<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>NISPOM.US</title>
    <link>http://nispom.us/</link>
    <description>The Web Resource for the National Industrial Security Program and Cyber Security Business/Law</description>
    <lastBuildDate>Mon, 06 Feb 2012 09:15:51 -0000</lastBuildDate>
    <docs>http://backend.userland.com/rss/</docs>
    <generator>XOOPS</generator>
    <category>News</category>
    <managingEditor>userregistration at virginiawebresources dot com</managingEditor>
    <webMaster>userregistration at virginiawebresources dot com</webMaster>
    <language>en</language>
        <image>
      <title>NISPOM.US</title>
      <url>http://nispom.us/images/logo.png</url>
      <link>http://nispom.us/</link>
      <width>100</width>
      <height>34</height>
    </image>
            <item>
      <title>Obama Announces U.S.-Canada Beyond the Border and Regulatory Cooperation Council Initiatives</title>
      <link>http://nispom.us/modules/news/article.php?storyid=218</link>
      <description>The White House&lt;br /&gt;Office of the Press Secretary&lt;br /&gt;December 07, 2011 &lt;br /&gt;&lt;br /&gt;Fact Sheet: U.S.-Canada Beyond the Border and Regulatory Cooperation Council Initiatives&lt;br /&gt;&lt;br /&gt;Today, the United States and Canada enjoy the largest bilateral trade and investment relationship in the world.  Total trade and investment between the United States and Canada topped $1.1 trillion in 2010, and those numbers are growing. &lt;br /&gt;&lt;br /&gt;The United States and Canada are each other’s largest export market, with roughly 20 percent of all U.S. goods exports destined to Canada.  U.S. exports to Canada already support 1.7 million jobs, and in 2010 U.S. exports to Canada grew more than U.S. exports to the rest of the world.  Canada is the top export destination for 36 U.S. states. &lt;br /&gt;&lt;br /&gt;We share common infrastructure, including bridges, tunnels, pipelines, and electricity grids, and our supply chains are integrally linked, with a single good often crossing the shared border multiple times during its production cycle.&lt;br /&gt;&lt;br /&gt;Recognizing these dynamics, on February 4, 2011, President Barack Obama and Prime Minister Stephen Harper announced two initiatives to ensure that the vital economic partnership that joins our two countries continues to be the cornerstone of our economic competitiveness and security as we together face the challenges of the 21st century. &lt;br /&gt;&lt;br /&gt;Since the Leaders’ announcement, representatives from across the United States Government have worked with their Canadian counterparts to formulate the Beyond the Border (BTB) Action Plan and the Regulatory Cooperation Council (RCC) Action Plan being unveiled today.&lt;br /&gt;&lt;br /&gt;Together, these initiatives build on our well-established bilateral cooperation on trade, investment, emergency preparedness, security, and defense.  
BTB and RCC are complementary and promote transparency, efficiency, and the free and secure flow of people and trade across our borders while maintaining and expanding our already robust relationships that keep people, goods, and services safe and secure.&lt;br /&gt;&lt;br /&gt;Beyond the Border&lt;br /&gt;&lt;br /&gt;The BTB Action Plan sets out joint priorities for achieving a new long-term security partnership in four key areas, guided by mutual respect for sovereignty and our separate constitutional and legal frameworks that protect individual privacy: &lt;br /&gt;&lt;br /&gt;• addressing threats early;&lt;br /&gt;• promoting trade facilitation, economic growth, and jobs;&lt;br /&gt;• strengthening cross-border law enforcement; and&lt;br /&gt;• protecting shared critical infrastructure, including enhancing continental and global cybersecurity. &lt;br /&gt;&lt;br /&gt;The BTB Executive Steering Committee (ESC) will hold annual meetings to advance shared border management efforts and identify areas for further progress.  To ensure continued transparency and accountability, the BTB ESC will generate a joint, public “Beyond the Border Implementation Report” to summarize BTB cooperation annually.  Implementation of the BTB Action Plan will be carried out in close consultation with the wide array of interested stakeholders through appropriate lead agencies and will be subject to normal regulatory, legislative, and appropriations processes.&lt;br /&gt;&lt;br /&gt;Through implementation of the BTB Action Plan, the United States and Canada will address threats at the earliest possible point by enhancing our common understanding of the shared threat environment through joint, integrated threat assessments, and by improving our intelligence and national security information sharing.  
We will enhance domain awareness in air, maritime, and land environments, cooperate to counter violent extremism, and develop harmonized commercial passenger and cargo screening processes that will expedite the secure passage of people and goods.  We will conduct joint assessments of plant, animal, and food systems in third countries to keep our food supplies safe.  &lt;br /&gt;&lt;br /&gt;Additionally, the United States and Canada will enhance our trusted traveler and trader programs by aligning requirements, enhancing member benefits, and providing applicants with the opportunity to submit one application to be enrolled in multiple programs.  We will strive to facilitate business travel across our border, provide a single “window” for importers to submit information needed to comply with customs and other regulations, promote supply chain connectivity by harmonizing low-value shipment processes, and increase public transparency regarding application of border fees, with a view to providing greater accountability for costs to businesses and promoting trade competitiveness.&lt;br /&gt;&lt;br /&gt;To keep the flow of goods and people moving smoothly, we will enhance and expand the work of the twenty land border Binational Port Operations Committees established in 2011, coordinate our border infrastructure investment at key border crossings and at small and remote ports of entry to, where possible, align hours of operation and co-manage facilities.&lt;br /&gt;&lt;br /&gt;Building on existing cross-border law enforcement frameworks, we will implement a “Next Generation” pilot project to cooperate on national security and transnational criminal investigations and provide law enforcement radio interoperability.&lt;br /&gt;&lt;br /&gt;Finally, under the BTB Action Plan the United States and Canada will develop and enhance cross-border critical infrastructure and resilience, protect vital government and critical digital infrastructure of binational importance, and make 
cyberspace safer for all our citizens, while expanding our joint leadership on international cybersecurity efforts.  We also intend to mitigate the impact of binational disasters on communities by establishing procedures to manage land and maritime traffic in the event of a border area emergency, and enhance our collective preparedness for security threats of all types -- health, chemical, biological, radiological, nuclear, and explosive.&lt;br /&gt;&lt;br /&gt;Regulatory Cooperation&lt;br /&gt;&lt;br /&gt;The February Statement on Regulatory Cooperation recognized the critical importance of our $1 trillion annual bilateral trade and investment relationship and established the RCC with a two-year mandate to promote economic growth, job creation, and benefits to our consumers and businesses through increased regulatory transparency and coordination.  The United States and Canada intend to eliminate unnecessary burdens on cross-border trade, reduce costs, foster cross-border investment, and promote certainty for the general public and businesses, particularly small- and medium-sized enterprises operating near the border, by coordinating, simplifying, and ensuring where possible the compatibility of regulations.&lt;br /&gt;&lt;br /&gt;In March, a Federal Register Notice requested that the public submit ideas for suggested changes to existing regulations that would ease the transport and sale of goods and services on the other side of the border.  Given the integrated nature of our economies, greater alignment and better mutual reliance on our regulatory approaches will lead to lower costs for consumers and businesses, create more efficient supply chains, increase trade and investment, generate new export opportunities, and create jobs on both sides of the border.  
