National Industrial Security Program


National Industrial Security Program

The National Industrial Security Program, or NISP, is the nominal authority (in the United States) for managing the needs of private industry to access classified information.

The NISP was established in 1993 by Executive Order 12829.[1] The National Security Council nominally sets policy for the NISP, while the Director of the Information Security Oversight Office is nominally the authority for implementation. Under the ISOO, the Secretary of Defense is nominally the Executive Agent, but the NISP recognizes four different Cognizant Security Agencies, all of which have equal authority: the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission.[2]

Contents

NISP Operating Manual (DoD 5220.22-M)

A major component of the NISP is the NISP Operating Manual, also called NISPOM, or DoD 5220.22-M.[3] The NISPOM establishes the standard procedures and requirements for all government contractors, with regards to classified information. As of 2010, the current NISPOM edition is dated 28 Feb 2006. Chapters and selected sections of this edition are:

Data sanitization

DoD 5220.22-M is sometimes cited as a standard for sanitization to counter data remanence. The NISPOM actually covers the entire field of government-industrial security, of which data sanitization is a very small part (about two paragraphs in a 141 page document).[4] Furthermore, the NISPOM does not actually specify any particular method. Standards for sanitization are left up to the Cognizant Security Authority. The Defense Security Service provides a Clearing and Sanitization Matrix (C&SM) which does specify methods.[5] As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable.

Unrelated to NISP or NISPOM, NIST also publishes a Data Sanitization standard, including methods to do so.[6]


Revised Informaton

The above information is out of date. The currently correct document is ISFO Process Manual V3 14 June 2011. This document is available by request only, and is not directly available online. The document has gone through many revisions and name changes. Currently it is slated to be updated twice a year.

The new version has had the section on disk sanitization greatly rewritten.

Chapters and selected sections of the new edition are:

