Aerospace and defense contractors that work with the US Department of Defense are required to comply with one or more regulations governing security and the handling of classified information. The National Industrial Security Program (NISP) sets the requirements for private industry that handles classified information on behalf of the US government. Those requirements are published, by the Department of Defense as NISP executive agent, in the National Industrial Security Program Operating Manual (NISPOM, DoD 5220.22-M). NISPOM Chapter 8 gives the certification and accreditation requirements for information systems that process classified information. Similarly, Director of Central Intelligence Directive 6/3 (DCID 6/3) defines the certification and accreditation process for information systems that handle Top Secret (TS) or Sensitive Compartmented Information (SCI).
President George H. W. Bush established the National Industrial Security Program in January 1993 by Executive Order 12829 (National Industrial Security Program, 1993). NISPOM Chapter 8 states its scope as follows:
"Information systems (IS) that are used to capture, create, store, process or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information, loss of data integrity, and to ensure the availability of the data and system." (NISPOM, 2006)
NISPOM is a comprehensive manual covering all aspects of industrial security, including physical security, personnel clearances, and other matters separate from information processing. NISPOM Chapter 8 specifically addresses information systems, including access controls, auditing, and data destruction. A contractor seeking certification and accreditation under NISPOM must be sponsored by one of the four cognizant security agencies: the Department of Defense, the Department of Energy, the Central Intelligence Agency, or the Nuclear Regulatory Commission. For Department of Defense contracts, inspections are conducted by the Defense Security Service (DSS). Each of the four agencies has implemented its own certification and accreditation process, and the Department of Defense process is generally recognized as the most mature of them (Govea, 2000). The DoD's own process for its internal systems is the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and the NISPOM Chapter 8 process is expected eventually to be aligned with, and possibly superseded by, it.
DCID 6/3 is a directive from the Director of Central Intelligence (DCI) governing the processing of TS and SCI information. DCID 6/3 assigns each information system to one of five protection levels (PL1 through PL5), determined by the clearances and need-to-know of its users relative to the data it holds. DCID 6/3 also goes into more detail on physical security and encryption than NISPOM Chapter 8. Many of the access control, auditing, and data destruction requirements are similar between the two documents, although DCID 6/3 imposes additional requirements. A NISPOM Chapter 8 compliant system roughly corresponds to protection levels 1 through 3 under DCID 6/3 (DCID 6/3 Manual, 2010). The criminal penalties for mishandling classified information do not come from either document but from federal statute, chiefly the espionage statutes in 18 U.S.C. §§ 793–798, and they apply the same way regardless of which accreditation process the system falls under; maximum penalties range up to life imprisonment and, under § 794 in the most serious espionage cases, death. Mishandling classified information is not prosecuted as treason, which the Constitution defines narrowly as levying war against the United States or adhering to its enemies.
An aerospace and defense contractor working for the US government may have to satisfy several compliance regimes at once. NISPOM Chapter 8 and DCID 6/3 are only two of the many certification and accreditation processes in use. The National Institute of Standards and Technology is working to standardize federal compliance requirements through its Risk Management Framework (NIST Special Publication 800-37), which is intended to replace the agency-specific certification and accreditation processes with a single government-wide approach.
Wikipedia. (2010). National Industrial Security Program. Retrieved May 16, 2010, from http://en.wikipedia.org/wiki/National_Industrial_Security_Program
DCID 6/3 Manual. (2010). DCID 6/3 Manual. Federation of American Scientists. Retrieved May 16, 2010, from http://www.fas.org/irp/offdocs/DCID_6-3_20Manual.htm
Govea, G. E. (2000). Comparing information protection practices. Security Management, 44(9).
National Industrial Security Program. (1993). Executive Order 12829. Federation of American Scientists. Retrieved May 16, 2010, from http://www.fas.org/irp/offdocs/eo12829.htm
NISPOM. (2006). National Industrial Security Program Operating Manual (DoD 5220.22-M). Defense Security Service. Retrieved May 16, 2010, from https://www.dss.mil/isp/odaa/nispom06.html