Building on the numerous comments received from the public, we have agreed to focus our initial work on: &lt;br /&gt;&lt;br /&gt;• agriculture and food;&lt;br /&gt;• transportation;&lt;br /&gt;• health, personal care products, and workplace chemicals; and&lt;br /&gt;• the environment.&lt;br /&gt;&lt;br /&gt;As we implement the Action Plans for BTB and RCC, U.S. and Canadian departments and agencies will continue to incorporate public feedback they receive through traditional mechanisms such as Federal Register Notices, websites, public meetings, and other public engagement.&lt;br /&gt;&lt;br /&gt;For more than forty years, the increasing integration of the economies of the United States and Canada has been the key to our two countries’ prosperity and security.  With these initiatives, we intend to work together to reduce and eliminate barriers to trade and investment, securing our shared competitiveness for the 21st century.&lt;br /&gt;</description>
      <pubDate>Fri, 13 Jan 2012 22:20:02 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=218</guid>
    </item>
        <item>
      <title>DSS Counterintelligence Directorate Releases &quot;Targeting U.S. Technologies: A Trend Analysis Reporting from Defense Industry&quot;</title>
      <link>http://nispom.us/modules/news/article.php?storyid=216</link>
      <description>(10/19/11) The DSS Counterintelligence Directorate has released the unclassified publication, &quot;Targeting U.S. Technologies: A Trend Analysis Reporting from Defense Industry.&quot; This report analyzes suspicious contact reports received from defense industry in fiscal year 2010. It is available online at &lt;a href=&quot;http://www.dss.mil/counterintel/2011-unclassified-trends.pdf&quot; title=&quot;http://www.dss.mil/counterintel/2011-unclassified-trends.pdf&quot; rel=&quot;external&quot;&gt;http://www.dss.mil/counterintel/2011-unclassified-trends.pdf&lt;/a&gt;</description>
      <pubDate>Wed, 19 Oct 2011 20:40:58 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=216</guid>
    </item>
        <item>
      <title>DoD, GSA, and NASA Propose Privacy Training Requirements</title>
      <link>http://nispom.us/modules/news/article.php?storyid=215</link>
      <description>DEPARTMENT OF DEFENSE &lt;br /&gt;GENERAL SERVICES ADMINISTRATION&lt;br /&gt;NATIONAL AERONAUTICS AND SPACE ADMINISTRATION&lt;br /&gt;&lt;br /&gt;48 CFR Parts 24 and 52&lt;br /&gt;[FAR Case 2010–013; Docket 2010–0013; &lt;br /&gt;Sequence 1]&lt;br /&gt;RIN 9000–AM02&lt;br /&gt;Federal Acquisition Regulation;&lt;br /&gt;Privacy Training, 2010–013&lt;br /&gt;&lt;br /&gt;AGENCY: Department of Defense (DoD),&lt;br /&gt;General Services Administration (GSA),&lt;br /&gt;and National Aeronautics and Space Administration (NASA).&lt;br /&gt;&lt;br /&gt;ACTION: Proposed rule.&lt;br /&gt;&lt;br /&gt;SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information.&lt;br /&gt;&lt;br /&gt;DATES: Interested parties should submit written comments to the Regulatory Secretariat at one of the addresses shown below on or before December 13, 2011 to be considered in the formation of the final rule.&lt;br /&gt;&lt;br /&gt;ADDRESSES: Submit comments in &lt;br /&gt;response to FAR case 2010–013 by any &lt;br /&gt;of the following methods:&lt;br /&gt;&lt;br /&gt;• Regulations.gov: &lt;a href=&quot;http://www.regulations.gov&quot; title=&quot;http://www.regulations.gov&quot; rel=&quot;external&quot;&gt;http://www.regulations.gov&lt;/a&gt;.&lt;br /&gt;Submit comments via the Federal eRulemaking portal by inputting ‘‘FAR Case 2010–013’’ under the heading ‘‘Enter Keyword or ID’’ and&lt;br /&gt;selecting ‘‘Search.’’ Select the link ‘‘Submit a Comment’’ that corresponds with ‘‘FAR Case 2010–013.’’ Follow the instructions provided at the ‘‘Submit a Comment’’ screen. 
Please include your name, company name (if any), and ‘‘FAR Case 2010–013’’ on your attached &lt;br /&gt;document.&lt;br /&gt;&lt;br /&gt;• Fax: (202) 501–4067.&lt;br /&gt;&lt;br /&gt;• Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.&lt;br /&gt;&lt;br /&gt;Instructions: Please submit comments only and cite FAR Case 2010–013, in all correspondence related to this case. All comments received will be posted without change to &lt;a href=&quot;http://www.regulations.gov&quot; title=&quot;http://www.regulations.gov&quot; rel=&quot;external&quot;&gt;http://www.regulations.gov&lt;/a&gt;, including any personal and/or business confidential information provided.&lt;br /&gt;&lt;br /&gt;FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement Analyst, at (202) 501–2364 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501–4755. Please cite FAR Case 2010–013.&lt;br /&gt;&lt;br /&gt;SUPPLEMENTARY INFORMATION:&lt;br /&gt;&lt;br /&gt;I. Background&lt;br /&gt;&lt;br /&gt;DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart 24.3, entitled ‘‘Privacy Training,’’ and related clause to ensure that contractors identify employees who require access&lt;br /&gt;to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government,&lt;br /&gt;and who, therefore, are required to complete privacy training initially upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have &lt;br /&gt;completed the required training and, upon request, provide those records to the Government. 
This rule does not apply to commercial items.&lt;br /&gt;&lt;br /&gt;These requirements are consistent with subsection (e), Agency requirements, and subsection (m), Government contractors, of the Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding personally identifiable information include the E–Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002, and Federal guidance from the Office of Management and Budget (OMB), e.g., OMB Memorandum M–07–16, entitled ‘‘Safeguarding Against and Responding to the Breach of Personally Identifiable Information,’’ issued May 22, 2007; OMB Memorandum M–10–23, entitled ‘‘Guidance for Agency Use of Third-Party Web sites and Applications,’’ issued June 25, 2010 (this memorandum contains the most current definition of personally identifiable information, and clarifies the definition provided in M–07–16); and OMB Circular No. A–130, entitled ‘‘Management of Federal Information Resources,’’ which address significant requirements for safeguarding and handling personally identifiable information and reporting any theft, loss, or compromise of such information. In addition, FAR subpart 24.1 requires that Federal agencies contracting for the design, development, or operation of a system of records on individuals must extend all Privacy Act safeguards to the contractor and its employees working on the contract. Minimum requirements for privacy training are proposed for the coverage in order to ensure consistency across the Government. For example, any privacy training must address the protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. 
The proposed FAR text includes seven mandatory elements of the privacy training, including any agency-specific requirements. Many agencies currently require that designated contractor employees complete agency-developed privacy training, but, in some circumstances, an agency may provide a contractor with the Privacy Act requirements and have the contractor develop the training package. While the use of an agency-developed privacy training package is the most common approach, and the approach embodied in the clause at FAR 52.224–XX, Privacy Training, the proposed FAR language provides an Alternate I to the FAR clause for those cases where the agency prefers to have the contractor create the privacy training package. Additionally, the proposed FAR language provides an Alternate II to the FAR clause for those instances when it’s determined to be in the best interest of the Government for a contractor employee to attend agency provided privacy training.&lt;br /&gt;&lt;br /&gt;Under the proposed FAR rule, a contractor employee who requires access to a Government system of records will be granted or allowed to retain such access only if the individual has (1) Completed privacy training and (2) met all other applicable agency requirements.&lt;br /&gt;&lt;br /&gt;II. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. 
