[Federal Register Volume 85, Number 245 (Monday, December 21, 2020)]
[Rules and Regulations]
[Pages 83300-83364]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-27698]
[[Page 83299]]
Vol. 85
Monday,
No. 245
December 21, 2020
Part III
Department of Defense
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
32 CFR Part 117
National Industrial Security Program Operating Manual (NISPOM); Final
Rule
��Federal Register / Vol. 85, No. 245 / Monday, December 21, 2020 /
Rules and Regulations��
[[Page 83300]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 117
[Docket ID: DOD-2020-OS-0045]
RIN 0790-AK85
National Industrial Security Program Operating Manual (NISPOM)
AGENCY: Office of the Under Secretary of Defense for Intelligence &
Security, Department of Defense (DoD).
ACTION: Final rule with request for comment.
-----------------------------------------------------------------------
SUMMARY: The Department of Defense (DoD) is codifying the National
Industrial Security Program Operating Manual (NISPOM) in regulation.
The NISPOM establishes requirements for the protection of classified
information disclosed to or developed by contractors, licensees,
grantees, or certificate holders (hereinafter referred to as
contractors) to prevent unauthorized disclosure. In addition to adding
the NISPOM to the Code of Federal Regulations (CFR), this rule
incorporates the requirements of Security Executive Agent Directive
(SEAD) 3, ``Reporting Requirements for Personnel with Access to
Classified Information or Who Hold a Sensitive Position.'' SEAD 3
requires reporting by all contractor cleared personnel who have been
granted eligibility for access to classified information. This NISPOM
rule provides for a single nation-wide implementation plan which will,
with this rule, include SEAD 3 reporting by all contractor cleared
personnel to report specific activities that may adversely impact their
continued national security eligibility, such as reporting of foreign
travel and foreign contacts. NISP Cognizant Security Agencies (CSAs)
shall conduct an analysis of such reported activities to determine
whether they pose a potential threat to national security and take
appropriate action. Finally, the rule also implements the provisions of
Section 842 of Public Law 115-232, which removes the requirement for a
covered National Technology and Industrial Base (NTIB) entity operating
under a special security agreement pursuant to the NISP to obtain a
national interest determination as a condition for access to proscribed
information.
DATES: Effective date: This rule is effective February 24, 2021.
Comments must be received by February 19, 2021.
ADDRESSES: You may submit comments, identified by docket number and/or
Regulatory Information Number (RIN) and title, by any of the following
methods:
Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
Mail: DoD cannot receive written comments at this time due
to the COVID-19 pandemic. Comments should be sent electronically to the
docket listed above.
Instructions: All submissions received must include the agency name
and docket number or RIN for this Federal Register document. The
general policy for comments and other submissions from members of the
public is to make these submissions available for public viewing at
http://www.regulations.gov as they are received without change,
including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT: Valerie Heil, 703-692-3754.
SUPPLEMENTARY INFORMATION:
I. Overview of the NISP and NISPOM
In April 1990, President George Bush directed the National Security
Council to explore the creation of a single, integrated industrial
security program to improve security protection and provide cost
savings. Prior to this, contractors doing business with different U.S.
Government (USG) agencies which required access to classified
information had to meet different requirements to protect the same
levels of classified information, e.g., the type of safe to protect a
specific classified item could vary across both contracts and agencies.
The diversity of industrial security requirements levied on contractors
by an estimated 21 USG agencies created a significant burden on both
industry and government and increased the cost of the goods and
services provided to the USG.
Representatives from government and industry participated in an
initiative which led to the creation of Executive Order (E.O.) 12829
``National Industrial Security Program (NISP)'' (available at https://www.archives.gov/files/isoo/policy-documents/eo-12829-with-eo-13691-amendments.pdf). With the National Security Council providing overall
policy direction, this E.O. established the NISP as the single
integrated program to protect classified information and preserve our
Nation's economic and technological interests. Nothing in the E.O.
shall supersede the authority of the Secretary of Energy or the Nuclear
Regulatory Commission under the Atomic Energy Act of 1954, as amended,
or the authority of the Director of National Intelligence (or any
Intelligence Community element) under the Intelligence Reform and
Terrorism Prevention Act of 2004, the National Security Act of 1947, as
amended, or Executive Order No. 12333 of December 8, 1981, as amended,
or the authority of the Secretary of Homeland Security, as the
Executive Agent for the Classified National Security Information
Program established under Executive Order 13549 of August 18, 2010
(Classified National Security Information Program for State, Local,
Tribal, and Private Sector Entities). The Information Security
Oversight Office (ISOO), a component of the National Archives and
Records Administration (NARA), was tasked with overseeing overall
implementation of the NISP with the goal of:
Holding classification activity to the minimum necessary
to protect the national security;
ensuring the safeguarding of classified national security
information in both USG and industry in a cost-effective and efficient
manner; and
promoting declassification and public access to
information as soon as national security considerations permit.
ISOO issues implementing directives and produces an annual report
to the President on the NISP. E.O. 12829 also established the National
Industrial Security Program Policy Advisory Committee (NISPPAC), a
federal advisory committee comprised of both Government and industry
representatives, which is responsible for recommending changes in
industrial security policy. The NISPPAC, chaired by the Director of the
ISOO, also advises ISOO on all issues concerning the policies of the
NISP, including recommended changes to those policies, and serves as a
forum to discuss policy issues in dispute. The NISPPAC industry members
represent all types and sizes of NISP cleared entities, whose scope of
operations range from a one person entity, having a single classified
contract to some of the largest U.S. entities, having numerous
classified contracts. All NISPPAC industry members have expertise
comprising the primary functions of an industrial security program, to
include information, personnel, physical, and information system
security.
Five USG executive branch agencies--DoD, DOE, the Nuclear
Regulatory Commission (NRC), the Office of the Director of National
Intelligence (ODNI), and the Department of Homeland Security (DHS)--
have been designated as Cognizant Security Agencies (CSAs) and have
specific responsibilities within the NISP. For DoD, the Defense
Counterintelligence and Security Agency (DCSA) is the Cognizant
[[Page 83301]]
Security Office (CSO) for DoD Components and non-DoD agencies where an
industrial security agreement is in place. DCSA, as the DoD CSO, DOE,
and NRC each has the following responsibilities:
Administers the NISP.
provides security oversight.
conducts security review actions.
provides security education and training.
provides supplementary procedures for unique mission
requirements (e.g. DoD publishes industrial security letters (ISLs),
which provide DoD-specific guidance and clarification on NISP policies
and supplementary procedures to its unique CSO mission requirements
(available at: https://www.dcsa.mil/mc/ctp/tools/)).
assesses, authorizes and oversees contractor information
systems used to process classified information.
makes temporary national security eligibility
determinations pursuant to SEAD 8, Temporary Eligibility (available at:
https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-8_Temporary_Eligibility_U.pdf), for contractor personnel who require
access to classified information.
DHS receives NISP industrial security services from DoD due to its
industrial security services agreement and also has the following
responsibilities:
Prescribes procedures for the portions of this rule that
pertain to the CCIPP.
retains authority over access to information under the
CCIPP.
inspects and monitors contractor, licensee, certificate
holder, and grantee programs and facilities that involve access to
CCIPP.
ODNI has the following responsibilities:
Prescribes procedures for the portions of this rule
pertaining to intelligence sources, methods, and activities, including,
but not limited to, SCI.
retains authority over access to intelligence sources,
methods, and activities, including SCI.
provides guidance on the security requirements for
intelligence sources and methods of information, including, but not
limited to, SCI.
