Policy News/Archives

4/17/2014 DSS releases ISL 2014-01

DSS releases ISL 2014-01, "GSA Carriers for Overnight Delivery of SECRET and CONFIDENTIAL Classified Materials"; rescinding ISL 2006-02, Article 18. The ISL prohibits the use of drop boxes and provides additional guidance on documenting processes and approvals for using commercial overnight express carriers for the shipment of SECRET and CONFIDENTIAL classified information. View ISL 2014-01.

4/10/2014

DSS provides "Validation of Personnel with Eligibility for Access to Classified Information" notice to industry. Click here to view notice.

2/26/2014

Guidance on Managing Personnel Security Clearance Records in the Joint Personnel Adjudication System (JPAS) - Break in Access and Break in Employment Click Here

1/06/2014 Notice: The Derivative Classification Training job aid listed as a training resource in ISL 2013-06 has been revised.

The revision does not change the training requirements outlined in ISL 2013-06. It reflects a new page design and minor content updates that provide additional clarity to the training requirements for derivative classifiers. The link to the job aid in the ISL will direct users to the revised version or the job aid can be accessed directly here.

12/31/2013 Notice regarding contractor inadvertent exposure to classified information in the public domain

DSS reposts as a reminder the notice to Contractors cleared under the National Industrial Security Program regarding inadvertent exposure to potentially classified information in the public domain which was originally posted on 6/11/2013. Click here to read the notice.

12/03/2013 Changes to United States Postal Service Express Mail and Use of Labels

NISPOM Paragraph 5-403b allows the transmission of classified material up to the SECRET level within and directly between the United States and its territorial areas by use of U.S. Postal Service (USPS) Express Mail. Effective July 2013, the USPS changed the name of Express Mail to Priority Express Mail and updated the label to reflect that change. The new Priority Express Mail label requires that you actually check the "signature is required" box, whereas with the prior Express Mail label, the signature was automatically obtained as a part of Express Mail delivery, unless indicated otherwise. Please note that you may see use of either the "Express Mail" or "Priority Express Mail" labels until existing stocks of "Express Mail" labels are depleted. In either case, it is the sender's responsibility to ensure that the recipient's signature is obtained when sending SECRET information through the U.S. Postal Service via express mail.

10/31/2013 DSS Industrial Policy notice on derivative classification training resources

The DTIC link for "Derivative Classification Training," http://cdsetrain.dtic.mil/derivative/index.htm listed under training resources in ISL 2013-06, "Derivative Classification Responsibilities," is now available and provides access to the derivative classification training course.

10/04/2013 DSS release of ISL 2013-06, "Derivative Classification Responsibilities"

DSS releases ISL 2013-06, which provides clarification to contractors for specific NISPOM Conforming Change 1 requirements in Chapter 4 related to derivative classification. Click here to view ISL 2013-06.

08/27/2013 DSS will resume processing Top Secret PRs for industry

Because of a funding shortfall and the impact of sequestration on the FY13 Personnel Security Investigations for Industry Program budget, the Defense Security Service suspended submission of most Top Secret periodic reinvestigation (PR) requests for cleared industry personnel beginning on June 14, 2013. After carefully monitoring and managing industry submissions for initial clearance and reinvestigation requests, DSS has determined that sufficient funding is now available to resume processing deferred Top Secret PRs effective Aug. 28, 2013, for the remainder of the fiscal year. DSS will continue to closely monitor the program's expenditures and will determine if any further actions are necessary.

08/08/2013 Derivative Classification Training and Recordkeeping Guidance

Conforming Change 1 to the NISPOM in paragraph 4-102 requires that contractor cleared personnel must be trained initially and at least once every 2 years on the topics set forth in NISPOM paragraph 4-102 before being authorized to make derivative classification decisions.

