Below are answers to the most frequently asked questions regarding policies affecting the National Industrial Security Program. Please keep in mind that the responses below may not be all-inclusive. There may be situations where additional requirements apply; please refer to the National Industrial Security Program Operating Manual (NISPOM) for additional clarification.
1. In light of the recent end of life for Windows XP, can DSS provide their position on continued use of operating systems which are no longer supported by the vendor, making them legacy operating systems?
DSS, in addressing this question regarding the use of Windows XP, provides the following updated guidance:
When information systems (IS) are accredited by DSS and subsequently the O/S loses vendor support, continued operation IAW the SSP is authorized; however, the contractor must submit an updated Information System Tracking Form to their respective ISSP, no later than 60 days from the date of this posting or the date of end of support, listing all the affected UIDs and documenting their plans for upgrade and/or providing Risk Acknowledgement Letters or contractual documentation language which requires the use of the legacy O/S. Contractors will identify their plans in the remarks section of the IS Tracking Form. The IS Tracking Form may be found under the Downloads section of the ODAA webpage.
Additionally, the ISSM must add an entry to each individual IS POA&M and submit to DSS for approval prior to the facility's next SVA. Individual IS POA&M entries must include specific activities necessary to provide an effective and timely transition to an operating system with continued vendor support at the time of reaccreditation. In those cases where a legacy O/S cannot, or will not, be upgraded due to operational necessity or incompatibilities with program requirements, or the manufacturing process, the ISSM must submit the contractual requirements or the government customer must provide a letter (signed by the Contracting Officer, the Contracting Officer's Representative, the Contracting Officer's Technical Representative, or the Government Program Manager) stating there is a program requirement to use the legacy O/S and the GCA acknowledges the risk associated with its use.
Standard test equipment and/or peripherals with unsupported operating systems do not require a RAL or POAM. (Note: this applies to true test equipment; examples include, but are not limited to, logic/spectrum analyzers, oscilloscopes, signal tracers/generators, frequency synthesizers, meters, etc.)
Specialized test equipment, which is not feasible to upgrade by the contractor or vendor due to unit and/or certification costs (examples include but are not limited to EMI, RFI, Anechoic, Altitude, and Environmental chambers; vibration test units, wind tunnels, etc.), will be included on the Information System Tracking Form and do not require a RAL or POAM, but will require RDAA and/or ODAA approval once the current accreditation expires.
Information systems running unsupported operating systems on and/or connected to a test rack which are used to control all the other components will need to be upgraded or have an approved POAM/RAL once the current accreditation expires.
It is understood that the number of workstations may vary during fulfillment of the contract, and the contractor may elect to add workstations to an existing system when there is a RAL or contractual requirement to do so; however, when additional growth in the program occurs (e.g. follow-on contracts), the contractor should elect to use a compliant OS when possible.
Self-certification will not be granted for new information systems requiring the use of legacy O/S; however, the ISSM may replace workstations (as necessary) on currently accredited information systems which operate with the legacy O/S to maintain the effectiveness of the program. If an MSSP contains multiple O/S, that MSSP may still be used for self-certification of new IS using only those O/S which have continued support by the vendor.
2. Are UNIX O/S included in this guidance? Since there is no real vendor, how do we determine when it is no longer supported? Are we going to have a list of "legacy" operating systems to share with industry?
Yes, known versions of Unix-based O/S which are unsupported by the vendor are included in the guidance for legacy O/S. It is up to the ISSM to determine and identify these O/S to ODAA when they become unsupported. Each instance will be considered on a case-by-case basis and no "list" will be maintained by DSS.
3. Is the contractor required to establish a POAM for their current systems or as a part of their reaccreditation package? Also, will a POAM be required if the systems are contractually required?
If an O/S becomes unsupported, a POAM is required for the current system to identify the vulnerability and plan for reaccreditation with an approved O/S. Reaccredited systems will not have legacy O/S, so no associated POA&M entry is necessary unless the legacy O/S is operationally required. If the legacy O/S is still operationally required at the time of reaccreditation, a POA&M will be required addressing the vulnerability, along with a letter from the customer addressing the operational necessity and acknowledging the risk associated with its continued use.
4. Are contractors in states that have enacted laws authorizing the medical use of marijuana, or in states that have enacted laws authorizing the use, possession, production, processing and distribution of marijuana, required to report use, possession, production, processing, or distribution of marijuana by cleared contractor personnel?
YES, any of these activities must be reported as adverse information in accordance with NISPOM paragraph 1-302.a.
5. Does the requirement for 100% accountability of TS documents apply to paper documents only, or does it also apply to documents stored on electronic media?