  • 1 Preface
  • 2 Introduction
  • 3 Purpose
  • 4 Introduction of NIST 800-53 Controls
  • 5 SECURITY CONTROLS
    • 5.1 MANAGEMENT CONTROLS
      • 5.1.1 SECURITY PLANNING (PL)
        • 5.1.1.1 Roles and Responsibilities
          • 5.1.1.1.1 Office of the Designated Approving Authority (ODAA)
          • 5.1.1.1.2 Information System Security Professional (ISSP)
          • 5.1.1.1.3 Information Systems Security Manager (ISSM)
          • 5.1.1.1.4 ISSMs for Multiple Facility Organizations (MFO)
          • 5.1.1.1.5 Information System Security Officer (ISSO)
          • 5.1.1.1.6 Network ISSO
          • 5.1.1.1.7 Users of Information Systems (IS)
        • 5.1.1.2 Information System (IS) Types
          • 5.1.1.2.1 Multiuser Standalone (MUSA)
          • 5.1.1.2.2 Local Area Networks (LAN)
          • 5.1.1.2.3 Interconnected System/Wide Area Network (WAN)
          • 5.1.1.2.4 Virtualization
          • 5.1.1.2.5 Special Categories
            • 5.1.1.2.5.1 Single-User, Standalone Systems (SUSA)
            • 5.1.1.2.5.2 Periods Processing
            • 5.1.1.2.5.3 Pure Servers
            • 5.1.1.2.5.4 Test Equipment
            • 5.1.1.2.5.5 Special Purpose, Tactical, Embedded Systems
            • 5.1.1.2.5.6 Copiers
      • 5.1.2 SECURITY ASSESSMENT AND AUTHORIZATION (CA)
        • 5.1.2.1 Types of Security Plans
          • 5.1.2.1.1 System Security Plan (SSP)
          • 5.1.2.1.2 Master System Security Plan (MSSP)
        • 5.1.2.2 Information System Connections
          • 5.1.2.2.1 Network Security Plans (NSP)
            • 5.1.2.2.1.1 Memorandum of Understanding (MOU)/Interconnected Systems Agreement (ISA)
              • 5.1.2.2.1.1.1 MOU Requirements
              • 5.1.2.2.1.1.2 MOU Content
              • 5.1.2.2.1.1.3 MOU Sample
            • 5.1.2.2.1.2 Defense Information Systems Network (DISN) Connections
          • 5.1.2.2.2 International System Security Plans
        • 5.1.2.3 Types of Networks
          • 5.1.2.3.1 Unified Networks
          • 5.1.2.3.2 Interconnected Networks
          • 5.1.2.3.3 Network Security Plans (NSP)
        • 5.1.2.4 Plan of Action & Milestone (POA&M)
          • 5.1.2.4.1 Plan of Action and Milestone Template (POA&M)
      • 5.1.3 CONFIGURATION MANAGEMENT (CM)
        • 5.1.3.1 Configuration Management Process
      • 5.1.4 PROGRAM MANAGEMENT (PM)
      • 5.1.5 RISK ASSESSMENT (RA)
        • 5.1.5.1 Risk Assessment Requirements
        • 5.1.5.2 Enhanced Controls
      • 5.1.6 SYSTEM AND SERVICES ACQUISITION (SA)
        • 5.1.6.1 Certification and Accreditation (C&A)
          • 5.1.6.1.1 C&A Life Cycle
          • 5.1.6.1.2 C&A Process
            • 5.1.6.1.2.1 Certification
            • 5.1.6.1.2.2 Review
            • 5.1.6.1.2.3 Accreditation
            • 5.1.6.1.2.4 Verification
        • 5.1.6.2 Software Protections
    • 5.2 OPERATIONAL CONTROLS
      • 5.2.1 AWARENESS AND TRAINING (AT)
        • 5.2.1.1 Security Education
        • 5.2.1.2 Cleared Contractor Training
      • 5.2.2 CONTINGENCY PLANNING (CP)
        • 5.2.2.1 Contingency Planning
        • 5.2.2.2 System Recovery and Assurances
      • 5.2.3 INCIDENT RESPONSE (IR)
        • 5.2.3.1 Classified Spills
          • 5.2.3.1.1 Incident Response Plan
          • 5.2.3.1.2 Sanitizing and Declassifying
          • 5.2.3.1.3 Classified Spill Cleanup Procedures
          • 5.2.3.1.4 Wiping Utility
          • 5.2.3.1.5 DSS-Approved Classified Spill Cleanup Plan
          • 5.2.3.1.6 Contamination Cleanup Procedures
      • 5.2.4 MAINTENANCE (MA)
        • 5.2.4.1 Maintenance
        • 5.2.4.2 Cleared Maintenance Personnel
        • 5.2.4.3 Uncleared (or Lower-Cleared) Maintenance Personnel
        • 5.2.4.4 Remote Maintenance
      • 5.2.5 MEDIA PROTECTION (MP)
        • 5.2.5.1 Media Protection
        • 5.2.5.2 Hardware Marking
        • 5.2.5.3 Trusted Download
          • 5.2.5.3.1 Trusted Download Procedures
            • 5.2.5.3.1.1 DSS Authorized File Type/Formats
            • 5.2.5.3.1.2 DSS File Transfer Procedures
            • 5.2.5.3.1.3 DSS Authorized Procedure (Windows-Based)
            • 5.2.5.3.1.4 DSS Authorized Procedure (Unix)
            • 5.2.5.3.1.5 Alternate Trusted Download Risk Acceptance Letter (RAL) Example
        • 5.2.5.4 Mobile Systems
          • 5.2.5.4.1 Mobile Processing Procedures
        • 5.2.5.5 Clearing and Sanitization
          • 5.2.5.5.1 Clearing
          • 5.2.5.5.2 Sanitizing
          • 5.2.5.5.3 Magnetic Tape
          • 5.2.5.5.4 Organization Destruction Options
          • 5.2.5.5.5 DSS Clearing and Sanitization Matrix
      • 5.2.6 PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)
        • 5.2.6.1 Physical Security (8-308, 5-306, 5-308, 6-104)
        • 5.2.6.2 Hardware and Software Protection
        • 5.2.6.3 Protected Distribution System (PDS)
        • 5.2.6.4 Emergency Procedures (5-104)
        • 5.2.6.5 TEMPEST (11-100)
      • 5.2.7 PERSONNEL SECURITY (PS)
        • 5.2.7.1 Personnel Security Clearance Verification
        • 5.2.7.2 Personnel Sanctions
      • 5.2.8 SYSTEM AND INFORMATION INTEGRITY (SI)0
        • 5.2.8.1 Flaw Remediation
        • 5.2.8.2 Unclassified Software Review
        • 5.2.8.3 Antivirus
    • 5.3 TECHNICAL CONTROLS
      • 5.3.1 ACCESS CONTROL (AC)
        • 5.3.1.1 Access Control
        • 5.3.1.2 Separation of Function
        • 5.3.1.3 Logon Banner
        • 5.3.1.4 Session Controls
          • 5.3.1.4.1 Successive Login Attempt Controls
          • 5.3.1.4.2 User Inactivity
          • 5.3.1.4.3 Logon Notification (PL-2/PL-3)
        • 5.3.1.5 USB Devices and Ports
        • 5.3.1.6 Radio Frequency ID (RFID) Tags
        • 5.3.1.7 Secure Wireless LANs (S-WLAN)
        • 5.3.1.8 Foreign Ownership, Control & Influence (FOCI)
      • 5.3.2 AUDIT AND ACCOUNTABILITY (AU)
        • 5.3.2.1 Audit Requirements
        • 5.3.2.2 Security Seals
      • 5.3.3 IDENTIFICATION AND AUTHENTICATION (IA)
        • 5.3.3.1 Identification and Authentication Management
        • 5.3.3.2 Generic or Group Accounts (8-505)
        • 5.3.3.3 Password Policy
        • 5.3.3.4 BIOS Password
      • 5.3.4 SYSTEM AND COMMUNICATIONS PROTECTION (SC)
        • 5.3.4.1 Data Transmission Protection
        • 5.3.4.2 Network Management and Protections
          • 5.3.4.2.1 Controlled Interfaces
        • 5.3.4.3 Classified Voice over IP (VOIP)/Video Teleconferencing (VTC)
        • 5.3.4.4 Thin Client Systems
        • 5.3.4.5 Masking/Coding/Disassociation
  • 6 System Security Plan Submission Process
    • 6.1 Variances
  • 7 Defense Industrial Base Cyber Security Accreditation Process (DIBNET)
  • 8 Reference List
  • 9 Glossary

