National Industrial Security Program
The National Industrial Security Program, or NISP, is the nominal authority (in the United States) for managing the needs of private industry to access classified information.
The NISP was established in 1993 by Executive Order 12829.[1] The National Security Council nominally sets policy for the NISP, while the Director of the Information Security Oversight Office is nominally the authority for implementation. Under the ISOO, the Secretary of Defense is nominally the Executive Agent, but the NISP recognizes four different Cognizant Security Agencies, all of which have equal authority: the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission.[2]
NISP Operating Manual (DoD 5220.22-M)
A major component of the NISP is the NISP Operating Manual, also called NISPOM, or DoD 5220.22-M.[3] The NISPOM establishes the standard procedures and requirements that all government contractors must follow with regard to classified information. As of 2010, the current NISPOM edition is dated 28 Feb 2006. Chapters and selected sections of this edition are:
- Chapter 1 - General Provisions and Requirements
- Chapter 2 - Security Clearances
  - Section 1 - Facility Clearances
  - Section 2 - Personnel Security Clearances
  - Section 3 - Foreign Ownership, Control, or Influence (FOCI)
- Chapter 3 - Security Training and Briefings
- Chapter 4 - Classification and Marking
- Chapter 5 - Safeguarding Classified Information
- Chapter 6 - Visits and Meetings
- Chapter 7 - Subcontracting
- Chapter 8 - Information System Security
- Chapter 9 - Special Requirements
  - Section 1 - RD and FRD
  - Section 2 - DoD Critical Nuclear Weapon Design Information (CNWDI)
  - Section 3 - Intelligence Information
  - Section 4 - Communication Security (COMSEC)
- Chapter 10 - International Security Requirements
- Chapter 11 - Miscellaneous Information
  - Section 1 - TEMPEST
  - Section 2 - Defense Technical Information Center (DTIC)
  - Section 3 - Independent Research and Development (IR&D) Efforts
- Appendices
Data sanitization
DoD 5220.22-M is sometimes cited as a standard for sanitization to counter data remanence. The NISPOM actually covers the entire field of government-industrial security, of which data sanitization is a very small part (about two paragraphs in a 141-page document).[4] Furthermore, the NISPOM does not specify any particular sanitization method; standards for sanitization are left to the Cognizant Security Authority. The Defense Security Service provides a Clearing and Sanitization Matrix (C&SM), which does specify methods.[5] As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable.
Unrelated to the NISP or NISPOM, NIST also publishes a data sanitization standard, which includes specific methods.[6]
Revised Information
The above information is out of date. The currently correct document is the ISFO Process Manual V3, dated 14 June 2011. This document is available by request only and is not directly available online. It has gone through many revisions and name changes, and it is currently slated to be updated twice a year.
The new version's section on disk sanitization has been greatly rewritten.
Chapters and selected sections of the new edition are:
