Monday, July 29, 2013

Security through the NISPOM

The National Industrial Security Program (NISP) was established by Executive Order 12829 on January 6, 1993, to safeguard, in a cost-effective and efficient manner, classified information held by contractors, licensees, and grantees of the U.S. Government. The DoD, DoE, NRC and CIA all adhere to the NISP. The National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M) prescribes the requirements, restrictions and other safeguards that are necessary to prevent unauthorized, as well as control the authorized, disclosure of classified information released to contractors by U.S. Government Executive Branch Departments and Agencies. Industrial Security Letters (ISL) are binding NISPOM addendums issued between NISPOM publications. The Defense Security Service (DSS) is the office delegated to administer industrial security in a contractor’s facility on behalf of the contracting service agency. Its objectives are to foster greater security awareness in response to the potential threat to the facility and to ensure that the security measures imposed are rational, appropriate and cost-effective.

To be eligible for receipt of a ‘classified contract’, the Contractor must first implement Facility Clearance (FCL) risk-management principles, security controls, personnel clearances (vetting) and supporting written ‘standard practice procedures’, as well as pass a site inspection conducted by the DSS. Where appropriate, the Contractor must also comply with Foreign Ownership Control and Influence (FOCI) mitigation measures, as well as establish procedures to ensure compliance with U.S. export control laws before executing any agreement with a foreign interest that involves access to classified information by a foreign national. (Please see the DMG Briefing Notes on FCL and FOCI.) Further, NISPOM 1-304 requires that contractors establish and enforce policies that provide for appropriate administrative actions taken against employees who violate NISPOM requirements.

Implementing the NISPOM

Due to the immense risks posed to companies and employees for violating the NISP, it is important that companies doing business in the U.S. and engaging with foreign entities create, implement, and maintain physical controls and security procedures compliant with the NISPOM. Accomplishing this alone and without experience is a daunting task. Some help can be had from your sponsor and the Government agencies responsible for ensuring compliance, but when you need an extra boost, DMG is here and ready.