This rule is not a major rule under 5 U.S.C. 804.&lt;br /&gt;&lt;br /&gt;III. Regulatory Flexibility Act The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows:&lt;br /&gt;&lt;br /&gt;This proposed rule was initiated to ensure that contractor personnel who handle personally identifiable information; design,&lt;br /&gt;develop, maintain, or operate a system of records on behalf of the Government; or require access to a Government-owned system of records are properly trained on the requirements of applicable laws and appropriate safeguards to ensure the security and confidentiality of personally identifiable information.&lt;br /&gt;Such training of contractor employees is required by provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government Act of 2002, the Office of Management and Budget (OMB) Memorandum M–07–16, and existing Privacy Act clauses (52.224–1 and 52.224–2). Various other statutes, applicable authorities, and memoranda address the responsibility of Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements pertaining to the handling and safeguarding of personally identifiable information. The list includes, but is not limited to the following:&lt;br /&gt;• The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541);&lt;br /&gt;• OMB Memorandum M–06–15, Safeguarding Personally Identifiable Information; and&lt;br /&gt;• OMB Circular No. A–130, Management of Federal Information Resources.&lt;br /&gt;&lt;br /&gt;The proposed rule requires all contractors with contracts that require employees to have access to personally identifiable information to complete training that addresses the statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 
552a), and the handling and safeguarding of personally identifiable information. This rule requires the contractor to identify its employees who require access, ensure that those employees complete agency-provided privacy training before being granted access and annually thereafter, and maintain records of the training. In a few cases, the content of the training will not be provided by the agency but will be created by the contractor in accordance with Alternate I to the clause at FAR 52.224–XX.&lt;br /&gt;&lt;br /&gt;Alternate II to the clause at FAR 52.224–XX if it is determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training. This rule does not apply to commercial items.&lt;br /&gt;&lt;br /&gt;Information obtained from the Federal Procurement Data System for Fiscal Year 2009 demonstrates that 98,864 small business concerns were awarded contracts and 197,728 firms were awarded subcontracts. However, only contracts for the types of work identified in the paragraphs above will be subject to the privacy-training requirement. We estimated that approximately one-half of one percent of all small business Government prime contractors and subcontractors will be required to conduct privacy training as follows:&lt;br /&gt;&lt;br /&gt;Small business prime contractors&lt;br /&gt;........................................ 98,864&lt;br /&gt;Small business subcontractors + 197,728&lt;br /&gt;Total small businesses ..... 296,592&lt;br /&gt;Percent w/privacy-training requirement............................. × 0.005&lt;br /&gt;Number of small businesses impacted ............................... 1,483&lt;br /&gt;&lt;br /&gt;Recordkeeping associated with this proposed rule is minimal; there are no required formats or templates for the records, and they will be retained by the contractor in most cases. 
The Government only will request a contractor’s training records on an exception basis, i.e., if the Government has a particular reason to check on a contractor’s compliance with the training requirement. The Regulatory Secretariat will be submitting a copy of the Interim Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2010–013) in correspondence.&lt;br /&gt;&lt;br /&gt;IV. Paperwork Reduction Act&lt;br /&gt;&lt;br /&gt;The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The proposed rule contains information collection requirements. Accordingly, the Regulatory Secretariat has submitted a request for approval of a new information collection requirement concerning ‘‘Privacy Training’’ to the Office of Management and Budget.&lt;br /&gt;&lt;br /&gt;A. Public reporting burden for this collection of information is estimated to average one hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The recordkeeping requirements are minor, and records generally will be retained within the contractor’s organization. 
While a contractor is required to identify its employees who require initial privacy training and annual privacy training thereafter, there is no requirement to collect this information in a particular format or provide it to the Government, other than on an exception basis, i.e., when there is an indication that the contractor is not complying with the training requirements.&lt;br /&gt;&lt;br /&gt;The annual reporting burden is estimated as follows:&lt;br /&gt;Respondents ............................. 148&lt;br /&gt;Responses per respondent ...... 1&lt;br /&gt;Total annual responses .... 148&lt;br /&gt;Preparation hours per response................................... 1&lt;br /&gt;Total response burden hours .............................. 148 &lt;br /&gt;&lt;br /&gt;B. Request for Comments Regarding Paperwork Burden.&lt;br /&gt;Submit comments, including suggestions for reducing this burden, not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, NEOB, Washington, DC 20503, and a copy to the General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.&lt;br /&gt;&lt;br /&gt;Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of functions of the FAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.&lt;br /&gt;&lt;br /&gt;Requester may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat (MVCB), Attn: Hada Flowers, 1275 First Street, 
NE., 7th Floor, Washington, DC 20417. Please cite OMB Control Number 9000–0182, FAR Case 2010–013, Privacy Training, in correspondence.&lt;br /&gt;&lt;br /&gt;List of Subjects in 48 CFR Parts 24 and 52&lt;br /&gt;&lt;br /&gt;Government procurement.&lt;br /&gt;Dated: October 6, 2011.&lt;br /&gt;Laura Auletta, &lt;br /&gt;Acting Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy.&lt;br /&gt;Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 52 as set forth below:&lt;br /&gt;&lt;br /&gt;1. The authority citation for 48 CFR parts 24 and 52 continues to read as follows:&lt;br /&gt;Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).&lt;br /&gt;&lt;br /&gt;PART 24—PROTECTION OF PRIVACY &lt;br /&gt;AND FREEDOM OF INFORMATION&lt;br /&gt;2. Add subpart 24.3 to read as follows:&lt;br /&gt;&lt;br /&gt;Subpart 24.3—Privacy Training&lt;br /&gt;Sec.&lt;br /&gt;24.301 Privacy Training.&lt;br /&gt;&lt;br /&gt;24.302 Contract clause.&lt;br /&gt;&lt;br /&gt;Subpart 24.3—Privacy Training&lt;br /&gt;§ 24.301 Privacy training.&lt;br /&gt;&lt;br /&gt;(a) Contractors are responsible for conducting initial privacy training, and annual privacy training thereafter, for employees who—&lt;br /&gt;(1) Require access to a Government system of records;&lt;br /&gt;(2) Handle personally identifiable information; or&lt;br /&gt;(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see subpart 24.1 and 39.105).&lt;br /&gt;&lt;br /&gt;(b) Agencies shall provide contractors with the privacy training materials (in a format deemed appropriate) necessary to satisfy the requirement described in paragraph (a) of this section unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials (see 24.302(b)).&lt;br /&gt;&lt;br /&gt;(c) Privacy training shall, at a minimum, address—&lt;br /&gt;(1) The protection of privacy, in accordance 
with the Privacy Act (5 U.S.C. 552a);&lt;br /&gt;(2) The handling and safeguarding of personally identifiable information; &lt;br /&gt;(3) The authorized and official use of a Government system of records;&lt;br /&gt;(4) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;&lt;br /&gt;(5) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;&lt;br /&gt;(6) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur; and&lt;br /&gt;(7) Any agency-specific privacy training requirements.&lt;br /&gt;&lt;br /&gt;(d) The contractor is responsible for ensuring that employees identified in paragraph (a) of this section complete the required training and maintain evidence of appropriate training completed. 