DOE and NRC provide similar industrial security oversight actions,
including national security eligibility determinations for contractor
personnel, authorization of contractor information systems to process
classified information, as well as monitoring and inspecting those
contractors under DOE or NRC security cognizance, respectively. In
2004, the Intelligence Reform and Terrorism Prevention Act (IRTPA)
(Pub. L. 108-458) created the position of the Director of National
Intelligence (DNI) and recognized the ODNI as a CSA. E.O. 13691
``Promoting Private Sector Cybersecurity Information Sharing,''
February 13, 2015 (available at https://obamawhitehouse.archives.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing), amended E.O. 12829 to make DHS the
fifth CSA in 2015.
II. NISP Implementation
DoD is the Executive Agent of the NISP and has the largest NISP
contractor population of the five CSAs. DCSA inspects and monitors
cleared entities, also referred to as contractors, who require access
to classified information during all phases of the contracting,
licensing, and grant (hereinafter referred to as contracting or
contract) process to include the preparation and submission of bids and
proposals, negotiation, award, performance, and termination. It also
determines eligibility for access to classified information for
contractors performing on classified contracts with DoD and with those
USG agencies which have an industrial security agreement with DoD. The
Department currently has industrial security agreements with 33
agencies (list available at: https://www.dcsa.mil/mc/ctp/nisp/). DCSA
field elements provide oversight of contractor compliance, authorize
contractor information systems to process classified information, and
conduct security review actions for approximately 12,500 cleared
contractor entities which includes headquarters, divisions,
subsidiaries and branch offices of industrial, educational, commercial,
or other non-USG entities which are performing on classified contracts.
Under the NISP, the USG establishes requirements for the protection
of classified information to be safeguarded in a manner equivalent to
its protection within the executive branch of USG, where practicable.
When bound by contract, industry must comply with the NISPOM and any
CSA-specific supplementary guidance for unique CSA mission
requirements. Industry implements those requirements for the protection
of classified information with advice, assistance, and oversight from
the applicable CSA.
When a Government Contracting Activity (GCA), an element of an
agency that has authority regarding acquisition or grant functions,
awards a contract that has been determined to require access to
classified information, the contract is considered to be a ``classified
contract.'' The GCA checks with its applicable CSA to determine if the
awarded legal entity already has an entity eligibility determination
(also referred to as a facility security clearance (FCL)). GCAs will
ordinarily include enough lead-time in the acquisition cycle to
accomplish all required security actions. In many instances, advanced
planning can ensure that access to classified information will not be
required in the pre-award process. This would preclude processing an
entire bidder list for FCLs. When access to classified information is
not a factor in the pre-award phase, but will be required for contract
performance, only the successful bidder or offeror will be processed
for an FCL.
Before an entity can have access to classified information during
its contract performance, it must have an FCL. If the legal entity does
not already have an FCL when awarded a classified contract, a GCA must
sponsor the entity for an FCL. Or, an entity already part of the NISP
(i.e., a prime contractor) may sponsor another entity in order to
subcontract part of its classified business. To sponsor an entity, the
GCA or prime contractor puts in a request, often referred to as a
sponsorship letter, to the appropriate CSA for the entity to access
classified information in connection with a legitimate government
requirement, which may include a foreign government requirement.
With an approved FCL, an entity is then eligible for access to
information classified at the level of the FCL (i.e., TOP SECRET,
SECRET or CONFIDENTIAL) when competing for a classified contract. Among
other requirements, an entity must have sponsorship based on a valid
government requirement for access to classified information. The USG
agency sponsoring an entity for an FCL must include the applicable
security requirements clause or equivalent in the contract (e.g., for
DoD this is the Federal Acquisition Regulation (FAR) 52.204-2
``Security Requirements,'' or the terms and conditions of a grant award
under 2 CFR part 200.210) to require compliance with the NISPOM.
A GCA provides the security requirements for a classified contract
in a contract security classification specification as part of the
contract. For DoD, the DD form 254, ``Department of Defense Contract
Security Classification Specification,'' OMB Control number 0704-0567,
is part of the classified contract and provides the contractor (or a
subcontractor) with security requirements and the classification
[[Page 83302]]
guidance necessary to execute a specific classified contract. See
https://www.esd.whs.mil/Portals/54/Documents/DD/forms/dd/dd0254.pdf and
available at https://www.dcsa.mil/is/nccs/) for the current version of
this collection. A contract security classification specification with
its attachments, supplements, and incorporated references, provides
security classification guidance (lists the applicable security
classification guides for a contractor to use) to a contractor in
connection with a classified contract. It is designed to identify the
classified areas of information involved in the classified effort and,
particularly, to identify the specific items of information within
these areas that require protection. This rule provides NISP
contractors security requirements which align to 32 CFR part 2001, in a
manner equivalent to the protection of classified information within
the executive branch of the USG. If a GCA determines that additional
safeguards are essential in specific contracts, the GCA can impose more
operational security provisions above the requirements of this rule.
The GCA can also determine that additional physical or technical
security requirements are needed in a contract above the requirements
of this rule. Even though the contract security classification is
contract-specific, it is not always all-inclusive. Additional security
requirements are sometimes included in other parts of a contract. All
related materials for approved information collection are available at:
https://www.reginfo.gov/public/do/PRAMain. In addition, specific
locations for finalized collection instruments, to include the
designated OMB Control Number is included where information collections
are cited in this rule.
In addition, depending upon the CSA with security cognizance, an
entity's legal headquarters may need to implement additional
information collections, such as:
DD Form 441, ``DoD Security Agreement'' for DoD is an
agreement between DCSA and the cleared legal entity for the entity to
comply with the NISPOM security requirements, to be subject to
inspections and to allow for a 30 day notice by the entity or DCSA to
terminate the agreement (e.g., if there is no longer a valid USG
requirement for access to classified information (available at https://www.esd.whs.mil/Portals/54/Documents/DD/forms/dd/dd0441_2020.pdf);
NRC Form 441, ``Security Agreement'' for NRC, the
provisions of the NRC Form 441 are similar to those included in the DD
Form 441 (available at https://www.nrc.gov/reading-rm/doc-collections/forms/nrc441info.html).
DOE does not have a separate Form 441, but instead, binds
the contractor to the FCL (and security requirements) via the contract,
along with meeting all other requirements in this rule.
As part of FCL processing, an entity must complete a Standard Form
(SF) 328, ``Certificate Pertaining to Foreign Interest,'' OMB Control
number 0704-0579, (available at https://www.gsa.gov/forms-library/certificate-pertaining-foreign-interests, for a CSA to review and make
a determination whether the entity is under foreign ownership, control
or influence (FOCI) to a degree that renders it ineligible for an FCL.
The CSA will consider a U.S. entity to be under FOCI when a foreign
interest has the power to direct or decide issues affecting the
entity's management or operations in a manner that could either result
in unauthorized access to classified information; or adversely affect
performance of a classified contract or agreement. The U.S. entity may
also be considered to be under FOCI when a foreign interest or
government is currently exercising, or could exercise, that power,
whether directly or indirectly, such as through ownership of the U.S.
entity's securities, by contractual arrangements, or other means.
Further, if a foreign interest or government has the ability to control
or influence the election or appointment of members of the entity's
governing board, the entity may be considered to be under FOCI. When a
CSA has determined that an entity is under FOCI, the primary
consideration will be the protection of classified information. The CSA
will take whatever action is necessary to protect classified
information, in coordination with other affected agencies as
appropriate. A U.S. entity that is in process for an FCL for access to
classified information and subsequently determined to be under FOCI, is
ineligible for access to classified information unless and until
effective security measures have been put in place to negate or
mitigate FOCI to the satisfaction of the CSA.
