NISPOM.US

SETA Flash, July 19, 2010 - THE DSS ACADEMY ANNOUNCES RELEASE OF THE NEW SPECIAL ACCESS PROGRAM (SAP) OVERVIEW COURSE, SA001.16

Tue, 20 Jul 2010 14:22:38 -0000

SETA Flash, July 19, 2010

The DSS Academy announces the release of the Special Access Program Overview Course and Final Examination (SA001.16/SA001.06). This 1.5 hour online training will provide students with an overview of the Department of Defense (DoD) Special Access Program (SAP) environment, including its history, purpose, life cycle, approval process, and roles and responsibilities. Once the course is successfully completed, students will be instructed to register for the final examination, which takes approximately 1 hour to complete. A passing score for the final examination is 80 percent.

Registration for this course is through the ENROL Web site at https://enrol.dss.mil/enrol/lang-default/SYS_login.asp.

If you have any questions, send an e-mail to SAPSecurity.Training@dss.mil.

NISPOM 5-511 Requirements re Public Release of Info on Classified Contracts

Mon, 19 Jul 2010 21:35:36 -0000

In light of the Washington Post commencement of publication of a series of articles on classified and security agencies and contractors, and DSS admonition, via a release from Kathleen Watson dated July 16, 2010 that "Publication is expected starting on or about July 19, 2010, with additional articles published thereafter. We anticipate the article series and website will generate follow-on national media interest, as well as media interest in the local cleared companies.
If approached by any media outlets regarding these articles or website, please be mindful of the public release provisions stated in Block 12 of the Contract Security Classification
Specification (DD Form 254) issued with each of your contracts that involve access to classified information. Any public release of information regarding classified contracts
requires review by and approval of your Government Contracting Activity, except as authorized by Paragraph 5-511 of the National Industrial Security Program Operating
Manual (NISPOM), DoD 5220.22-M. Should your management or public affairs offices be contacted by the media, if
appropriate, you may refer media inquiries to Office of the Assistant Secretary of Defense for Public Affairs at 703-697-5131."

To make the requirements of this NISPOM provision readily available to readers, NISPOM.US is providing the following reprint of the pertinant guidance from the NISPOM provisions cited in the DSS release:

5-511. Disclosure to the Public. Contractors shall not disclose classified or unclassified information pertaining to a classified contract to the public without prior review and clearance as specified in the Contract Security Classification Specification for the contract or as otherwise specified by the GCA.

a. Requests for approval shall be submitted through the activity specified in the GCA-provided classification guidance for the contract involved. Each request shall indicate the approximate date the contractor intends to release the information for public disclosure and identify the media to be used for the initial release. A copy of each approved request for release shall be retained for a period of one inspection cycle for review by the CSA. All information developed subsequent to the initial approval shall also be cleared by the appropriate office prior to public disclosure.

b. The following information need not be submitted for approval unless specifically prohibited by the GCA:
(1) The fact that a contract has been received, including the subject matter of the contract and/or type of item in general terms provided the name or description of the subject matter is not classified.
(2) The method or type of contract; such as, bid, negotiated, or letter.
(3) Total dollar amount of the contract unless that information equates to (a) a level of effort in a sensitive research area, or (b) quantities of stocks of certain weapons and equipment that are classified.
(4) Whether the contract will require the hiring or termination of employees.
(5) Other information that from time-to-time may be authorized on a case-by-case basis in a specific agreement with the contractor.
(6) Information previously officially approved for public disclosure.

c. The procedures of this paragraph also apply to information pertaining to classified contracts intended for use in unclassified brochures, promotional sales literature, reports to stockholders, or similar material.

d. Information that has been declassified is not automatically authorized for public disclosure. Contractors shall request approval for public disclosure of "declassified" information in accordance with the procedures of this paragraph.

DSS conducting telephonic outreach to small cleared companies

Mon, 19 Jul 2010 21:06:59 -0000

(7/16/10) DSS conducting telephonic outreach to small cleared companies:
DSS has announced via a website release that it is currently conducting telephonic outreach to a number of small cleared contractors in order to update DSS facility files. If your facility receives a call, please respond to the questions with as much information and detail as possible. If you have questions or wish to verify the identity of the caller, please contact DSS at 703-325-5483.