The contractor is required, upon request, to provide evidence of completion of privacy training for all applicable employees.&lt;br /&gt;&lt;br /&gt;(e) Each contractor employee who requires access to a Government system of records, handles personally identifiable information, or designs, develops, maintains, or operates a Government system of records, shall be granted or allowed to retain such access only if the individual—&lt;br /&gt;(1) Has completed agency-mandated privacy training that, at a minimum, addresses the elements in paragraph (c) of this section; and&lt;br /&gt;(2) Has met all other applicable agency requirements.&lt;br /&gt;&lt;br /&gt;§ 24.302 Contract clause.&lt;br /&gt;(a) When contractor employees will have access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records, the contracting officer shall insert the clause at FAR 52.224–XX, Privacy Training, in solicitations and contracts.&lt;br /&gt;(b) When the contracting officer elects to have the contractor provide its own privacy training materials, use Alternate I in lieu of paragraph (a) of the basic clause.&lt;br /&gt;(c) When an agency elects to provide privacy training to contractor employees, use Alternate II in lieu of paragraph (a) of the basic clause.&lt;br /&gt;&lt;br /&gt;PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES&lt;br /&gt;&lt;br /&gt;3. Add section 52.224–XX to read as follows:&lt;br /&gt;52.224–XX Privacy Training.  
As prescribed in 24.302(a), insert the following clause:&lt;br /&gt;&lt;br /&gt;Privacy Training (Date)&lt;br /&gt;(a) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using the Government-provided privacy training materials, for employees who—&lt;br /&gt;(1) Require access to a Government system of records;&lt;br /&gt;(2) Handle personally identifiable information; or&lt;br /&gt;(3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).&lt;br /&gt;&lt;br /&gt;(b) The Contractor shall ensure that its employees, as identified in paragraph (a) of this clause, complete the required training in a timely manner. In addition, the Contractor shall maintain privacy training records, and, upon request, shall provide to the Contracting Officer evidence of privacy training completed for applicable employees.&lt;br /&gt;&lt;br /&gt;(c) The Contractor shall not grant any employee access to a Government system of records or personally identifiable information until the employee has completed privacy training, as required by this clause, and has met all other applicable agency requirements. &lt;br /&gt;&lt;br /&gt;(d) The substance of this clause, including this paragraph (d), shall be included in all subcontracts under this contract, when subcontractor employees will (1) have access to a Government system of records, (2) handle personally identifiable information, or (3) design, develop, maintain, or operate a system of records on behalf of the Federal Government.&lt;br /&gt;&lt;br /&gt;(End of clause)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Alternate I (Date). 
If the agency elects to have the Contractor provide its own privacy training materials, substitute the following paragraph (a) for paragraph (a) of the basic clause:&lt;br /&gt;(a)(1) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using its own privacy training materials, for employees who—&lt;br /&gt;(i) Require access to a Government system of records;&lt;br /&gt;(ii) Handle personally identifiable information; or&lt;br /&gt;(iii) Design, develop, maintain or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105).&lt;br /&gt;&lt;br /&gt;(2) The privacy-training materials shall, at a minimum, address—&lt;br /&gt;(i) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);&lt;br /&gt;(ii) The handling and safeguarding of personally identifiable information;&lt;br /&gt;(iii) The authorized and official use of a Government system of records;&lt;br /&gt;(iv) Restrictions on the use of personally owned equipment to process, access, or store personally identifiable information;&lt;br /&gt;(v) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or a system of records on behalf of the Federal Government;&lt;br /&gt;(vi) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and&lt;br /&gt;(vii) Any agency-specific privacy training requirements specified by the Contracting Officer.&lt;br /&gt;&lt;br /&gt;Alternate II (Date). 
If the agency elects to provide privacy training to contractor employees, substitute the following paragraph (a) for paragraph (a) of the basic clause:&lt;br /&gt;(a)(1) The Government shall provide initial privacy training, and annual privacy training thereafter, to contractor employees who—&lt;br /&gt;(i) Require access to a Government system of records;&lt;br /&gt;(ii) Handle personally identifiable information; or&lt;br /&gt;(iii) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also subpart 24.1 and 39.105).&lt;br /&gt;(2) The Government will conduct privacy training to Contractor employees in the same format given its own employees (e.g., lecture, computer-based training, Web-based training, video conferencing, etc.).&lt;br /&gt;&lt;br /&gt;[FR Doc. 2011–26546 Filed 10–13–11; 8:45 am]</description>
      <pubDate>Mon, 17 Oct 2011 17:20:58 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=215</guid>
    </item>
        <item>
      <title>ISL 2011-04 - September 23, 2011 - (1-302a) Adverse Information</title>
      <link>http://nispom.us/modules/news/article.php?storyid=212</link>
<description>ISL 2011-04&lt;br /&gt;September 23, 2011&lt;br /&gt;&lt;br /&gt;(1-302a) Adverse Information&lt;br /&gt;&lt;br /&gt;“National Industrial Security Program Operating Manual” (NISPOM) requires that contractors report to DSS any adverse information coming to their attention concerning their cleared employees (Cleared employees: All contractor employees granted personnel security clearances (PCLs) and all employees being processed for PCLs (Appendix C, “Definitions,” NISPOM)). Adverse information consists of any information that negatively reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security.&lt;br /&gt;&lt;br /&gt;Examples of adverse information include culpability for security violations meeting the criteria of paragraph 1-304, NISPOM, use of illegal drugs, excessive use of alcohol, wage garnishments or other indications of financial instability, repeated instances of failing to follow established security procedures, the unauthorized release of classified information and/or unauthorized access to classified information systems, or other violations of information systems security requirements.&lt;br /&gt;&lt;br /&gt;Contractors are reminded that any adverse information coming to their attention regarding cleared employees must be reported for the full duration of the individual’s employment with the company. An individual’s anticipated departure or termination of employment, for whatever reason, and whether imminent or not, does not change the contractor’s reporting responsibility.&lt;br /&gt;&lt;br /&gt;Adverse information reports submitted pursuant to NISPOM 1-302a should be recorded as an incident report in the Joint Personnel Adjudication System (JPAS). 
The Defense Industrial Security Clearance Office (DISCO) will make a final determination of continued eligibility.&lt;br /&gt;</description>
      <pubDate>Thu, 13 Oct 2011 18:53:07 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=212</guid>
    </item>
        <item>
      <title>Obama Issues Cybersecurity Executive Order</title>
      <link>http://nispom.us/modules/news/article.php?storyid=211</link>
      <description>The White House&lt;br /&gt;Office of the Press Secretary&lt;br /&gt;&lt;br /&gt;For Immediate Release October 07, 2011&lt;br /&gt;&lt;br /&gt;&lt;div style=&quot;text-align: center;&quot;&gt;&lt;strong&gt;Executive Order -- Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information&lt;/strong&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;EXECUTIVE ORDER&lt;br /&gt;&lt;br /&gt;STRUCTURAL REFORMS TO IMPROVE THE SECURITY OF CLASSIFIED NETWORKS AND THE RESPONSIBLE SHARING AND SAFEGUARDING OF CLASSIFIED INFORMATION&lt;br /&gt;&lt;br /&gt;By the authority vested in me as President by the Constitution and the laws of the United States of America and in order to ensure the responsible sharing and safeguarding of classified national security information (classified information) on computer networks, it is hereby ordered as follows: &lt;br /&gt;&lt;br /&gt;Section 1. Policy. Our Nation&#039;s security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely. Computer networks have individual and common vulnerabilities that require coordinated decisions on risk management.&lt;br /&gt;&lt;br /&gt;This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. 
These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government. These policies and minimum standards will address all agencies that operate or access classified computer networks, all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the Federal Government), and all classified information on those networks.&lt;br /&gt;&lt;br /&gt;Sec. 2. General Responsibilities of Agencies.&lt;br /&gt;&lt;br /&gt;Sec. 2.1. The heads of agencies that operate or access classified computer networks shall have responsibility for appropriately sharing and safeguarding classified information on computer networks. 