Once an entity becomes a contractor in the NISP with an existing
FCL, a GCA can select and award a classified contract to the entity as
part of the acquisition process. The GCA attaches the ``Contract
Security Classification Specification: (e.g., for DoD, it is the DD
Form 254, available at https://www.esd.whs.mil/Portals/54/Documents/DD/forms/dd/dd0254.pdf and available at https://www.dcsa.mil/is/nccs/), to
all such contracts requiring access to classified information.
II. SEAD 3 Requirements and the NISPOM
In 2008, with the publication of E.O. 13467, ``Reforming Processes
Related to Suitability for Government Employment, Fitness for
Contractor Employees, and Eligibility for Access to Classified National
Security Information'' (available at https://obamawhitehouse.archives.gov/the-press-office/2016/09/29/executive-order-amending-executive-order-13467-establish-roles-and), the DNI was
assigned the role of the Security Executive Agent (SecEA), for the
development, implementation, and oversight of effective, efficient, and
uniform policies and procedures governing the conduct of investigations
and adjudications for eligibility for access to classified information
and eligibility to hold a sensitive position.
In December 2016, the SecEA issued SEAD 3, ``Reporting Requirements
for Personnel with Access to Classified Information or Who Hold a
Sensitive Position'' (available at https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-Reporting-U.pdf), to executive branch
agencies or covered individuals with an effective date of June 12,
2017. SEAD 3 defines covered individuals as:
A person who performs work for or on behalf of the
executive branch who has been granted access to classified information
or holds a sensitive positions, but does not include the President or
the Vice President.
a person who performs work for or on behalf of a state,
local, tribal, or private sector entity, as defined in E.O. 13549, who
has been granted access to classified information or holds a sensitive
position, but does not include duly elected or appointed governors of a
state or territory, or an official who has succeeded to that office
under applicable law; and
a person working in or for the legislative or judicial
branches who has been granted access to classified information or holds
a sensitive position and the investigation or determination was
conducted by the executive branch, but does not include members of
Congress, Justices of the Supreme Court, or Federal judges appointed by
the President.
covered individuals are not limited to government
employees and include all persons, not excluded under paragraphs
D.5(a), (b), or (c) of SEAD 3, who have access to classified
information or who hold sensitive positions, including, but not limited
to, contractors, subcontractors, licensees, certificate holders,
grantees, experts,
[[Page 83303]]
consultants, and government employees.
SEAD 3 identifies required reporting of data elements that are
contained in the Standard Form-86, ``Questionnaire for National
Security Positions'' (available at https://www.opm.gov/forms/pdf_fill/sf86.pdf), which applicants and clearance holders complete during the
initial and periodic reinvestigation processes, respectively. SEAD 3
requires these elements to be reported prior to participation in such
activities or otherwise as soon as possible following the start of
their involvement. Most notably, SEAD 3 requires covered individuals to
obtain prior agency approval before conducting unofficial foreign
travel.
For this rule, SEAD 3 applies only for those contractor personnel
who have been granted eligibility for access to classified information
through the NISP. In accordance with paragraph E.4 of SEAD 3, NISP
CSAs, acting on behalf of Heads of agencies or designees, for the NISP
contractors under their security cognizance may determine that
operational and mission needs preclude strict adherence to these
reporting requirements. In those instances, a NISP CSA may provide CSA
guidance to supplement unique CSA mission requirements to the
contractors under its security cognizance of equivalent notification,
briefing and reporting to be accomplished.
III. Requirements From Section 842 of Public Law 115-232
Currently, the NISPOM and 32 CFR part 2004 require that GCAs, in
coordination with the applicable CSAs and controlling agencies (ODNI
for Sensitive Compartmented Information (SCI), DOE for Restricted Data
(RD) or NSA for Communications Security (COMSEC)), complete a National
Interest Determination (NID) before granting access to proscribed
information to an entity that is owned or controlled by a foreign
interest and cleared under a Special Security Agreement (SSA). The term
``proscribed information'' means information that is--
(A) classified at the level of top secret;
(B) communications security information (excluding controlled
cryptographic items when un-keyed or utilized with unclassified keys);
(C) Restricted Data (as defined in section 11 of the Atomic Energy
Act of 1954, as amended (42 United States Code (U.S.C.) 2014));
(D) special access program information under section 4.3 of E.O.
13526 (75 FR 707; 50 U.S.C. 3161 note) or successor order; or
(E) designated as sensitive compartmented information, as defined
in Intelligence Community Directive 703, ``Protection of National
Intelligence, Including Sensitive Compartmented Information''
(available at https://www.dni.gov/files/documents/ICD/ICD%20703.pdf).
An SSA is one of the mechanisms used by the USG to mitigate FOCI to
an acceptable level as determined by the CSA. A company is considered
to be operating under FOCI whenever a foreign interest has the power,
direct or indirect, whether or not exercised, and whether or not
exercisable, to direct or decide matters affecting the management or
operations of that company in a manner which may result in unauthorized
access to classified information or may adversely affect the
performance of classified contracts. The following factors relating to
a company, the foreign interest, and the government of the foreign
interest are reviewed in the aggregate in determining whether a company
is under FOCI:
[ssquf] Record of economic and government espionage against U.S.
targets
[ssquf] Record of enforcement and/or engagement in unauthorized
technology transfer
[ssquf] The type and sensitivity of the information that shall be
accessed
[ssquf] The source, nature and extent of FOCI
[ssquf] Record of compliance with pertinent U.S. laws, regulations and
contracts
[ssquf] The nature of any bilateral and multilateral security and
information exchange agreements that may pertain
[ssquf] Ownership or control, in whole or in part, by a foreign
government.
Section 842 of Public Law 115-232 and this final rule provide that
a covered NTIB entity operating under an SSA pursuant to the NISP,
shall not be required to obtain a NID as a condition for access to
proscribed information, effective October 1, 2020. DoD notified the DoD
components and 33 non-DoD agencies with which DoD has industrial
security agreements that NIDs pursuant to the provisions of Section 842
of Public Law 115-232 are no longer required as of October 1, 2020.
DCSA is no longer submitting NID requests to ODNI for SCI, DOE for RD,
or NSA for COMSEC, respectively that fall within the provisions of
Section 842 of Public Law 115-232.
As provided for in the law, the Under Secretary of Defense for
Intelligence and Security, on behalf of the Secretary, granted waivers
of NIDs for those categories of proscribed information under the
control of the Secretary of Defense, to 20 contractors that met the
criteria in summer 2019 with the waivers expiring as of October 1,
2020, since the statute went into effect. Those contractors, pursuant
to Section 842 of Public Law 115-232 had to meet the following criteria
as part of the waiver determination:
(1) A demonstrated successful record of compliance with the NISP
assessed by the CSA; and
(2) previously been approved for access to proscribed information
as indicated in CSA FCL records.
The law is limited to ``a person that is a subsidiary located in
the United States--
(A) for which the ultimate parent entity and any intermediate
parent entities of such subsidiary are located in a country that is
part of the national technology and industrial base (as defined in
section 2500 of title 10, United States Code); and
(B) that is subject to the FOCI requirements of the NISP.''
Legal Authority for the NISP
In addition to E.O. 12829, which, establishes the NISP and requires
the Secretary of Defense to issue and maintain the NISPOM, the
following are other relevant authorities for the program.
