. Is this requirement retroactive for existing SECRET or CONFIDENTIAL PCLs?
ANSWER/GUIDANCE: The NACC will not be retroactive for existing SECRET and CONFIDENTIAL PCLs.
11. CLEARANCE TERMINATIONS, PARAGRAPH 2-216
QUESTION/STATEMENT OF PROBLEM: The contractor shall terminate a PCL (a) upon termination of employment; or (b) when the need for access to classified information in the future is reasonably foreclosed. Termination of a PCL is accomplished by submitting a CSA-designated form to the CSA. What is the CSA-designated form and who is the CSA that should be receiving this form? Is there a suggested time frame in which PCLs should be terminated when no access has occurred? Are contractors still required to downgrade PCLs?
ANSWER/GUIDANCE: The DISCO Form 562 shall be used for submitting PCL terminations to DISCO.
Although there is no specified duration for the required termination, contractors should exercise judgment in determining the circumstances which might warrant a termination. And while there is no longer a requirement for contractors to downgrade a PCL, DISCO will determine if the TOP SECRET PCL is required when a TOP SECRET PR is requested. If there is no anticipated requirement, DISCO will automatically downgrade the TOP SECRET PCL to SECRET and notify the contractor by issuing a new LOC.
12. CLEARANCE REINSTATEMENTS, PARAGRAPH 2-217
QUESTION/STATEMENT OF PROBLEM: A PCL can be reinstated provided (a) no more than 24 months has lapsed since the date of termination of clearance; (b) there is no known adverse information; (c) the most recent investigation must not exceed 5 years (TOP SECRET, Q) or ten years (SECRET, L); and . . . Can a PCL be reinstated if there is known adverse information and/or the most recent investigation exceeds the five or ten-year investigative scope?
ANSWER/GUIDANCE: DISCO will reinstate the PCL unless the adverse information is sufficient to warrant an interim suspension. If the contractor knows of adverse information that has not yet been reported to DISCO, it should be reported via the DISCO Form 562 or an accompanying letter.
DISCO will also reinstate the PCL even if a PR is due (a PR will be simultaneously requested with the reinstatement).
DISCO Form 562 will be used to request reinstatements. The contractor cannot grant access to classified information until receipt of the LOC.
NOTE: Since PCLs may be retained until further access is reasonably foreclosed (indefinitely), revalidations are no longer required.
13. CLASSIFIED INFORMATION NONDISCLOSURE AGREEMENT (SF 312), PARAGRAPH 3-105
QUESTION/STATEMENT OF PROBLEM: The contractor shall forward the executed SF 312 to the CSA for retention. Who is the CSA and should all SF 312s be forwarded?
ANSWER/GUIDANCE: DISCO is the CSA. Only those SF 312s executed after July 31, 1995, should be forwarded to DISCO for retention. Those executed prior to July 31, 1995, should continue to be retained by the contractor until notified to forward them to DISCO. A strategy for the submission of existing SF 312s to DISCO will be developed and announced in the near future.
14. CONTROL AND ACCOUNTABILITY, CHAPTER 5 - SECTION 2
QUESTION/STATEMENT OF PROBLEM: Since the document accountability system for SECRET material has been eliminated, except for highly sensitive program information and where special conditions exist as approved by the government contracting activity, GCA, what is required under the NISPOM for records of classified material?
ANSWER/GUIDANCE: An Information Management System (IMS) is required to control all classified information, to include CONFIDENTIAL, which the contractor has in their possession. As a minimum, the IMS should be equivalent to the system used by the contractor to protect its proprietary information.
Contractors are also required to maintain an external receipt and dispatch record for TOP SECRET, SECRET and CONFIDENTIAL information.
15. SUPPLEMENTAL PROTECTION, PARAGRAPH 5-307c
QUESTION/STATEMENT OF PROBLEM: GSA-approved security containers and approved vaults secured with a locking mechanism meeting Federal Specification FF-L-2740 do not require supplemental protection when the CSA has determined that the GSA approved security container or approved vault is located in an area of the facility with security-in-depth. Does this paragraph mean that supplemental protection is required when storing SECRET information in a GSA-approved container or vault?
ANSWER/GUIDANCE: No, paragraph 5-307c refers ONLY to the protection of TOP SECRET information. It affords contractors a potentially more cost-efficient means to safeguard TOP SECRET information if the facility has approved security-in-depth. Storage requirements for containers used to safeguard SECRET information are explained in paragraph 5-303.
16. OPEN SHELF STORAGE OF CONFIDENTIAL DOCUMENTS IN A CLOSED AREA, PARAGRAPH 5-306a
QUESTION/STATEMENT OF PROBLEM: Does the open shelf or bin storage of CONFIDENTIAL documents in a Closed Area require the use of an IDS?
ANSWER/GUIDANCE: No, paragraph 5-304 is clear that supplemental protection is not required for CONFIDENTIAL.
17. SECRET TRANSMISSION OUTSIDE A FACILITY, PARAGRAPH 5-403e
QUESTION/STATEMENT OF PROBLEM: Can Federal Express (FedEx) now be used to transmit SECRET and/or CONFIDENTIAL material?