As part of this responsibility, they shall:&lt;br /&gt;&lt;br /&gt;(a) designate a senior official to be charged with overseeing classified information sharing and safeguarding efforts for the agency;&lt;br /&gt;&lt;br /&gt;(b) implement an insider threat detection and prevention program consistent with guidance and standards developed by the Insider Threat Task Force established in section 6 of this order;&lt;br /&gt;&lt;br /&gt;(c) perform self-assessments of compliance with policies and standards issued pursuant to sections 3.3, 5.2, and 6.3 of this order, as well as other applicable policies and standards, the results of which shall be reported annually to the Senior Information Sharing and Safeguarding Steering Committee established in section 3 of this order;&lt;br /&gt;&lt;br /&gt;(d) provide information and access, as warranted and consistent with law and section 7(d) of this order, to enable independent assessments by the Executive Agent for Safeguarding Classified Information on Computer Networks and the Insider Threat Task Force of compliance with relevant established policies and standards; and&lt;br /&gt;&lt;br /&gt;(e) detail or assign staff as appropriate and necessary to the Classified Information Sharing and Safeguarding Office and the Insider Threat Task Force on an ongoing basis.&lt;br /&gt;&lt;br /&gt;</description>
      <pubDate>Fri, 07 Oct 2011 17:46:55 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=211</guid>
    </item>
        <item>
      <title>Presidential Proclamation--National Cybersecurity Awareness Month</title>
      <link>http://nispom.us/modules/news/article.php?storyid=210</link>
      <description>The White House&lt;br /&gt;Office of the Press Secretary&lt;br /&gt;&lt;br /&gt;For Immediate Release October 03, 2011 &lt;br /&gt;Presidential Proclamation--National Cybersecurity Awareness Month&lt;br /&gt;NATIONAL CYBERSECURITY AWARENESS MONTH, 2011&lt;br /&gt;&lt;br /&gt;BY THE PRESIDENT OF THE UNITED STATES OF AMERICA&lt;br /&gt;&lt;br /&gt;A PROCLAMATION&lt;br /&gt;&lt;br /&gt;Americans, along with people around the world, depend on the Internet and digital tools for all aspects of our lives -- from mobile devices to online commerce and social networking.  This fundamental reliance is why our digital infrastructure is a strategic national asset, and why its security is our shared responsibility.  This month, we recognize the role we all play in ensuring our information and communications infrastructure is interoperable, secure, reliable, and open to all.&lt;br /&gt;&lt;br /&gt;Early in my Administration, we began updating our Nation&#039;s cybersecurity programs and policies.  We developed a comprehensive plan that ensures a coordinated national response to major disruptive cyber events.  This May, we also proposed to the Congress a plan to strengthen protection of our power grids, water systems, and other critical infrastructure.  And because we have seen the benefits and risks of cyber- and information-related technologies play out across the world, this year we laid out the first comprehensive international vision for the future of the Internet.  It sets an agenda for partnering with other nations and better defines how we can ensure the secure, free flow of information and promote universal rights, privacy, and prosperity.&lt;br /&gt;&lt;br /&gt;Every American has a stake in securing our networks and personal information, and we are working across the public and private sectors to ensure coordinated and planned responses to cyber incidents, as we do with natural disasters.  
The vast majority of our critical information infrastructure is owned and operated by businesses and enterprises across America.  To help protect them, my Administration is collaborating with the private sector on best security practices, while continuing to provide the resources necessary for innovation -- including expanded broadband access and smarter electric grids.&lt;br /&gt;&lt;br /&gt;Cybersecurity is a necessity for both businesses and consumers, and that is why we released the National Strategy for Trusted Identities in Cyberspace.  This plan improves security for consumers conducting e-commerce by helping prevent fraud and identity theft and by making it easier for businesses to operate online.  We are also working with community-based organizations and public- and private-sector partners to empower digital citizens to make safe choices online through our &quot;Stop. Think. Connect.&quot; campaign.&lt;br /&gt;&lt;br /&gt;The same American ingenuity that put a man on the moon also created the Internet, launching an information revolution.  We must now harness that spirit of innovation to develop the next generation of accessible, secure technologies to build a safer, more prosperous future for all Americans.&lt;br /&gt;&lt;br /&gt;NOW, THEREFORE, I, BARACK OBAMA, President of the United States of America, by virtue of the authority vested in me by the Constitution and the laws of the United States, do hereby proclaim October 2011 as National Cybersecurity Awareness Month.  
I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.&lt;br /&gt;&lt;br /&gt;IN WITNESS WHEREOF, I have hereunto set my hand this third day of October, in the year of our Lord two thousand eleven, and of the Independence of the United States of America the two hundred and thirty-sixth.&lt;br /&gt;&lt;br /&gt;BARACK OBAMA&lt;br /&gt;</description>
      <pubDate>Fri, 07 Oct 2011 14:52:23 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=210</guid>
    </item>
        <item>
      <title>DoD Requests Public Input on Commercial Item Handbook</title>
      <link>http://nispom.us/modules/news/article.php?storyid=209</link>
<description>On July 1, 2009, DoD published a request for public input on the draft Commercial Item Handbook issued by the Office of the Secretary of Defense (Acquisition, Technology, and Logistics) in November 2001. Comments were received and incorporated. A draft of the updated Commercial Item Handbook can be found at &lt;a href=&quot;http://www.acq.osd.mil/dpap/cpic/draftcihandbook08012011.docx&quot; title=&quot;http://www.acq.osd.mil/dpap/cpic/draftcihandbook08012011.docx&quot; rel=&quot;external&quot;&gt;http://www.acq.osd.mil/dpap/cpic/draftcihandbook08012011.docx&lt;/a&gt;. DoD is seeking industry input on the contents before finalizing the Handbook.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You may submit comments to the Office of the Director, Defense Procurement and Acquisition Policy, Attention OUSD(AT&amp;L)DPAP/CPIC, 3060 Defense Pentagon, Washington, DC 20301-3060. Comments also may be submitted by e-mail to &lt;a href=&quot;mailto:CI_Handbook@osd.mil&quot; title=&quot;CI_Handbook@osd.mil&quot;&gt;CI_Handbook@osd.mil&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;</description>
      <pubDate>Wed, 05 Oct 2011 17:35:53 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=209</guid>
    </item>
        <item>
      <title>DISCO News</title>
      <link>http://nispom.us/modules/news/article.php?storyid=206</link>
      <description>(09/09/11) Organizational Information Required on an SF312 (Effective 10/1/2011). As of Oct. 1, 2011, the Defense Industrial Security Clearance Office will no longer accept an SF312, Classified Information Nondisclosure Agreement, without the organizational information (located in block 11). Please ensure all required blocks are complete or the SF312 will be considered incomplete and returned for correction.&lt;br /&gt;&lt;br /&gt;Note: reprinted below for reference is a 2006 notice re SF312:&lt;br /&gt;Classified Information non-Disclosure Agreements (SF-312) Guidance&lt;br /&gt;Last Updated July 2006&lt;br /&gt;&lt;br /&gt;NISPOM Paragraph 3-105 requires that an individual issued an initial personnel security clearance (PCL) execute a Classified Information Nondisclosure Agreement (SF-312) prior to being granted access to classified information and that the completed form is forwarded to the Cognizant Security Agency for retention. The Facility Security Officer (FSO) should annotate in the Joint Personnel Adjudication System (JPAS) the date the SF-312 was executed and submit the completed original SF-312 to Defense Industrial Security Clearance Office (DISCO) for retention.&lt;br /&gt;&lt;br /&gt;If JPAS reflects an SF-312 was previously executed, it is not necessary to complete another form.&lt;br /&gt;&lt;br /&gt;If the FSO is unable to annotate JPAS, DISCO will do so upon receipt of the form. 
