Industry Questions at the October 2011 Aerospace Industries Association Meeting in Orlando, Florida

  1. How are employees with overdue Periodic Reinvestigations (PRs) selected for the 30-day notice of eligibility termination? What code is entered into record – termination or loss of jurisdiction?

    Defense Industrial Security Clearance Office (DISCO) will request an e-QIP via the Joint Personnel Adjudicative System (JPAS) for all cleared contractor personnel when a PR is overdue. If the e-QIP is not received within 30 days of the request, DISCO will enter "Loss of Jurisdiction" in JPAS. For additional information, please refer to the frequently asked question "What happens when the requests for periodic reinvestigations (PRs) are not submitted within required time frames?".

  2. What is your guidance relating to an IS Rep prefacing his/her assessment with “I don't give anything but satisfactory.”

    DSS assigns security ratings based on the new “Ratings Matrix” implemented in 2011. Ratings are based on quantifiable point values. Any questions or concerns regarding security ratings should be referred to the Field Office Chief if the issue cannot be resolved with the IS Rep.

  3. Is there a mechanism to determine / find out if an IS Rep has previously submitted Cogswell Award nominations?

    No. To ensure that all eligible companies are equally considered for the award, DSS identifies all facilities with two consecutive Superior ratings. Field Office Chiefs must explain to their Regional Director why an eligible facility is not nominated. Once a facility is nominated, DSS uses a robust evaluation process, to include vetting each nominee with over 30 government agencies to determine the awardees.

  4. If not prohibited by a Department of Defense Form 254 (DD 254), what are the guidelines to permit data sharing across Wide Area Networks (WANs), Local Area Networks (LANs), and multi-user standalones? What is the difference between co-mingling and data sharing?

    NISPOM 5-505, 5-506, and 5-509 provide guidance for data sharing and disclosure to DoD Activities, other Federal Agencies, and other cleared contractors regardless of the transportation mechanism (network, CD/DVD, etc.). As for co-mingling and data sharing, the process of storing different program data on a hard drive may introduce additional security protection measures. Examples of co-mingling data are the storing of information with additional security requirements: NATO, COMSEC, FGI, or other program data. Data sharing is the releasing of data to an external system/program.

  5. This week I was told that a wholly owned subsidiary does not fall under the Multiple Facility Organization (MFO) umbrella and that DD 254's must be written for them to work on classified contracts. Why?

    In accordance with NISPOM paragraph 5-503, disclosure of classified information between a parent and its subsidiaries, or between subsidiaries, is accomplished in the same manner as disclosure between a prime contractor and a subcontractor (5-502). Industrial Security Letter (ISL) 2011-03 reinforces the need for a contractual relationship between the parent and the subsidiary, and the need to provide appropriate classification guidance. Appropriate classification guidance for the classified information to be disclosed must be conveyed with the agreement or procurement action in the form of a Contract Security Classification Specification (DD Form 254), a security classification guide provided by the Government Contracting Activity (GCA), or other written security classification guidance.

  6. Can we get guidelines on Security-in-depth (SID) requirements? What are the requirements? It is hard to do a cost benefit analysis when there is subjectivity and different interpretations between sites.

    Security-in-depth is defined in the NISPOM as a determination made by the Cognizant Security Agency (CSA) that a contractor's security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility.

    There is no common template that can be applied for SID since an assessment of safeguards in place and the local threat must be considered in its application of measures and approval. Approval of SID is determined for each specific area and should include the following:

    • The contractor has documented the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or the specified portion of the facility where open storage is approved.
    • During self-inspections, the contractor must review the effectiveness of these controls and report any changes affecting those controls to DSS.
    • At a minimum, the contractor has considered the following elements in their security-in-depth assessment:
      • Perimeter controls
      • Badge systems when the size of the population of the facility renders personal recognition impracticable
      • Controlled access to sections of the facility where classified work is performed
      • Access control devices when circumstances warrant
      • Additional elements as determined by DSS

  7. Do you have any foreign contact obligation bound by affection, influence, common interests, etc. in the last seven years? How do Senior Executives at global companies answer this question without reporting numerous contacts? Is there a logical and reasonable approach to this question?

    All subjects should list foreign contacts with whom they have close or continuing contact, or are bound by affection, influence, and/or obligation. The requirements for completing information on the SF 86 are the same for all individuals seeking a personnel security clearance.

  8. Please clarify the difference between a security violation and a NISPOM noncompliance. For example, if an employee fails to secure the approved locking device on a closed area, but the electronic access device shows that no one entered the area, should a violation be issued?

    In accordance with the NISPOM, a security violation is the failure to comply with the established policy and procedures that could reasonably result in the loss, compromise, or suspected compromise of classified information, whereas noncompliance is the failure to employ a requirement of the NISPOM. While noncompliance may lead to a security violation, not all acts of noncompliance may cause loss, compromise, or suspected compromise of classified material. In regard to security violations, determining what is “reasonable” is the key to understanding what constitutes a security violation. One method to determine reasonability is to examine the event or issue of noncompliance and determine if it warrants a further inquiry to determine whether there was a loss, compromise, or suspected compromise of classified information. If so, then this is most likely a preliminary inquiry to a security violation, and the event in question should be handled and processed as a violation.

  9. Does DSS have any insight into increasing education and training for our government counterparts, specifically government program managers on platform/program threat assessments to assist in the identification of critical program information to develop Information Assurance, Anti-tamper, Program Protection plans, etc., and Contracting Officer Representatives (COR) or Contracting Officer Security Representatives (COSR) on how to write an appropriate DD 254 for the work, and other areas where education and training are required and encouraged for Industry, but seem non-existent in DoD Security?

    The DSS Center for the Development of Security Excellence (CDSE) provides DoD and Industry training and education aimed at improving the professionalization of the security community. In 2011, CDSE recorded 200,046 course completions. DSS also is actively involved in policy discussions with other DoD components resulting in better defined training requirements. Below are specific training courses offered by CDSE and other government training activities on the specific subjects referenced above.

    • DSS Center for Development of Security Excellence (CDSE)
      • DD Form 254
      • Critical Program Information
      • Cyber Security Awareness
      • Security Professional Education Development Program (SPeD)
    • The Defense Acquisition University (DAU)
      • Program Protection Planning
      • Anti-Tamper
      • Threat Assessments
      • Risk Management
      • Defense Trade Controls
    • The Joint Counterintelligence Training Academy (JCITA)
      • CI Support to Research, Development and Acquisition (CIRDA)

  10. The DoD DISAM (Int'l Security) course is a three-day, intensive class that used to be taught over a five-day period. Are there any plans to develop modules or courses that would focus on components of the larger DISAM course?

    DSS does not currently have plans to develop courses focusing on the larger DISAM course.

  11. Department of State (DoS) website guidance to dual citizens who have Israeli citizenship: Must travel to Israel using an Israeli passport. How does DoS guidance influence or impact DoD guidance for cleared personnel? (e.g., if a cleared dual-citizen has surrendered his/her passport to the FSO.)

    Dual citizen cleared personnel cannot exercise their foreign citizenship. Industry is to submit an adverse information report on any cleared employee who uses or requests the return of a relinquished foreign passport.

  12. What is the status of DSS involvement outside the continental United States?

    Currently, DSS is providing industrial security oversight to United States European Command (USEUCOM) and United States Africa Command (USAFRICOM). In addition to supporting the commands with industrial security issues, DSS is also providing support to the cleared contractor communities. In September and December 2011, DSS conducted cleared contractor visitor group assessments at Stuttgart, Germany and Molesworth, United Kingdom. These assessments were a terrific learning experience for both the contractors and DSS. Based on the feedback from the assessments, DSS is hosting quarterly security roundtables to foster a strong working relationship with the overseas contractor community and share the lessons learned from the assessments.

    Future overseas oversight will be dependent on available resources and manpower. DSS will continue to keep the contractor community informed as the overseas mission is further defined. As manpower and resources are unavailable to establish a permanent presence, DSS will continue to provide support to the overseas cleared contractor personnel through TDY support to overseas locations.

  13. Understanding Chapter 10 in the new NISPOM appears to be the most difficult area to develop one policy. What is DSS' current policy/guidance on U.S. persons employed at contractor's site – either in direct support of unclassified DoD information or U.S. person contractor site support personnel?

    The current version of the NISPOM, dated 2006, is still in effect and the provisions of Chapter 10 apply. The second part of the question is not specific enough to provide an answer.

  14. There seems to be a heavy, almost exclusive, reliance on Suspicious Contact Reports (SCRs) to determine/assess the Foreign Intelligence Service (FIS) threat profile against a targeted contractor. Does DSS have plans to ensure a comprehensive Counterintelligence (CI) program that includes more than SCR analysis, and involves other U.S. government agencies including the Federal Bureau of Investigation (FBI), Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), etc.?

    In accordance with DoD Instruction 5200.39, DSS is required to publish an unclassified and classified product detailing suspicious contacts occurring within industry and provide appropriate dissemination of these reports to the DoD CI community, National entities, and the cleared contractor community. DSS accomplishes this requirement by publishing a classified and unclassified version of the annual Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry. DSS has significantly expanded its analytical product line to incorporate all available sources of information. Products such as our Gray Torch (company assessments), Bronze Dragon (program assessments), and Crimson Shield (monthly highlights of significant activity) incorporate information and intelligence derived from all available sources to provide relevant and timely articulation of the threat to partners in cleared industry and the government.

  15. It was mentioned that adverse information reports are to be submitted up to the time a “cleared” employee is terminated from the company. Can you please clarify whether a “cleared” employee is any employee with eligibility vs. in access? If we have removed their current access, but they keep eligibility, are we required to report AI?

    Yes, adverse information concerning employees with eligibility will be reported in accordance with NISPOM Section 1-302a. A cleared employee is any person who is eligible for access to classified information. All adverse information should be reported on a subject who has a valid eligibility; termination from employment or removal of access does not obviate the security manager's responsibility to report.

  16. DSS recently released a new Industrial Security Letter (ISL) regarding adverse information, including garnishments. Our company has received varied instruction from DSS IS Reps on garnishments of cleared employees as adverse information in JPAS. For example, one DSS IS Rep has instructed that all garnishments held by cleared employees must be reported, whereas another DSS IS Rep in another region has instructed that only garnishments that aren't being paid are to be reported. The challenge: the company receives garnishment orders from various sources and they are handled via payroll automatically, so we are looking for clarification on what's to be reported.

    Certain states mandate that various types of payment (for example, child support) be collected via wage garnishment regardless of whether the person responsible for payment is current or in arrears. In such instances, if the contractor employee is not in arrears, the wage garnishment is not reportable. If wage garnishment is directed because the employee failed to meet their financial obligation and is in arrears, the wage garnishment is reportable.

  17. The new ISL addresses incident reporting. Garnishments: do we report when court ordered but not in arrears? The ISL is not clear.

    See previous response above.

  18. Windows XP Updated and WIN7/WIN2008 baselines: You stated that these are in progress. Do you have a date in mind when these will be ready? Will you have a comment period prior to the release? How will they be promulgated, through an ISL? Do you need help in the development and testing of these baselines?

    The DSS Windows XP/2003 Baseline Technical Security Configurations (BTSC) has been revised and will be sent to the National Industrial Security Program Policy Advisory Committee (NISPPAC) for testing/review. Once comments and considerations are received from NISPPAC, the BTSC will be revised as appropriate and coordinated for release to industry. The goal is to have the revised Windows XP/2003 BTSC made available via document request as soon as the end of the calendar year or the first quarter of 2012.

    Windows 7 baseline: The DSS Windows 7 BTSC is currently in draft form. Currently, there is no date set for its release, but prior to its release the Windows 7 BTSC will be shared with the NISPPAC for testing/review.

    LINUX baseline: You stated that the draft copy drifting around industry is an 80% solution. When do you plan to have it ready for industry to review? Can we help in getting it ready?

    The LINUX baseline is currently in draft form and is being reviewed internally. Once the draft has been promulgated and coordinated internally it will be shared with industry for review and feedback. We are currently anticipating a finished product in mid spring of 2012.

  19. You stated that we may be allowed some latitude in adjusting the templates to better meet our systems' and users' needs. Specifically, I requested permission to adjust the template to include company-specific enhanced forms without compromising the narrative of the templates. We believe all of our "enhancements" will improve our security posture and will improve our users' understanding of NISP requirements.

    We are currently working on a universal template that will incorporate all system types, as well as SSP or MSSP, which can be configured through drop-down lists, removing the requirement to start over when an incorrect template is used. These forms will also allow unlimited additions of pages for uploading images. We will look into the ability to add actual documents to the forms vs. strictly images or scanned images of those documents.

    Why do we need so many master plans when one facility plan explaining how we protect classified systems would be sufficient? The individual profiles certainly give all the relevant data as far as system makeup and protection activities. Multiple master plans actually dilute the policy value of one master plan and create a management nightmare for both DSS and industry. Industry is definitely willing to help craft an enduring master plan that not only educates ISSMs, but also assists smaller organizations in building solid compliance programs.

    ISL 2007-1 clarifies the requirements associated with master system security plans and ISSM self-certification defined in NISPOM Chapter 8. ODAA will review the ISL and ISFO Process Manual guidance in an effort to identify ways to streamline procedures related to master system security plans.

    Based on direction from an RDAA, when the operating system is not capable of meeting the 14-character requirement, we do not need to treat it as non-compliant. Why would this require a POAM, since the only fix is to upgrade the OS, which is not possible (in many cases)? Why, based on this guidance, would we annotate the OS failing to meet character requirements in our certification?

    The ISSM should document how he/she plans to mitigate the vulnerability. There are three options: 1) The item can be mitigated and documented in the SSP, 2) A POAM can be included for a future upgrade to a compliant OS, or 3) Obtain a Risk Acceptance Letter (RAL) from the customer. In all three cases, the SSP needs to reflect/document the system's non-compliance with password requirements.

    We understand that the NIS protocol is no longer supported by SUN Microsystems. We have a number of ISSPs giving us conflicting guidance on the requirement to upgrade to NIS+ or another third party solution.

    The Network Information System (NIS) protocol, if used, is not a secure mechanism for providing authentication and authorization services. For example, one known security issue is that if NIS is used for authentication, password hashes are sent around the network in clear text and can be easily captured and cracked, making client systems vulnerable. Because of the known security issues with NIS, the recommendation is to migrate to NIS+ or LDAP as possible alternatives. However, the ODAA allows for the use of legacy hardware/software as long as it is documented in the (M)SSP and GCA concurrence (i.e., a RAL) is obtained. Further guidance on the use of NIS will be addressed in the DSS UNIX/LINUX BTSC.
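    The two findings in this question (an operating system that cannot enforce the 14-character password minimum, and name-service databases still served over NIS) are the kind of configuration facts an ISSM has to surface before deciding between mitigation in the SSP, a POAM, or a RAL. The following audit script is an added example written for this page; it is not DSS or ODAA tooling and is not taken from any BTSC. It assumes a Linux/UNIX host where name-service sources are listed in /etc/nsswitch.conf and the password minimum is the PASS_MIN_LEN key in /etc/login.defs; the function names, the severity labels, and the two sample files are all constructed for illustration.

```python
"""Audit nsswitch.conf for NIS-backed databases and login.defs for PASS_MIN_LEN.

Added example for this Q&A page, not DSS/ODAA code. Assumptions (hypothetical):
  - name-service sources live in /etc/nsswitch.conf ("db: source source ...")
  - the minimum password length is PASS_MIN_LEN in /etc/login.defs
Both files are parsed from text so the audit runs offline against samples.
"""
import re

# Constructed sample inputs (not captured from any real system).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
netgroup:   nis
"""

SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   90
PASS_MIN_LEN    8
UMASK           077
"""

# Databases whose contents, served over NIS, put credential or authorization
# data on the wire in clear text (the exposure the page describes).
SENSITIVE_DBS = {"passwd", "shadow", "group", "netgroup"}


def nis_backed_databases(nsswitch_text):
    """Return {database: [sources]} for each nsswitch entry that lists 'nis'.

    Comments are stripped, and bracketed action tokens such as
    [NOTFOUND=return] are ignored because they are not lookup sources.
    """
    found = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        names = [s.lower() for s in sources.split() if not s.startswith("[")]
        if "nis" in names:
            found[db.strip()] = names
    return found


def min_password_length(login_defs_text):
    """Return the integer PASS_MIN_LEN value, or None if the key is absent."""
    for raw in login_defs_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"PASS_MIN_LEN\s+(\d+)$", line)
        if match:
            return int(match.group(1))
    return None


def audit(nsswitch_text, login_defs_text, required_len=14):
    """Return a list of (severity, message) findings for the SSP/POAM/RAL decision."""
    findings = []
    for db, sources in sorted(nis_backed_databases(nsswitch_text).items()):
        severity = "high" if db in SENSITIVE_DBS else "medium"
        findings.append((severity,
                         f"{db} resolved via NIS ({' '.join(sources)}); "
                         "migrate to LDAP/NIS+ or document in (M)SSP with a GCA RAL"))
    min_len = min_password_length(login_defs_text)
    if min_len is None:
        findings.append(("medium", "PASS_MIN_LEN not set; document the effective policy"))
    elif min_len < required_len:
        findings.append(("high",
                         f"PASS_MIN_LEN={min_len} is below the required {required_len}; "
                         "mitigate in the SSP, add a POAM, or obtain a RAL"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_NSSWITCH, SAMPLE_LOGIN_DEFS):
        print(f"[{severity}] {message}")
```

    Against the constructed samples the audit reports four NIS-backed databases and a password minimum of 8, each flagged high; a host whose passwd line reads only `files` and whose login.defs sets `PASS_MIN_LEN 14` produces no findings. Whatever the script reports still has to be written into the SSP under one of the three options the answer above lists; the script only makes the non-compliance visible.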

  20. Will there be a comment period on the ISFO Process Manual prior to its release, what changes do you anticipate and how can we help in enacting these changes?

    The next iteration of the ISFO Process Manual is on track for rework in the first half of 2012. The items that are currently slated for modification/addition are:

    1. Removal of the Foreign Ownership, Control and Influence (FOCI) section (this section was mostly internal process).
    2. Section 6: System Security Plan Submission Process. Clarified that the option for submissions that cannot be compressed under 10MB may be sent via CD-ROM through a carrier. Original statement made it appear that only FOUO could be sent this way.
    3. Section 6: System Security Plan Submission Process. Changing/adding to the SSP submission email to include the number of workstations/PCs/CPUs on an information system.
    4. Trusted Download. Linux and Solaris procedures for trusted download.
    5. Removal of password length requirement from the ISFO Process Manual. The password length requirement will be added to the appropriate Baseline Technical Security Configuration (BTSC) document for each operating system. Other items that may only apply to specific operating systems will also be removed and incorporated into their appropriate BTSC.
    6. Clarification for Copiers. Will clarify that a separate accreditation is required for standalone copiers/printers, etc., only. Multifunction networked printers/copiers (e.g., Xerox Work centers, etc.) that are attached to a network should be included as a peripheral in the originating (M)SSP hardware baseline.

  21. Finally, we are excited about the matrix. Is it possible that once the NISPOM is released we update the self-inspection checklist to incorporate all the issues addressed in the ISFO Process Manual? This would help us map and manage our performance and ensure no surprises arise during the inspection. It will also assist in meeting the greater emphasis being placed on self-assessment in the new NISPOM as well as EO 13587.

    Yes. DSS will be responsive to any updates in the new NISPOM regarding processes and procedures to include updating the self-inspection checklist. DSS continues to enhance the checklist to accurately reflect requirements and capture the elements that are reviewed during an inspection.