FAS Homepage |Gov't Secrecy | Library | NISPOM ||Search |Join FAS


Industrial Security Letter

ISL 97-1
Department of Defense
July 1997

Inside This Issue

After many years of using our traditional format for the ISL, we have decided to change our look. Please let us know how you like it and whether you have additional recommendations for change.

Industrial Security Letters (ISL) will be issued periodically to inform Industry, User Agencies and DoD Activities of develop-ments relating to industrial security. The contents of these letters are for information and clarification of existing policy and requirements. Local reproduction of these letters in their original form for the internal use of addressees is authorized. Suggestions and articles for inclusion in the Letter will be appreciated. Articles and ideas contributed will become the property of DIS. Contractor requests for copies of the Letter and inquiries concerning specific information should be addressed to the cognizant security office, for referral to the Deputy Director for Policy, HQDIS, as appropriate. Our web page is also available for your use.

Defense Investigative Service
1340 Braddock Place
Alexandria, VA 22314-1651


Special Notice

FAREWELL MESSAGE FROM GREG GWASH
DEPUTY DIRECTOR FOR OPERATIONS, DIS

O n July 11, 1997, I will be leaving the Defense Investigative Service and accepting a position in aerospace and defense industry in the Pacific Northwest. It has been nearly seven years since I came to Washington as Deputy Director (Industrial Security), and much has changed since then. For me, highlights have included the reinvention of the Industrial Security Program from a compliance-based activity to a service oriented, threat based program, and we brought counterintelligence expertise into DIS. Now we have the capability to recognize and neutralize many of the foreign intelligence threats to our sensitive information and systems, while implementing cost effective security countermeasures to reduce vulnerabilities. No longer do we impose blanket security requirements "because the book says so." It's called "risk management"!

Around the same time, the National Industrial Security Program was implemented. I am concerned, however, that the flexibility offered by the NISPOM has been offset by the loss of scheduled visits and regular communication and contact between the FSO and IS Rep. Yet, industrial security continues to grow ever more complex, with global security issues, secure communication networks and economic espionage. I offer two suggestions as I depart. First, industry and government need to continue to improve communications between them. The government's resources are being challenged to do more with less. FSOs and IS Reps have improved the "partnership" immeasurably in the past few years, and we all appreciate how interdependent we really are. Voluntary reporting of incidents and activities by FSOs can help IS Reps focus their limited time on important counterintelligence or security matters. Second, FSOs should take advantage of the government counter-intelligence information now being made available to industry. This will help make security requirements credible to your management and cleared employees. It will provide the rationale behind the requirements, and it prompts further reporting of needed information. We must all work together as a team to protect our Nation's intellectual property.

It has been a great honor to lead the men and women of both the Industrial Security Program and the Personnel Security Investigations Program this past year as Deputy Director for Operations. The ultimate integration of those two complementary activities lies ahead, and I am confident that DIS' government and industrial customers will benefit from that merger. I thank each member of the DIS family for their tireless efforts on behalf of our national security. I also want to express my gratitude to the thousands of security professionals in industry and government who also deserve great praise for accomplishing their difficult jobs in an outstanding manner. I salute each and every one of you. Farewell, Greg.


Defense Industrial Security Clearance Office (DISCO)

On March 31, 1997, the Customer Service Branch (CSB) at DISCO expanded its hours. Callers may now contact the CSB from 8:00 a.m. to 8:00 p.m., Monday through Friday. Callers requesting the status of industrial security clearance applications should call (614) 692-2265. Callers who are experiencing difficulties, have questions regarding the processing of a security clearance application, need assistance in completing security clearance appli-cations forms or have other National Industrial Security Program questions should call (614) 692-2253, 692-2254, 692-3724 and 692-1389. Questions or assistance requests may also be sent by e-mail to the following: [email protected].


NISPOM ISSUES

1. Key Management Personnel.

ISL 95L-2, Item 11, "The Importance of Annotating the Forms OODEP." Although the NISPOM no longer uses the term, the ISL requested that Personnel Security Questionnaires (PSQs) continue to be annotated "OODEP" across the top of the form in order to expedite the handling of the form. As of this publication, PSQs should now be marked "KMP" (Key Management Personnel) across the top for applications sent in hard copy. Electronic versions of the EPSQ should reflect the term "KMP" in Part 1 of the SF 86. (i.e., block I, Position Title).