The date entered in JPAS should be the date the employee signed the form, and it should not be changed, since DISCO uses this date to file and retrieve the SF-312 from the archives.&lt;br /&gt;&lt;br /&gt;The form should be mailed to:&lt;br /&gt;&lt;br /&gt;Defense Industrial Security Clearance Office&lt;br /&gt;600 10th Street&lt;br /&gt;Fort Meade, MD 20755&lt;br /&gt;&lt;br /&gt;You will be notified and a new SF-312 will be required for any SF-312 not meeting the following criteria:&lt;br /&gt;&lt;br /&gt;Employee Social Security Number is incomplete or omitted &lt;br /&gt;Signature of employee is typed or omitted &lt;br /&gt;Witness signature is typed or omitted &lt;br /&gt;Employee and witness signature dates must be the same &lt;br /&gt;&lt;br /&gt;A copy of Form 312 is available via the downloads area of this website.</description>
      <pubDate>Wed, 14 Sep 2011 16:17:26 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=206</guid>
    </item>
        <item>
      <title>NEW - Security Rating Matrix</title>
      <link>http://nispom.us/modules/news/article.php?storyid=205</link>
      <description>8/26/11 - On August 29, 2011, the Defense Security Service (DSS) will begin utilizing a newly designed security rating process to determine ratings assigned at the conclusion of a DSS National Industrial Security Program (NISP) inspection. The phased implementation will be deployed by Region as follows:&lt;br /&gt;&lt;br /&gt;Capital Region: August 29, 2011 &lt;br /&gt;Northern Region: September 26, 2011 (TENTATIVE) &lt;br /&gt;Southern/Western Region: October 24, 2011 (TENTATIVE) &lt;br /&gt;DSS recognizes the importance of a consistent, objective approach to issuing security ratings as part of its security oversight role. The new security rating process utilizes a calculation worksheet. The worksheet is a DSS tool, designed to standardize and improve consistency during the rating process. It is numerically based, quantifiable, and accounts for all aspects of a facility&#039;s involvement in the NISP. &lt;br /&gt;&lt;br /&gt;At the conclusion of all inspections, DSS will share the rating results to include positive areas of a security program, security findings, and suggested improvements identified during the inspection. For your reference, please see the &lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.dss.mil/isp/fac_clear/documents/rating-calculation-worksheet.xls&quot; rel=&quot;external&quot; title=&quot;&quot;&gt;security rating calculation template&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.dss.mil/isp/fac_clear/security-rating-matrix.html&quot; rel=&quot;external&quot; title=&quot;&quot;&gt;Industry Frequently Asked Questions&lt;/a&gt;</description>
      <pubDate>Thu, 01 Sep 2011 15:40:00 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=205</guid>
    </item>
        <item>
      <title>Questions Posed at National Defense Industrial Association Meeting with Answers from the Defense Security Service</title>
      <link>http://nispom.us/modules/news/article.php?storyid=204</link>
<description>Questions Posed at National Defense Industrial Association Meeting with Answers from the Defense Security Service&lt;br /&gt;&lt;br /&gt;August 25, 2011&lt;br /&gt;&lt;br /&gt;DSS representatives were invited to speak at a meeting of the National Defense Industrial Association that took place from 22-26 May 2011. The following questions were posed to DSS during that meeting. The answers have been prepared by DSS based on current industrial security policy and practices, and are being posted to the DSS public web site for the information of all companies participating in the National Industrial Security Program. Questions or concerns about this document should be addressed to &lt;a href=&quot;mailto:ISFO@dss.mil&quot; title=&quot;ISFO@dss.mil&quot;&gt;ISFO@dss.mil&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Question 1: Can we get direct access to the C &amp; A documents on your website rather than having to request them?&lt;br /&gt;&lt;br /&gt;Answer: Not at this time; however, DSS is working to roll out a solution to place ODAA documents behind secure logon. Accessing the ODAA document repository through secure login will require DoD PKI or Common Access Cards (CAC). The decision to remove C&amp;A templates from the DSS public website a few years ago was based on a desire to minimize distribution and publication of information system configuration settings outside of NISP participants. Other DoD agencies post some of their baseline standards and C&amp;A documents on public sites while restricting access to portions of the information to individuals whose identity is authenticated with PKI. 
DSS will continue to provide the documents through email upon request by NISP contractor sites/ISSMs, etc.&lt;br /&gt;&lt;br /&gt;Information on PKI can be found at iase.disa.mil/pki/eca/index.html for DoD PKI through the Defense Information Systems Agency (DISA) External Certification Program (ECA).&lt;br /&gt;&lt;br /&gt;Question 2: What direction has the Defense Security Service (DSS) received from the Department of Defense (DoD) with respect to DoD 8570.01M? What does the DSS believe may come down in the future 1-2 years?&lt;br /&gt;&lt;br /&gt;Answer: DSS has received no specific guidance from DoD regarding the applicability of DoD 8570.01-M to contractors. As DSS sees it, DoD 8570.01-M requirements applicable to contractors would have to be incorporated in the applicable contract. DSS has seen DoD 8570.01-M requirements incorporated in a few contracts to date. It is possible that Government Contracting Activities will require certification of certain personnel in accordance with DoD 8570.01-M more frequently in the future, in particular for Information System Security Managers (ISSMs) responsible for SIPRnet and other systems connected to the Global Information Grid (GiG); however, DSS cannot predict this with any certainty. &lt;br /&gt;&lt;br /&gt;Question 3: Memorandums of Understanding (MOUs) are government to government agreements/understandings. Industry often has to author these documents and it is very cumbersome to discover who, how, what, why and involve the correct stakeholders. It seems we need a better MOU process…how can the DSS help? &lt;br /&gt;&lt;br /&gt;Answer: After the need for system interconnection and the requirement for an MOU/MOA have been identified, the contractor may provide a copy of the DSS MOU template to the other government DAA office (typically the GCA or related office), or may refer this to the ODAA at DSS HQ through the local ISSP/Field Office. 
The most efficient way to process an MOU is to provide a copy of the DSS template to the other Government DAA office, along with instructions to contact the DSS ISSP and/or the ODAA at &lt;a href=&quot;mailto:ODAA@dss.mil&quot; title=&quot;ODAA@dss.mil&quot;&gt;ODAA@dss.mil&lt;/a&gt; directly to initiate coordination of the MOU. The non-DSS DAA office and DSS ODAA will coordinate the MOU for signature and provide a copy back to the field sites upon completion.&lt;br /&gt;&lt;br /&gt;Question 4: Do you send out a summary of the industry Q &amp; A sessions to your field personnel to ensure they are aware of the outcomes of our meetings? &lt;br /&gt;&lt;br /&gt;Answer: The public DSS website contains Q &amp; As for all commonly asked NISPOM related questions. The site is updated weekly; however, more detailed questions are dealt with on a case-by-case basis. We will ensure this summary is posted on both our internal and external DSS sites.&lt;br /&gt;&lt;br /&gt;Question 5: Can the DSS web site include a Frequently Asked Questions that is updated as DSS Headquarters (HQ) makes determinations based on individual company inquiries when the resolution is of interest to industry as a whole? &lt;br /&gt;&lt;br /&gt;Answer: The DSS website does include answers to Frequently Asked Questions that would be of interest to the contractor community as a whole. &lt;br /&gt;&lt;br /&gt;Question 6: Where is it written when an Administrative Inquiry (AI) is initially reported, when an initial AI is sent to the DSS Field Office, and when a final AI is submitted? What is the expected timeline for disciplinary action? &lt;br /&gt;&lt;br /&gt;Answer: This is a three part question, with each part answered separately below. &lt;br /&gt;&lt;br /&gt;a. The policy for conducting administrative inquiries can be found at NISPOM paragraph 1-303.&lt;br /&gt;&lt;br /&gt;b. 