The Industrial Security Letter (ISL) that provides Cognizant Security Agency guidance on implementing the training requirements for Derivative Classifiers is pending approval by the Under Secretary of Defense for Intelligence. Until the ISL is released, contractors should have a plan in place for implementation or begin initiating training to meet the requirements of Conforming Change 1. Having a plan in place or initiating training will meet the intent of the NISPOM requirements. When issued, the ISL will provide a date by which training must be completed by contractors.

  • Contractor cleared personnel who can document that they have completed initial derivative classifier training required by NISPOM paragraph 4-102 do not need to take additional training until 2 years have elapsed from the date of their initial training.

  • Contractors can develop and implement internal training programs or use an existing training course that includes, at a minimum, the topics set forth in NISPOM paragraph 4-102 to meet the NISPOM requirements of derivative classification training for contractor personnel who are authorized to make derivative classification decisions.

  • Contractors will retain records of the date of the most recent training (initial or refresher) and type of training derivative classifiers receive. Records of training must be available for review during DSS security vulnerability assessments. Records may consist of training attendance records, certificates, or other documentation verifying that personnel assigned duties as derivative classifiers have successfully completed the training requirements.

Training Resources

The Derivative Classification Training Job Aid at the Center for Development of Security Excellence (CDSE) website has detailed guidance: http://www.cdse.edu/documents/cdse/DerivativeClassification.pdf.

Contractors who wish to use CDSE products can find their courseware on derivative classification at:

In addition to the above derivative classification training, the following marking course and training material provides additional information and guidance on derivative classification marking requirements.

08/07/2013 Standard Form 312 is revised

The "Classified Information Nondisclosure Agreement, Standard Form 312 (SF 312)" was revised by the DNI to reflect language required by two new statutes: 2011 Public Law 112-74, Financial Services and General Government Appropriations Act, and 2012 Public Law 112-199, Whistleblower Protection Enhancement Act (WPEA). The Office of the Director of National Intelligence posting can be found here. The revised SF 312 dated 7-2013 is posted in the General Services Administration (GSA) forms library on their website and can be directly downloaded here. There is no requirement to re-sign and execute a new SF 312; previously executed forms are still valid.

07/23/2013 DSS provides an update on ISL 2013-03, "Transfers of Defense Articles to Australia without a License or Other Written Authorization"

DSS released the ISL on March 20, 2013; a final rule document was published in the Federal Register on May 30, 2013, indicating that the treaty entered into force on May 16, 2013 http://www.pmddtc.state.gov/FR/2013/78FR32362.pdf. As of May 16, 2013, the requirements of the ISL are in effect. Click here to view ISL 2013-03.

07/08/2013

DSS Industrial Policy Division posts guidance on Cleared Contractors Responsibilities for Subcontractor and Self-Employed Consultants Personnel Security Clearances (PCL) and Facility Clearances (FCL).

NISPOM 2-212 authorizes Cleared Contractors to process self-incorporated consultants for a PCL provided the consultant and members of his/her immediate family are the sole owners of the consultant's firm, and only the consultant requires access to classified information. In such cases, a facility security clearance (FCL) is not required. Should other employees of the consultant's firm require access to classified information, the cleared contractor must issue a classified subcontract to the consultant's firm and sponsor them for an FCL if they don't already have one. NISPOM 2-200b prohibits prime contractors from managing subcontractor employees' PCLs (e.g., submitting a PCL to the CSA on the subcontractor's behalf). A subcontractor must be sponsored for an FCL if one does not exist and is responsible for processing PCLs for its employees and maintaining the accuracy of the employees' access records in JPAS.

07/02/2013 DSS releases ISL 2013-05

DSS releases ISL 2013-05, to address reporting requirements of cyber intrusions under NISPOM 1-301, "Reports to be Submitted to the FBI." This ISL replaces ISL 2010-02, "Reporting Requirements for Cyber Intrusions (NISPOM 1-301)," which has been rescinded. View ISL 2013-05.

07/01/2013 AIS authorization on the DD Form 254

DSS Industrial Policy Division releases an FAQ to identify which sections in the DD Form 254 authorize the use of Automated Information Systems by cleared contractors. Click here to view the FAQ.

