Ssa-niss

SUPPORTING STATEMENT – PART A

By Defense Security Service (DSS).

National Industrial Security System (NISS) Information Collection Approval

A.  JUSTIFICATION

1.  Need for the Information Collection

Executive Order 12829, “National Industrial Security Program” (NISP) Section 201-202 directs that “the Secretary of Defense serve as the Executive Agent for inspecting and monitoring the contractors, licensees, and grantees who require or will require access to, or who store or will store classified information; and for determining the eligibility for access to classified information of contractors, licensees, and grantees and their respective employees.” The National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M) prescribes specific requirements to protect classified information released by U.S. Government agencies to contractors. The Secretary of Defense, as Executive Agent, has the authority to issue, after consultation with affected agencies, standard forms or other standardization that will promote the implementation of the NISP. Contractors participating in the NISP are subject to a Facility Security Clearance (FCL) Orientation Meeting to determine their eligibility to participate in the NISP. Additionally, contractors are subject to periodic Security Vulnerability Assessments (SVAs) to ensure that safeguards employed are adequate for the protection of classified information.

Department of Defense Directive 5104.42, “Subject: Defense Security Service” outlines the mission, organization and management, responsibilities and functions, relationships, authorities, and administration of DSS. DSS is a Defense Agency under the authority, direction, and control of the Under Secretary of Defense for Intelligence (USD(I)). As it pertains to this request for authority to collect information, DSS is responsible for the following:

• Managing, administering, and implementing the DoD portion of the NISP for DoD components, and 31 non-DoD agencies pursuant to E.O. 12829

• Exercising authority delegated to the Secretary of Defense for the issuance of security clearances to contractor employees, pursuant to E.O. 12829.

2.  Use of the Information

DSS performs its Mission to enable contractor performance on classified contracts, provide proactive oversight, and incident response to ensure compliance in accordance with the NISPOM. The National Industrial Security System (NISS) will become the repository of records related to the collection and maintenance of information pertaining to contractor facility security clearances (FCL) and contractor capabilities to protect classified information in its possession. The information is utilized to determine if a company and its key management personnel are eligible for issuance of a facility clearance in accordance with NISPOM requirements. In addition, information is utilized to inform Government Contracting Activities (GCAs) of contractor’s ability to maintain facility clearance status and/or storage capability as well as to analyze vulnerabilities identified within security programs and ensure proper mitigation actions are taken to preclude unauthorized disclosure of classified information.

The National Industrial Security System (NISS) is scheduled to deploy August 2017. Industry and Government personnel will have access to the system through a multifactor authentication requirement and establish accounts to maintain the accuracy of business records, standard forms, key management personnel, as well as provide reports to DSS on events that may have an impact on their FCL. The system will include automated workflows to facilitate ease of information submission (as opposed to the current manual process) as well as DSS oversight of contractor security posture, authorization and accreditation of information systems, ensure accuracy of contract, technology, program, and overall facility data.

Users will access the NISS through a web browser and fill out information through webforms, providing content in free text, check box, pick lists, drop-down, and file upload content. Information provided is digitally stored in the DSS data center in Quantico, Virginia. Correspondence from the system to users also includes system-generated email notifications to inform the users of progress along workflows or that new information is available for them within the system.

To access NISS, users will sign-in through the National Industrial Security Program (NISP) Central Access Information Security System (NCAISS), with a landing page that displays all appropriate disclosures associated with the Privacy Act Statement through a “Notice” prior to users logging in the system. NCAISS is a web portal that provides identity and access management services to authenticate users and provide access to different DSS applications. To register, from the NCAISS login page (https://ncaiss.dss.mil), users click on the "Register for an account" button to navigate to the self-enrollment form. Once the Self Enrollment form opens, users fill out the required information and associate their Common Access Card (CAC) or Personal Key Infrastructure from an External Certificate Authority (PKI/ECA) and click "Next." They are then given the opportunity to review their information and continue. Once they have submitted their form, NCAISS creates their account and notifies the user via email that their account is ready for use. After creating their NCAISS user account, users can then request NISS specific system access indicating their user role type.

NISS will be the primary collection instrument for DSS oversight of the NISP and in addition to maintaining data associated with cleared facilities and their oversight also subsume existing collection forms to include the Personnel Security Investigation (PSI) Projection Survey (OMB Control Number 0704-0417) and Request for Information (RFI) (OMB Control Number 0704-0526). Both of these currently approved collections will expire, and upon expiring, will not be renewed as they are part of the NISS collection approval. The burden contained in the PSI Projection Survey and RFI are included in the NISS burden estimate below. One goal of the NISS application is to immediately alleviate most of the burden and eventually eliminate the current manual process of Industry personnel manually entering information into multiple forms and then DSS personnel manually entering the information collected from these form into a computer system. When the NISS application reaches full operational capability, the intention is to stop collecting information from various forms and use NISS as the single authoritative source for collection and maintenance of this information. As a note, the Standard Form (SF) 328 Certificate Pertaining to Foreign Interest (Rev. 3/2017 OMB Control Number 0704-0194) is a digitized form within the NISS and aggregates into NISS. However, it is used for multiple purposes within the Government, and therefore NISS is not subsuming this collection. Therefore, the SF 328 burden is not included in the NISS burden estimate below.