2. Change Regarding Citizenship Information Requirements on the SF 86.

Citizenship status of foreign born relatives has long been an important issue in the security and counter-intelligence communities. With the government-wide switch to the new SF 86, this vital information has been more difficult for DIS to verify. This is because the SF 86 does not require the Subject to provide all of the information needed to conduct an efficient computer search of the INS Central Index System (CIS). Names in the CIS are catalogued by alien registration number even if the person has been naturalized. Without the alien registration number, an automated search of the CIS search is often unsuccessful, resulting in a time consuming manual review of records.

In order to avoid delays in clearance processing, DIS is requesting that Subjects be encouraged to provide both the alien registration number and the naturalization or citizenship number of the following relatives if they are foreign-born:

The current version of the SF 86 does not require INS information on some of these relatives. However, DIS must verify the citizenship or alien status of all these individuals if they are foreign born. If the information isn't provided on the form, verification is delayed until DIS obtains the information.

Once the SF 86 is revised, these extra measures should become unnecessary. Until then, case completion time delays can be reduced by asking Subjects to provide this essential information.

3. EPSQ Announcement.

DIS is pleased to announce that we are now accepting EPSQ submissions on diskettes. Even though we prefer the EPSQ to be electronically transmitted via the Internet or CompuServe, this is currently not an option for our entire customer base. However, since the EPSQ software validates the data entered in each field, which results in lower rejection rates (26% for paper copies to less than 3% for EPSQs), the diskette is acceptable. We encourage all of our customers who are currently submitting printed paper EPSQs to mail the diskette rather than paper forms to PIC. If you choose to use this option, the EPSQ must be submitted on a 3.5" high density, 1.44 mb diskette, and the data must include both Subject and Security Officer information; diskettes containing only Subject information cannot be processed. Step-by-step instructions are below.

  • Create, Validate, Print, Certify, and Prepare the EPSQ file before copying to a diskette
  • Label the diskette with:
  • Place the signed copy of the "Authorization for Release of Information" (and fingerprint card(s), if applicable) in the same envelope as the diskette; mail them, with a self-addressed envelope, to: No diskettes will be returned to the sender. If diskettes are damaged, contain a virus or contain improperly prepared files, they will be destroyed by DIS and a "Rejection Notification" will be mailed to the sender. Please ensure that the original data is stored at the senders security office in the event a resubmission becomes necessary.

    For customer support, please contact the DIS Customer Service Center at 1-800-542-0237 or DSN 283-7731.

    4. Report of the Commission on Protecting and Reducing Government Secrecy.

    The Report was released in March of 1997 and provides some insight on the reasons for classification and declassification of government sensitive information. The report also identifies some inherent problems that exist once a determination is made to classify information. The report makes 16 recommendations that focus on: the classification and declassification of information, to include, personnel security, financial disclosure, use of the Polygraph and Automated Information Security. It is not clear at this time what type of impact the report will have on the National Industrial Security Program, however, we will provide periodic updates in future ISLs.

    If you would like a copy of the report, it can be found on the Internet at the Government Printing Office's (GPO) World Wide Web address: http://www.access.gpo.gov/int.

    5. EO 12958.

    Executive Order (EO) 12958, Classified National Security Information, was signed by the President on April 17, 1995 and became effective on October 14, 1995. The Order presents an updated system for managing the protection of national security information.

    The Order reaffirms both the two basic classification processes: original classification and derivative classification, and the three levels of classified information. But it also sets new standards. The government original classification authority must now be able to identify or describe the damage to national security that would be expected if the information were improperly disclosed. Also, information will normally be classified only for 10 years, and will require specific action to extend classification beyond those 10 years, if necessary.

    The Order eliminates the "OADR" declassification instruction. Original classifiers may no longer use the indefinite duration indicator, "Originating Agency's Determination Required (OADR)." Specific declassification instructions, most often a date or event, must now be shown.

    EO 12958 requires more detailed document marking. All government agencies must now portion mark documents unless relieved from this requirement by the Information Security Oversight Office. Original classifiers must be identified by name and position title, or by a specific personal identifier, and a concise reason for the classification must be provided. In derivative classification, the source or sources of classification must continue to be shown, as well as declassification instructions.