- 1 Preface
- 2 Introduction
- 3 Purpose
- 4 Introduction of NIST 800-53 Controls
- 5 SECURITY CONTROLS
- 5.1 MANAGEMENT CONTROLS
- 5.1.1 SECURITY PLANNING (PL)
- 5.1.1.1 Roles and Responsibilities
- 5.1.1.1.1 Office of the Designated Approving Authority (ODAA)
- 5.1.1.1.2 Information System Security Professional (ISSP)
- 5.1.1.1.3 Information Systems Security Manager (ISSM)
- 5.1.1.1.4 ISSMs for Multiple Facility Organizations (MFO)
- 5.1.1.1.5 Information System Security Officer (ISSO)
- 5.1.1.1.6 Network ISSO
- 5.1.1.1.7 Users of Information Systems (IS)
- 5.1.1.2 Information System (IS) Types
- 5.1.1.2.1 Multiuser Standalone (MUSA)
- 5.1.1.2.2 Local Area Networks (LAN)
- 5.1.1.2.3 Interconnected System/Wide Area Network (WAN)
- 5.1.1.2.4 Virtualization
- 5.1.1.2.5 Special Categories
- 5.1.1.2.5.1 Single-User, Standalone Systems (SUSA)
- 5.1.1.2.5.2 Periods Processing
- 5.1.1.2.5.3 Pure Servers
- 5.1.1.2.5.4 Test Equipment
- 5.1.1.2.5.5 Special Purpose, Tactical, Embedded Systems
- 5.1.1.2.5.6 Copiers
- 5.1.2 SECURITY ASSESSMENT AND AUTHORIZATION (CA)
- 5.1.2.1 Types of Security Plans
- 5.1.2.1.1 System Security Plan (SSP)
- 5.1.2.1.2 Master System Security Plan (MSSP)
- 5.1.2.2 Information System Connections
- 5.1.2.2.1 Network Security Plans (NSP)
- 5.1.2.2.1.1 Memorandum of Understanding (MOU)/Interconnected Systems Agreement (ISA)
- 5.1.2.2.1.1.1 MOU Requirements
- 5.1.2.2.1.1.2 MOU Content
- 5.1.2.2.1.1.3 MOU Sample
- 5.1.2.2.1.2 Defense Information Systems Network (DISN) Connections
- 5.1.2.2.2 International System Security Plans
- 5.1.2.3 Types of Networks
- 5.1.2.3.1 Unified Networks
- 5.1.2.3.2 Interconnected Networks
- 5.1.2.3.3 Network Security Plans (NSP)
- 5.1.2.4 Plan of Action & Milestone (POA&M)
- 5.1.2.4.1 Plan of Action and Milestone Template (POA&M)
- 5.1.3 CONFIGURATION MANAGEMENT (CM)
- 5.1.3.1 Configuration Management Process
- 5.1.4 PROGRAM MANAGEMENT (PM)
- 5.1.5 RISK ASSESSMENT (RA)
- 5.1.5.1 Risk Assessment Requirements
- 5.1.5.2 Enhanced Controls
- 5.1.6 SYSTEM AND SERVICES ACQUISITION (SA)
- 5.1.6.1 Certification and Accreditation (C&A)
- 5.1.6.1.1 C&A Life Cycle
- 5.1.6.1.2 C&A Process
- 5.1.6.1.2.1 Certification
- 5.1.6.1.2.2 Review
- 5.1.6.1.2.3 Accreditation
- 5.1.6.1.2.4 Verification
- 5.1.6.2 Software Protections
- 5.2 OPERATIONAL CONTROLS
- 5.2.1 AWARENESS AND TRAINING (AT)
- 5.2.1.1 Security Education
- 5.2.1.2 Cleared Contractor Training
- 5.2.2 CONTINGENCY PLANNING (CP)
- 5.2.2.1 Contingency Planning
- 5.2.2.2 System Recovery and Assurances
- 5.2.3 INCIDENT RESPONSE (IR)
- 5.2.3.1 Classified Spills
- 5.2.3.1.1 Incident Response Plan
- 5.2.3.1.2 Sanitizing and Declassifying
- 5.2.3.1.3 Classified Spill Cleanup Procedures
- 5.2.3.1.4 Wiping Utility
- 5.2.3.1.5 DSS-Approved Classified Spill Cleanup Plan
- 5.2.3.1.6 Contamination Cleanup Procedures
- 5.2.4 MAINTENANCE (MA)
- 5.2.4.1 Maintenance
- 5.2.4.2 Cleared Maintenance Personnel
- 5.2.4.3 Uncleared (or Lower-Cleared) Maintenance Personnel
- 5.2.4.4 Remote Maintenance
- 5.2.5 MEDIA PROTECTION (MP)
- 5.2.5.1 Media Protection
- 5.2.5.2 Hardware Marking
- 5.2.5.3 Trusted Download
- 5.2.5.3.1 Trusted Download Procedures
- 5.2.5.3.1.1 DSS Authorized File Type/Formats