DCII transition from DSS to DMDC

Mon, 19 Jul 2010 21:05:21 -0000

(07/19/10) DCII transition from DSS to DMDC

On Feb. 2, 2010, a Memorandum of Agreement was signed that detailed actions to be taken to transfer DoD enterprise personnel security IT systems from the Defense Security Service (DSS) to the Defense Manpower Data Center (DMDC). This transfer was directed by Gordon England, then Deputy Secretary of Defense on January 15, 2009. The IT systems to be transferred include the Joint Personnel Adjudication System (JPAS), the Defense Central Index of Investigations (DCII), the Secure Web Fingerprint Transmission (SWFT), and the improved Investigative Records Repository (iIRR). To date, JPAS, SWFT, and the iIRR have been transferred to DMDC.

The Defense Central Index of Investigations (DCII) is an automated central index that identifies investigations conducted by Department of Defense investigative agencies. DCII is operated and maintained on behalf of the DoD components and office of the Deputy Under Secretary of Defense for HUMINT, Counterintelligence and Security.
Effective July 26, 2010, the program management and operational control of DCII will be transferred from DSS to DMDC. DSS and DMDC are making every effort to make the transition as seamless and transparent to the users as possible, and will initially provide joint support to DCII customers.

For customer service, please continue to contact the DoD Security Services Center at 1-888-282-7682 or via e-mail address occ.cust.serv@dss.mil.
Additional notices will be posted on the DSS and DMDC websites as needed.

DSS issues Press Advisory to Cleared Companies

Mon, 19 Jul 2010 21:03:49 -0000

07/16/2010

Defense Security Service (DSS) Notice to Cleared Companies

Subject: Potential Disclosure of Contract Information

Early next week, we expect the Washington Post to publish articles and an interactive website that will likely identify government agencies and contractors allegedly
conducting Top Secret work. The website is expected to enable users to see the relationships between the federal government and its contractors, describe the type of
work the contractors perform, and may identify many government and contractor facility locations.

Publication is expected starting on or about July 19, 2010, with additional articles published thereafter. We anticipate the article series and website will generate follow-on
national media interest, as well as media interest in the local cleared companies.

If approached by any media outlets regarding these articles or website, please be mindful of the public release provisions stated in Block 12 of the Contract Security Classification
Specification (DD Form 254) issued with each of your contracts that involve access to classified information. Any public release of information regarding classified contracts
requires review by and approval of your Government Contracting Activity, except as authorized by Paragraph 5-511 of the National Industrial Security Program Operating
Manual (NISPOM), DoD 5220.22-M.

Should your management or public affairs offices be contacted by the media, if appropriate, you may refer media inquiries to Office of the Assistant Secretary of Defense for Public Affairs at 703-697-5131.

We recognize that this information can be put to legitimate use. However, without a doubt, foreign intelligence services, terrorist organizations, and criminal elements will also have interest in this kind of information. It is important that companies continually review their overall security posture to ensure that it meets required standards. We recommend that companies affected by this publication and website assess, and take steps to mitigate, risk to their workforce, facility and operations. These steps should include reinforcement of security and counterintelligence (CI) protections, and a dedicated effort to enhance workforce awareness of threats. This is also a good opportunity to review the contents of your website to ensure that it does not contain information for which you should have received prior release approval. Security and CI events related to the publication of these articles and website should be reported through normal company channels to your Facility Security Officer and DSS Industrial Security Representative.

If you have any questions, requests for specific guidance, and/or want to report any unusual activity, please don’t hesitate to have your Facility Security Officer work with
the local DSS Industrial Security representative. DSS is committed to working with companies to safeguard classified information.

Kathy Watson
Director

Fact Sheet for National Strategy for Trusted Identities in Cyberspace

Tue, 13 Jul 2010 14:23:49 -0000

The White House
Office of the Press Secretary

For Immediate Release June 25, 2010
Fact Sheet for National Strategy for Trusted Identities in Cyberspace

Today, June 25th, the draft National Strategy for Trusted Identities in Cyberspace is being released for public comment and input. Key facts and concepts about the strategy are provided below. For the report and blog post from the President’s Cybersecurity Coordinator, Howard Schmidt please visit http://www.whitehouse.gov/blog/.

. Impetus

• One of the near term action items of the President’s Cyberspace Policy Review is to develop a “cybersecurity-focused identity management vision and strategy.” The National Strategy for Trusted Identities in Cyberspace (NSTIC) answers that requirement.

• The need for such a strategy is due to the rising tide of identity theft, online fraud and cyber intrusions, the proliferation of usernames and passwords that individuals must remember, and the need to deliver online services more securely and efficiently.

II. Development Process

• The National Security Staff (NSS) has led an interagency writing team to develop the draft strategy through a very transparent, open, and collaborative process.