The NISPOM defines a document as "Any recorded information, regardless of the nature of the medium or the method or circumstances of recording." When documents are in electronic form and stored on another medium (e.g. hard drive or optical disc) each TS document on the medium must be accounted for individually.
6. If multiple documents are stored on the electronic media, are NISP contractors required to maintain accountability of each TS digital document stored on a system's hard drive or account for the TS hard drive only?
When documents are in electronic form and stored on another medium (e.g. hard drive or optical disc) each TS document on the medium must be accounted for individually, in addition to the medium itself (if removable).
7. When electronic media (e.g. hard drive or optical disc) containing Top Secret documents are lost, should reporting identify just the media or each individual document?
Any such report of loss must identify each individual document and item when a loss occurs. When multiple items are placed on the same medium, each having its own control number, they must be accounted for separately.
8. Is the contractor required to re-mark classified material received from any source that is improperly marked?
No. The contractor is required to ensure that documents they prepare, and the documents prepared by their subcontractor, to meet the performance requirements of a contract are properly marked. That may require the contractor to seek clarification of markings from the GCA/preparer when improperly marked material is incorporated, paraphrased, restated or generated in a new form and it impacts proper derivative classification/marking of the new material. In all cases, if the improper markings impact the proper handling of the classified material, the contractor will seek clarification from the GCA/preparer.
9. Where can I find information on marking and derivative classification?
CDSE courseware on derivative classification is available on the CDSE website.
The Derivative Classification Training Job Aid at the Center for Development of Security Excellence (CDSE) website has detailed guidance.
In addition to the above derivative classification training, the CDSE marking course and training material provide additional information and guidance on derivative classification marking requirements.
10. (6/26/13) Cleared contractors, and DSS personnel alike, have recognized that different sections on the DD Form 254 are being used to specify and authorize the use of an automated information system (AIS) in performance of classified contracts. These inconsistencies have generated the following questions: “What items on the DD Form 254 authorize the use of an Automated Information System (AIS) for processing classified information?” and “What must be annotated on the DD Form 254 prior to submitting a request for ODAA approval?”
The simple answer is by marking item 11.c. as “YES”, the GCA (or Prime contractor) authorizes the contractor to receive and generate classified material in the performance of that specific contract. It is understood that AIS are a primary means for receiving and generating information; therefore, when 11.c. is marked “YES”, it justifies the contractor submitting a system security plan(s) for approval by DSS/ODAA to fulfill contractual obligations. No other annotations are required on the form.
11. Can the DD Form 254, "Department of Defense (DoD) Contract Security Classification Specification" be used to convey security requirements for other than classified material to contractors?
The DD Form 254 is one of the documents included in a classified contract. Its purpose is to convey security classification guidance and to advise contractors on the handling procedures for classified material. The GCA may use the DD Form 254 to provide guidance regarding unclassified information associated with the classified contract. Block 10.j is intended to indicate "For Official Use Only" (FOUO); Block 10.k can be used for any other type of information. If Block 10.j or 10.k is checked, then details should be provided in Block 13.
DSS provides oversight of classified information under the National Industrial Security Program. The GCA is responsible for oversight of unclassified information provided to contractors. The fact that the DD Form 254 provides guidance on unclassified information does not change the oversight responsibilities.
The DSS Center for Development of Security Excellence (CDSE) guide for preparing the DD Form 254 is available on the CDSE website.
12. How is removable media marked and labeled?
DSS recognizes these forms of media as special types of material (NISPOM 4-210.a.) generally containing multiple files and coming in all shapes and sizes, which makes marking and labeling more difficult than for individual documents. Such media often contain both unclassified and classified documents and may include multiple categories of information and/or handling caveats. Therefore, the highest classification of any classified item contained within the media (overall marking) along with any and all associated categories/caveats (e.g., CNWDI, NATO) shall be conspicuously marked (stamped, printed, etched, written, engraved, painted, or affixed by means of a tag, sticker, decal, or similar device) on the exterior of such material (or, if such marking is not possible, on documentation that accompanies the media) so it is clear to the holder. If each document on a removable device contains all of the required information for that document, only the overall classification and associated caveats markings must be marked on the exterior of the device. Other notations such as names, addresses, subjects/titles, source of classification and declassification instructions are not necessary on the exterior of removable media.
13. What items are considered to be removable media?
Removable media is any type of storage device that can be removed from a computer while the system is running. This includes removable media which is inserted into readers and drives integrated into the system (e.g., Optical discs (CDs, DVDs, Blu-ray Discs), memory cards (CompactFlash card, Secure Digital card, Memory Stick), floppy disks, Zip disks, and magnetic tapes), as well as those readers and drives which themselves are removable (e.g., USB Flash Drives and External Hard Disk Drives).
