NISPOM Compliance
The National Industrial Security Program Operating Manual (NISPOM) provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the National Industrial Security Program (NISP). Chapter 8 addresses the information system security that must be in place. NISPOM was reissued February 28, 2006.
The Defense Security Service administers the NISP for 23 federal agencies by providing oversight, advice, and assistance to over 11,000 contractor facilities that are cleared for access to classified information. Cleared contractors and any other company or organization that has access to classified information must comply with NISPOM.
NISPOM Chapter 8 ("Information System Security") outlines protection requirements for classified data (Sec. 6). Some of the relevant provisions follow:
Data Transmission (Trans). Information protection is required whenever classified information is to be transmitted through areas or components where individuals not authorized to have access to the information may have unescorted physical or uncontrolled electronic access to the information or communications media (e.g., outside the system perimeter). (8-605)
Changes to Data (Integrity). The control of changes to data includes deterring, detecting, and reporting of successful and unsuccessful attempts to change data. Control of changes to data may range from simply detecting a change attempt to the ability to ensure that only authorized changes are allowed. (8-604)
Access Controls (Access). The Information System (IS) shall store and preserve the integrity of the sensitivity of all information internal to the IS. (8-606)
For data transmission, NISPOM specifies one of the protection methods to be used: "National Security Agency (NSA)-approved encryption mechanisms appropriate for the encryption of classified information."
The NISPOM requirements regarding the handling and protection of classified information are broad. As they pertain to electronic data, NISPOM requires contractors to implement robust data security measures that protect the confidentiality of classified information on the network or over shared outside networks (data transmission). Companies must also ensure data integrity through technologies that guarantee the information is unaltered.
NISPOM requires contractors to report events that impact their facility clearance (FCL), an employee's personnel clearance (PCL), the ability to properly safeguard classified information, or an indication that classified information has been lost or compromised. Failure to comply with NISPOM's data security provisions could result in loss of facility clearance and jeopardize government contracts.
CipherEngine assures the confidentiality, authenticity, and integrity of data in motion on any network. Our approach to protecting your network is to deny access to everyone and permit by exception. With that approach as our driving force, our solutions provide you with both encryption and authentication of all your critical information on the LAN or wireless LAN.
Using powerful 256-bit AES encryption that is approved by the NSA for "sensitive" information, CipherOptics hardware-accelerated encryption appliances authenticate packets and protect data. Using the robust secure hash algorithm SHA-1, our network encryptors verify the integrity of the data, rejecting any packets that have been manipulated or altered. Secure hash can also be used to thwart unauthorized intrusion at the network level. Our network encryptors' deterministic firewall feature can reject any packets that lack the proper encryption-based authentication of a trusted endpoint. This effectively blocks all unauthenticated traffic from outside the network.
In support of NISPOM, CipherOptics CipherEngine can also cryptographically segment data for secure communities of interest by separating data of different security levels that travel on the same network.
CipherOptics network encryptors are FIPS-140-2-compliant and available on government buying vehicles. They are field-proven in some of the most security-conscious networks in the world and are the preferred solution of many agencies for securing high-speed IP networks. Customers include the Social Security Administration, Department of Energy, Department of Agriculture, the U.S. Coast Guard, NASA, U.S. Army and the National Security Agency.
To discuss how CipherOptics can help you comply with NISPOM, call 1-877-878-6655 or feel free to ask us a question.
Full National Industrial Security Program Operating Manual