April 2017Mark A. Bradley, Director

The Evolving NISP: Navigating the Road Ahead

2

NISPOM revision

Revision to NISP Directive (32 CFR 2004)

DHS’s Classified Critical Infrastructure Protection Program

CUI program implementation

National Industrial Security Program (NISP)

3

“…single, cohesive, integrated program to ensure the protection of classified information in the hands of industry”

§ Established by E.O. 12829§ Implemented through 32 CFR 2004, NISP Directive§ NISPPAC addresses policy issues with government and industry§ 5 CSAs: DoD, DOE, NRC, ODNI, DHS§ DoD is Executive Agent

– Issues NISPOM for industry– Provides oversight services for executive branch agencies that are not one of the

CSAs

NISPOM Revision

Who: § DoD as Executive Agent§ NISPPAC NISPOM Rewrite Working Group chaired by ISOO

What:§ Updates 2006 NISPOM version§ Goal: up-to-date NISP operations

– Changing threat landscape– Cybersecurity environment

Major changes:§ Focuses solely on classified information. Removes references to “unclassified”.§ Removes government agency responsibilities§ Incorporates Risk Management Framework (RMF) for information systems§ Incorporates new national-level reporting requirements§ References other national-level policies as they apply, vice duplicating within the NISPOM

When:§ Estimated 2018 as a Federal Rule

4

NISP Directive (32 CFR 2004)

5

ISOO responsible for issuing the Directive to implement the NISP

Current version issued in 2010- Updated original 2006 version- Incorporated requirements and timelines for

NIDs

§ Establishes responsibilities for NISP agencies–ISOO–Executive Agent–CSAs–GCAs

32 CFR 2004 Revision

6

§ Adds insider threat responsibilities and requirements for NISP agencies (E.O. 13587)

§ Recognizes ODNI as a CSA (Intelligence Reform & Terrorism Prevention Act)

§ Recognizes DHS as a CSA and incorporates White House approved provisions for the DHS Critical Infrastructure Protection Program (CIPP) (E.O. 13691)

§ Fills policy gaps for NISP agencies to align with NISPOM provisions for contractors– Consistent standards for determinations of contractor eligibility for access to classified information– Consistent standards to determine and mitigate FOCI and make NIDs– Contract security classification responsibilities– Oversight of contractor industrial security programs– Terminology and definitions to accommodate all 5 CSAs

§ STATUS: Interagency and public review periods completed. Expect OMB to open another interagency review period before issuing as a final rule.

National Industrial Security Program Policy Advisory Committee (NISPPAC)

7

Addresses policy issues and other NISP matters of interest and concern

§ ISOO Director chairs§ 16 government and 8 industry members

– Subject to FACA– Meeting notices in the Federal Register– Meets 3x/year

§ Working groups– Personnel security– Assessment and authorization (information systems in industry)– Insider threat– NID– NISPOM rewrite

§ Next meeting: Wed. May 10, 2017, National Archives

NISPPAC INDUSTRY MEMBERS§ William Davidson Keypoint Government Services

Term: 2013-2017 e-mail: william.davidson@keypoint.us.com

§ Phil Robinson Squadron Defense GroupTerm: 2013-2017 e-mail: phillip.robinson@ssldma.com

§ Michelle Sutphin * BAE SystemsTerm: 2014-2018 e-mail: michelle.sutphin@baesystems.com* Industry Spokesperson

§ Martin Strones Strones EnterprisesTerm: 2014- 2018 e-mail: mstrones@gmail.com

§ Dennis Keith Harris CorporationTerm: 2015-2019 e-mail: Dkeith@harris.com

§ Quinton Wilkes L-3 Communications CorporationTerm: 2015-2019 e-mail: Quinton.Wilkes@L3T.com

§ Kirk Poulsen Leidos, IncTerm: 2016-2020 e-mail: Kirk.A.Poulsen@leidos.com

§ Robert Harney Northrup GrummanTerm: 2016-2020 e-mail: Robert.Harney@ngc.com

Why protect CUI?

§ The loss or improper safeguarding of CUI could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.― significant degradation in mission capability to an extent and duration that the organization is

able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

― significant damage to organizational assets; ― significant financial loss; or ― significant harm to individuals that does not involve loss of life or serious life threatening

injuries

§ The loss or improper safeguarding of CUI has a direct impact on national security

9

Impacts to National Security§ The OPM Data breach is a significant CUI incident

- Personnel files of 4.2 million former and current government employees. - Security clearance background investigation information on 21.5 million individuals.

OPM failed to implement a longstanding requirement to use multi-factor authentication for network access.

“The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known.”

– The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation September 7, 2016.

10

Government expense (to notify and protect those impacted) = $350 Million

32 CFR 2002§ Implements the CUI Program

– Establishes policy for designating, handling, and decontrolling information that qualifies as CUI

– Effective : November 14, 2016

§ Describes, defines, and provides guidance on the minimum protections (derived from existing agency practices) for CUI

– Physical and Electronic Environments– Marking– Sharing– Destruction– Decontrol

§ Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities)

11

NIST Special Publication 800-171 (Revision 1)

12

• Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI’sconfidentiality on non-Federal information systems.

• The NIST 800-171 is intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations.

• Establishes requirements for protecting CUI at the Moderate Confidentiality Impact Value.

• Non-tailorable requirements

• Flexibility in how to meet requirements

Federal Acquisition Regulation (FY18)

13

To promote standardization, the CUI Executive Agent plans to sponsor a Federal Acquisition Regulation (FAR) clause that uniformly apply the requirements contained in the 32 CFR Part 2002 and NIST SP 800-171 to industry.

Contracts

Implementation

§ CUI Notice 2016-01, Implementation Guidance for the Controlled Unclassified Information Program

– Allows for flexibility in meeting established milestones.

§ Implementation activities began on November 14, 2016 (effective date of 32 CFR 2002)

§ Implementation includes:– Policy– Training– Physical Safeguarding– Systems – Self Inspection– Contracts and agreements

14

Executive Branch Implementation = 3-5 years

ISOO Web Resources

§ ISOO web page:– http://www.archives.gov/isoo/

§ ISOO policy documents:– E.O. 12829:

• https://www.archives.gov/files/isoo/policy-documents/eo-12829-with-eo-13691-amendments.pdf

– Implementing Directive (32 C.F.R. Part 2004):• https://www.archives.gov/files/isoo/policy-documents/32-cfr-part-2004.pdf• https://www.archives.gov/files/isoo/policy-documents/32-cfr-part-2004-

amendment.pdf

§ NISP and NISPPAC pages– Member listings– Charter and Bylaws– Minutes of NISPPAC meetings

§ CUI web page:– https://www.archives.gov/cui

15