    Specific Reasons Established For Classifying Information:

    To be eligible for classification, information must now fall within one or more of the following categories of information listed in section 1.5 of the Order:

    a. Military plans, weapons systems, or operations,

    b. Foreign government information,

    c. Intelligence activities (including special activities), intelligence sources or methods, or cryptology,

    d. Foreign relations or foreign activities of the United States, including confidential sources,

    e. Scientific, technological, or economic matters relating to the national security,

    f. United States Government programs for safeguarding nuclear materials or facilities

    g. Vulnerabilities or capabilities of systems, installations, projects or plans relating to the national security

    Prohibitions Against Classifying Information:

    The Order clearly states that, if there is significant doubt about the need to originally classify information, it may not be classified. Further, information may not be classified for the purpose of:

    a. Concealing violations of law, inefficiency, or administrative error;

    b. Preventing embarrassment to a person, organization, or agency;

    c. Restraining competition, or,

    d. Preventing or delaying the release of information that does not require protection in the interest of national security.

    Basic scientific research information not clearly related to the national security may not be classified. Information may not be reclassified after it has been declassified and officially released to the public.

    Levels and Definitions of Classified Information:

    Under EO 12958, there are still three levels of classification: Top Secret, Secret and Confidential. The classification damage level descriptions have not changed, but one key phrase has been added to each definition. The original classification authority must now be able to specifically "identify or describe" the damage to the national security caused by unauthorized disclosure if the classified information becomes the subject of a classification challenge or a request for access (for example, under the Freedom of Information Act or the Privacy Act).

    Top Secret information is defined as information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

    Secret information is information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

    Confidential information is information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

    Duration Of Classification:

    Declassification is the authorized changing of information from classified to unclassified. When information is originally classified, the classifier must now attempt to identify a date or event upon which the information will be declassified. The standard in this Order is that information should normally remain classified for no longer than 10 years. But the Order also recognizes that there are some circumstances in which information must stay classified longer than 10 years because disclosure would cause damage to national security even after 10 years. In such cases, under Section 1.6(d) of the Order, the original classi-fication authority may exempt information from the "10-year rule" only if, after 10 years, disclosure would be expected to:

    a. Reveal an intelligence source, method or activity, or a cryptologic system or activity (X1),

    b. Reveal information that would assist in the development or use of weapons of mass destruction (X2),

    c. Reveal information that would impair the development or use of technology within a United States weapons system (X3),

    d. Reveal United States military plans or national security emergency preparedness plans (X4),

    e. Reveal foreign government information (X5),

    f. Damage relations between the United States and a foreign government, reveal a confidential source, or seriously undermine diplomatic activities that are reasonably expected to be ongoing for a period longer than 10 years (X6),

    g. Impair the ability of responsible United States Government officials to protect the President, the Vice-President, and other individuals for whom protection services, in the interest of national security, are authorized (X7),

    h. Violate a statute, treaty, or international agreement (X8),

    The designators in parentheses following each item show the exemption categories specified in Section 1.6(d) of the Executive Order. Either the designator or a brief description of the exemption will now be applied when marking documents containing exempted information.

    The Order permits such extensions up to 25 years, when most classified information must be declassified. However, in a very small number of situations, some information may remain classified for longer periods.

    Original And Derivative Classification Authority:

    Original classification is the initial determination that, in the interest of national security, information requires protection against unauthorized disclosure. Original classification takes a piece of information that has never been classified and makes it classified. Only a few, senior government officials are original classification authorities. Original classification authority is used only in those instances when the information is not already covered by any security classification guide.

    The majority of cleared government employees, and all cleared employees in industry, who process classified information may be derivative classifiers. This means incorporating, paraphrasing, restating, or generating in new form information that is already classified. All derivative classifiers refer to some source of classification guidance (usually a classified source document or a classification guide) when marking newly developed materials consistent with the markings on the source or the instructions in the guide.

    Because there is no original classification authority in industry, there is also no original authority in industry to declassify information without receiving specific, appropriate authority to do so from the Government Contracting Activity (GCA). Some of the declassification policy of Executive Order 12958 applies only to information designated as "permanently valuable" or as "permanent historical infor-mation". Contractor facilities are not presumed to hold such information unless specifically informed so in writing by a GCA.

