ISL 95L-1 March 20, 1995
NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING
MANUAL (NISPOM) IMPLEMENTATION GUIDANCE
This is a special issue of the Industrial Security Letter (ISL) dedicated to interpreting and clarifying various NISPOM requirements.
This issue includes only those requirements which are believed to be most significant. Future ISLs will also include NISPOM implementation issues.
1. IMPLEMENTATION OF THE NATIONAL INDUSTRIAL SECURITY
PROGRAM OPERATING MANUAL (NISPOM)
QUESTION/STATEMENT OF PROBLEM: Has the NISPOM been
published? If so, when do the requirements have to be implemented?
ANSWER/GUIDANCE: Publication and distribution of
the January 1995 NISPOM Baseline has been completed and the NISPOM
Supplement is
currently being processed for publication. If you
have not received your copy, you should immediately contact your
local Field Office.
For contract administration purposes, the NISPOM
is considered a revision of the Department of Defense Industrial
Security Manual for
Safeguarding Classified Information (ISM), dated
January 1991. Existing contracts do not have to be modified
unless the contracting
officer believes it to be necessary.
Contractors may implement NISPOM requirements immediately
if so desired but no later than July 31, 1995 (6 months from the
date of this Manual).
However, in accordance with NISPOM paragraph 1-102c,
if a contractor identifies more costly requirements, the contractor
shall notify the Cognizant Security Agency (CSA) (which in this case
would be the Field Office FO) in writing by July 31, 1995. If
the FO concurs, the contractor will have 3 years to implement the more
costly requirements. UNLESS A WAIVER IS GRANTED, ALL REQUIREMENTS
OF THE NISPOM, REGARDLESS OF COST IMPACT, MUST BE IMPLEMENTED
WITHIN THREE YEARS FROM THE DATE OF THIS MANUAL.
2. FEDERAL ACQUISITION REGULATION (FAR)
QUESTION/STATEMENT OF PROBLEM: What is the status
of necessary changes to the FAR, such as identifying the NISPOM
in lieu of the Industrial Security Manual?
ANSWER/GUIDANCE: The Defense Acquisition Regulations
(DAR) Council has agreed to a proposed FAR rule revising Parts
4, 27 and 52 to reflect the applicability of the NISPOM. The DAR
Council will seek approval to publish the change as soon as the FAR
Secretariat advises that there is agreement on the change. A draft
Federal Register notice has also been prepared. It is anticipated
that the notice will be published in the Federal Register for
public comment in the May/June time frame.
3. SECURITY COGNIZANCE, PARAGRAPH 1-104a
QUESTION/STATEMENT OF PROBLEM: The term CSA denotes
the DoD, DoE, NRC and the CIA. The CSA may further delegate responsibility
for security administration to one or more "Cognizant Security
Offices" (CSO). Who is our CSA and/or CSO?
ANSWER/GUIDANCE: For all DoD contractors participating
in the NISP, DoD will be the CSA. The local DIS FO will be the
CSO for most NISPOM requirements. DISCO may, however, be the CSO for
certain PCL/Reporting requirements. If in doubt, contact your
Industrial Security Representative.
4. SECURITY REVIEWS, PARAGRAPH 1-207a(1)
QUESTION/STATEMENT OF PROBLEM: The CSA will determine
the frequency of security reviews (formerly called inspections)
which should be conducted no more often than once every 12 months.
What is the frequency of security reviews?
ANSWER/GUIDANCE: As a baseline, the frequency of
security reviews will be initially set at 12 months for possessing
facilities and 18 months for nonpossessing facilities. These schedules
will be flexibly managed. Thereafter, frequency of reviews will
be based on factors such as threat, changed conditions, sensitivity of
programs, and security performance, consistent with the principle
of risk management.