06/11/2013 Notice regarding contractor inadvertent exposure to classified information in the public domain.

DSS releases notice to Contractors cleared under the National Industrial Security Program regarding inadvertent exposure to potentially classified information in the public domain. Click here to read the notice.

06/11/2013 DSS release of ISL 2013-04 "Overseas Private Investment Corporation (OPIC)"

DSS releases ISL 2013-04, updating the list of Federal agencies that have entered into an agreement with DoD for Industrial Security services. Click here to view ISL 2013-04.

05/22/2013 Use of Drop Boxes for Classified Overnight Delivery Prohibited

NISPOM 5-403e authorizes the use of commercial delivery companies approved by the CSA that provide nationwide, overnight service with computer tracking and reporting features for overnight transmission of SECRET and CONFIDENTIAL material.

As indicated in Industrial Security Letter (ISL) 2006-02, Article 18, "General Services Administration Carriers for Overnight Delivery of SECRET and CONFIDENTIAL Classified Information," the use of drop boxes is prohibited.

04/15/2013 Director of National Intelligence Issues New Security Clearance Guidance

On April 5, 2013, the Director of National Intelligence James R. Clapper issued new security clearance guidance containing revised instructions for completing Question 21 of the SF 86, "Questionnaire for National Security Positions." The guidance, which was issued on an interim basis pending formal revision of the policy, addresses sexual assault and the seeking of mental health counseling, and applies to all executive branch departments and agencies. More information on the guidance can be found here.

04/03/2013 DoD Releases Change 1 to DoD 5220.22-M, "National Industrial Security Program Operating Manual (NISPOM)"

On March 28, 2013, the Department of Defense approved Change 1 to DoD 5220.22-M, "National Industrial Security Program Operating Manual." The change includes the addition of the Office of Personnel Management (OPM) as a NISP signatory, recognizes the Director of National Intelligence (DNI) as a Cognizant Security Agency (CSA) vice the Central Intelligence Agency (CIA), incorporates National Policy for derivative classification and marking requirements, and incorporates US-UK Treaty provisions for the Transfers of Defense Articles to the United Kingdom without a License or Other Written Authorization. The implementation of changes to this Manual by contractors shall be effected no later than 6 months from the date of the published change, with the exception of changes related to US-UK Treaty Requirements in Chapter 10, Section 8 of this Manual, which must be implemented immediately.

Change 1 to DoD 5220.22-M can be found at: http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf

A Summary of Changes can be found at: http://www.dtic.mil/whs/directives/corres/pdf/522022m_summaryofchanges.pdf

03/25/2013 DSS releases ISL 2013-03, Transfers of Defense Articles to Australia without a License or Other Written Authorization

This Industrial Security Letter (ISL) promulgates updated guidance for information and interpretation of existing paragraphs in Chapters 4 and 10 of the National Industrial Security Program Operating Manual (NISPOM) based on the requirements of that Treaty, for exports and transfers of Defense Articles to Australia. This guidance is effective upon entry into force of the Treaty.

A Rule document will be published in the Federal Register announcing the effective date.

Click here to view ISL 2013-03.

02/27/2013 Mandatory Training for JPAS Industry Users

The Defense Manpower Data Center (DMDC) has posted guidance for mandatory Cyber Awareness Challenge and Personally Identifiable Information (PII) training. Specific guidance on the training can be found on the DMDC JPAS website in the JPAS Policy Changes document and in the JPAS Account Management Policy, paragraph 4.1.3.

02/08/2013 DSS releases ISL 2013-01, Facility Clearance (FCL) Eligibility Requirements (NISPOM 2-102b)

DSS releases ISL 2013-01, to address FCL eligibility for American Indian/Alaska Native tribal entities or those entities that are organized and existing under the laws of any of the tribes recognized by the Assistant Secretary – Indian Affairs, U.S. Department of the Interior. The ISL further addresses FCL processing for federally-chartered tribal corporations formed under Section 17 of the Indian Reorganization Act (25 U.S.C. § 477) and companies chartered under the laws of a U.S. state, the District of Columbia, or an organized U.S. territory and owned in whole or part by Indian tribes. View ISL 2013-01.