    Therefore, notwithstanding the widespread publicity accorded the Order's provisions for automatically declassifying information more than 25 years old, note that Section 3.4 of the Order, which covers automatic declassification, does not apply to information in records that have not been officially scheduled for retention by the National Archives and Records Administration. Because most classified material held by contractor facilities has not been scheduled for such retention, the automatic declassification provisions do not apply.

    Contractors should not automatically declassify any classified information held in their possession without specific written authorization from the GCA (or its successor organization) having subject matter responsibility for that information. Questions or concerns regarding classified material over 25 years old that is still being held by industry should be directed to the GCA or CSA. Please recognize that it will take the GCA's some time to review such material and provide guidance regarding declassification.

    The Order also specifically exempts Restricted Data and Formerly Restricted Data from the automatic declassification requirements in Section 3.4, because such information is classified under the Atomic Energy Act of 1954, as amended.

    The Order is implemented throughout the Federal Government by an implementing directive promulgated by the Information Security Oversight Office. This directive was published in the Federal Register at 32 CFR Part 2001 on October 13, 1995.

    Additional information and excellent examples of the new marking requirements are located on the National Industrial Security Bulletin Board. To access the NISB, and download a copy of the Department of Defense Security Institute's Desk Reference Guide to Executive Order 12958, follow the instructions in the NISB User's Guide found in ISL 95L-1.

    6. Facility and Employee Clearance Information on the Internet.

    It has recently come to DIS' attention that some contractors are indicating their facility and employee clearance levels on the Internet. You are reminded that NISPOM paragraph 2-100c prohibits the use of the FCL for advertising or promotional purposes. This prohibition is also reiterated in the Facility Clearance Letter 381-R. References to employee clearance levels and contractor performance on classified contracts on the Internet would constitute advertising.

    7. Use Of Federal Express For Overnight Transmission Of Secret And Confidential Classified Information Within The Continental United States.

    We are pleased to approve use of the GSA commercial air contract carrier for the overnight delivery of information and material, currently Federal Express (FedEx), to transmit SECRET and CONFIDENTIAL classified information to and among cleared contractor facilities and US Government agencies. Facility Security Officers must establish procedures to assure the proper protection of classified packages at each facility intending to use this service and these procedures must be formally approved by the Cognizant Security Office prior to starting such transmissions. Contractors must establish an approved street address for incorporation by DIS in the Central Verification Activity (CVA) before such shipments may begin.

    The following requirements apply and must be reflected in the procedures approved by the CSO:

    a. FedEx may be used for the urgent overnight trans-mission of SECRET and CONFIDENTIAL material within the continental United States when overnight delivery cannot reasonably be accomplished by the U.S. Postal Service. However, classified Communications Security (COMSEC) information, NATO and foreign government information may not be transmitted via FEDEX.

    b. FedEx carrier personnel should not be notified that the package contains classified material.

    c. Material must be prepared for transmission as described in NISPOM paragraph 5-401a, except that a FedEx mailing envelope may be used as the outer wrapper.

    d. The outer address label shall be addressed to the "Security Office" or the "Facility Security Officer" of the destination facility.

    e. Senders may not use a Post Office Box as the destination address because FedEx cannot deliver to a P.O. Box. Instead, a street delivery address approved for overnight shipments by the recipient's CSO shall be obtained from the CVA for contractors or from the security office of a government agency. Identifi-cation of a contractor's address in the CVA listing as an authorized overnight delivery address indicates CSO approval of the receiving facility's ability to securely accept such packages.

    f. To ensure direct delivery to the addressee, the release signature block (# 7) on the FedEx Airbill Label may not be executed. The use of external (street side) collection boxes is prohibited.

    g. As a general rule, packages may be shipped on Monday through Thursday only to ensure that FedEx does not have possession of a package over a weekend.

    h. Employees who handle incoming FedEx shipments addressed to the Security Office or the Facility Security Officer must be cleared.

    Note: If you use the DIS Web Page to transmit questions or topics for articles, send them to the attention of the ISL Desk.