E.O. 10865 ``Safeguarding Classified Information within
Industry,'' February 20, 1960, as amended (available at https://www.archives.gov/federal-register/codification/executive-order/10865.html), addresses the protection of classified information that is
disclosed to, or developed by contractors.
E.O. 12968, ``Access to Classified Information,'' August
2, 1995, as amended (available at https://www.govinfo.gov/content/pkg/FR-1995-08-07/pdf/95-19654.pdf), establishes a uniform personnel
security program for individuals who will be considered for initial or
continued access to classified information.
E.O. 13526, ``Classified National Security Information,''
December 29, 2009 (available at https://www.archives.gov/files/isoo/pdf/cnsi-eo.pdf), prescribes a uniform system for classifying,
safeguarding and declassifying national security information.
E.O. 13587, ``Structural Reforms to Improve the Security
of Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information,'' October 7, 2011 (available at https://www.govinfo.gov/app/details/CFR-2012-title3-vol1/CFR-2012-title3-vol1-eo13587), directs structural reforms to ensure responsible sharing and
safeguarding of classified information on computer networks consistent
with
[[Page 83304]]
appropriate protection for privacy and civil liberties.
E.O. 13691; Promoting Private Sector Cybersecurity
Information Sharing,'' February 13, 2015 (available at https://obamawhitehouse.archives.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-sharing),
encourages the voluntary formation of organizations engaged in the
sharing of information related to cybersecurity risks and incidents to
establish mechanisms to continually improve their capabilities and
functions as well as to better allow them to partner with the Federal
government on a voluntary basis.
E.O. 12333; ``United States Intelligence Activities,''
December 4, 1981, as amended (available at https://www.archives.gov/federal-register/codification/executive-order/12333.html, provides
general principles that in addition to and consistent with applicable
laws are intended to achieve the proper balance between the acquisition
of essential information and the protection of individual interests.
Title 42 U.S.C. 2011 et seq. (also known as and referred
to in this rule as ``The Atomic Energy Act of 1954,'' as amended
(AEA));
Title 50 U.S.C. chapter 44 (also known as ``The National
Security Act of 1947, as amended);
Title 50 U.S.C. 3501 et seq. (also known as ``The Central
Intelligence Agency Act of 1949,'' as amended);
Public Law 108-458 (also known as the ``Intelligence
Reform and Terrorism Prevention Act of 2004''), which includes
development of uniform and consistent policies and procedures to ensure
effective, efficient and timely completion of security clearances.
Finally, 32 CFR part 2004 ``National Industrial Security
Program,'' May 7, 2018, establishes uniform standards for the NISP, and
helps agencies implement requirements in E.O. 12829, and establishes
agency responsibilities for implementing the insider threat provisions
of E.O. 13587.
III. Changes Made by This Rule and Expected Impact
The NISPOM was first published in 1995 as DoD Manual 5220.22.
Updates to the NISPOM have included Conforming Change 1, March 28, 2013
and NISPOM Change 2 in May 21, 2016. The most current version of the
NISPOM (Change 2) is available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf?ver=2019-06-06-145530-170. In
addition to codifying the NISPOM in the CFR and adding the requirements
of SEAD 3 and Section 842 of Public Law 115-232, DoD is also removing
32 CFR part 117, subpart C, ``National Industrial Security Program''
because it is duplicative of 32 CFR part 2004, ``National Industrial
Security Program'' and removing 32 CFR part 117, subpart B, because it
is also duplicative of other industrial security provisions set forth
in 32 CFR part 2004. These administrative removals support a
recommendation from the DoD Regulatory Reform Task Force created under
E.O. 13777, Enforcing the Regulatory Reform Agenda (available at
https://www.govinfo.gov/content/pkg/FR-2017-03-01/pdf/2017-04107.pdf),
and by themselves create no changes in current DoD policy. Upon the
effective date of 32 CFR part 117, DoD will no longer publish the DoD
Manual 5220.22, NISPOM as a DoD policy issuance.
Specific changes in this rule that are not in the current NISPOM,
include the following.
Sec. 117.8: Reporting Requirements. Sec. 117.8(a)
General includes that contractors must submit reports pursuant to this
rule, SEAD 3 and CSA guidance to supplement unique CSA mission
requirements. SEAD 3 reporting establishes a single nationwide
implementation plan for covered individuals, which for this rule
provides reporting by contractors and their employees eligible for
access to classified information. SEAD 3 requirements will be
implemented for all contractor cleared personnel to report specific
activities that may adversely impact their continued national security
eligibility. Contractor cleared personnel must be aware of risks
associated with foreign intelligence operations and/or possible
terrorist activities directed against them in the United States and
abroad, and have a responsibility to recognize and avoid personal
behaviors and activities that adversely affect their national security
eligibility. NISP CSAs shall conduct an analysis of such reported
activities, such as foreign travel or foreign contacts, to determine
whether they pose a potential threat to national security and take
appropriate action. Contractors will be responsible for collecting the
foreign travel data from cleared employees, providing pre- and post-
travel briefings to those cleared employees when necessary, and
tracking and reporting those foreign travel activities of its cleared
employees through the CSA designated system of record for personnel
security clearance data.
Sec. 117.9(m) Limited entity eligibility determination
(Non-FOCI) and, Sec. 117.11(e) Limited entity eligibility
determination due to FOCI. In accordance with 32 CFR part 2004, ``NISP
Directive,'' provisions for granting two new types of limited entity
facility clearance eligibility determinations (FCLs) to meet government
requirements for narrowly scoped requirements for a companies to access
classified information.
Sec. 117.11(d)(2)(iii)(A) Requirement for National
Interest Determinations (NIDs): This paragraph provides for the
implementation of the provisions of Section 842 of Public Law 115-232,
which was effective on October 1, 2020, and eliminates requirements for
a covered NTIB entity operating under an SSA to obtain a NID for access
to proscribed information: Top Secret, Special Access Program,
Communications Security, Sensitive Compartmented Information, and
Restricted Data. This provision will allow covered NTIB entities to
begin performing on contracts that require access to proscribed
information without having to wait on a NID, and thus removing costly
contract performance delays.
Sec. 117.15(e)(2) TOP SECRET Information: Permits
specific determinations by a CSA with respect to requirements for TOP
SECRET accountability (e.g., the CSA can determine that TOP SECRET
material stored in an electronic format on an authorized classified
information system does not need to be individually numbered in series
provided the contractor has in place controls in place to address
accountability, need to know and retention). As stated in this
paragraph: ``. . . Contractors will establish controls for TOP SECRET
information and material to validate procedures are in place to address
accountability, need to know and retention, e.g., demonstrating that
TOP SECRET material stored in an electronic format on an authorized
classified information system does not need to be individually numbered
in series. These controls are in addition to the information management
system and must be applied, unless otherwise directed by the applicable
CSA, regardless of the media of the TOP SECRET information, to include
information processed and stored on authorized information systems.
Unless otherwise directed by the applicable CSA, the contractor will
establish the following additional controls . . .''
Sec. 117.15(d)(4) Installation: Clarifies that an
Intrusion Detection System (IDS) shall be installed by a Nationally
Recognized Testing Laboratory (NRTL)-approved entity to make it clear
that any NRTL-approved entity may do such
[[Page 83305]]
installations. ``The IDS will be installed by a NRTL-approved entity or
by an entity approved in writing by the CSA . . .''
Sec. 117.7(b)(2) Senior Management Official: Clarifies
responsibilities of the Senior Management Official of each cleared
entity to better reflect the critical role and accountability of this
position for entity compliance with the NISPOM. This change further
emphasizes the essential role of the Senior Management Official with
the entity's security staff to ensure NISPOM compliance.