• The writing team has engaged with approximately 70 industry advisory councils and associations to collect input on drafts of the strategy. These stakeholder groups represent various communities, including privacy, state and local government, healthcare, and the financial sector. Nearly 4000 comments from industry and government have been collected and adjudicated.

• The current final draft is posted on www.nstic.ideascale.com for public review and input. The Department of Homeland Security is supporting the NSS in this public review period and is providing NSS with the use of an Open Government tool called IdeaScale to collect and prioritize comments. The document will be posted for a three week period (closing July 19th).

• NSS is aiming to finalize the document (including Presidential signature) in October 2010 to coincide with National Cybersecurity Awareness Month.

III. Scope

• The strategy is focused on improving our ability to identify and authenticate the organizations, individuals, and underlying infrastructure (e.g., routers, servers, desktops, mobile devices, software, data, etc.) involved in an online transaction.

• Online transactions can include everything from accessing electronic health records, to online banking, to making a purchase online, to sending an email.

• There are many ways to do this identification and authentication, ranging from less secure user names and passwords to more secure Public Key Infrastructure (or PKI).

IV. Organization

• The Strategy contains an introduction, a vision, guiding principles, goals and objectives, and a call to action.
• Accompanying the Strategy will be an implementation plan that lays out specific recommendations that align to the goals in the strategy. These recommendations call for development of new standards, new pilots, new grants, new programs, and new offices. The recommendations are where the rubber meets the road, and where we will be driving real change in our effort to build this identity ecosystem.

V. Goals of the Strategy

• We want to create an environment, or an Identity Ecosystem as we refer to it in the Strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on.

• End users in this Identity Ecosystem should be able to use strong (e.g., multifactor), interoperable credentials to authenticate themselves online for a variety of different transactions.

• In order to get to this future world the draft strategy lays out four goals. They are:

1. Design the Identity Ecosystem. This includes working with industry to develop and identify the standards and policies that govern the identity ecosystem. It also includes addressing legal issues in the Identity Ecosystem such as defining liability caps for identity providers.

2. Build the Identity Ecosystem infrastructure. This includes working with industry and state and local government to deploy strong, interoperable identity solutions. It also includes reinvigorating government efforts to encourage the deployment of device and object relative authentication protocols such as Domain Name Security (DNSSEC), Internet Protocol Security (IPSEC), and Border Gateway Protocol Security (BGPSEC).

3. Strengthen privacy protections for end users and increase awareness of risks. This includes formally adopting (perhaps through new laws) enhanced privacy protections for individuals in the Identity Ecosystem. For example, we are considering requiring identity providers to abide by the Fair Information Practice Principles. This goal also includes working with the interagency working group that has been established to create a national awareness campaign for cybersecurity and ensure that trusted identities messaging is included in that campaign.

4. Manage the Identity Ecosystem. This includes establishing the proper structures within government, including a program office to oversee implementation of the strategy and an industry advisory council, to ensure the long term success of the identity ecosystem. It also includes enhanced government participation in various international fora, including policy bodies and standards organizations.

To Comment on the report please visit http://www.nstic.ideascale.com.

The National Strategy for Trusted Identities in Cyberspace

Tue, 13 Jul 2010 14:21:49 -0000

The White House Blog
The National Strategy for Trusted Identities in Cyberspace
Posted by Howard A. Schmidt on June 25, 2010 at 02:00 PM EDT
Cyberspace has become an indispensible component of everyday life for all Americans. We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure. It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth. Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much -- has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

The Department of Homeland Security (DHS), a key partner in the development of the strategy, has posted the draft NSTIC at www.nstic.ideascale.com. Over the next three weeks (through July 19th), DHS will be collecting comments from any interested members of the general public on the strategy. I encourage you to go to this website, submit an idea for the strategy, comment on someone else’s idea, or vote on an idea. Your input is valuable to the ultimate success of this document. The NSTIC will be finalized later this fall.

Thank you for your input!

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

(06/30/10) ISFO Process Manual Update

Thu, 01 Jul 2010 14:42:40 -0000

Change in the Spill Overwrite Requirement Listed in Appendix S of the ISFO Process Manual, dated March 2010 – Effective immediately, sanitization of media will be complete when three overwrite cycles have been completed. Currently, the ISFO Process Manual states in Appendix S-2 #4 that the wiping utility “Must be able to sanitize by overwriting with a pattern, and then its complement, and finally with another unclassified pattern (e.g., “00110101” followed by “11001010” and then followed by “10010111” [considered three cycles]). Sanitization is not complete until six passes of the three cycles are successfully completed.” DSS is updating the ISFO Process Manual stating that “Sanitization is not complete until the three cycles (overwrites) are successfully completed.” If the process is not successful, the hard drive must be destroyed. DSS will incorporate this change in the next release of the ISFO Process Manual.

