Resources

Aloha-ISAC is providing these links for information purposes only.
 

NBIS

NBIS is the DOD System of Record for personnel security and will replace the Defense Information System for Security (DISS), which itself was designed to replace the Joint Personnel Adjudication System (JPAS). Users within the federal government and private industry will use NBIS to conduct comprehensive personnel security management for all cleared personnel.

DCSA NBIS Training Portal
DCSA NBIS Account Management Policy Document v 1.2.2

Adding a Second User to Administer NBIS

Adding secondary admins to NBIS does not require the submission of the PSSAR form to DCSA. The initial admin of the company NBIS account can add additional users. The general steps are as follows:

  1. Obtain an active PKI-compliant smartcard (CAC, PIV card, ECA PKI Certificate or other approved DoD PKI on a smartcard/token) prior to getting an NBIS account.
  2. Meet the minimum personnel security requirements for access to NBIS (a favorably adjudicated T1 background investigation).
  3. Work with your SMO or organization’s leadership to determine your appropriate role(s) and responsibilities within NBIS. See the NBIS Account Management Policy Document for more information on user roles.
  4. Have the user complete a PSSAR form (DD Form 2962). See the NBIS PSSAR Guidance document for guidance.
  5. Have the user complete the necessary training and save the completed certificates.
    1. DoD Cyber Awareness Challenge Training https://public.cyber.mil/training/cyber-awareness-challenge/
    2. PII Training https://securityawareness.usalearning.gov/piiv2/index.htm
  6. Log into NBIS and navigate to Org Management and then Users.
  7. Click Create User, add the SSN of the user to be added as an NBIS admin, and click Continue.
  8. Complete the PII information of the user and click Continue.
  9. Provide a Persona Name, Primary Phone Number, and Primary Email Address, check the Notification Preferences, and choose the Time Zone.
  10. Under New Attachments, add the completed training certificates and PSSAR form.
  11. Choose the User Roles that were specified in the PSSAR form and click Complete User Profile.
  12. Ask the user to initiate an account at https://vetting.nbis.mil/enterprise/ by clicking on New User.

Continuous Vetting

Collection of the SF-86 form for reinvestigations is now on a 5-year periodicity.

Industry_Continuous_Vetting_Guidance


Security Training

CDSE Security Awareness Hub

Security Violations

Administrative Inquiry (AI) Process Job Aid
Administrative Inquiry (AI) Guidelines for Information Systems (IS)


References

DCSA: Maintaining Personnel Security Clearances

 

Cleared Contractors Responsibilities for Subcontractor and Self-Employed Consultants Personnel Security Clearances (PCL) and Facility Clearances (FCL).

NISPOM 2-212 authorizes Cleared Contractors to process self-incorporated consultants for a PCL provided the consultant and members of his/her immediate family are the sole owners of the consultant’s firm, and only the consultant requires access to classified information. In such cases, a facility security clearance (FCL) is not required. Should other employees of the consultant’s firm require access to classified information, the cleared contractor must issue a classified subcontract to the consultant’s firm and sponsor them for an FCL if they don’t already have one. NISPOM 2-200b prohibits prime contractors from managing subcontractor employees’ PCLs (e.g., submitting a PCL to the CSA on the subcontractor’s behalf). A subcontractor must be sponsored for an FCL if one does not exist and is responsible for processing PCLs for its employees and maintaining the accuracy of the employees’ access records in JPAS.

DD 254: Department of Defense Contract Security Classification Specification
 Instructions for Completing DD Form 254
(Note that the forms above will not show up in your browser. You will need to hover over the top portion of the browser window and click the download arrow to download the PDF to your computer – in Windows, check your Downloads folder.)

 Guide for the Preparation of DD Form 254
 Training: Short Lesson
 Training: Full Lesson

 Reporting The Threat Brochure (for personnel)
Reporting Job Aid (What, How, and Who to Report an Incident)
ISL 2006-02: (1-302) Reporting Participation in Rehabilitation Programs as Adverse Information
 ISL 2009-03: Reportable Changes Pertinent to Foreign Interests
ISL 2011-04: (1-302a) Adverse Information
ISL 2013-05: (1-301) Reporting Requirements to Cyber Intrusions
 Suspicious Contact Report Form (submission form for suspicious contacts)

Controlled Unclassified Information

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 minimum security standards. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in the National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

SP 800-171, Rev. 1 lists 14 families of security requirements (110 specific controls) for protecting the confidentiality of Controlled Unclassified Information.