National Industrial Security Program
The National Industrial Security Program, or NISP, is the nominal authority (in the United States) for managing the needs of private industry to access classified information.

The NISP was established in 1993 by Executive Order 12829. The National Security Council nominally sets policy for the NISP, while the Director of the Information Security Oversight Office is nominally the authority for implementation. Under the ISOO, the Secretary of Defense is nominally the Executive Agent, but the NISP recognizes four different Cognizant Security Agencies, all of which have equal authority: the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission.

NISP Operating Manual (DoD 5220.22-M)

A major component of the NISP is the NISP Operating Manual, also called NISPOM, or DoD 5220.22-M. The NISPOM establishes the standard procedures and requirements for all government contractors with regard to classified information. The current NISPOM edition is dated 28 Feb 2006. Chapters and selected sections of this edition are:

  • Chapter 1 - General Provisions and Requirements
  • Chapter 2 - Security Clearances
    • Section 1 - Facility Clearances
    • Section 2 - Personnel Security Clearances
    • Section 3 - Foreign Ownership, Control, or Influence (FOCI)
  • Chapter 3 - Security Training and Briefings
  • Chapter 4 - Classification and Marking
  • Chapter 5 - Safeguarding Classified Information
  • Chapter 6 - Visits and Meetings
  • Chapter 7 - Subcontracting
  • Chapter 8 - Information System Security
  • Chapter 9 - Special Requirements
    • Section 1 - RD and FRD
    • Section 2 - DoD Critical Nuclear Weapon Design Information (CNWDI)
    • Section 3 - Intelligence Information
    • Section 4 - Communication Security (COMSEC)
  • Chapter 10 - International Security Requirements
  • Chapter 11 - Miscellaneous Information
    • Section 1 - TEMPEST
    • Section 2 - Defense Technical Information Center (DTIC)
    • Section 3 - Independent Research and Development (IR&D) Efforts
  • Appendices

Data sanitization

DoD 5220.22-M is sometimes cited as a standard for sanitization to counter data remanence. The NISPOM actually covers the entire field of government-industrial security, of which data sanitization is a very small part (about two paragraphs in a 141-page document). Furthermore, the NISPOM does not actually specify any particular method. Standards for sanitization are left up to the Cognizant Security Authority. The Defense Security Service provides a Clearing and Sanitization Matrix (C&SM) which does specify methods. As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable.

Unrelated to NISP or NISPOM, NIST also publishes a data sanitization standard, including methods to do so.

Revised Information

The above information is out of date. The currently correct document is the ISFO Process Manual V3, dated 14 June 2011. This document is available by request only and is not directly available online. The document has gone through many revisions and name changes. Currently it is slated to be updated twice a year.

The new version has had the section on disk sanitization greatly rewritten.

