The National Industrial Security Program (NISP) is the authority within the United States for access to classified data by government contractors. It has outlined requirements to ensure the continued availability and integrity of classified data and to prevent its unauthorised disclosure. Its operating manual (NISPOM) applies to all government agencies and commercial contractors that have access to classified data. NISPOM compliance is crucial for entities that handle classified information, as it governs the protection, handling and safeguarding of that information.

NISPOM (the National Industrial Security Program Operating Manual) sets comprehensive standards for protecting classified information that is disclosed to, or developed by, contractors, licensees, grantees or certificate holders, in order to prevent prohibited disclosure. In this article we highlight the recent changes to the manual, together with the requirements NISPOM sets in regard to cybersecurity and log management, to help your business navigate NISPOM and stay compliant.

Why Meeting NISPOM Requirements Is Vital

To begin with, the greatest change to note from the previous version of NISPOM is the switch from being a DoD (Department of Defense) manual to now being a federal rule. This is important because your business could now face greater consequences for not being compliant, including legal prosecution, as this change gives NISPOM more weight in court.

The updated NISPOM contains new requirements for cleared contractors and their senior management officials, who will now be held accountable by the DCSA (Defense Counterintelligence and Security Agency) if they fail to meet these requirements.

A new rule for cleared personnel concerns reporting requirements. These have been pulled from SEAD 3 and previously applied only to government employees, not to industry. Now anyone holding a personnel clearance (PCL) must report foreign travel, and those with higher-level clearances will also have to report, among other things, foreign passports, marriages and bankruptcies. Read these requirements in depth here.

Concerning senior management officials (SMOs), their role has been clearly defined as being responsible for the company’s strategy and policy. More precise responsibilities of the role include remaining fully informed of the facility’s classified operations, making decisions based on classified threat reporting, and retaining accountability for the management and operations of the facility. With the role defined this clearly, the emphasis shifts from a one-size-fits-all approach to compliance to a risk-based approach, meaning the SMO will be held to a greater degree of accountability for tailoring security to their program’s needs rather than simply meeting the basic standards.

NISPOM: Cybersecurity

NISPOM includes provisions on cybersecurity and system security management to ensure the protection of classified information and systems. It is an important section of the manual, so it is paramount that it is thoroughly understood. Key cybersecurity considerations within the manual include:

Information System Security Program: NISPOM highlights the need for robust measures to protect classified information systems. This includes implementing access controls, authentication mechanisms, encryption, firewalls, intrusion detection systems as well as other security technologies to safeguard against cyber threats.

Initial Security Briefings: Prior to granting access to classified information, contractors will provide employees with an initial security briefing. This covers threat awareness (including insider threat awareness), counterintelligence awareness, an overview of the information security classification system, reporting obligations and requirements, cybersecurity training, and security procedures and duties.

Risk Management Framework: A seven-step process for managing information system security risks. The process supports an ongoing risk mitigation strategy and consists of the steps prepare, categorise, select, implement, assess, authorise and monitor. Read the process in full here.

NISPOM: Log Management

The manual states that contractor information systems used to capture, create, store, process or distribute classified information must be properly managed to protect against its unauthorised disclosure. Log management is part of this. Key log management considerations within the manual include:

Monitoring Logs: Among the policies and procedures that address the components of the insider threat program, there should be a strategy for protecting, interpreting, storing and limiting access to the automated logs produced by user activity monitoring.

Accountability Records: Logs, receipts and destruction certificates are required for NATO classified information. COSMIC Top Secret (CTS) and all ATOMAL documents will be recorded on logs maintained separately from other NATO logs and will be assigned unique serial control numbers.

Security Monitoring: Logs are essential for ongoing security monitoring. By analysing logs in real-time or through periodic reviews, organisations can detect and respond to security events promptly. This includes identifying suspicious activities, detecting potential threats or vulnerabilities and initiating appropriate countermeasures.

Whilst this article does not cover every aspect of NISPOM, it highlights the key changes to the manual and the important requirements regarding log management and cybersecurity, to help you stay compliant. You can read NISPOM in full here.

© 2024 Logit.io Ltd, All rights reserved.