(6/28/10) NEW!!!! Electronic Communications Plan (ECP) Released

Thu, 01 Jul 2010 14:39:04 -0000

The Defense Security Service is pleased to release an Electronic Communications Plan (ECP) template for use by facilities cleared under the National Industrial Security Program (NISP). This new product supports the National Industrial Security Program Manual (NISPOM) and provides tools to mitigate Foreign Ownership Control or Influence. The ECP template will assist Industry with developing appropriate security countermeasures to effectively monitor electronic communications and ensure that unclassified systems/networks are protected from FOCI.

Effective immediately, those companies that are in the FOCI mitigation process and will require an ECP, must comply with the requirements of the new template within 45 days of the execution of the FOCI mitigation agreement.

Effective September 1, 2010, companies under existing FOCI mitigation agreements that require an ECP are required to be compliant with the new ECP template by the date of their next annual DSS security inspection. Companies that require assistance regarding the ECP template or its implementation should contact their Industrial Security Representative.

The above requirements apply to FOCI signatory facilities that require an Electronic Communications Plan. Branch or division locations and Subsidiary entities which fall under a FOCI signatory requiring an ECP will have 45 days from the date of the signatory facility's ECP approval to submit their site-specific ECP to their local Industrial Security Representative. A copy of the "DSS ELECTRONIC COMMUNICATIONS PLAN TEMPLATE" is available in the downlioads area of this website.

SETA Flash - June 25, 2010

Fri, 25 Jun 2010 13:32:27 -0000

SEATS AVAILABLE FOR THE "GETTING STARTED SEMINAR FOR NEW FSOs," ON 24 AUGUST, IN HUNTSVILLE, ALABAMA.

Seats are now available for the upcoming seminar for "Getting Started Seminar for New Facility Security Officers (FSOs)." The seminar is scheduled for August 24, 2010, in Huntsville, Alabama.

This seminar provides new FSOs with an opportunity to discuss fundamental National Industrial Security Program (NISP) requirements in a collaborative classroom environment and develop a network of professional associates. Topics are based on material presented in the prerequisite course, -FSO Role in the NISP- (IS021.16).

The seminar is structured for basic levels of achievement that will enable participants to perform the functions of an FSO. The course pertains to industrial security (protection of classified Defense information within industry) and provides an opportunity for discussion of the security requirements and internal security controls as set forth in DoD 5220.22-M as well as an understanding of the day-to-day operation of a security program at a cleared facility.

Topics include developing professional relationships, knowing what to report to whom and how to make those reports, conducting self-inspections, maintaining records that support a security program, counterintelligence (CI) and threat awareness, and developing an effective security training and awareness program. The target audience for this seminar is new FSOs at facilities cleared in NISP. The seminar is also suitable for security staff members from cleared facilities and anyone else interested in the duties of an FSO. Before registering for the seminar, participants must have successfully completed the online -FSO Role in the NISP- course.

To register for the course, go to https://enrol.dss.mil/enrol/lang-en/SYS_login.asp. Mr. Keith Owens, the Course Manager, can be reached for questions at 410-865-3460 or IndustrialSecurity.training@dss.mil.

The scheduled day and location for the seminar is as follows:

Aug. 24, 2010
Dynetics Corporation
1002 Explorer Blvd
Huntsville, Al 35806

GOT JPAS?

So you think you know the Joint Personnel Adjudication System (JPAS)? Well, the instructors at DSS Academy have put together a little quiz to test your knowledge and provide you with a little fun. There are only 10 questions. Click on the link below to start the quiz.

https://enrol.dss.mil/courseware/quizzes/jpas/1/

CONTACT INFORMATION

General Security - GeneralSecurity.Training@dss.mil

Industrial Security - IndustrialSecurity.Training@dss.mil

Personnel Security - PersonnelSecurity.Training@dss.mil

Information Security - InformationSecurity.Training@dss.mil

Special Access Program (SAP) Security - SAPSecurity.Training@dss.mil

Physical Security - PhysicalSecurity.Training@dss.mil

JPAS training inquiries - JPAS.Training@dss.mil

Resource Tool comments and suggestions - resource.tool@dss.mil

General Academy questions - DSS.Academy@dss.mil

ENROL or registration questions - DSSA.Registrar.support@dss.mil

Technical problems or system error messages - DSSA.Enrol.support@dss.mil