ANSWER/GUIDANCE: In a letter, dated November 22, 1994, the Assistant Secretary of Defense (C3I) authorized certain elements of the Department of Defense to use FedEx to transmit SECRET and CONFIDENTIAL information within the continental United States. The letter did not specifically address whether this policy applied to overnight shipments to or by defense contractor facilities. Some OSD elements and military departments assumed that it did and have begun to use this service to transmit classified information to contractors.
DIS has been advised by the Office of the ASD (C3I) that it was NOT their intention to permit such shipments to or by DoD contractors at this time, unless specifically directed to do so by the government contracting activity. Contractors are not required to clear all employees who handle incoming FedEx shipments nor to use cleared employees to open and screen all such packages. Instead, uncleared personnel who are likely to open FedEx packages should be briefed that, if a FedEx package is opened and the inner envelope is marked SECRET or CONFIDENTIAL, the inner envelope should be immediately delivered UNOPENED to an authorized, cleared employee for receipt and distribution.
The receipt of a FedEx package containing classified information need not be reported as an improper transmission or possible compromise unless: (1) the inner envelope was opened by an uncleared employee and compromise occurred; (2) there were signs of tampering; or (3) the package contained TOP SECRET information. Some uncleared commercial delivery companies may be approved by the CSA when appropriate procedures have been developed, but none have been approved to date. The approval of any companies in the future and the procedures to be used will be announced in a forthcoming ISL.
18. WITNESS TO DESTRUCTION, PARAGRAPH 5-706
QUESTION/STATEMENT OF PROBLEM: The ISM previously allowed for the destruction of classified material by one cleared employee and one subcontractor employee working on the premises of the contractor. The NISPOM, however, states that destruction shall be by appropriately cleared employees of the contractor. Can cleared subcontractor employees be used for the destruction of TOP SECRET material?
ANSWER/GUIDANCE: Yes, cleared subcontractor employees may still be utilized as the witness for the destruction of TOP SECRET material.
19. RESTRICTED DATA, CHAPTER 9
QUESTION/STATEMENT OF PROBLEM: For Restricted Data (RD) information, should the requirements of the NISPOM baseline or the NISPOM Supplement (NISPOMSUP) be followed?
ANSWER/GUIDANCE: When the Department of Energy (DoE) agreed to participate in the National Industrial Security Program (NISP), it became necessary to reconcile the differences between the way DoE and DoD handle Restricted Data (RD). Rather than increase the level of protection for all RD within the DoD, it was decided to identify a category of the most sensitive RD information and provide enhanced protection to that information only.
A joint DoE/DoD Nuclear Weapons Information Access Authorization Review Group has been formed to identify the information to be included in this category and establish the safeguards required for its protection. Unfortunately, this Review Group was not able to complete its work prior to the publication of the NISPOM. Although references remain in NISPOM paragraphs 9-105b, 9-110 and 9-111 to the NISPOMSUP, the majority of RD information will be covered by the NISPOM baseline. DoD contractors are to continue to safeguard RD information, including Critical Nuclear Weapons Design Information (CNWDI), as they would other information of the same classification category, e.g., TOP SECRET RD is to be protected the same as TOP SECRET information, SECRET RD is to be protected the same as SECRET information and CONFIDENTIAL RD information is to be protected the same as CONFIDENTIAL information.
20. RESTRICTED DATA - PERSONNEL SECURITY CLEARANCES, PARAGRAPH 9-105b
QUESTION/STATEMENT OF PROBLEM: Is a favorable SSBI required for access to SECRET RD information?
ANSWER/GUIDANCE: No, an SSBI is not required for access to SECRET RD information (refer to the guidance in item number 7 above).
21. RESTRICTED DATA - CLASSIFICATION, PARAGRAPH 9-106
QUESTION/STATEMENT OF PROBLEM: What guidance should be followed concerning the derivative classification of materials containing RD?
ANSWER/GUIDANCE: DoD contractors should continue to follow the classification guidance provided with their User Agency contracts.
22. VERIFICATION OF FACILITY CLEARANCE AND SAFEGUARDING, APPENDIX A
QUESTION/STATEMENT OF PROBLEM: Is the telephone number for the Central Verification Activity (CVA) listed on page A-5 of the NISPOM correct?
ANSWER/GUIDANCE: No, the correct telephone number for the CVA is (410) 631-0690/0691/0695/0697. Until this error is corrected, it is recommended that a pen and ink change be made to this page.
23. OTHER INDUSTRIAL SECURITY ADDRESSES, APPENDIX A
QUESTION/STATEMENT OF PROBLEM: Has the address and telephone number listed for OISI-CASA on page A-5 of the NISPOM been changed?
ANSWER/GUIDANCE: Yes, the correct address and telephone number for OISI-CASA is:
24. INDUSTRIAL SECURITY BULLETIN BOARD
QUESTION/STATEMENT OF PROBLEM: What is the Industrial Security Bulletin Board and how can it be accessed?
ANSWER/GUIDANCE: The Defense Investigative Service has set up an electronic bulletin board to provide timely distribution of information relating to the National Industrial Security Program. The bulletin board has the current NISPOM, interpretations, meeting announcements, computer security information and a place for you to place your questions and concerns. Future revisions/changes to the NISPOM will also be posted. The bulletin board is available to the entire industrial security community and is easily accessed via telnet or direct dial. All you need is a computer and a modem to gain access to the latest industrial security information.
A convenient one-page User's Guide appears at the end of this ISL and can be detached for easy reference.
GREGORY A. GWASH