5. REPORTS TO BE SUBMITTED TO THE CSA, PARAGRAPHS
1-302a THROUGH 1-302o
QUESTION/STATEMENT OF PROBLEM: It was clear in ISM
paragraphs 1-301 and 1-303 which reports were to be submitted
to DISCO and which reports were to be submitted to the FO. This distinction
is not made in the NISPOM because CSAs other than DoD have their
own reporting channels.
ANSWER/GUIDANCE:
The following reports, paragraphs 1-302h through
1-302o, will be submitted to the FO:
6. CHANGE IN CLEARED EMPLOYEE STATUS, PARAGRAPH 1-302c
QUESTION/STATEMENT OF PROBLEM: A requirement to report
change in marital status has been added to this paragraph. Are
all changes in marital status, i.e., separation, death of spouse,
etc., required to be reported?
ANSWER/GUIDANCE: Marriage and divorce are the only
changes in marital status that need to be reported and then only
for employees cleared TOP SECRET or having access to SCI.
7. PCLs CONCURRENT WITH THE FCL, PARAGRAPH 2-105
QUESTION/STATEMENT OF PROBLEM: Will DISCO continue
to process rank and file employees, necessary for contract performance,
concurrently with the FCL processing?
ANSWER/GUIDANCE: Yes, although DISCO will continue to process these clearances, they will not be given priority handling at the PIC.
There may be instances, however, when the LOCs are
issued to the facility prior to the interim and/or final FCL being
granted. These PCLs are not valid nor shall access be granted to
any individual employee until receipt of the interim and/or final
FCL.
8. PERSONNEL CLEARANCES, PARAGRAPH 2-200c
QUESTION/STATEMENT OF PROBLEM: Within a multiple
facility organization (MFO), PCLs will be issued to a company's
home office facility (HOF) unless an alternative arrangement
is approved by the CSA. Cleared employee transfers within an MFO,
and classified access thereto, shall be managed by the contractor. Will
all PCLs now be issued to the HOF? If so, is the HOF responsible
for providing visit authorization letters (VALs) for all classified visits
made throughout the MFO? What is an acceptable alternative plan
and who is the CSA responsible for approving this plan?
ANSWER/GUIDANCE: Contractors will have two options
available: (i) all LOCs may be issued to the HOF, or (ii) LOCs
may be issued to individual cleared facilities within the MFO, to
a designated PMF within an MFO or a combination thereof. Option
(i) is required by the NISPOM unless an alternative plan (option ii) is
approved by the CSA (which in this case would be the FO).
The HOF is not responsible for providing VALs for classified visits made throughout the MFO. Once the PCL information has been verified from the HOF, each cleared division or operating location may execute the VAL for any cleared employee located at their site.
If an alternative plan is approved, DISCO notification
of cleared employee transfers must be submitted via DISCO Form
562. New facilities will have LOCs issued to the HOF unless
DISCO is otherwise notified on the appropriate clearance application.
9. PERSONNEL CLEARANCES, PARAGRAPH 2-200e
QUESTION/STATEMENT OF PROBLEM: The contractor shall not submit a request for a PCL to one agency if the employee applicant is known to be cleared or is in process for a PCL by another agency. To permit PCL verification, the contractor should provide the new agency with the full name, date and place of birth, current address, social security number, clearing agency and type of clearance.
ANSWER/GUIDANCE: Contractor employees possessing
a valid PCL (at the appropriate level) from another Government
agency shall not be required to complete a DD Form 398 or 398-2. Contractors
may complete DISCO Form 562 containing the information outlined
above so that DISCO can verify the PCL. An LOC will be issued by DISCO
if there is a current PCL at the required level that can be verified.
When the PCL cannot be confirmed, DISCO will notify
the contractor that a DD Form 398 or 398-2 is required. If it
is determined that a Periodic Reinvestigation (PR) is required, DISCO
will issue the LOC and request the PR. Additionally, if a clearance
is requested on an individual who is "in process" by another
agency, DISCO will not open a PSI but will await issuance on the
basis of the completed investigation by the other agency. Contractors should
not submit the request for a PCL to DISCO until notified of the
issuance of the PCL by the other agency.