    DIS Integration Efforts

    "Counterintelligence (CI) Integration in the Defense Investigative Service"

    Many readers are probably aware that DIS has two primary missions: to conduct personnel security investigations (PSI) and to provide industrial security (IS) support for over 11,000 cleared industrial facilities worldwide. Several years ago, DIS received a mandate to change the way we do business in these two missions. We realized the previous reliance on strict compliance with risk avoid-ance procedures was no longer appropriate. Instead, DIS reconsidered the ultimate purpose behind its two pri-mary missions, which had always been to prevent unauthorized disclosure of US classified materials, and recognized that an infusion of CI thinking into DIS activties was needed. As a result, a small program was begun within DIS called the CI Integration Initiative. Part of this initiative was the establishment of a small CI Office. This CI Office is currently staffed with three Special Agents (one from each of the military service CI organizations) and six DIS employees, three of which are CI Analysts. Six CI Specialists are assigned to support our five regions throughout the country. A sixth CI Specialist is at the Personnel Investigations Center (PIC) in Baltimore, Maryland, with an additional CI Specialist to be added in the near future. DIS also recently detailed a CI Specialist to the National Counterintelligence Center.

    In light of the above integra-tion efforts and as a result of downsizing and reinvention initiatives throughout the Executive Branch and the defense industry, DIS has moved toward adopting a more threat-appropriate, cost- effective and rational approach to applying effec-tive security countermeasures within industry.

    The cornerstone of our IS reinvention effort is to work with cleared industry in implementing effective risk management within the guidelines of the National Industrial Security Program Operating Manual (NISPOM). This risk management process requires each of our IS Representatives (ISR) to first learn all they can about their facilities and identify what assets need protection. These key or critical assets may be personnel with clearances, classified contracts, or sensitive defense technologies. Second, the ISR has to try and identify threats to each of their facilities. This is not an easy task. In fact, identifying the threat and obtaining threat information is the most difficult part of the risk management process. Third, the ISR and the facility Security Officers (FSOs) work together to assess vulnerabilities associated with the facility's critical assets. Finally, the ISR, FSOs, and facility management work together to implement effective security countermeasures (SCM) to mitigate the vulnerabilities associated with the known threats to the critical facility assets. This is what we mean when we say that security countermeasures are applied to a facility in a threat-appropriate, cost-effective, and rational manner.

    As was said, the most difficult aspect of the risk management process is identifying the threat and obtaining threat information. This became a key function of the CI Office. We made a commitment to our reinvention effort and, despite down-sizing during the past several years, we made a decision to invest additional resources in this CI Office. The CI Office assumed the role of acting as a clearinghouse to obtain threat information from other agencies and deliver it to DIS field elements for briefing to defense industry. The intention is to provide industry with answers to who is targeting them, what are they targeting, and what techniques are being used to target them for the more efficient application of threat-appropriate SCM to protect that technology.

    The potential benefits of this CI integration effort became evident almost immediately and continued to grow. A crucial source for good threat information, addressing the needs of defense industry, is the willingness of cleared companies and individuals to report suspected foreign collection activity. A second major role of the CI Office is to assist DIS field elements in educating defense industry to recognize and report inappropriate or illicit foreign attempts to collect sensitive US technology. Reports of suspicious contacts with foreign entities, a reporting requirement in the NISPOM, now have a DIS venue for being analyzed and responded to with threat information from the US Intelligence community. In coordination with program offices, user agencies and the CI community, DIS acts as a facilitator to those cleared defense contractors likely to be targeted for collection by a foreign entity. Likewise, reports of suspicious contacts in the form of analytical referrals are referred by DIS to appropriate CI activities within the US intelligence community. Many are then published as intelligence information reports (IIRs) by other agencies. These analytical referrals and IIRs populate databases and provide analysts with facts, necessary to write assess-ments and inform policy and decision makers, that were once possibly not available. In FY 96, DIS produced over 313 analytical referrals to other US agencies.

    Based on US defense industry reporting of suspicious activity, DIS has observed trends of low-level collection interest and activity by foreign companies and governments during the past several years. These foreign collection modus operandi (MO) exhibit subtle changes to adapt to rapidly changing international political and economic environments.

    Foreign collection continues to focus on economic and Science and Technology (S&T) information and products. Programs associated with dual-use technologies are often consistent targets for both foreign government and foreign commercially sponsored collection activity. Although many countries considered to be traditional foreign collection threats continue their collection activities, DIS continues to observe increased collection activity by nontraditional threat countries. Subtle changes in collection MOs are evidenced by a transition in reliance from clandestine activity to the use of overt and legal activity to mask illicit collection activities. While the purely clandestine efforts of foreign intelligence services (FIS) are still active, there is a significant growing reliance on the use of commercial activities to provide access to targeted technologies. Areas of foreign collection activity and interest, as identified by US defense industry reporting, included most of the major technology categories from the Military Critical Technology List (MCTL).