Sec. 117.13(d)(5) Clarifies to the contractor that upon
completion of a classified contract, the ``contractor must return all
government provided or deliverable information to the custody of the
government. Such clarification ensures the contractor is not retaining
official government records without specific authorization from the
government customer. ``(i) If the GCA does not advise to the contrary,
the contractor may retain copies of the government material for a
period of 2 years following the completion of the contract. The
contract security classification specification, or equivalent, will
continue in effect for this 2-year period. (ii) If the GCA determines
the contractor has a continuing need for the copies of the government
material beyond the 2-year period, the GCA will issue a final contract
security classification specification, or equivalent, for the
classified contract and will include disposition instructions for the
copies.''
Costs
The DoD invites comment from the members of the public on the costs
estimated to implement this rule.
A. Baseline
The Defense Counterintelligence and Security Agency (DCSA), as the
DoD designated NISP cognizant security office, has collected
information about baseline costs using an OMB-approved information
collection process employing statistical methods for contractors' NISP
implementation (OMB Control Number 0704-0458, ``Industry Cost
Collection Report Survey.'' The most recent data collected by DCSA on
contractors' NISP implementation costs are for fiscal year (FY) 2017
and reported in the ISOO 2017 annual report to the President. DCSA has
used this survey collection methodology for contractors' NISP
implementation under DoD security cognizance for over 11 years. A NISP
government and industry working group developed the survey in 1995 and
predecessor office to the OUSD(I&S) initially ran the annual survey.
The Information Security Oversight Office (ISOO) placed a moratorium on
conducting this survey after 2017 until a new NISP survey methodology
is developed.
DCSA began the costs analysis for the baseline costs for fiscal
year 2017 by randomly selecting active NISP contractor facilities that
have existing DoD approval for classified storage at their own physical
locations and having those facilities submit security costs. The
randomly selected contractor facilities also have an active facility
security clearance and a permanent Commercial and Government Entity
(CAGE) Code. In addition to the randomly selected cleared facilities
having approved classified storage, DCSA categorizes these contractor
facilities for the survey based on the size, scope, and complexity of
each contractor's security program.
The general methodology used to estimate security costs incurred by
contractor cleared facilities with approved storage of classified
information is based on the costs incurred by respondent contractors
for the protection of classified information. The methodology captures
the most significant portion of industry's costs, which is labor.
Security labor in the survey is defined as personnel whose positions
exist to support operations and staff in the implementation of
government security requirements for the protection of classified
information. Guards who are required as supplemental controls are
included in security labor. The respondent contractors are requested to
compile their cleared facility's current annual security labor cost in
burdened, current year dollars with the most recent data being from the
2017 survey. The labor cost, when identified as an estimated percent of
each contractor's total security costs, enables the respondent
contractors to calculate their total security costs.
Information collected is compiled to create an aggregate estimated
cost of NISP classification-related activities. Only the aggregate data
is reported. There is a 95% confidence that the full enterprise
industrial security total baseline cost does not exceed $1.486 billion
for fiscal year 2017.
------------------------------------------------------------------------
NISP cost estimates (2017) Benefits of NISP rule
------------------------------------------------------------------------
Number of Facilities with Approved
Classified Storage (Of Over 12,000
NISP Cleared Facilities):
3658............................... A single, integrated, cohesive
industrial security program to
protect classified information
and to preserve our Nation's
economic and technological
interests.
Facilities Randomly Selected and
Responding to Data Collection:
1038............................... Maximum uniformity and
consistency by contractors who
support the Executive branch
to effectively protect and
safeguard classified
information through all phases
of the contracting process for
any classified information an
Agency releases to a
contractor.
Estimated Total NISP Security Costs for
Facilities with Approved Classified
Storage (With 95% Margin of Error to
give 95% Upper Confidence Limit):
$1,413,150,249 + $72,968,977 = Contractors must comply, when
$1,486,119,226. levied by the FAR security
requirements clause or
equivalent clauses in
contracts involving access to
classified information, with
uniform procedures for the
proper safeguarding of
classified information to
reduce the risk of
unauthorized disclosure of
classified information.
------------------------------------------------------------------------
-------------------------------------------------------------------------
Based on the data collected from the survey, we can be 95% confident the
true 2017 total NISP security cost for contractor facilities with
approved classified storage is less than $1.486B.
Assumptions and Notes:
Of over 12,000 NISP cleared facilities, 3,658 facilities
are approved for classified storage and 1,038 responded to the
survey.
[[Page 83306]]
Companies were selected at random according to survey
methodology.
The applicable NISP CSA, based on a valid requirement for
access to classified information (e.g., contract or bid), funds the
costs for evaluating and processing a contractor for an entity
eligibility determination (facility clearance) and the costs of
personnel security vetting requirements for required access to
classified information by any contractor employees.
The security cost profile for non-responding companies is
assumed to be similar to that of responding companies.
Outlying survey data points were removed from data
analysis.
Overall DoD contract spending for 2017 was $331 billion;
but DoD does not have such data for these contractor cleared
facilities in the NISP for performance on contracts requiring
access to classified information.
DoD has not collected security costs from those contractor
cleared facilities that are not authorized to store classified
information at their own contractor locations.
------------------------------------------------------------------------
DoD noted that the largest contractor cleared facilities account
for the highest security costs, and skew the average security costs for
non-small businesses much higher. The average security cost for the
largest contractor cleared facilities is approximately $4.8 million per
facility. If the largest facilities are removed from the cost estimate,
then the average security cost for a non-small business with approval
for storage of classified information is reduced to $432,312 from
$864,662. Of the approximately 1,000 facilities selected for the small
entities analysis described in section 4 of this initial regulatory
flexibility analysis, about 68% were contractor cleared facilities that
were not included in the 2017 NISP cost estimate because they don't
have approval to store classified information or process classified
information on an information system or network at the contractors' own
cleared facilities. DoD estimated the costs impacting small entities
from the approximately 32% of the remaining small businesses, as those
would have approval to store classified information or process
classified information on an information system or network at one of
the contractor's own cleared facilities. Those security costs are
estimated to be approximately $316 million or 21% of the $1.486 billion
of the estimated NISP costs to contractors in 2017. When contractor
cleared facilities' responses to the ISOO cost collection survey were
cross referenced with the DoD small business analysis (using the Small
Business Administration (SBA) Dynamic Small Business Search), DoD
estimated an average security cost for a small business with approved
storage of classified information of $133,612. One of the requirements
for a facility security clearance is a security agreement between the
applicable NISP CSA and the contractor legal entity. Such a security
agreement sets forth compliance, oversight and administration
termination provisions. The agreement also indicates that it does not
obligate USG funds and the USG shall not be liable for any costs or
claims of the contractor arising out of the security agreement. It is
recognized, however, the parties may provide in other written contracts
with GCAs for security costs, which may be properly chargeable, if so
determined by the applicable GCA. This rule provides that a contractor
must implement changes no later than 6 months from the date of a
published change to this rule to allow the contractor to discuss what
impact, if any, the changes have on existing classified contracts with
the applicable GCAs.
B. Public Cost Analysis of the Changes to the Baseline From This Rule
1. Projected Public Costs. In summary, the estimated public costs are
present value costs of 150.26 million and annualized costs estimated to
be $10.52 million.
