• Field Operations
• Overview
• Field Office Locations
• Facility Clearance Branch (FCB)
• Office of Designated Approving Authority (ODAA)
• Industry Tools
• NISPOM/ISLs (Security Library)
• Foreign Ownership, Control or Influence
• Overview
• Contact Us
• FOCI Policy
• FOCI Conferences
• FOCI Mitigation Instruments
• National Interest Determinations
• Outside Director/Proxy Holder Information
• Sample Technology Control Plan
• FOCI Collocation
• FOCI FAQs
• International Division
• Overview
• Limited Access Authorizations (LAAs) for Non-U.S. Citizens
• Policy
• Overview
• Contact Us
• Policy FAQs
• NISPOM/ISLs (Security Library)
• Policy News/Archives
• Agency Agreements

Home + Industrial Security + Policy + Policy FAQs

Policy Frequently Asked Questions

Contact Policy

Below are answers to the most frequently asked questions regarding policies affecting the National Industrial Security Program. Please keep in mind that the below responses may not be all inclusive. There may be situations where additional requirements may apply; please refer to the National Industrial Security Program Operating Manual (NISPOM) for additional clarification.

Marking Removable Media

(It’s important to note that the intent of the markings is to ensure that the classification of the item is clear to the holder (NISPOM 4-200) so that proper protection can be provided.)

Q:  How is removable media marked and labeled?

A:  DSS recognizes these forms of media as special types of material (NISPOM 4-210.a.) generally containing multiple files and coming in all shapes and sizes, which makes marking and labeling more difficult than for individual documents. Such media often contain both unclassified and classified documents and may include multiple categories of information and/or handling caveats. Therefore, the highest classification of any classified item contained within the media (overall marking) along with any and all associated categories/caveats (e.g., CNWDI, NATO) shall be conspicuously marked (stamped, printed, etched, written, engraved, painted, or affixed by means of a tag, sticker, decal, or similar device) on the exterior of such material (or, if such marking is not possible, on documentation that accompanies the media) so it is clear to the holder. If each document on a removable device contains all of the required information for that document, only the overall classification and associated caveats markings must be marked on the exterior of the device. Other notations such as names, addresses, subjects/titles, source of classification and declassification instructions are not necessary on the exterior of removable media.

Q:  What items are considered to be removable media?

A:  Removable media is any type of storage device that can be removed from a computer while the system is running. This includes removable media which is inserted into readers and drives integrated into the system (e.g., Optical discs (CDs, DVDs, Blu-ray Discs), memory cards (CompactFlash card, Secure Digital card, Memory Stick), floppy disks, Zip disks, and magnetic tapes), as well as those readers and drives which themselves are removable (e.g., USB Flash Drives and External Hard Disk Drives).

Note:  Examples are not all inclusive. If you are unsure if your equipment falls into this category, contact your local DSS Representative (i.e. Information System Security Professional) for assistance.

Q:  Are easily removed hard drives (e.g. sled mounted and those found in laptops) considered removable media and should they be marked as such?

A:  No, these devices do not fit the definition of removable media since they generally cannot be removed while the system is running. Users should take care not to confuse these devices with external hard drives, which are removable media.

Although not considered removable media, these items have similar marking requirement (8-306a) to bear a conspicuous label stating the highest classification and most restrictive caveats.

Q:  What types of removable media needs to be marked?

A:  All types of removable media, regardless of their impact to the operation of a system. This includes, but is not limited to: Floppy Disks, CDs, DVDs, Blu-ray Discs, USB or Flash Drives, External Hard Disk Drives (connected via USB port), etc.

Additionally, unclassified media and systems located in areas approved by the CSA for classified processing must also be marked and labeled so that the overall classification and associated caveats are apparent to the user.

Q:  The NISPOM requires weekly audit trail analysis. What is meant by weekly? Does that mean once a calendar week or every seven days?

A:  The NISPOM (8-602a.(3)) states audit analysis shall be scheduled and performed at least weekly and shall be documented in the SSP.

There are many variables that could impact the completion of audit trail analysis on a routine basis, which is why a weekly requirement is called for in the NISPOM rather than a strict seven days. Workload priorities, personnel matters, and system availability (just to name a few) may factor in the timeliness of contractor’s audit trail reviews.

Adverse Information Reporting

Q:  Are contractors required to submit adverse information reports for an employee with clearance eligibility in JPAS, even if the employee currently does not require access to classified information?

A:  Contractors should report adverse information coming to their attention concerning any employee who has current eligibility reflected in JPAS, in accordance with NISPOM 1-302.  Also refer to ISL 2011-04. 

Answers to FAQs regarding NATO Annual Refresher Briefings

Q: Do contractors have to record the most recent NATO Annual Refresher Briefing date in the Joint Personnel Adjudication System (JPAS)?

A: Paragraph 10-706 of the NISPOM only requires the NATO initial briefing date and the NATO debriefing date should be recorded in JPAS. The contractor should retain a verifiable record of the most recent NATO Annual Refresher Briefing.

Q: Is DSS required to provide NATO Annual Refresher Briefing to the Facility Security Officer (FSO)?

A: As DSS is required to provide the NATO initial briefing to the FSO, DSS should also provide the NATO Annual Refresher Briefing.

Intrusion Detection System (IDS) for Containers Requiring Supplemental Protection

Q: What are the intrusion detection (alarm sensor) requirements to support the supplemental protection requirements of NISPOM 5-302 and 5-307a for GSA-approved security containers storing TOP SECRET material that are not located in an approved closed area?

