(a) General. (1) Contractor information systems that are used to capture, create, store, process, or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information. The contractor will implement protective measures using a risk-based approach that incorporates minimum standards for their insider threat program in accordance with CSA-provided guidance.

(2) The CSA will issue guidance based on requirements for federal systems, pursuant to 44 U.S.C. Ch. 35 of subchapter II, also known as the “Federal Information Security Modernization Act,” and as set forth in National Institute of Standards and Technology (NIST) Special Publication 800-37 (available at: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final), Committee on National Security Systems (CNSS) Instruction 1253 (available at: https://www.cnss.gov/CNSS/openDoc.cfm?QwPYrAJ5Ldq+s+jvttTznQ==), and other applicable CNSS and NIST publications (e.g., NIST Special Publication 800-53).

(b) Information system security program. The contractor will maintain an information system security program that supports overall information security by incorporating a risk-based set of management, operational, and technical security controls in accordance with CSA-provided guidance. The contractor will incorporate into the program:

(1) Policies and procedures that reduce information security risks to an acceptable level and address information security throughout the information system life cycle.

(2) Plans and procedures to assess, report, isolate, and contain data spills and compromises, to include sanitization and recovery methods.

(3) Information system security training for authorized users, as required in CSA provided guidance.

(4) Policies and procedures that address key components of the contractor's insider threat program, such as:

(i) User activity monitoring network activity, either automated or manual.

(ii) Information sharing procedures.

(iii) A continuous monitoring program.

(iv) Protecting, interpreting, storing, and limiting access to user activity monitoring automated logs to privileged users.

(5) Processes to continually evaluate threats and vulnerabilities to contractor activities, facilities, and information systems to ascertain the need for additional safeguards.

(6) Change control processes to accommodate configuration management and to identify security relevant changes that may require re-authorization of the information system.

(7) Methods to ensure users are aware of rights and responsibilities through the use of banners and user agreements.

(c) Contractor responsibilities—(1) Certification. The contractor will:

(i) Certify to the CSA that the security program for information systems to process classified information addresses management, operation, and technical controls in accordance with CSA-provided guidelines.

(ii) Provide adequate resources to the information system security program and organizationally align to ensure prompt support and successful execution of a compliant information system security program.

(2) ISSM. Contractors that are or will be processing classified information on an information system will appoint an employee ISSM. The contractor will confirm that the ISSM is adequately trained, has sufficient experience, and possesses technical competence commensurate with the complexity of the information system. The ISSM will:

(i) Oversee the development, implementation, and evaluation of the contractor's information system program for contractor management, information system personnel, users, and others as appropriate.

(ii) Coordinate with the contractor's insider threat senior program official so that insider threat awareness is addressed in the contractor's information system security program.

(iii) Develop, document, and monitor compliance of the contractor's information system security program in accordance with CSA-provided guidelines for management, operational, and technical controls.

(iv) Verify self-inspections are conducted at least every 12 months on the contractor's information systems that process classified information, and that corrective actions are taken for all identified findings.

(v) Certify to the CSA in writing that the systems security plan (SSP) is implemented for each authorized information systems, specified in the SSP; the specified security controls are in place and properly tested; and the information system continues to function as described in the SSP.

(vi) Brief users on their responsibilities with regard to information system security and verify that contractor personnel are trained on the security restrictions and safeguards of the information system prior to access to an authorized information system.

(vii) Develop and maintain security documentation of the security authorization request to the CSA. Documentation may include:

(A) SSPs.

(B) Security assessment reports.

(C) Plans of actions and milestones.

(D) Risk assessments.

(E) Authorization decision letters.

(F) Contingency plans.

(G) Configuration management plans.

(H) Security configuration checklists.

(I) System interconnection agreements.

(3) Information systems security officer (ISSO). The ISSM may assign an ISSO. If assigned, the ISSO will:

(i) Verify the implementation of the contractor's information system security program as delegated by the ISSM.

(ii) Ensure continuous monitoring strategies and verify corrective actions to the ISSM.

(iii) Conduct self-inspections and verify corrective actions to the ISSM.

(4) Information system users. All information system users will:

(i) Comply with the information system security program requirements as part of their responsibilities for protecting classified information.

(ii) Be accountable for their actions on an authorized information system.

(iii) Not share any authentication mechanisms (including passwords) issued for the control of their access to an information system.

(iv) Protect authentication mechanisms at the highest classification level and most restrictive classification category of information to which the mechanisms permit access.

(v) Be subject to monitoring of their activity on any classified network, understanding that the results of such monitoring can be used against them in a criminal, security, or administrative proceeding or action.

(vi) Notify the ISSM or ISSO when access to a classified system is no longer required.

(d) Information system security life-cycle. The CSA-provided guidance on the information system security life-cycle is based on the risk management framework outlined in NIST special publication 800-37 that emphasizes:

(1) Building security into information systems during initial development.

(2) Maintaining continuous awareness of the current state of information system security.

(3) Keeping contractor management informed to facilitate risk management decisions.

(4) Supporting reciprocity of information system authorizations.

(e) Risk management framework. The risk management framework is a seven-step process used for managing information system security-related risks. These steps will be used to help ensure security capabilities provided by the selected security controls are implemented, tested, validated, and approved by the USG authorizing official with a degree of assurance appropriate for the information system. This process accommodates an on-going risk mitigation strategy.

(1) Prepare. The contractor will execute essential activities at the organization, mission and business process, and system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.

(2) Categorize. The contractor will categorize the information system and the information processed, stored, and transmitted by the information system based on an impact analysis. Unless imposed by contract, the information system baseline is moderate-confidentiality, low-integrity, and low-availability.

(3) Select. The contractor will select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

(4) Implement. The contractor will implement the security controls and document how the controls are deployed within the information system and the operational environment.

(5) Assess. The contractor will assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. The contractor will review and certify to the CSA that all systems have the appropriate protection measures in place.

(6) Authorize. The CSA will use the information provided by the contractor to make a timely, credible, and risk-based decision to authorize the system to process classified information. The CSA must authorize the system before the contractor can use the system to process classified information.

(7) Monitor. The contractor will monitor and assess selected security controls in the information system on an ongoing basis:

(i) Effectiveness of security controls.

(ii) Documentation of changes to the information system and the operational environment.

(iii) Analysis of the security impact of changes to the information system.

(iv) Making appropriate reports to the CSA.

(f) Unclassified information systems that process, store, or transmit CUI. While outside the requirements of the NISPOM, contractors will comply with contract requirements regarding contractor information systems that process, store, or transmit CUI.