10/19/2012 Information Security Oversight Office (ISOO) Notice 2012-04, "Additional Guidance on Standards for Security Equipment"

ISOO Notice 2012-04 provides additional guidance to the Federal government on the safeguarding of classified national security information in General Services Administration approved security containers and addresses the procurement of GSA-approved security containers. Cleared contractors under the National Industrial Security Program should be aware of the information outlined in the ISOO notice when purchasing GSA-approved security containers and are reminded that in accordance with NISPOM Chapter 5 that containers used for the safeguarding of classified material shall be GSA-approved.

For further assistance regarding these requirements for cleared contractors, contact Policy_HQ@dss.mil.

Contact isoo@nara.gov with questions regarding the ISOO Notice 2012-04.

07/20/2012 DSS Industrial Policy provides answers to FAQs regarding NATO Annual Refresher briefings.

05/22/2012 STATUS OF National Industrial Security Program Operating Manual (NISPOM) REVISION: DoD is continuing informal coordination with the National Industrial Security Program Policy Advisory (NISPPAC) on revisions to the NISPOM, DoD Manual 5220.22-M guidance to cleared contractors.

Once the informal NISPPAC coordination is completed, DoD must:

  1. Conduct DoD formal coordination of the revised draft;
  2. Gain concurrence of the other 3 CSAs (Department of Energy, Nuclear Regulatory Commission and Office of the Director of National Intelligence);
  3. Consult with the 24 non-DoD agencies for which DoD provides industrial services;
  4. Post the NISPOM draft in the Federal Register for public comment; and
  5. Promulgate the revised NISPOM.

05/17/2012 DSS Releases ISL 2012-03 FSO Training (NISPOM 3-102)

DSS releases ISL 2012-03, which aligns the FSO training requirements with the recently updated FSO training curricula being delivered by the DSS Center for Development of Security Excellence. This ISL provides clarification on the FSO orientation and FSO Program Management Course requirements referenced in the NISPOM, and rescinds previously published guidance. Click here to view ISL 2012-03.

05/03/2012 Information Security Oversight Office (ISOO) Notice 2012-03, "Additional Guidance on Supplemental Controls Required for Safeguarding Classified National Security Information."

ISOO Notice 2012-03 provides guidance on the requirements for intrusion detection systems (IDS) used to safeguard classified national security information as outlined in 32 CFR 2001.43(b). This guidance does not currently apply to cleared contractors. Cleared contractors must continue following the IDS requirements outlined in National Industrial Security Program Operating Manual paragraph 5-900.

Contact isoo@nara.gov with questions regarding the ISOO Notice 2012-03.

For further assistance regarding IDS requirements for cleared contractors, contact Policy_HQ@dss.mil.

05/02/2012 USD(I) reissues DoD 5100.76-M, "DoD Physical Security of Sensitive Conventional Arms, Ammunition, and Explosives (AA&E) Manual"

On April 17, 2012, the Under Secretary of Defense for Intelligence (USD(I)) reissued DoD 5100.76-M, "DoD Physical Security of Sensitive Conventional Arms, Ammunition, and Explosives (AA&E)". This manual supersedes the DoD 5100.76-M manual, dated August 12, 2000.

04/25/2012 The guidance found within ISL 2012-02 is now in effect.

On April 13, 2012, Department of State announced the official enforcement of the United States (US) and the United Kingdom (UK) Defense Trade Control Treaty. This enforcement implements the guidance of ISL 2012-02, as of April 13, 2012. Please click here for additional information.

02/23/2012 DSS Releases ISL 2012-01

This ISL amends the list of federal agencies that DoD has entered into agreements with for industrial security services. Please click here to obtain additional information.