Note: Examples are not all inclusive. If you are unsure if your equipment falls into this category, contact your local DSS Representative (i.e. Information System Security Professional) for assistance.
14. Are easily removed hard drives (e.g. sled mounted and those found in laptops) considered removable media and should they be marked as such?
No, these devices do not fit the definition of removable media since they generally cannot be removed while the system is running. Users should take care not to confuse these devices with external hard drives, which are removable media.
Although not considered removable media, these items have a similar marking requirement (NISPOM 8-306a) to bear a conspicuous label stating the highest classification and most restrictive caveats.
15. What types of removable media need to be marked?
All types of removable media, regardless of their impact to the operation of a system. This includes, but is not limited to: Floppy Disks, CDs, DVDs, Blu-ray Discs, USB or Flash Drives, External Hard Disk Drives (connected via USB port), etc.
Additionally, unclassified media and systems located in areas approved by the CSA for classified processing must also be marked and labeled so that the overall classification and associated caveats are apparent to the user.
16. The NISPOM requires weekly audit trail analysis. What is meant by weekly? Does that mean once a calendar week or every seven days?
The NISPOM (8-602a.(3)) states audit analysis shall be scheduled and performed at least weekly and shall be documented in the SSP.
There are many variables that could impact the completion of audit trail analysis on a routine basis, which is why a weekly requirement is called for in the NISPOM rather than a strict seven days. Workload priorities, personnel matters, and system availability (just to name a few) may factor in the timeliness of contractor’s audit trail reviews.
17. Are contractors required to submit adverse information reports for an employee with clearance eligibility in JPAS, even if the employee currently does not require access to classified information?
Contractors should report adverse information coming to their attention concerning any employee who has current eligibility reflected in JPAS, in accordance with NISPOM 1-302. Also refer to ISL 2011-04.
18. Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)?
Paragraph 10-706 of the NISPOM only requires that the NATO initial briefing date and the NATO debriefing date be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing.
19. Is DSS required to provide NATO Annual Refresher Briefing to the Facility Security Officer (FSO)?
As DSS is required to provide the NATO initial briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing.
20. What are the intrusion detection (alarm sensor) requirements to support the supplemental protection requirements of NISPOM 5-302 and 5-307a for GSA-approved security containers storing TOP SECRET material that are not located in an approved closed area?
NISPOM Chapter 5, Section 9 "Intrusion Detection Systems" outlines the application of IDS when required as supplemental protection.
When GSA-approved security containers storing TOP SECRET classified material are located within a room that can be alarmed, the room shall be protected with an intrusion detection system (IDS) meeting the requirements outlined in NISPOM paragraph 5-904, such that the area is compliant with UL "Extent 3" as described in UL-2050.
When the GSA-approved security container storing TOP SECRET classified material itself is to be protected (rather than being in an alarmed area), the container shall be protected with an IDS providing "Complete" protection, which requires the use of alarm sensors on or within the GSA-approved security container storing classified material where IDS is used for supplemental protection. "Complete" protection consists of protection on all surfaces and contacts on each outer door, or contacts on the lock and bolt mechanism of each outer door. If all of the drawers or doors of a GSA-approved container lock with a single mechanism, and if none can be left unlocked or open when the mechanism is set, a single contact mounted on the control drawer or door on which the mechanism is installed is acceptable. Alternatively, surface protection may consist of linings that comply with the Standard for Linings and Screens, applied to a safe or safe cabinet so that they completely surround the safe. The protection shall be arranged so that an alarm will be initiated if an opening 4 inches (102 mm) in diameter or larger is made in the safe or safe door by any method of attack. To ensure compliance with the "Complete" extent of protection, the UL Certified Alarm Services Company recommends to the user the appropriate sensor type to be installed to meet UL-2050 certification requirements.
21. What can a company do to facilitate the final eligibility determination for an employee who is currently assigned overseas but has an interim clearance?
Contractors can provide advance notice to the Personnel Security Management Office for Industry (PSMO-I) by submitting a Research, Recertify, Upgrade (RRU) request via JPAS advising of the subject's return to a location where an interview can be conducted.