The NISPOM does not identify the specific number of days allowed for completing the preliminary inquiry, initial report or final report, but rather, uses language to express the need for industry to expedite the processing of violations and the conducting of the administrative inquiry. NISPOM 1-303a directs contractors to &quot;immediately&quot; conduct a preliminary inquiry. NISPOM 1-303b states that the report to the CSA shall be &quot;promptly&quot; submitted. And lastly, at paragraph 1-303c, the NISPOM directs the company to submit the final report &quot;upon completion&quot;.&lt;br /&gt;&lt;br /&gt;DSS has provided training and guidance to industry on appropriate timeframes associated with conducting administrative inquiries in line with NISPOM requirements. For example, specific timeframes for each of these requirements can be found in the Defense Security Service Administrative Inquiry Process Job Aid (available from the DSS Center for Development of Security Excellence (CDSE) at [insert URL]). This guide outlines the following timeframes, which are not mandatory, but recommended.&lt;br /&gt;&lt;br /&gt;Preliminary Inquiry and Initial Report - &lt;br /&gt;Top Secret: within 24 hours (1 day)&lt;br /&gt;Secret/Confidential: within 72 hours (3 days)&lt;br /&gt;&lt;br /&gt;Final Report – &lt;br /&gt;Top Secret/Secret/Confidential: within 15 days of discovery&lt;br /&gt;&lt;br /&gt;c. Individual Culpability Reporting procedures are outlined in NISPOM 1-304. This paragraph stipulates that a statement of administrative action should be included along with the final report to the CSA, and it also defines what criteria to use for determining if a culpability report is justified. 
&lt;br /&gt;&lt;br /&gt;Question 7: DSS Industrial Security (IS) reps continue to send emails to senior industry leaders announcing upcoming reviews/inspections and asking that the Facility Security Office (FSO) fill out pre-inspection forms…is that your policy?&lt;br /&gt;&lt;br /&gt;Answer: NISPOM 1-206a(2), &quot;Security Reviews&quot; states that, &quot;Contractors will normally be provided notice of a forthcoming review.&quot; DSS finds that emails are the most effective means by which IS Reps can notify companies of the upcoming reviews. DSS has also found that collecting inspection relevant information prior to the inspection date helps scope the actual inspection and therefore helps to increase the efficiency of the review. DSS internal policy advises to notify the senior company official and the Facility Security Officer and that only the FSO should be receiving the pre-inspection forms. &lt;br /&gt;&lt;br /&gt;Question 8: If an industry facility only manages &quot;carve out&quot; activity, is it the DSS policy to terminate their facility security clearance?&lt;br /&gt;&lt;br /&gt;Answer: It depends on the specific circumstances. If the carve-out activity is a DoD component and is at the Home office of a company, DSS will process and maintain the facility clearance. However, if the carve-out activity is at a division office of a multiple facility organization, and there is no other requirement to store classified at the division site, DSS will not ordinarily maintain the facility clearance. Finally, if the carve-out is held by another NISP signatory such as ODNI, CIA, DOE, and there are no other contracts, DSS will have no security cognizance.&lt;br /&gt;&lt;br /&gt;Question 9: If industry hires someone who is currently cleared and JPAS shows United States (U.S.) citizenship, do we have to verify their U.S. citizenship again or can we use their JPAS information?&lt;br /&gt;&lt;br /&gt;Answer: No. NISPOM 2-208 describes acceptable proof of citizenship. 
JPAS entries regarding citizenship may not be used to verify citizenship; however, the fact that an individual has a current active clearance in JPAS can be the basis for assuming that US citizenship was verified as part of the initial investigative process. Individuals who have had a break in access should be asked if there have been any changes in their citizenship status since they last worked in a cleared position. This question is addressed in the FAQ section of the DSS public website. The link is: &lt;a href=&quot;http://www.dss.mil/isp/policy_faqs.html&quot; title=&quot;http://www.dss.mil/isp/policy_faqs.html&quot; rel=&quot;external&quot;&gt;http://www.dss.mil/isp/policy_faqs.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Question 10: May we retain classified threat information for more than one year if it is not received under a specific contract but relevant to the industry operation as a whole?&lt;br /&gt;&lt;br /&gt;Answer: NISPOM 5-703b, &quot;Disposition of Classified Material Not Received under a Specific Contract&quot;, requires that contractors must return or destroy (at the direction of the GCA) material not received under a specific contract, within one year. If unique circumstances exist that dictate retention of classified information past the normal retention period, contractors should discuss their circumstances and this requirement with the assigned IS Rep.&lt;br /&gt;&lt;br /&gt;Question 11: If a company conducts a thorough self review and identifies discrepancies that are still being corrected, will the DSS indicate the open items as administrative or serious findings during the review?&lt;br /&gt;&lt;br /&gt;Answer: DSS will normally not cite any findings that a company identifies during a self-inspection and which the company has implemented effective action to correct. 
However, if the deficiency remains unresolved at the time of the inspection, DSS will cite it as a finding to ensure the issue is corrected.&lt;br /&gt;&lt;br /&gt;Question 12: There seems to be an interest in establishing a process to challenge inspection results. Would the DSS support a formal system and/or process to accomplish this?&lt;br /&gt;&lt;br /&gt;Answer: A process to discuss/challenge inspection ratings already exists. Facilities should officially discuss their concerns with the cognizant IS Rep. If issues remain unresolved, the company should elevate the issue to the Field Office Chief, then the Regional Director and if needed to the Director, Industrial Security Field Operations.&lt;br /&gt;&lt;br /&gt;Question 13: Industry needs a formal standardized approach for board resolution (FOCI) annual certification to the DSS; how can DSS help?&lt;br /&gt;&lt;br /&gt;Answer: DSS will explore the possibility of creating a suggested template or posting further guidance for Board Resolution annual certifications to assist Industry.&lt;br /&gt;&lt;br /&gt;Question 14: Is the intent for industry to have all our employees obtain a derivative classification e-learn account to satisfy the derivative classification training requirement?&lt;br /&gt;&lt;br /&gt;Answer: The derivative classification training requirement will be addressed in the revised NISPOM, when published. 