A: NISPOM Chapter 5, Section 9 "Intrusion Detection Systems" outlines the application of IDS when required as supplemental protection.

When GSA-approved security containers storing TOP SECRET classified material are located within a room that can be alarmed, the room shall be protected with an intrusion detection systems (IDS) meeting the requirements outlined in NISPOM paragraph 5-904 where the area will be compliant with UL "Extent 3" as described in UL-2050.

When the GSA-approved security container storing TOP SECRET classified material itself is to be protected (rather than being in an alarmed area) the container shall be protected with an IDS providing "Complete" protection which requires the use of alarm sensors on or within the GSA-approved security container storing classified material where IDS is used for supplemental protection. "Complete" protection consists of protection on all surfaces and contacts on each outer door or contacts on the lock and bolt mechanism of each outer door. If all of the drawers or doors of a GSA-approved container lock with a single mechanism and if none can be left unlocked or open when the mechanism is set, a single contact mounted on the control drawer or door on which the mechanism is installed is acceptable. Alternatively, surface protection may consist of linings that comply with the Standard for Linings and Screens applied to a safe or safe cabinet that completely surround the safe. The protection shall be arranged so that an alarm will be initiated if an opening 4 inches (102 mm) in diameter or larger is made in the safe or safe door by any method of attack. To ensure compliance with the extent of protection of "complete" the UL Certified Alarm Services Companies recommends to the user the appropriate sensor type to be installed to meet UL-2050 certification requirements.

Q. What can a company do to facilitate the final eligibility determination for an employee who is currently assigned overseas but has an interim clearance?

A. Contractors can provide advance notice to the Defense Industrial Security Clearance Office (DISCO) by submitting a Research, Recertify, Upgrade (RRU) request via JPAS advising of the subject's return to a location where an interview can be conducted.

Q. What happens when the requests for periodic reinvestigations (PRs) are not submitted within required timeframes?

A. Contractor personnel with access granted at the Top Secret, Secret, and Confidential levels must be reinvestigated at 5-, 10- and 15-year intervals, respectively, from the closing date of the previous investigation.  To facilitate compliance with submission timeframes, contractors may submit an employee's e-QIP for a PR up to 90 days in advance of the due date.  To monitor compliance with PR submission requirements, the Defense Industrial Security Clearance Office (DISCO) produces monthly reports of overdue PRs and notifies contractors via JPAS of personnel for whom a PR request must be submitted.   If the PR request is not submitted within 30 days from issuance of the overdue notification, DISCO will remove the employee's eligibility this will show up as a Loss of Jurisdiction (LOJ) in JPAS.  Upon receipt of the LOJ, contractors must remove the individual's access to classified information and annotate this in JPAS.  Once the PR request is submitted, DISCO will remove the LOJ and eligibility will be restored.

DISCO notifications, such as those for overdue PRs or LOJ, are only posted within JPAS for 30 days.  Contractors are reminded to access JPAS accounts within timeframes that do not exceed 30 days.

Contractors are reminded that they are responsible to ensure JPAS is continuously updated to accurately reflect the status of their cleared contractors.

Q: Is it necessary for the contractor to maintain the hard copy original "signature pages" (releases and certification) of the SF-86 while the investigation is on-going?

A: Contractors may maintain the entire SF-86 electronically, including signature pages with scanned signatures, as long as it is retrievable if needed and the confidentiality of the document is protected in accordance with NISPOM paragraph 2-202.b. Retained documentation should also be destroyed in accordance with NISPOM 2-202.b.

Q: Can the Joint Personnel Security Adjudication System (JPAS) be used to verify citizenship when processing individuals for personnel security clearances?

A: No. Paragraph 2-208 of the NISPOM describes acceptable proof of citizenship. JPAS may not be used to verify citizenship; however, the fact that an individual has a current active clearance in JPAS can be the basis for assuming that US citizenship was verified as part of the initial investigative process. Individuals who have had a break in access should be asked if there has been any change in their citizenship status since they last worked in a cleared position.

Q: When should the provisions of Executive Order 13526 (Classified National Security Information), dated December 29, 2009, regarding classification and marking guidance, be implemented by contractors operating under the National Industrial Security Program?

A: The requirements will be included in the NISPOM. Until the revised NISPOM is issued, the provisions of E.O. 13526 do not apply to cleared contractors, unless specifically required by contract.

Retention of NATO Briefing Records

Q: How long should companies retain NATO Briefing/Debriefing Certificates and Annual Refresher Briefing Records for employees who require access to NATO Classified Information?

A: Initial Briefing Certificate: The contractor should retain the initial briefing certificate for an employee who has been given access to NATO classified information until the employee no longer requires access, and has been debriefed.

Annual Refresher Briefing: The contractor should retain the current annual refresher briefing record on file until the next annual refresher briefing is completed or the employee is debriefed, whichever occurs first. This requirement applies to all levels of NATO classified information.

Debriefing Certificate – NATO CONFIDENTIAL and SECRET information: The contractor should retain the debriefing certificate for an employee who no longer requires access to NATO CONFIDENTIAL and NATO SECRET information for two years after the debriefing.

Debriefing Certificate – NATO TOP SECRET and all ATOMAL information: The contractor should retain the debriefing certificate for an employee who no longer requires access to NATO TOP SECRET and all ATOMAL information for three years after the debriefing.

Best Practice: For ease of record keeping, use a single form to record both the initial briefing and the debriefing.