3.  Use of Information Technology

Information Technology is the sole use for the purposes of this collection as the NISS is a technological solution to support current DSS business needs. Each year DSS expects 11,671 electronic respondents for this collection, consisting of industry and government personnel participating in the NISP. This collection will be 100% electronic. For every cleared contractor facility, a NISS account will be needed to streamline a facility’s entry and active participation in the NISP to facilitate work on classified contracts. The use of NISS will automate several workflows and decrease duplication of manual effort for DSS, Contractors, and Government Contracting Activities (GCA). Contractors will be responsible for maintenance of their NISS accounts.

4.  Non-duplication

NISS will be the only system to collect information with regard to DSS administration and implementation of the NISP. No other collection vehicles exist to gather this information.

5.  Burden on Small Business

The collection of information does not have a significant impact on small businesses or other entities. DSS is requesting the minimum amount of information necessary for evaluation to which the company has agreed to supply per the DD Form 441 Security Agreement. Based on contractor responses for those smaller businesses participating in the NISP, the system omits portions not relevant to their activities.

6.  Less Frequent Collection

If this data is not collected, this will hinder DSS’s ability to accurately evaluate performance related to the administration and implementation of the NISP as outlined in E.O. 12829. The initial information collection will be completed over the course of approximately one year. The follow up information collections will not begin until after that time and will take place sporadically with a portion of respondents depending on the need for evaluation/assessment and/or monitoring/assisting.

7.  Paperwork Reduction Act Guidelines

The proposed data collection activities are consistent with the guidelines set forth in 5 CFR 1320.6 (Controlling Paperwork Burden on the Public- General Information Collection Guidelines). There are no special circumstances affecting this collection.

8.  Consultation and Public Comments

The 60 Day Notice was posted to the Federal Register on August 22, 2017 (82 FR 39778).

The 30 Day Notice was Posted to the Federal Register on January 26, 2018 (83 FR 3696).

• Part A: PUBLIC NOTICE

• This Notice was posted in Federal Register Volume 82, No. 161, beginning on page 39778 (82 FRN 39778). The date posted was August 22, 2017.

• The comment period closed on October 23, 2017 at 11:59pm EST. No comments were received.

• Part B: CONSULTATION

• No additional consultation apart from soliciting public comments through the 60-day Federal Register Notice was conducted for this submission.

9.  Gifts or Payment

No payments or gifts will be provided to respondents.

10.  Confidentiality

Information provided by the responding population will be handled by DSS as “For Official Use Only,” sensitive commercial information. Respondents will be provided with sufficient information to be assured of their privacy, and clearly understand their privacy rights when accessing the system. The log-in screen to the system will explicitly provide the Privacy Act Statement. A copy of the Privacy Act Statement has been provided with this package for OMB’s review.

A draft copy of the SORN V10-01 OMB, “National Industrial Security System”, has been provided with this package for OMB’s review.

A copy of the PIA, “Privacy Impact Assessment for the National Industrial Security System (NISS) Defense Security Service (DSS)” has been provided with this package for OMB’s review.

Retention and purging of electronic and hard copy files will be in conformance with guidelines identified in schedule NC1-446-81-2 Item 2, "Industrial Security Facility Case Files." Draft Records Schedule: DAA-0446-2017-0001was submitted to NARA for approval. A summary of the Draft Records Schedule: DAA-0446-2017-0001 follows:

• Electronic Files will be included and maintained with the same retention as paper files including in the NISS.

• Hard Copy Printouts and Electronic Records

  • Retention Period: Destroy when no longer needed

  • Destroy two years after facility security clearance is terminated. Files with Foreign Ownership Control and Influence (FOCI) material will be retained for 15 years then destroyed in accordance with NC1-446-85-2, item 12.