    Additionally, defense industry reporting continues to reflect increasing trends of foreign collection activity involving proprietary strategic management information, to include bid proposals, price structuring, and marketing plans.

    While many, if not most interactions between US defense industry and foreign interests are benign and advantageous, the defense industry reported various foreign collection MOs to include:

    Just as the drawdown and changing political environment prompted reinvention within the IS mission of DIS, the PSI mission was also effected. The focus of the CI Integration Initiative within the PSI mission of DIS is to recognize and surface potential CI issues for resolution. To achieve this goal, a structured arrangement was formed consisting of the CI Office, the investigative field elements, and the PIC. Each plays a role in the early identification and referral of possible cases of unauthorized access. The CI Office educates DIS field personnel to recognize and surface potential CI issues, reviews information that surfaces, guides the field elements in the conduct of investigative activities to more fully develop information which may be of CI significance, and refers information to the CI investigative agencies at the appropriate time for those agencies to assume investigative responsibility. The PIC acts as a conduit for information between the CI Office and the field, implements the guidance of the CI Office through the scoping of investigative leads to the field, and serves as a key element in the recognition of potential CI issues not recognized at the field level. The field elements actually perform the bulk of this work, gathering information and conducting numerous interviews, while keeping alert to information of possible CI significance. To aid field personnel in this, the CI Office developed a field guide entitled "Recognition of Potential CI Issues." Key features of this guide are its description of foreign collection techniques, a description of scenarios which may be indicative of foreign espionage activity targeting individuals or organizations, and a listing of potential espionage indicators. Once a matter has been brought to the attention of the CI Office, it is tracked until the potential CI issue has been resolved or a CI investigative agency has taken the lead. If the matter is clearly of CI significance, it is designated as a CI Issue Case. Those cases which may be of CI significance, but which need further investigative activity before the CI significance can be acted upon by another agency, are developed to the point where the issue is resolved or where they too can be designated as a CI Issue Case. The objective is to facilitate the referral of possible espionage cases to the appropriate investigative agencies. In FY 96 the CI Office reviewed 717 potential CI issues. Of these, 121 were significant enough to be designated as CI Issue Cases. To date, 73 of these cases have been referred to various CI investigative agencies for further investigation. DIS has become a force multiplier to the US CI community in countering the foreign intelligence threat.

    The US is increasingly challenged to balance coalition military missions and international marketing with sound security counter-measures. Through its CI Integration Initiative, DIS has adapted to this environment and will continue to provide vital, necessary services to the Department of Defense and the defense industry.


    Special Access Programs:

    Executive Order 12958 specifies that within the Executive Branch, only the departments of Defense, Energy, and State and the Director, Central Intelligence Agency, may create a Special Access Program (SAP). This section of the ISL is being published on behalf of the Office of the Under Secretary of Defense for Policy (OUSD(P) and the Office of the Deputy to the Under Secretary of Defense (Policy) for Policy Support (ODTUSD(P)PS). The OUSD(P) has been designated by the Secretary of Defense as the organization which is responsible for SAP security matters through the Special Access Program Oversight Committee management structure. On their behalf, representatives of the Directorate of Special Programs, ODTUSD(P)PS, and DIS will discuss several topics related to the expeditious and effective implementation of the Supplement to the National Industrial Security Program Operating Manual (NISPOM-SUP). The NISPOM-SUP provides a set of enhanced security options which are available to augment the National Industrial Security Program Operating Manual (NISPOM) baseline security provisions in certain sensitive SAPs. The focus of both the NISPOM and the NISPOM-SUP is to implement more uniform and cost-effective security measures which can still provide adequate protection needed for our nation's most sensitive classified programs.