10. NATIONAL AGENCY CHECK AND CREDIT CHECK (NACC),
PARAGRAPH 2-201b
QUESTION/STATEMENT OF PROBLEM: An NACC is required
for a SECRET, an L, or a CONFIDENTIAL PCL. Is this requirement
retroactive for existing SECRET or CONFIDENTIAL PCLs?
ANSWER/GUIDANCE: The NACC will not be retroactive
for existing SECERT and CONFIDENTIAL PCLs.
11. CLEARANCE TERMINATIONS, PARAGRAPH 2-216
QUESTION/STATEMENT OF PROBLEM: The contractor shall
terminate a PCL (a) upon termination of employment; or (b) when
the need for access to classified information in the future is reasonably
foreclosed. Termination of a PCL is accomplished by submitting
a CSA-designated form to the CSA. What is the CSA-designated form
and who is the CSA that should be receiving this form? Is there
a suggested time frame in which PCLs should be terminated when no access has
occurred? Are contractors still required to downgrade PCLs?
ANSWER/GUIDANCE: The DISCO Form 562 shall be used
for submitting PCL terminations to DISCO.
Although there is no specified duration for the required
termination, contractors should exercise judgment in determining
the circumstances which might warrant a termination.
And while there is no longer a requirement for contractors
to downgrade a PCL, DISCO will determine if the TOP SECRET PCL
is required when a TOP SECRET PR is requested. If there
is no anticipated requirement, DISCO will automatically downgrade
the TOP SECRET PCL to SECRET and notify the contractor by
issuing a new LOC.
12. CLEARANCE REINSTATEMENTS, PARAGRAPH 2-217
QUESTION/STATEMENT OF PROBLEM: A PCL can be reinstated
provided (a) no more than 24 months has lapsed since the date
of termination of clearance; (b) there is no known adverse information;
(c) the most recent investigation must not exceed 5 years (TOP
SECRET, Q) or ten years (SECRET, L); and . . . Can a PCL be reinstated
if there is adverse known and/or the most recent investigation
exceeds the five or ten-year investigative scope?
ANSWER/GUIDANCE: DISCO will reinstate the PCL unless
the adverse information is sufficient to warrant an interim suspension.
If thecontractor knows of adverse information that has
not yet been reported to DISCO, it should be reported via the
DISCO Form 562 or an accompanying letter.
DISCO will also reinstate the PCL even if a PR is
due (a PR will be simultaneously requested with the reinstatement).
DISCO Form 562 will be used to request reinstatements.
The contractor cannot grant access to classified information until
receipt of the LOC.
NOTE: Since PCLs may be retained until further access
is reasonably foreclosed (indefinitely), revalidations are no
longer required.
13. CLASSIFIED INFORMATION NONDISCLOSURE AGREEMENT
(SF 312), PARAGRAPH 3-105
QUESTION/STATEMENT OF PROBLEM: The contractor shall
forward the executed SF 312 to the CSA for retention. Who is the
CSA and should all SF 312s be forwarded?
ANSWER/GUIDANCE: DISCO is the CSA. Only those SF
312s executed after July 31, 1995, should be forwarded to DISCO
for retention. Those executed prior to July 31, 1995, should continue
to be retained by the contractor until notified to forward them
to DISCO. A strategy for the submission of existing SF 312s to DISCO will
be developed and announced in the near future.
14. CONTROL AND ACCOUNTABILITY, CHAPTER 5 - SECTION
2
QUESTION/STATEMENT OF PROBLEM: Since the document
accountability system for SECRET material has been eliminated,
except for highly sensitive program information and where special conditions
exist as approved by the government contracting activity, GCA,
what is required under the NISPOM for records of classified material?
ANSWER/GUIDANCE: An Information Management System
(IMS) is required to control all classified information, to include
CONFIDENTIAL, which the contractor has in their possession. As
a minimum, the IMS should be equivalent to the system used by
the contractor to protect its proprietary information.