2. Cost Analysis. Throughout, labor rates are adjusted upward by
100% to account for overhead and benefits.
a. Regulatory Familiarization. There will be an initial step to
become familiar with the format of the rule, the changed requirements
and what actions the cleared entities must take to comply with the
changes in this rule. To become familiar with the rule format and the
new requirements, cleared entities will review the Federal Register
notice with the new 32 CFR part 117. It is estimated that 12,400
cleared entities will need to become familiar with the rule. Of those
approximately 12,400 cleared entities, an estimated 8,036 are small
business entities and 4,348 are large business entities. The FSO at
each entity (small or large) must become familiar with the rule to be
able to use it on a daily basis in the FSO role to supervise and direct
security measures necessary for implementing the applicable security
requirements to ensure the protection of classified information. Using
the published Office of Personnel Management General Schedule (GS)
salary schedule for fiscal year (FY) 2020, the estimated labor rate for
an FSO of a small business entity firm is the equivalent of a GS11 step
5 and for an FSO of a large business entity as the equivalent of a
GS13, step 5. It is estimated that it will take 10 hours in the first
year, 5 hours in years 2 and 3, 3 hours in years 4 to 7, and then 2
hours annually up to year 20 for an FSO to become familiar with the
rule, as this will be the first time that the NISPOM is in a rule
format instead of as a DoD policy issuance, as well as familiarization
with the changes. These assumptions imply costs of $9.89 million in
year one; $4.95 million in years 2 and 3; $2.97 million in each year 4
through 7; and, $1.98 million in each year 8 through 20.
b. Evaluation of Existing Classified Contracts To Implement Changes
No Later than Six Months from Effective Date.
Each of the legal U.S. cleared entities must comply no more than
six months from the effective date of this NISPOM rule. During that six
months, each legal cleared entity has the opportunity to review
existing classified contracts to determine if there is any impact that
they want to discuss with the applicable GCAs about possible equitable
adjustment. Decisions on any requests for equitable adjustment will be
made by the applicable contracting officer. Legal entities enter into
contracts, licenses or grants; it is estimated that the average of
8,036 small business cleared entities are each a legal entity. It is
estimated that each of those small business cleared legal entities will
review an average of 3 existing classified contracts for possible
equitable adjustment for a total of 24,108 contracts requiring 3 hours
each for review in 2021. Using the published Office of Personnel
Management GS salary schedule for FY20, the estimated labor rate for an
FSO of a small business entity firm is the equivalent of a GS11 step 5
and for an FSO of a large business entity as the equivalent of a GS13,
step 5. Of the large business entities, it is estimated that 2,100
large business cleared entities are legal entities, while the remaining
large business entities are divisions or branch offices. It is
estimated that each of those large business cleared legal entities will
review an average of 30 existing classified contracts for possible
equitable adjustment for a total of 63,000 contracts requiring 8 hours
each for review in 2021. It is estimated that it will take more time
for review by the
[[Page 83307]]
large business cleared entities due to more complicated contracts.
These assumptions imply costs of $54.96 million in year one and no
further costs as this action is taken only in the first year.
c. Train SECRET cleared employees on requirements to submit foreign
travel reports. The FSO at each entity (small or large) must ensure
that its SECRET cleared employees are trained on the requirements. Such
training by the FSO is estimated to take 1 hour in 2021 and a half an
hour in each of the following years up to year 20. Using the published
Office of Personnel Management GS salary schedule for FY20, the
estimated labor rate for an FSO of a small business entity firm is the
equivalent of a GS11 step 5 and for an FSO of a large business entity
as the equivalent of a GS13, step 5. These assumptions imply total
costs of $0.99 million in 2021 as year one; and, $0.49 million in each
year 2 through 20.
d. Submit foreign travel reports and receive any pre-travel threat
briefings or post travel briefings based on the threat. All cleared
employees must submit foreign travel reports and receive any pre-travel
briefings or post travel briefings from the FSO-based on threat
according to this rule, SEAD 3 and CSA-provided guidance for unique
mission requirements. It is estimated that the number of foreign travel
reports submitted annually will be 483,681 to comply with this rule.
That estimate is based on analysis of calendar year 2019 unofficial
foreign travel reported by DoD civilians and military in the DoD
Aircraft and Personnel Automated Clearance System (APACS), a web-based
tool for the creation, submission and approval of aircraft diplomatic
clearances and personnel travel clearances (i.e. Country, Theater and
Special Area, as applicable with individual DoD Foreign Clearance Guide
(FCG), https://www.fcg.pentagon.mil country pages) designed to aid USG
travelers on official government and unofficial (i.e., leave) travel.
For calendar year 2019, there were 126,131 travelers and 113,214 travel
requests submitted into APACS. APACS requirements are published on the
DoD Foreign Clearance Guide (FCG), https://www.fcg.pentagon.mil. Thus
an annual estimate of .89 expected foreign travel trips by traveler
(113,214 divided by 126,131). In the small business analysis, there
were a total of 18,242 cleared employees in the 658 small entities
sampled and 63,598 cleared employees in the remaining 356 non-small
businesses. Of the total cleared employees in the small business
analysis (as reported in the National Industrial Security System),
approximately 22.3% were at small entities and 77.7% were at non-small
businesses. Known number of new travelers expected to be effected by
this rule is 543,462 SECRET cleared contractor personnel under DoD
security cognizance and the estimated trips at .89 per traveler is
(543,462 x .89 = 483,681 estimated trips). Assuming the ratio for those
employees reporting foreign travel into APACS is the same as SECRET
cleared employees would report, of the estimated 483,681 foreign trips
by SECRET cleared employees, it can be estimated that approximately
107,812 (22.3% of 483,681) will be taken by contractors at small
entities, and 375,869 (77.7% of 483,681) by contractors at non-small
businesses. It is estimated that it will take a half an hour for a
SECRET cleared employee to report foreign travel in 2021 and in each of
the following years up to year 20 to report foreign travel and receive
any pre-travel or post-travel briefings. The estimated average labor
rate for a SECRET cleared employee to report foreign travel is the
equivalent of a GS11 step 5. These assumptions imply costs of $16.81
million in each year one through 20.
e. Fewer contract performance delays by the small number of U.S.
contractors with NTIB ownership operating under an SSA. Section 842 of
Public Law 115-232, is limited to a small number of U.S. cleared legal
entities in the NISP for which the ultimate parent entity and any
intermediate parent entities of such subsidiary are located in a
country that is part of the NTIB; and that is subject to the FOCI
requirements of the NISP. There are currently 20 U.S. cleared legal
entities with their associated cleared divisions, subsidiaries or
branch (estimated to be another 100 cleared entities) to whom Section
842 of Public Law 115-232 applies. Section 881 of Public Law 114-328
expanded the legal definition of the NTIB to include the United Kingdom
and Australia. The NTIB is comprised of the United States, the United
Kingdom of Great Britain and Northern Ireland, Canada and Australia.
NTIB is based on the principle that defense trade between the United
States and its closest allies enables a host of benefits, including
increased access to innovation, economies of scale, and
interoperability (10 U.S.C. 2500).