References

  1. ^ "Executive Order 12829". FAS website. http://www.fas.org/irp/offdocs/eo12829.htm. Retrieved 2007-04-01. 
  2. ^ "NISP Brochure" (PDF). DSS. Archived from the original on 2006-04-20. http://web.archive.org/web/20060420050102/http://www.dss.mil/isec/nispbrochure.pdf. Retrieved 2007-04-01.  (59 KB)
  3. ^ "Download NISPOM". DSS. http://www.dss.mil/isp/fac_clear/download_nispom.html. Retrieved 2010-11-10. 
  4. ^ DoD (2006-02-28). "National Industrial Security Program Operating Manual (NISPOM)" (PDF). DSS. pp. 8–3-1. https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/nispom2006-5220.pdf#page=75. Retrieved 2008-11-13.  (1.92 MB)
  5. ^ "DSS Clearing & Sanitization Matrix" (PDF). DSS. 2007-06-28. http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf. Retrieved 2011-04-26.  (98 KB)
  6. ^ "Special Publication 800-88: Guidelines for Media Sanitization" (PDF). NIST. September 2006. http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf. Retrieved 2007-12-08.  (542 KB)

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • National Industrial Recovery Act — Front page of the National Industrial Recovery Act, as signed by President Franklin D. Roosevelt on June 16, 1933. The National Industrial Recovery Act (NIRA), officially known as the Act of June 16, 1933 (Ch. 90, 48 Stat. 195, formerly codified… …   Wikipedia

  • Security clearance — For use by the United Nations, see Security Clearance (UN) A security clearance is a status granted to individuals allowing them access to classified information, i.e., state secrets, or to restricted areas after completion of a thorough… …   Wikipedia

  • Security guard — Private factory guard Occupation Activity sectors Security Description A security guard (or security officer) is a person who is paid to protect pro …   Wikipedia

  • National Institutes of Technology — …   Wikipedia

  • National Security Agency — NSA redirects here. For other uses, see NSA (disambiguation). For the Bahraini intelligence agency, see National Security Agency (Bahrain). National Security Agency Agency overview …   Wikipedia

  • National Institute of Standards and Technology — NIST redirects here. For other uses, see NIST (disambiguation). National Institute of Standards and Technology Agency overview Headquarters Gaithersburg, Maryland …   Wikipedia

  • security and protection system — Introduction       any of various means or devices designed to guard persons and property against a broad range of hazards, including crime, fire, accidents, espionage, sabotage, subversion, and attack.       Most security and protection systems… …   Universalium

  • National Security Council (India) — The National Security Council (NSC) of India is the apex agency looking into the political, economic, energy and strategic security concerns of India. It was established by the A B Vajpayee government on 19 November 1998, with Brijesh Mishra as… …   Wikipedia

  • National Institute of Open Schooling — NIOS redirects here. For other uses, see Nios (disambiguation). NIOS National Institute of Open Schooling Formation November 3, 1989 (1989 11 03) (22 years ago) Type …   Wikipedia

  • National Commission for Minorities — Republic of India This article is part of the series: Politics and Government of India …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.