22. What happens when the requests for periodic reinvestigations (PRs) are not submitted within required timeframes?
Contractor personnel with access granted at the Top Secret, Secret, and Confidential levels must be reinvestigated at 5-, 10- and 15-year intervals, respectively, from the closing date of the previous investigation. To facilitate compliance with submission timeframes, contractors may submit an employee's e-QIP for a PR up to 30 days in advance of the due date. To monitor compliance with PR submission requirements, the Personnel Security Management Office for Industry (PSMO-I) produces monthly reports of overdue PRs and notifies contractors via JPAS of personnel for whom a PR request must be submitted. If the PR request is not submitted within 30 days from issuance of the overdue notification, PSMO-I will remove the employee's eligibility; this will appear as a Loss of Jurisdiction (LOJ) in JPAS. Upon receipt of the LOJ, contractors must remove the individual's access to classified information and annotate this in JPAS. Once the PR request is submitted, PSMO-I will remove the LOJ and eligibility will be restored.
PSMO-I notifications, such as those for overdue PRs or LOJ, are only posted within JPAS for 30 days. Contractors are reminded to access JPAS accounts within timeframes that do not exceed 30 days.
23. Is it necessary for the contractor to maintain the hard copy original "signature pages" (releases and certification) of the SF-86 while the investigation is on-going?
Contractors may maintain the entire SF-86 electronically, including signature pages with scanned signatures, as long as it is retrievable if needed and the confidentiality of the document is protected in accordance with NISPOM paragraph 2-202.b. Retained documentation should also be destroyed in accordance with NISPOM 2-202.b.
24. Can the Joint Personnel Adjudication System (JPAS) be used to verify citizenship when processing individuals for personnel security clearances?
No. Paragraph 2-208 of the NISPOM describes acceptable proof of citizenship. JPAS may not be used to verify citizenship; however, the fact that an individual has a current active clearance in JPAS can be the basis for assuming that US citizenship was verified as part of the initial investigative process. Individuals who have had a break in access should be asked if there has been any change in their citizenship status since they last worked in a cleared position.
25. How long should companies retain NATO Briefing/Debriefing Certificates and Annual Refresher Briefing Records for employees who require access to NATO Classified Information?
26. What documentation is needed to demonstrate the need for a FCL or to verify the validity of a classified contract?
DD Form 254, security aspects letter, statement of work (SOW), requests for proposal, quote and/or information, cooperative research and development agreement (CRADA), Government Contracting Activity (GCA) sponsored independent research & development (IR&D), etc. can all be used to validate a classified contract. DCSA may also coordinate with the applicable GCA to confirm the need for the classified prime or subcontract.
27. Why does industry need to demonstrate the need for a FCL or to verify the validity of a classified contract?
DCSA is responsible for validating the eligibility requirements as described in NISPOM 2-102a-d for all FCL sponsorships. Review of relevant documentation by DCSA personnel assists in validating the eligibility requirement for a FCL.
28. I only need access to JPAS, SWFT, or DISS per my contract as a SSP. Do I need a FCL?
No; these systems do not require the user to access classified information and therefore a contract for the sole purpose of accessing these systems does not constitute a classified contract or a need for a FCL.
29. Our FCL was terminated upon classified contract close-out before we were able to obtain a new contract. What happened?
In accordance with DD Form 441, DCSA will provide all contractors with 30-days written notice of the intent to terminate the FCL when there is no longer a need for access to classified information. If a contractor is unable to provide a justification for an FCL within that timeframe, DCSA will initiate FCL termination.
30. May security consultants and other SSPs participate in Security Vulnerability Assessments (SVAs)?
Yes; they may participate in SVAs in order to support the FSO. However, it should be noted that the role of consultants and/or SSPs is to supplement and assist the FSO with management of the contractor’s security program, not oversight. The FSO is ultimately responsible for security program implementation and must have the ability to effectively supervise and direct security measures consistent with the requirements of the NISPOM. This effectiveness is evaluated during an SVA.
31. Can security consultants only work for one cleared company at a time?
No; there is no existing guidance prohibiting consultants from working for more than one cleared company.
32. How must I pay my SSPs and security consultants?
The NISPOM does not dictate how a company must pay and compensate their employees or consultants (i.e. W2, 1099, etc.). However, the employee or consultant must have a relationship with the company. DCSA personnel may inquire about payment methods and request to view related documentation in order to validate this relationship.
33. As a SSP, my company does not have a FCL. Can I have another cleared contractor hold my clearances and access classified information through that company?
Cleared contractors may process self-incorporated consultants for a PCL in accordance with NISPOM paragraph 2-213 provided the consultant and members of his/her immediate family are the sole owners of the consultant’s company, and only the consultant requires access to classified information. In such cases, a facility security clearance (FCL) is not required. Should other employees of the consultant’s company require access to classified information, it would constitute a classified subcontract, and as such, a DD Form 254 must be issued by the prime contractor, and the consultant’s firm will require an FCL.