Section 842 of Public Law 115-232 is deregulatory by statute and
this rule. There are no estimated costs to the small number of entities
impacted because they are required already to submit any new or change
to FOCI information for their initial and continued FCL, respectively,
via the SF 328, Certificate Pertaining to Foreign Interests in the NISP
as do all other U.S. cleared legal entities. 32 CFR part 2004 provides
a CSA up to 30 days to assess the submitted NID and then another 30
days for a controlling agency to make a NID for the type of proscribed
information under the purview of each (ODNI for SCI, DOE for RD or NSA
for COMSEC). Thus, with Section 842 of Public Law 115-232, there has
been minimum 60 day delay for a NID involving an NTIB covered entity
which has impacted the timeliness of contract performance. There are
estimated costs savings as this small number of cleared entities and
their entity cleared employees designated to work on specific
classified contracts involving proscribed information will no longer
have to wait at least 60 days for NIDs after contract award for access
to proscribed information when all other requirements have been met for
access to classified information and contract performance. Using the
published Office of Personnel Management GS salary schedule for FY20,
the labor rate for an FSO and an estimated 8 cleared employees in each
of the 2 small business entities impacted is the equivalent of a GS11
step 5 with a time savings of 320 hours for each year 1 through 20. The
labor rate for an FSO and an estimated 19 cleared employees in each of
the 18 large business entities impacted is the equivalent of a GS13
step 5 with a time savings of 320 hours for each year 1 through 20.
These assumptions imply cost savings of $11.81 million in each year.
C. USG Cost Analysis of the Changes to the Baseline From This Rule
1. Projected USG Cost/Cost Savings. In summary, the estimated USG
cost/cost savings are present value costs of $10.82 million and
annualized costs of $0.76 million. Throughout, labor rates are adjusted
upward by 100% to account for overhead and benefits.
2. Cost analysis.
a. Regulatory Familiarization. There will be an initial step to
become familiar with the clause requirements and what actions the USG
executive branch agencies must take to comply with the changes in this
rule. To become familiar with the new requirements, USG executive
branch agencies may review the Federal Register notice with the new 32
CFR part 117. It is estimated that 38 USG executive branch agencies
will become familiar with the rule (i.e., the five Cognizant Security
Agencies (DoD, DOE, NRC, ODNI, DHS) and the 33 USG agencies which
currently have an industrial security services agreement
[[Page 83308]]
with DoD pursuant to 32 CFR part 2004). The estimated labor rate used
for the cost calculation is the equivalent of a GS12 step 5 for the
designated NISP lead at each of those 38 agencies. It is estimated that
it will take 8 hours in the first year as well as in each of the
following through year 20 to become familiar and remain familiar with
the rule, as this will be the first time that the NISPOM is in a rule
format instead of as a DoD policy issuance, as well as familiarization
with the changes. These assumptions imply costs of approximately $25
thousand each year.
b. Training the USG civilian employees of NISP CSAs who provide
oversight of contractor compliance with this rule. It is estimated that
the NISP CSAs (i.e., DoD, DOE, NRC, ODNI and DHS) must train a total of
800 personnel who provide oversight of contractor compliance with this
rule in the first year with annual refresher training in subsequent
years. The largest number of personnel would be trained by DoD. The
initial training is estimated to take 24 hours in 2021 to ensure those
government personnel conducting oversight are versed in the changed
requirements to assess compliance by cleared entities. The second year
refresher training will be 16 hours with 8 hours of refresher training
in each of years 3 through 20. The average labor rate for these 800
government headquarters and field personnel is estimated to be a GS13
step 5. These assumptions imply costs of $1.90 million in year one;
$1.27 million in year 2; and, $0.63 million in each year 3 through 20.
c. Accepting submissions of foreign travel reports by SECRET
cleared entity personnel. DoD, with the largest population of cleared
entity personnel, already has the data fields for foreign travel
reporting in the Defense Information System for Security and will not
have to make more changes to that automated system to accept submission
of these reports. There are no expected costs or costs savings.
d. No longer draft, coordinate and submit proposed national
interest determinations (NIDs) for access to proscribed information for
the small number of U.S. contractors with NTIB ownership operating
under an SSA. There will be a small cost savings because DoD Components
(i.e., Departments of the Army, Navy and Air Force, DARPA, DIA, NGA,
NRO, NSA and assorted smaller organizations) will no longer have to
take an estimated 40 hours a year to draft, coordinate and submit NIDs
for the small number of U.S. contractors with NTIB ownership operating
under an SSA. There will be minimal administrative changes to the DoD
information system to remove the NID requirement for the small number
of NTIB covered entities. DoD already must evaluate any changes
submitted to FOCI information for U.S. cleared legal entities under its
security cognizance which would include a determination if one of these
cleared legal entities remains a covered NTIB entity. On average, DoD
receives an estimated one FOCI changed condition report annually from
an NTIB covered cleared legal entity. An estimated 10 government
personnel with an estimated labor rate of a GS11 step 5 would save 40
hours in year 1 through year 20. These assumptions imply costs saving
of approximately $28 thousand each year.
e. Update training materials, job aids and associated tools for
U.S. cleared legal entities and USG agencies on these changes to the
NISPOM. CSAs will have to update existing training materials and
products used by U.S. cleared legal entities and USG agencies so that
they have all needed information on the changes being implemented in
this NISPOM rule. Examples of those training materials and products
range from online or in person training, job aids and web tools. DoD
provides NISP training materials to the largest population, to include
USG agencies and U.S. cleared legal entities, and estimates the time
impact in year one is 1,128 hours for each of six individuals to update
all the training materials with 564 hours in year two and 282 hours
each year for maintenance of those materials in year 3 through year 20.
The labor rate for those 6 personnel is estimated to be a GS13 step 5.
These assumptions imply costs of $0.67 million in year one; $0.34
million in year 2; and $0.17 million in each year 3 through 20.
C. Total Costs/Cost Savings
In summary the estimated public and USG costs/cost savings are (1)
present value costs of $150.26 million and annualized costs of $10.52
million for the public; and, (2) present value cost of $10.82 million
and annualized costs of $0.76 million for the USG. Throughout, labor
rates are adjusted upward by 100% to account for overhead and benefits.
Benefits
Following the September 2013 Navy Yard shooting, the President
directed the Office of Management and Budget (OMB) to lead a review of
suitability and security clearance procedures for Federal employees and
contractors (see https://www.archives.gov/files/isoo/oversight-groups/nisp/2014-suitability-and-processes-report.pdf). This review assessed
USG policies, programs, processes, and procedures involving
determinations of federal employee suitability, contractor fitness, and
personnel security. The interagency working group also evaluated the
collection, sharing, processing, and storage of information used to
make suitability, credentialing, and security decisions. It found the
need for
better information sharing,
increased oversight over background investigations, and
consistent application of standards and policies for both
Federal employees and contractors.
The report identified 13 recommendations to improve how the
Government performed suitability determinations and security clearances
and the creation of SEAD 3 is a partial response to recommendation A.2.
SEAD-3 requires enhanced additional reporting of foreign travel,
foreign contacts and conduct/behavior that might jeopardize an
individual from maintaining access or eligibility to access classified
information. Many of the requirements are a direct result of recent
national security breaches by trusted insiders who have disclosed
classified information to news media or foreign entities causing
significant harm to the interests of the United States.
SEAD 3 was designed to strengthen the safeguarding of national
security equities, such as national security information, personnel,
facilities, and technologies. These reporting requirements are
important because individuals who incur a continuing security
obligation need to be aware of the risks associated with foreign
intelligence operations and/or possible terrorist activities directed
against them in the U.S. and abroad, and to be aware they possess or
have access to information that is highly sought after by foreign
adversaries and competitors, including, but not limited to:
Classified or sensitive information vital to national and
economic security
Emerging technologies and pioneering research and development
Information relating to critical infrastructure sectors
Proprietary secrets
Security or counterintelligence information
In particular, the risk of becoming an intelligence target
increases greatly during foreign travel, be it for official or
unofficial purposes. NISP Contractor cleared personnel can become the
target of a foreign intelligence or security service at any time in any
country.