Contractors are also required to maintain an external
receipt and dispatch record for TOP SECRET, SECRET and CONFIDENTIAL
information.
15. SUPPLEMENTAL PROTECTION, PARAGRAPH 5-307c
QUESTION/STATEMENT OF PROBLEM: GSA-approved security
containers and approved vaults secured with a locking mechanism
meeting Federal Specification FF-L-2740 do not require supplemental
protection when the CSA has determined that the GSA-approved security
container or approved vault is located in an area of the facility
with security-in-depth. Does this paragraph mean that supplemental
protection is required when storing SECRET information in a GSA-approved
container or vault?
ANSWER/GUIDANCE: No, paragraph 5-307c refers ONLY
to the protection of TOP SECRET information. It affords contractors
a potentially more cost-efficient means to safeguard TOP SECRET information
if the facility has approved security-in-depth. Storage requirements
for containers used to safeguard SECRET information are
explained in paragraph 5-303.
16. OPEN SHELF STORAGE OF CONFIDENTIAL DOCUMENTS
IN A CLOSED AREA, PARAGRAPH 5-306a
QUESTION/STATEMENT OF PROBLEM: Does the open shelf
or bin storage of CONFIDENTIAL documents in a Closed Area require
the use of an IDS?
ANSWER/GUIDANCE: No, paragraph 5-304 is clear that
supplemental protection is not required for CONFIDENTIAL.
17. SECRET TRANSMISSION OUTSIDE A FACILITY, PARAGRAPH
5-403e
QUESTION/STATEMENT OF PROBLEM: Can Federal Express
(FedEx) now be used to transmit SECRET and/or CONFIDENTIAL material?
ANSWER/GUIDANCE: In a letter, dated November 22,
1994, the Assistant Secretary of Defense (C3I) authorized certain
elements of the Department of Defense to use FedEx to transmit SECRET
and CONFIDENTIAL information within the continental United States.
The letter did not specifically address whether this policy applied
to overnight shipments to or by defense contractor facilities.
Some OSD elements and military departments assumed that it did and
have begun to use this service to transmit classified information
to contractors.
DIS has been advised by the Office of the ASD (C3I)
that it was NOT their intention to permit such shipments to or
by DoD contractors at this time, unless specifically directed to do so
by the government contracting activity. Contractors are not required
to clear all employees who handle incoming FedEx shipments nor
to use cleared employees to open and screen all such packages.
Instead, uncleared personnel who are likely to open FedEx packages should
be briefed that, if a FedEx package is opened and the inner envelope
is marked SECRET or CONFIDENTIAL, the inner envelope should
be immediately delivered UNOPENED to an authorized, cleared employee
for receipt and distribution.
The receipt of a FedEx package containing classified
information need not be reported as an improper transmission or
possible compromise unless: (1) the inner envelope was opened by an uncleared
employee and compromise occurred; (2) there were signs of tampering;
or (3) the package contained TOP SECRET information.
Some uncleared commercial delivery companies may
be approved by the CSA when appropriate procedures have been developed,
but none have been approved to date. The approval of any companies
in the future and the procedures to be used will be announced
in a forthcoming ISL.
18. WITNESS TO DESTRUCTION, PARAGRAPH 5-706
QUESTION/STATEMENT OF PROBLEM: The ISM previously
allowed for the destruction of classified material by one cleared
employee and one subcontractor employee working on the premises of
the contractor. The NISPOM, however, states that destruction shall
be by appropriately cleared employees of the contractor. Can cleared
subcontractor employees be used for the destruction of TOP SECRET
material?
ANSWER/GUIDANCE: Yes, cleared subcontractor employees
may still be utilized as the witness for the destruction of TOP
SECRET material.
19. RESTRICTED DATA, CHAPTER 9
QUESTION/STATEMENT OF PROBLEM: For Restricted Data
(RD) information, should the requirements of the NISPOM baseline
or the NISPOM Supplement (NISPOMSUP) be followed?
