National Industrial Security Program

From Wikipedia, the free encyclopedia

The National Industrial Security Program, or NISP, is the nominal authority (in the United States) for managing the needs of private industry to access classified information.

The NISP was established in 1993 by Executive Order 12829[1]. The National Security Council nominally sets policy for the NISP, while the Director of the Information Security Oversight Office (ISOO) is nominally the authority for implementation. Under the ISOO, the Secretary of Defense is nominally the Executive Agent, but the NISP recognizes four different Cognizant Security Agencies, all of which have equal authority: the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission.[2]

NISP Operating Manual (DoD 5220.22-M)

A major component of the NISP is the NISP Operating Manual, also called the NISPOM, or DoD 5220.22-M[3]. The NISPOM establishes the standard procedures and requirements for all government contractors with regard to classified information. As of 2006, the current NISPOM edition is dated 28 Feb 2006. The chapters and selected sections of this edition are:

  • Chapter 1 - General Provisions and Requirements
  • Chapter 2 - Security Clearances
    • Section 1 - Facility Clearances
    • Section 2 - Personnel Security Clearances
    • Section 3 - Foreign Ownership, Control, or Influence (FOCI)
  • Chapter 3 - Security Training and Briefings
  • Chapter 4 - Classification and Marking
  • Chapter 5 - Safeguarding Classified Information
  • Chapter 6 - Visits and Meetings
  • Chapter 7 - Subcontracting
  • Chapter 8 - Information System Security
  • Chapter 9 - Special Requirements
  • Chapter 10 - International Security Requirements
  • Chapter 11 - Miscellaneous Information
    • Section 1 - TEMPEST
    • Section 2 - Defense Technical Information Center (DTIC)
    • Section 3 - Independent Research and Development (IR&D) Efforts
  • Appendices

Misunderstanding as a data sanitization standard

DoD 5220.22-M is sometimes cited as a standard for sanitization to counter data remanence. This is incorrect. The NISPOM covers the entire field of government-industrial security, of which data sanitization is a very small part (about two paragraphs in a 100-page document)[4]. Furthermore, the NISPOM does not actually specify any particular sanitization method; standards for sanitization are left up to the Cognizant Security Authority. The Defense Security Service provides a Clearing and Sanitization Matrix[5] which does specify methods; access to the current C&SM is restricted.

References

  1. Text of Executive Order 12829 at FAS
  2. NISP Brochure (PDF, 59 KB) at DDS
  3. NISPOM web page at DSS
  4. NISPOM, 28 Feb 2006 Edition, Section 8-301, Page 8-3-1.
  5. DSS Information Assurance Home Page, "Guidance" Section