DSS does not now plan to require contractors to have an e-learning account with CDSE.&lt;br /&gt;&lt;br /&gt;Question 15: With a perceived heavy emphasis on Suspicious Contact Report numbers in the DSS rating process, what is being done to credit the framework signatory facilities with the reporting provided to DC3?&lt;br /&gt;&lt;br /&gt;Answer: As participation in the DIB Cyber Security Task Force/DC3 is voluntary, that is not considered as part of the rating.&lt;br /&gt;&lt;br /&gt;Question 16: When the DSS HQ receives an Advanced Persistent Threat report, does it share that information with the appropriate regional counterintelligence specialist?&lt;br /&gt;&lt;br /&gt;Answer: All threat information received by DSS and related to contractors is provided to the appropriate DSS Field CI personnel.&lt;br /&gt;&lt;br /&gt;Question 17: Many of our cleared corporate KMPs serve in various positions at our subsidiaries. We are being required to exclude them from access at the subsidiaries as they are not principal officers. Is this consistent with the DSS policy?&lt;br /&gt;&lt;br /&gt;Answer: When the parent company is cleared, cleared KMPs from the parent entity do not need to be excluded if they are also serving in a position at the subsidiary. If, however, the parent company is uncleared and excluded from access to classified information, the exclusion from access will normally be accomplished by a resolution adopted by the parent company, with a corollary resolution and acknowledgment of the parent company&#039;s resolution adopted by the subsidiary. The subsidiary&#039;s acknowledgement of the parent company&#039;s exclusion must specifically list interlocking officers and directors and state a commitment that those officers and directors will not disclose classified information to the parent company. 
Below is the text for the resolution that accomplishes this exclusion.&lt;br /&gt;&lt;br /&gt;&quot;BE IT FURTHER RESOLVED that (Insert Subsidiary) acknowledges certificates executed by the individuals listed below who are officers or directors of (Insert Parent) and (Insert Subsidiary), that they will not disclose classified information to (Insert Parent) or any of its agents.&quot;&lt;br /&gt;&lt;br /&gt;Question 18: Regarding SIPRnet, contractors are not authorized to work directly with the Host Based Security System (HBSS) help desk. If we have a problem we have to go through our sponsor. HBSS is mandatory and a very technical piece of software. Can the DSS help enable direct communication with the HBSS help desk?&lt;br /&gt;&lt;br /&gt;Answer: This was a misconception based on guidance from a POC at a DISA office a few months ago. Contractors can call the DISA HBSS help desk directly at 800-490-1643 for assistance with HBSS technical questions or email &lt;a href=&quot;mailto:okcpeoservicedesk@csd.disa.mil&quot; title=&quot;okcpeoservicedesk@csd.disa.mil&quot;&gt;okcpeoservicedesk@csd.disa.mil&lt;/a&gt;. 
HBSS images (software) must be requested by the sponsor (Civilian/Military) of the SIPRNet circuit by contacting the HBSS help desk.&lt;br /&gt;&lt;br /&gt;Additional information can be found online at &lt;a href=&quot;https://patches.csd.disa.mil&quot; title=&quot;https://patches.csd.disa.mil&quot; rel=&quot;external&quot;&gt;https://patches.csd.disa.mil&lt;/a&gt; (CAC enabled) and &lt;a href=&quot;http://www.disa.mil/hbss/&quot; title=&quot;http://www.disa.mil/hbss/&quot; rel=&quot;external&quot;&gt;http://www.disa.mil/hbss/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Question 19: When will there be a baseline for Windows, Windows 2008, Linux, Unix, and Solaris?&lt;br /&gt;&lt;br /&gt;Answer: DSS is in the process of updating its Windows XP/2003 configuration standard as well as developing Solaris and Windows 7 guides to be released in the fall of 2011. The general security settings documented in the ISFO Process Manual, Version 3 are common to all operating systems.&lt;br /&gt;&lt;br /&gt;Question 20: Industry continues to experience inconsistent guidance from the DSS regarding networked systems that span different DSS regions. What is the best guidance to follow regarding these conflicts, and how can we address the root cause effectively?&lt;br /&gt;&lt;br /&gt;Answer: DSS is striving to improve consistency by updating internal and external process guidance. The best guidance is found in the ISFO C&amp;A Manual, which outlines the standards for WAN systems. It is important for ISSMs to realize that interconnection requirements for unified systems are different from those for interconnected systems. Choosing the correct architecture for the information system will aid in a better understanding and application of the associated requirements. ISSMs may refer to the C&amp;A Manual or contact the cognizant ISSP&#039;s supervisor in cases where questions regarding inconsistency arise. 
If situations arise where requirements appear to be applied differently across regions, questions may be forwarded to &lt;a href=&quot;mailto:ODAA@dss.mil&quot; title=&quot;ODAA@dss.mil&quot;&gt;ODAA@dss.mil&lt;/a&gt;. The ODAA will review the information provided and reply with the DSS response to all parties involved.&lt;br /&gt;&lt;br /&gt;Question 21: Does the DSS have a technical training plan for their evolving Information Systems Security Professionals?&lt;br /&gt;&lt;br /&gt;Answer: As DoD employees, DSS ISSPs are subject to the requirements of DoD Manual 8570.01-M, &quot;DoD Information Assurance Workforce Improvement Program&quot;, which provides guidance and procedures for the training, certification and management of the DoD employees who conduct Information Assurance functions. Long term, the DSS Center for Development of Security Excellence is working to develop a certification training program for Information System Security Professionals. The near-term goal is to focus on internal advanced ISSP training.&lt;br /&gt;&lt;br /&gt;Question 22: Regarding Windows standards…will it require SHA-256 encryption? Windows XP does not support this level, will it require all to upgrade their Windows version?&lt;br /&gt;&lt;br /&gt;Answer: DSS Windows baseline standards do not address hashing algorithms at this time. Transition to SHA-256 without any mission operations breakage is challenging. The impacts of this transition are not fully understood, and Federal, DoD and Industry partners are not ready yet. Expect DSS to incorporate appropriate standards as they become available.&lt;br /&gt;&lt;br /&gt;Question 23: Regarding SIPRnet, our sponsor is paying for ARL for CNDSP and we are also required to have HBSS – why? Can the CNDSP provide the HBSS support?&lt;br /&gt;&lt;br /&gt;Answer: DSS was informed on August 3, 2011, that Army Research Lab (ARL), the primary CNDSP for cleared contractors, will be providing HBSS as a service. 
Until recently, ARL did not offer HBSS as a service. SIPRNET sponsors should contact ARL for more information regarding the CNDSP and HBSS support they are able to provide.&lt;br /&gt;&lt;br /&gt;Question 24: Regarding SIPRNet, Industry can&#039;t purchase the sanitization software by National Security Agency (NSA) rule. The new guidance received does not seem implementable…how can the DSS help?&lt;br /&gt;&lt;br /&gt;Answer: This problem was identified and resolved after CTO-133 was implemented. DSS worked with DISA, NSA, and others to ensure that contractors would be able to obtain the sanitization tools. Contractors can obtain the tools with the assistance of their Government sponsor(s). Guidance is implementable for industry with sponsorship assistance. The NSA&#039;s File Sanitization Tool (FiST) is required prior to using Flash Media on the SIPRnet. To clarify, removable media is defined by the CTO as CD/DVD, flash media, Tape, removable hard drives. &quot;Flash media&quot; is defined as memory sticks, thumb drives and camera memory cards. Furthermore, removable media per the CTO does not include items such as tape/disk backup unless the media is intended for distribution. If a contractor is utilizing Flash Media as defined above, the contractor&#039;s government sponsor can contact the NSA Program Management Office (PMO) for procurement by Military Interdepartmental Procurement Request (MIPR) at: &lt;a href=&quot;mailto:FIST_PMO@nsa.gov&quot; title=&quot;FIST_PMO@nsa.gov&quot;&gt;FIST_PMO@nsa.gov&lt;/a&gt; or 410-854-5131/5119. Contractors cannot directly purchase from NSA PMO.</description>
      <pubDate>Thu, 01 Sep 2011 15:36:53 -0000</pubDate>
      <guid>http://nispom.us/modules/news/article.php?storyid=204</guid>
    </item>
      </channel>
</rss>