- 5.2.5.3.1.2 DSS File Transfer Procedures
- 5.2.5.3.1.3 DSS Authorized Procedure (Windows-Based)
- 5.2.5.3.1.4 DSS Authorized Procedure (Unix)
- 5.2.5.3.1.5 Alternate Trusted Download Risk Acceptance Letter (RAL) Example
- 5.2.5.4 Mobile Systems
- 5.2.5.4.1 Mobile Processing Procedures
- 5.2.5.5 Clearing and Sanitization
- 5.2.5.5.1 Clearing
- 5.2.5.5.2 Sanitizing
- 5.2.5.5.3 Magnetic Tape
- 5.2.5.5.4 Organization Destruction Options
- 5.2.5.5.5 DSS Clearing and Sanitization Matrix
- 5.2.6 PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)
- 5.2.6.1 Physical Security (8-308, 5-306, 5-308, 6-104)
- 5.2.6.2 Hardware and Software Protection
- 5.2.6.3 Protected Distribution System (PDS)
- 5.2.6.4 Emergency Procedures (5-104)
- 5.2.6.5 TEMPEST (11-100)
- 5.2.7 PERSONNEL SECURITY (PS)
- 5.2.7.1 Personnel Security Clearance Verification
- 5.2.7.2 Personnel Sanctions
- 5.2.8 SYSTEM AND INFORMATION INTEGRITY (SI)
- 5.2.8.1 Flaw Remediation
- 5.2.8.2 Unclassified Software Review
- 5.2.8.3 Antivirus
- 5.3 TECHNICAL CONTROLS
- 5.3.1 ACCESS CONTROL (AC)
- 5.3.1.1 Access Control
- 5.3.1.2 Separation of Function
- 5.3.1.3 Logon Banner
- 5.3.1.4 Session Controls
- 5.3.1.4.1 Successive Login Attempt Controls
- 5.3.1.4.2 User Inactivity
- 5.3.1.4.3 Logon Notification (PL-2/PL-3)
- 5.3.1.5 USB Devices and Ports
- 5.3.1.6 Radio Frequency ID (RFID) Tags
- 5.3.1.7 Secure Wireless LANs (S-WLAN)
- 5.3.1.8 Foreign Ownership, Control & Influence (FOCI)
- 5.3.2 AUDIT AND ACCOUNTABILITY (AU)
- 5.3.2.1 Audit Requirements
- 5.3.2.2 Security Seals
- 5.3.3 IDENTIFICATION AND AUTHENTICATION (IA)
- 5.3.3.1 Identification and Authentication Management
- 5.3.3.2 Generic or Group Accounts (8-505)
- 5.3.3.3 Password Policy
- 5.3.3.4 BIOS Password
- 5.3.4 SYSTEM AND COMMUNICATIONS PROTECTION (SC)
- 5.3.4.1 Data Transmission Protection
- 5.3.4.2 Network Management and Protections
- 5.3.4.2.1 Controlled Interfaces
- 5.3.4.3 Classified Voice over IP (VOIP)/Video Teleconferencing (VTC)
- 5.3.4.4 Thin Client Systems
- 5.3.4.5 Masking/Coding/Disassociation
- 6 System Security Plan Submission Process
- 6.1 Variances
- 7 Defense Industrial Base Cyber Security Accreditation Process (DIBNET)
- 8 Reference List
- 9 Glossary
References
- [1] "Executive Order 12829". FAS website. http://www.fas.org/irp/offdocs/eo12829.htm. Retrieved 2007-04-01.
- [2] "NISP Brochure" (PDF, 59 KB). DSS. Archived from the original on 2006-04-20. http://web.archive.org/web/20060420050102/http://www.dss.mil/isec/nispbrochure.pdf. Retrieved 2007-04-01.
- [3] "Download NISPOM". DSS. http://www.dss.mil/isp/fac_clear/download_nispom.html. Retrieved 2010-11-10.
- [4] DoD (2006-02-28). "National Industrial Security Program Operating Manual (NISPOM)" (PDF, 1.92 MB). DSS. pp. 8–3-1. https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/nispom2006-5220.pdf#page=75. Retrieved 2008-11-13.
- [5] "DSS Clearing & Sanitization Matrix" (PDF, 98 KB). DSS. 2007-06-28. http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf. Retrieved 2011-04-26.
- [6] "Special Publication 800-88: Guidelines for Media Sanitization" (PDF, 542 KB). NIST. September 2006. http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf. Retrieved 2007-12-08.
Wikimedia Foundation. 2010.