Yesterday the Department of Defense published a final rule in the Federal Register (85 FR 83300-83364) that codifies the National Industrial Security Program Operating Manual (NISPOM) as 32 CFR Part 117. The NISPOM establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders to prevent unauthorized disclosure. This final rule becomes effective on February 24th, 2021.
Coverage
According to the new §117.2 this rule applies to: “All industrial, educational, commercial, or other non-USG entities granted access to classified information by the USG executive branch departments and agencies or by foreign governments” {§117.2(3)}.
Section 117.2(b)(1) goes on to clarify that this rule does not:
“Limit in any manner the authority of USG executive branch departments and agencies to grant access to classified information [emphasis added] under the cognizance of their department or agency to any individual designated by them. The granting of such access is outside the scope of the NISP and is accomplished pursuant to E.O. 12968, E.O. 13526, E.O. 13691, the AEA, and applicable disclosure policies.”
Section 117.22 specifically provides DHS with the “authority to determine the eligibility for personnel security clearances and to administer the sharing of relevant classified NSI with certain private sectors or non-federal partners for the purpose of furthering cybersecurity information sharing [emphasis added] among critical infrastructure partners pursuant to E.O. 13691” {§117.22(b)(1)}. It then goes on to clarify that participating entities “will cooperate with DHS security officials to ensure the entity is in compliance with requirements in this rule” {§117.22(b)(2)}.
Security Requirements
Entities granted access to, or generating, classified information are responsible for complying with all of the requirements of this rule. Major areas of interest will include:
117.3 – Definitions,
117.4 – Policy,
117.6 – Responsibilities,
117.7 – Procedures,
117.8 – Reporting requirements,
117.10 – Determination of eligibility for access to classified information for contractor employees,
117.11 – Foreign Ownership, Control, or Influence (FOCI),
117.15 – Safeguarding classified information,
117.18 – Information system security,
117.21 – COMSEC, and
117.22 – DHS classified critical infrastructure protection program (CCIPP).
The reporting requirements of §117.8 require special note. As required in §117.8(1), contractors and their cleared employees are required to report:
• Certain events that may have an effect on the status of the entity's or an employee's eligibility for access to classified information,
• Events that indicate an insider threat to classified information or to employees with access to classified information,
• Events that affect proper safeguarding of classified information; and
• Events that indicate classified information has been, or is suspected to be, lost or compromised.
Commentary
I have long maintained that the governmental classification of cybersecurity threat information is a major impediment to information sharing because of the cost involved in being able to properly receive, store, and disseminate classified information. With the codification of the NISPOM, it should now be clear exactly why I have raised these objections over the years. DHS is going to have to make special efforts to ensure that non-classified information on cyber threats is made readily available. Fortunately, the public reporting on the recent SUNBURST vulnerabilities would seem to indicate that CISA has taken that responsibility to heart.