    1. OSD SPECIAL ACCESS PROGRAM OVERSIGHT COMMITTEE.

    The Special Access Program Oversight Committee (SAPOC) was established by DoD Directive 0-5205.7. On January 5, 1994, the Deputy Secretary of Defense (DEPSECDEF) made some significant changes in the DoD SAP management and control structures. These changes standardized and formalized the SAP approval, termination, revalidation, and restructuring process through the SAPOC. A Senior Review Group (SRG) was also established to provide the main support to the SAPOC. In addition, a SAP Coordinating Office (SAPCO) was established to provide the primary staff support to the SAPOC process.

    The functions of the SAPOC process are to: (a) provide departmental oversight and management over all DoD SAPs; (b) monitor programs to ensure compliance with applicable executive orders, laws, regulations, policies, and procedures; and (c) ensure that all required information is provided to Congress. Utilizing the SAPOC process, SAPs are reviewed and validated annually. This review focuses on the status of each SAP, including cost, schedule, security counter-measures, and performance. It validates the need for continued security compartmentation, or restructures the program to another SAP or collateral program. The review also ensures that redundancy is eliminated among similar programs.

    In addition to the DEPSECDEF, who is the SAPOC Chairman, other permanent members are: the Under Secretary of Defense (USD) for Acquisition and Technology (A&T); USD for Policy; Assistant Secretary of Defense for Command, Control, Communications, and Intelligence; General Counsel; DoD Comptroller; and Vice Chairman of the Joint Chiefs of Staff. The Director of Special Programs, OUSD(A&T), a general officer, serves as Director of the SAPCO and as a permanent member and Executive Secretary of the SAPOC. SAPOC membership is not delegated, although the Chairman may request others to support the SAPOC when needed.

    2. SPECIAL REVIEW OF CONTRACTS.

    Under the auspices of the DEPSECDEF in his role as SAPOC Chairman, the USD (Policy) and the USD (A&T) jointly signed a letter, dated August 19, 1996, concerning security policy for SAPs. The letter directed the military departments and federal agencies to immediately implement the NISPOM and NISPOMSUP on all new DoD contracts requiring special access protection. It stipulated that all existing DoD contracts for SAPs must be reviewed for implementation, and that existing program specific security requirements can be retained only where it is clearly not cost-effective to implement the NISPOM and the NISPOMSUP. Finally, the letter advised that a follow-up review on the NISPOM/NISPOMSUP implementation requirement will be conducted no later than the first quarter of 1997.

    3. SINGLE PROCESS INITIATIVE.

    The Single Process Initiative (SPI) is receiving increased emphasis as a component of the DoD acquisition reform program. This initiative encourages contractors to standardize so that a single process is used for a function at each facility. This initiative should eliminate multiple processes for functions such as quality control, contract administration, security administration and oversight at contractor facilities, and it should encourage the use of commercial practices where appropriate.

    Under the SPI, contractors are strongly encouraged to identify opportunities for standardizing SAP security requirements utilizing the NISPOMSUP. General questions concerning the SPI process should be directed to the Defense Contract Management Command which has been delegated authority to implement SPIs by the Office of the Secretary of Defense. Questions pertaining directly to a specific SAP should be addressed to the organization having security and/or contract cognizance over the program.

    4. DEFENSE INVESTIGATIVE SERVICE'S ROLE IN SAPs.

    DIS is the Cognizant Security Office (CSO) for requirements contained in the NISPOM. In addition, DIS is generally the Cognizant Security Agency (CSA) for requirements under the NISPOMSUP for DoD contractors participating in Army SAPs. Other DoD SAP Central Offices either retain CSA responsibilities and exercise direct security oversight for their SAPs, or "carve in" DIS to oversee activities at contractor locations. In either case, it is DoD policy to consult with all concerned parties when levying requirements under the NISPOMSUP to provide the maximum degree of uniformity and reciprocity consistent with individual SAP sensitivities.

    DIS' full cognizance over collateral security and responsibility for security oversight of many SAPs within DoD contractor facilities provide its personnel insight into issues affecting uniform implementation and standardization of security requirements. As an advisor to DoD security policymakers, DIS provides its own "lessons learned" and other valuable feedback directly from the contractor community to the ODTUSD(P)PS. This capability enables DIS personnel to offer policy recommendations and suggestions that often are codified in DoD directives and regulations, as well as recommendations that may appear in revisions to the NISPOM and NISPOMSUP.