Chapters and selected sections of the new edition are:
  • 1 Preface
  • 2 Introduction
  • 3 Purpose
  • 4 Introduction of NIST 800-53 Controls
  • 5 SECURITY CONTROLS
    • 5.1 MANAGEMENT CONTROLS
      • 5.1.1 SECURITY PLANNING (PL)
        • 5.1.1.1 Roles and Responsibilities
          • 5.1.1.1.1 Office of the Designated Approving Authority (ODAA)
          • 5.1.1.1.2 Information System Security Professional (ISSP)
          • 5.1.1.1.3 Information Systems Security Manager (ISSM)
          • 5.1.1.1.4 ISSMs for Multiple Facility Organizations (MFO)
          • 5.1.1.1.5 Information System Security Officer (ISSO)
          • 5.1.1.1.6 Network ISSO
          • 5.1.1.1.7 Users of Information Systems (IS)
        • 5.1.1.2 Information System (IS) Types
          • 5.1.1.2.1 Multiuser Standalone (MUSA)
          • 5.1.1.2.2 Local Area Networks (LAN)
          • 5.1.1.2.3 Interconnected System/Wide Area Network (WAN)
          • 5.1.1.2.4 Virtualization
          • 5.1.1.2.5 Special Categories
            • 5.1.1.2.5.1 Single-User, Standalone Systems (SUSA)
            • 5.1.1.2.5.2 Periods Processing
            • 5.1.1.2.5.3 Pure Servers
            • 5.1.1.2.5.4 Test Equipment
            • 5.1.1.2.5.5 Special Purpose, Tactical, Embedded Systems
            • 5.1.1.2.5.6 Copiers
      • 5.1.2 SECURITY ASSESSMENT AND AUTHORIZATION (CA)
        • 5.1.2.1 Types of Security Plans
          • 5.1.2.1.1 System Security Plan (SSP)
          • 5.1.2.1.2 Master System Security Plan (MSSP)
        • 5.1.2.2 Information System Connections
          • 5.1.2.2.1 Network Security Plans (NSP)
            • 5.1.2.2.1.1 Memorandum of Understanding (MOU)/Interconnected Systems Agreement (ISA)
              • 5.1.2.2.1.1.1 MOU Requirements
              • 5.1.2.2.1.1.2 MOU Content
              • 5.1.2.2.1.1.3 MOU Sample
            • 5.1.2.2.1.2 Defense Information Systems Network (DISN) Connections
          • 5.1.2.2.2 International System Security Plans
        • 5.1.2.3 Types of Networks
          • 5.1.2.3.1 Unified Networks
          • 5.1.2.3.2 Interconnected Networks
          • 5.1.2.3.3 Network Security Plans (NSP)
        • 5.1.2.4 Plan of Action & Milestone (POA&M)
          • 5.1.2.4.1 Plan of Action and Milestone Template (POA&M)
      • 5.1.3 CONFIGURATION MANAGEMENT (CM)
        • 5.1.3.1 Configuration Management Process
      • 5.1.4 PROGRAM MANAGEMENT (PM)
      • 5.1.5 RISK ASSESSMENT (RA)
        • 5.1.5.1 Risk Assessment Requirements
        • 5.1.5.2 Enhanced Controls
      • 5.1.6 SYSTEM AND SERVICES ACQUISITION (SA)
        • 5.1.6.1 Certification and Accreditation (C&A)
          • 5.1.6.1.1 C&A Life Cycle
          • 5.1.6.1.2 C&A Process
            • 5.1.6.1.2.1 Certification
            • 5.1.6.1.2.2 Review
            • 5.1.6.1.2.3 Accreditation
            • 5.1.6.1.2.4 Verification
        • 5.1.6.2 Software Protections
    • 5.2 OPERATIONAL CONTROLS
      • 5.2.1 AWARENESS AND TRAINING (AT)
        • 5.2.1.1 Security Education
        • 5.2.1.2 Cleared Contractor Training
      • 5.2.2 CONTINGENCY PLANNING (CP)
        • 5.2.2.1 Contingency Planning
        • 5.2.2.2 System Recovery and Assurances
      • 5.2.3 INCIDENT RESPONSE (IR)
        • 5.2.3.1 Classified Spills
          • 5.2.3.1.1 Incident Response Plan
          • 5.2.3.1.2 Sanitizing and Declassifying
          • 5.2.3.1.3 Classified Spill Cleanup Procedures
          • 5.2.3.1.4 Wiping Utility
          • 5.2.3.1.5 DSS-Approved Classified Spill Cleanup Plan
          • 5.2.3.1.6 Contamination Cleanup Procedures
      • 5.2.4 MAINTENANCE (MA)
        • 5.2.4.1 Maintenance
        • 5.2.4.2 Cleared Maintenance Personnel
        • 5.2.4.3 Uncleared (or Lower-Cleared) Maintenance Personnel
        • 5.2.4.4 Remote Maintenance
      • 5.2.5 MEDIA PROTECTION (MP)
        • 5.2.5.1 Media Protection
        • 5.2.5.2 Hardware Marking
        • 5.2.5.3 Trusted Download
          • 5.2.5.3.1 Trusted Download Procedures
            • 5.2.5.3.1.1 DSS Authorized File Type/Formats
            • 5.2.5.3.1.2 DSS File Transfer Procedures
            • 5.2.5.3.1.3 DSS Authorized Procedure (Windows-Based)
            • 5.2.5.3.1.4 DSS Authorized Procedure (Unix)
            • 5.2.5.3.1.5 Alternate Trusted Download Risk Acceptance Letter (RAL) Example
        • 5.2.5.4 Mobile Systems
          • 5.2.5.4.1 Mobile Processing Procedures
        • 5.2.5.5 Clearing and Sanitization
          • 5.2.5.5.1 Clearing
          • 5.2.5.5.2 Sanitizing
          • 5.2.5.5.3 Magnetic Tape
          • 5.2.5.5.4 Organization Destruction Options
          • 5.2.5.5.5 DSS Clearing and Sanitization Matrix
      • 5.2.6 PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)
        • 5.2.6.1 Physical Security (8-308, 5-306, 5-308, 6-104)
        • 5.2.6.2 Hardware and Software Protection
        • 5.2.6.3 Protected Distribution System (PDS)
        • 5.2.6.4 Emergency Procedures (5-104)
        • 5.2.6.5 TEMPEST (11-100)
      • 5.2.7 PERSONNEL SECURITY (PS)
        • 5.2.7.1 Personnel Security Clearance Verification
        • 5.2.7.2 Personnel Sanctions
      • 5.2.8 SYSTEM AND INFORMATION INTEGRITY (SI)
        • 5.2.8.1 Flaw Remediation
        • 5.2.8.2 Unclassified Software Review
        • 5.2.8.3 Antivirus
    • 5.3 TECHNICAL CONTROLS
      • 5.3.1 ACCESS CONTROL (AC)
        • 5.3.1.1 Access Control
        • 5.3.1.2 Separation of Function
        • 5.3.1.3 Logon Banner
        • 5.3.1.4 Session Controls
          • 5.3.1.4.1 Successive Login Attempt Controls
          • 5.3.1.4.2 User Inactivity
          • 5.3.1.4.3 Logon Notification (PL-2/PL-3)
        • 5.3.1.5 USB Devices and Ports
        • 5.3.1.6 Radio Frequency ID (RFID) Tags
        • 5.3.1.7 Secure Wireless LANs (S-WLAN)
        • 5.3.1.8 Foreign Ownership, Control & Influence (FOCI)
      • 5.3.2 AUDIT AND ACCOUNTABILITY (AU)
        • 5.3.2.1 Audit Requirements
        • 5.3.2.2 Security Seals
      • 5.3.3 IDENTIFICATION AND AUTHENTICATION (IA)
        • 5.3.3.1 Identification and Authentication Management
        • 5.3.3.2 Generic or Group Accounts (8-505)
        • 5.3.3.3 Password Policy
        • 5.3.3.4 BIOS Password
      • 5.3.4 SYSTEM AND COMMUNICATIONS PROTECTION (SC)
        • 5.3.4.1 Data Transmission Protection
        • 5.3.4.2 Network Management and Protections
          • 5.3.4.2.1 Controlled Interfaces
        • 5.3.4.3 Classified Voice over IP (VOIP)/Video Teleconferencing (VTC)
        • 5.3.4.4 Thin Client Systems
        • 5.3.4.5 Masking/Coding/Disassociation
  • 6 System Security Plan Submission Process
    • 6.1 Variances
  • 7 Defense Industrial Base Cyber Security Accreditation Process (DIBNET)
  • 8 Reference List
  • 9 Glossary
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.