11/14/2011 Attention All Users

On September 14, 2011, the Deputy Secretary of Defense released the "Improving Implementation of Policy Guidance for Foreign Ownership, Control, or Influence (FOCI)" memorandum. This is an internal memorandum that directs actions by the heads of the Military Departments, Defense Agencies and other DoD Components. It does not direct actions by our Industry partners.

05/02/2011 DSS releases ISL 2011-02

This ISL provides guidance regarding Puerto Rico birth certificates as acceptable proof of citizenship when issued on or after July 1, 2010. This ISL also clarifies when COMSEC material is considered "proscribed" information. Please click here to obtain additional information.

02/11/2011 DSS provides notice to contractors cleared under the National Industrial Security Program (NISP) regarding protecting classified information and the integrity of government data on cleared contractor information technology (IT) systems. The widespread distribution of the documents posted on WikiLeaks has prompted the requirement to use other than normal spill procedures, as identified in this notice:

In light of the damage caused to our national security by the unauthorized disclosure of U.S. Government documents by WikiLeaks, the Acting Undersecretary of Defense (Intelligence) directed the Defense Security Service to notify cleared companies of their obligations to protect classified information and to follow established and authorized procedures for accessing classified information. This notice reiterates basic, existing obligations and principles governing the protection of classified information for contractors cleared under the NISP. Click here to view the notice.

01/24/2011 DSS Guidance to Industry Reference USCYBERCOM Communications Tasking Order (CTO) 10-133, "Protection of Classified Information on Department of Defense (DoD) Secret Internet Protocol Router Network (SIPRnet)":

DSS understands there have been several questions regarding the issuance of the recent USCYBERCOM CTO 10-133. Please be advised this issuance applies only to contractors whose information systems have connectivity to the SIPRNet. Additional guidance can be obtained through your local DSS ISFO/ODAA representative.

12/13/2010 DSS provides a security reminder to Industry regarding accessing publicly posted classified information:

Industry is reminded that accessing or downloading classified or potentially classified information to an IT system not certified and accredited to process classified information constitutes a security violation. Click here for additional information.

07/14/2008 Use of non-GSA-approved security containers

NISPOM paragraph 5-303 applies to contractors the provision of Classified National Security Information Directive No. 1, which prohibits the use of non-GSA-approved security containers for the storage of classified material effective October 1, 2012. The Department of Defense will not waive the requirement to terminate the use of non-GSA approved security containers for the storage of classified information. More guidance is available here.

12/08/2008 Reminder from Defense Security Service - NISPOM Requirement to Check for Malicious Code

On Nov. 15, 2008, the Commander, U.S. Strategic Command released the message, SUBJ: Suspension of Removable Flash Media (FOUO). DSS has received questions from cleared contractors on whether the message applies to them. The order to suspend the use of removable flash media applies to DoD networks and computer systems only. The message does not apply to contractor systems. Cleared contractors are reminded that their classified security programs are governed by the National Industrial Security Program Operating Manual (NISPOM).

NISPOM paragraph 8-305 requires that all Information Systems (IS), regardless of their operating system, be protected against malicious code. NISPOM paragraph 8-101f(5) requires that the Information Systems Security Manager (ISSM) implement and maintain security features, policies, and procedures that detect and deter incidents caused by malicious code, viruses, intruders or unauthorized modifications to software or hardware.

Removable media may have embedded malicious software (malware). The NISPOM paragraph 8-302 requirement to examine all commercial hardware and software before being placed into use on the IS applies to such removable media. Software must be tested to ensure that it does not contain features detrimental to the security of the IS. All security-related software must be tested to verify that the security features function as specified. The ISSM has the responsibility to ensure that IS employs the appropriate software to check and remove viruses or other malicious code and that all files, data, or external communications are checked before being introduced into the IS.

DSS recommends that contractors increase their awareness of and vigilance against potential security and cyber threats through the application of best security practices whether at work, home, or on travel.