    5. SAP POINTS OF CONTACT.

    In those programs where DIS is the CSA, contractors are encouraged to discuss general issues of concern dealing with implementation of the NISPOMSUP with their DIS representatives. When a military service or SAP Central Office has retained CSA responsibility, contractors should raise their concerns with the military service representatives or the appropriate Central Office. If questions or concerns remain, the appropriate office within the Office of the Secretary of Defense is the next level to contact. The Under Secretary of Defense for Policy (USD(P) is the proponent for implementation of the NISPOMSUP. Accordingly, contractors with suggestions for improvement or who have NISPOMSUP-related policy issues are encouraged to contact the USD(P)'s representative to the SAP community, the Director for Special Programs, ODTUSD(P)PS, at (703) 614-0578.

    Customer Service Bulletin Board

    Electronic Personnel Security Questionnaire Customer Service
    Phone: 1-(800) 542-0237
    Hours: 0700-1700

    Industrial Security Letter Desk
    Phone: (703) 325-5381
    E-mail: [email protected]

    DIS Web Page
    http://www.dis.mil

    FCL Verifications:
    (410) 865-2720 or 2721

    DISCO Customer Service Branch:
    PSQ: (614) 692-2265


    Change 1 to the National Industrial Security Program Operating Manual (NISPOM)

    The issuance of Executive Order 12958 and its implementing directive necessitated that changes be made to the NISPOM.

    The Acting Assistant Secretary of Defense for Command, Control, Communications and Intelligence approved Change 1 on July 17, 1997. It is appended to this ISL and effective immediately.

    Following is a brief summary of the changes made in Change 1 and a rationale for the changes. (Replacing EO 12356 with EO 12958 is not listed.)

    Paragraph and Summary Rationale:

    1-103. - Agency agreements have been signed with the Administrator, Agency for International Development and the Executive Director for Operations of the Nuclear Regulatory Commission.

    1-105. - The Marking Supplement to the "Industrial Security Manual for Safeguarding Classified Information" has been canceled. It will not be replaced. The Defense Department's Marking Pamphlet is available from your industrial Security representative and may be used as guidance.

    2-201a. - Standard Form 86 has replaced the DD Form 398.

    2-201b. - Added the Local Agency Check to the National Agency Check and Credit Check. Replaced DD Form 398-2 with SF 86.

    2-218. - Replaced DD Forms 398 and 398-2 with SF 86.

    3-107. - Added a requirement for annual refresher training and maintenance of a record of such training. This change was mandated by the implementing directive to EO 12958. FSOs have significant latitude in implementing this requirement.

    4-101. - Explains original classification provisions of EO 12958.

    4-103. - Encourages users of classification guides to notify the originator of the guide when it may need to be changed.

    4-104. - Details the "challenge to classification" provisions of EO 12958 and explains the Interagency Security Classification Appeals Panel process.

    4-208 . - Identifies new markings for derivatively classified documents.

    4-209b. - Provides downgrading and declassi-fication instructions for extracts containing classified information.

    4-210b. - Adds the new requirement that messages must contain a "Derived From" line.

    5-205 . - Adds the requirement that "working papers" be marked in the same manner prescribed for a finished document if transmitted outside the facility or retained for more that 180 days. This change was mandated by the Implementing Directive to EO 12958.

    10-303. - Provides marking instructions for foreign government information.

    Appendix C. - Changes the definitions of Confidential, Secret and Top Secret to conform with the definitions in EO 12958.

    The following page changes should be made to your NISPOM:

    Remove 1-1-1 thru 1-1-3 and insert new pages 1-1-1 thru 1-1-3.

    Remove 2-2-1 thru 2-2-5 and insert new pages 2-2-1 thru 2-2-4.

    Remove 3-1-1 and insert new page 3-1-1.

    Remove 4-1-1 thru 4-2-6 and insert new pages 4-1-1 thru 4-2-6.

    Remove 5-2-1 and insert new page 5-2-1.

    Remove 9-1-1 thru 9-1-3 and insert new pages 9-1-1 thru 9-1-3.

    Remove 10-3-1 thru 10-3-2 and insert new pages 10-3-1 thru 10-3-2.

    Remove 11-3-1 and insert new page 11-3-1.

    Remove C-1 thru C-8 and insert new pages C-1 thru C-9.




    FAS Homepage |Gov't Secrecy | Library | NISPOM ||Search |Join FAS