ANSWER/GUIDANCE: When the Department of Energy (DoE)
agreed to participate in the National Industrial Security Program
(NISP), it became necessary to reconcile the differences between
the way DoE and DoD handle Restricted Data (RD). Rather than increase
the level of protection for all RD within the DoD, it was decided
to identify a category of the most sensitive RD information and
provide enhanced protection to that information only.
A joint DoE/DoD Nuclear Weapons Information Access
Authorization Review Group has been formed to identify the information
to be included in this category and establish the safeguards
required for its protection. Unfortunately, this Review Group
was not able to complete its work prior to the publication of the
NISPOM. Although references remain in NISPOM paragraphs 9-105b,
9-110 and 9-111 to the NISPOMSUP, the majority of RD information will be
covered by the NISPOM baseline. DoD contractors are to continue
to safeguard RD information, including Critical Nuclear Weapons
Design Information (CNWDI), as they would other information of
the same classification category, e.g., TOP SECRET RD is to be protected
the same as TOP SECRET information, SECRET RD is to be protected
the same as SECRETinformation and CONFIDENTIAL RD information is to
be protected the same as CONFIDENTIAL information.
20. RESTRICTED DATA - PERSONNEL SECURITY CLEARANCES,
PARAGRAPH 9-105b
QUESTION/STATEMENT OF PROBLEM: Is a favorable SSBI
required for access to SECRET RD information?
ANSWER/GUIDANCE: No, an SSBI is not required for
access to SECRET RD information (refer to the guidance in item
number 7 above).
21. RESTRICTED DATA - CLASSIFICATION, PARAGRAPH 9-106
QUESTION/STATEMENT OF PROBLEM: What guidance should
be followed concerning the derivative classification of materials
containing RD?
ANSWER/GUIDANCE: DoD contractors should continue
to follow the classification guidance provided with their User
Agency contracts.
22. VERIFICATION OF FACILITY CLEARANCE AND SAFEGUARDING,
APPENDIX A
QUESTION/STATEMENT OF PROBLEM: Is the telephone number
for the Central Verification Activity (CVA) listed on page A-5
of the NISPOM correct?
ANSWER/GUIDANCE: No, the correct telephone number
for the CVA is (410) 631-0690/0691/0695/0697. Until this error
is corrected, it is recommended that a pen and ink change be made to
this page.
23. OTHER INDUSTRIAL SECURITY ADDRESSES, APPENDIX
A
QUESTION/STATEMENT OF PROBLEM?: Has the address and
telephone number listed for OISI-CASA on page A-5 of the NISPOM
been changed?
ANSWER/GUIDANCE: Yes, the correct address and telephone
number for OISI-CASA is:
OISI-CASA
DIS, Industrial Security FO (S41ME)
1600 Sarno Road, Suite 201
Melbourne, FL 32935-4992
COMM: (407)255-5185
FAX: (407)255-5192
Until this error is corrected, it is recommended
that a pen and ink change be made to this page.
24. INDUSTRIAL SECURITY BULLETIN BOARD
QUESTION/STATEMENT OF PROBLEM?: What is the Industrial
Security Bulletin Board and how can it be accessed?
ANSWER/GUIDANCE: The Defense Investigative Service
has set up an electronic bulletin board to provide timely distribution
of information relating to the National Industrial Security
Program. The bulletin board has the current NISPOM, interpretations,
meeting announcements, computer security information and
a place for you to place your questions and concerns. Future revisions/changes
to the NISPOM will also be posted. The bulletin board is
available to the entire industrial security community and is easily
accessed via telnet or direct dial. All you need is a computer and a
modem to gain access to the latest industrial security information.
A convenient one-page User's Guide appears at the
end of this ISL and can be detached for easy reference.
GREGORY A. GWASH
Deputy Director
(Industrial Security)