TheNational Industrial Security Program, orNISP, is the nominal authority in theUnited States for managing the needs ofprivate industry to accessclassified information.[1]
The NISP was established in 1993 byExecutive Order 12829.[2] TheNational Security Council nominally sets policy for the NISP, while the Director of theInformation Security Oversight Office is nominally the authority for implementation. Under the ISOO, theSecretary of Defense is nominally the Executive Agent, but the NISP recognizes four different Cognizant Security Agencies, all of which have equal authority: theDepartment of Defense, theDepartment of Energy, theCentral Intelligence Agency, and theNuclear Regulatory Commission.[3]
Defense Counterintelligence and Security Agency administers the NISP on behalf of the Department of Defense and 34 otherfederal agencies.
A major component of the NISP is theNISP Operating Manual, also calledNISPOM, orDoD 5220.22-M. The NISPOM establishes the standard procedures and requirements for all government contractors, with regards to classified information. As of 2017[update], the current NISPOM edition is dated 28 Feb 2006. Chapters and selected sections of this edition are:[4]
DoD 5220.22-M is sometimes cited as a standard forsanitization to counterdata remanence. The NISPOM actually covers the entire field of government–industrial security, of which data sanitization is a very small part (about two paragraphs in a 141-page document).[5] Furthermore, the NISPOM does not actually specify any particular method. Standards for sanitization are left up to the Cognizant Security Authority. TheDefense Security Service provides aClearing and Sanitization Matrix (C&SM) which does specify methods.[6] As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; onlydegaussing or physical destruction is acceptable.[7]