• NISS tracks facility clearance information including facility clearance requests, facility verification requests and notifications that are sent when facility information changes. The system also provides standard and customized reports. The major components of the system are described below:

  • Facilities Management allows the user to search facilities, view their facilities, and generate standard and ad hoc reports. Provides the capability for Industrial Security personnel to input actions performed directly related to oversight of cleared contractors, and the time associated with those actions. Facility Clearance Request allows the user to search and submit clearance requests. A clearance request is submitted when a user agency, facility, or other entity requests a clearance for the facility and initiates the clearance process. Email notifications are sent to the requestors when the clearance is issued. Facility Verification Requests allows the user to search existing verification requests, submit verification requests, and view their verifications. A Facility Verification Request is submitted when a requestor (User agency or a facility) wishes to be notified when certain information about a facility changes. Notifications allow the user to view all their notifications for facilities they submitted verification requests for. User Management allows the user to update user information. The system also provides separate online user’s manuals for the external and internal users.

  • Select data from the following documents are entered into NISS from Industrial Security Case Files (physical and electronic files):

    • Sponsorship Letter

    • DD Form 254, Contract Security Classification Specification

    • DD Form 441, Department of Defense Security Agreement

    • DD Form 441-1, Appendage to the Department of Defense Security Agreement

    • List of Key Management Personnel (KMP)

    • SF 328, Certificate Pertaining to Foreign Interest

  • NISS contains the following types of information:

    • Facility Overview

      • Overview

      • FCL Information

      • Addresses

      • KMP

      • Contacts

      • Prior Names and Alias

    • Business Information

      • General Business Information

      • Legal Structure

      • Government Customers and Programs

      • Classified Subcontractors

      • SAM

      • CSI

    • Foreign Ownership Control and Influence (FOCI) & International

      • Adjudication

      • Foreign Visits

      • Foreign Travel

      • Foreign Government Information

      • Exports

      • Foreign Sales and Subsidiaries

      • Freight Forwarding Countries

    • Safeguarding & Information System (IS)

      • Safeguarding

      • General Safeguarding

      • COMSEC

      • Safeguarding Off-Sites

      • Safeguarding Notes

      • IS General Information Form

    • Actions & Documentation

      • Sponsorship Submissions

      • Telephonic Surveys

      • Briefings

      • Facility Profile Documents

11.  Sensitive Questions

Questions pertaining to sexual behavior or attitudes, religious beliefs, race and/or ethnicity are not collected. Collection of Social Security Numbers are collected, with justification provided as part of this package (please refer to SSN Justification Memo).

12.  Respondent Burden, and its Labor Costs

a.  Estimation of Respondent Burden

• Responses per Respondent: 1

• Number of Respondents: 11,671

• Number of Total Annual Responses: 11,671

• Hours per Response: 1

• Total Annual Burden Hours: 11,671

b.  Labor Cost of Respondent Burden

• Number of Total Annual Responses: 11,671

• Response Time: 1 hour

• Respondent Hourly Wage: $35.74, basing approximate salary of a GS-13, Step 1

  • https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/17Tables/html/GS_h.aspx

• Labor Burden Per Response: $35.74

• Total Labor Burden: $417,121.54

13.  Respondent Costs Other Than Burden Hour Costs

There is no cost associated with these tools for the respondent. Access to the system and respondent account requires an email address and Internet access, tools which cleared contractor facilities already have in place and/or have procedures in place to otherwise access online activities.

14. Cost to the Federal Government

• Number of Total Annual Responses: 11,671

• Response Time: 1 hour

• Respondent Hourly Wage: $35.74, basing approximate salary of a GS-13, Step 1

  • https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/salary-tables/17Tables/html/GS_h.aspx

• Labor Burden Per Response: $35.74

Total Labor Burden: $417,121.54

Operational and Maintenance Cost: There are no administrative costs (printing, mailing, distributing and reviewing) since all action is taken through this automated information collection system. The projected annual O&M cost is $3,500,000 which includes system sustainment (data center hardware. MilCloud, supporting personnel) and system licensing.

Total Cost to the Federal Government: (O+M, Labor Cost): $3,500,000 + $417,121.54 = $3,917,121.54

15.  Reasons for Change in Burden

This is an existing collection currently in use and in violation without an OMB control number. Note, this activity is currently already being performed through manual collection techniques and legacy software applications. The deployment of the NISS is expected to reduce overall respondent submission and government processing time by implementation of a workflow system that automates data capture and use (e.g. single data entry then used across the process instead of repeated entry of data to multiple forms).

16.  Publication of Results

The information collected will not be published. The data collection is primarily evaluated by DSS to administer and implement the NISP, pursuant to Executive Order 12829. Congressional reports are provided on an annual basis with the total number of cleared facilities within the NISP, aggregate security vulnerability assessment ratings, and information system accreditation timelines.

17.  Non-Display of OMB Expiration Date

Approval is not sought for avoiding display of the expiration date for OMB approval of the information collection.

18.  Exceptions to "Certification for Paperwork Reduction Submissions"

This submission describing data collection requests no exceptions to the Certificate for Paperwork Reduction Act (5 CFR 1320.9).