[[Page 83309]]
Collecting additional information on travel will help ensure basic
counterintelligence awareness is implemented to effectively protect
both the individual and the USG against foreign attempts to collect
sensitive, proprietary, or classified information. Such measures could
include arranging a pre-travel briefing from the entity Facility
Security Officer. Reminders include, but are not limited to the
following, which can be provided to:
Do not leave items that would be of value to a foreign
intelligence service unattended in hotel rooms or stored in hotel
safes.
Limit sensitive discussions--hotel rooms or other public
places are not suitable locations to discuss sensitive information.
Not use computer or facsimile equipment at foreign hotels
or business centers for sensitive matters.
Not divulge information to anyone unauthorized to hear it.
Ignore or deflect intrusive inquiries or conversation
about business or personal matters.
Keep a laptop computer as carry-on baggage--never check it
with other luggage and, if possible, remove or control storage media.
Confirm before the foreign travel whether it is necessary or even
advisable to take a laptop computer.
Report any suspicious contacts or incidents to the entity
FSO to report to the applicable CSA.
Contractors in the NISP also have a responsibility for recognizing
and avoiding personal behaviors and activities that may impact their
continued eligibility for access to classified information. This
includes, but is not limited to the following activities which may be
of potential security, insider threat, or counterintelligence concern
An unwillingness to comply with rules, regulations, or
security requirements
Unexplained affluence or excessive indebtedness
Alcohol abuse
Illegal use or misuse of drugs or drug activity
Apparent or suspected mental health issues where there is
reason to believe it may impact the individual's ability to protect
classified information or other information prohibited by law from
disclosure
Criminal conduct
Any activity that raises doubts as to whether the individual's
continued national security eligibility is clearly consistent with
national security interests
Misuse of U.S. Government property or information systems
This rule will result in fewer contract performance delays by the
small number of U.S. contractors with NTIB ownership operating under an
SSA. With Section 842 of Public Law 115-232 implemented there will no
longer be at least a 60 day minimum delay for USG contracting
activities and NTIB covered entities to wait for NIDs after contract
award for access to proscribed information when all other requirements
have been met. When a GCA submits a NID to the applicable CSA, there is
an initial 30 days to process the request, which includes verification
of the NID requirement. If the NID also includes a requirement for
controlling agency concurrence (i.e., ODNI for SCI, DOE for RD or NSA
for COMSEC), the CSA submits the request to the applicable controlling
agencies who then have 30 more days for its analysis and decision.
Section 842 of Public Law 115-232 is deregulatory by statute as
reflected in this rule. Congress required that the NTIB policy
framework foster a defense free-trade area among the defense-related
research and development sectors of the United States, Canada,
Australia and the United Kingdom. Section 881 of Public Law 114-328
(the National Defense Authorization Act for Fiscal Year 2017) expanded
the legal definition of the NTIB to include the United Kingdom and
Australia. Congress expanded the NTIB in 2017 based on the principle
that defense trade between the United States and its closest allies
enables a host of benefits, including increased access to innovation,
economies of scale, interoperability, and to reduce the barriers to the
seamless integration between the NTIB which supplies defense articles
to the Armed Forces and enhances allied interoperability of forces.
Section 842 of Public Law 115-232 also continues the congressional
intent to remove barriers to the seamless integration of the transfer
of knowledge, goods, and services among the persons and organizations
of the NTIB for national security challenges across a variety of
technology areas.
Alternatives
No action. If there were no action (i.e., no NISPOM rule nor DoD
Manual 5220.22), USG agencies would not have single set of requirements
to be levied on contractors through a FAR security requirements clause
or equivalent to protect classified information in contracts. Without
that single set of requirements consistently levied for classified
contracts by USG agencies, there would be a loss of classified
information to adversaries. There would not be a streamlined process
for clearing contractors to work on contracts involving classified
information. This would leave each USG agency to clear its own
contractors, which could take months or years. The ability for the USG
to fill crucial mission gaps using contractors would be severely
impacted. There would be no standardized way under which contractors
would be required to physically store classified information. The USG
would have no insight into insider threats from contractor personnel
who have access to the USG's most sensitive and critical programs.
There would be an adverse impact on national security. The results of
this alternative are not preferred.
Next Best Alternative. Each USG agency would establish a rule for
contractor protection of classified information disclosed or released
to contractors. Differing standards will result in inconsistent
standards, confusion, and higher costs for compliance if a contractor
has contracts requiring access to classified information with multiple
USG agencies and has to comply with different agency requirements.
Further, such an alternative would result in additional time needed for
contractors to put in place mechanisms to meet multiple and differing
sets of requirements. This inconsistency and confusion due to differing
standards also increases the likelihood of loss of classified
information and insider threats going undetected. The results of this
alternative are not preferred.
The Preferred Alternative. This final rule provides a single
statement of requirements for contractors to comply with for maximum
uniformity and consistency, for the protection of classified
information, to include the reporting of foreign travel and foreign
contacts by cleared contractor personnel in accordance with Security
Executive Agent policies. This final rule provides for the proper
protection of classified information disclosed or released by U.S.
agencies in all phases of the contracting, license or grant processes.
This rule will prevent the theft of classified national security assets
and information by adversaries and insider threats. This is the
preferred alternative.
IV. Exception to Notice and Comment
This rule directly involves matters relating to public grants or
contracts, and is therefore expressly exempt from notice and comment
procedures under 5 U.S.C. 553(a)(2). Compliance with this rule is
levied by a Federal Acquisition Regulation security requirements clause
[[Page 83310]]
or equivalent. It establishes requirements for the protection of
classified information disclosed to or developed by contractors,
licensees, grantees, or certificate holders. Industry implements these
requirements to protect national security interests, cleared persons,
and the integrity of the classified information. Although DoD has
determined that an exception to the notice and comment requirements of
Sec. 553 applies, it still seeks public comments on this rule.
Thereafter, DoD will consider comments received on this rule in
determining whether to make any changes in a subsequent rule.
V. Regulatory Analysis
Executive Order 12866, ``Regulatory Planning and Review'' and E.O.
13563, ``Improving Regulation and Regulatory Review''
E.O.s 12866 and 13563 direct agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distribute impacts, and equity). E.O. 13563 emphasizes the
importance of quantifying both costs and benefits, of reducing costs,
of harmonizing rules, and of promoting flexibility. Accordingly, the
rule has been reviewed by the Office of Management and Budget (OMB)
under the requirements of these E.O.s. This rule has been designated a
significant regulatory action and determined to be economically
significant, under section 3(f) of E.O. 12866 as it has an annual
effect on the economy of $100 million or more or affects in a material
way the economy or a sector of the economy. Security costs relate
specifically to protection of classified information by cleared U.S.
entities.
Executive Order 13771, ``Reducing Regulation and Controlling Regulatory
Costs''
This rule is not subject to the requirements of E.O. 13771, because
the rule is issued with respect to a national security function of the
United States.
Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)
The DoD certifies that this final rule would not, if promulgated,
have a significant economic impact on a substantial number of small
business entities in accordance with the Regulatory Flexibility Act (5
U.S.C. 601) requirements since a contractor cleared legal entity may,
in entering into contracts requiring access to classified information,
negotiate for security costs determined to be properly chargeable by a
GCA. The DoD invites comment from members of the public who believe
there will be a significant impact.
Small entities to which this rule will apply provide products and
services to the executive branch, e.g., in the areas of administration,
consulting, information security and technology, cybersecurity,
research and development, design, production and manufacturing,
including circumstances where physical security measures cannot
preclude aural or visual access to classified information. These small
business entities, as well as non-small business entities, have entered
into a contract, license or grant for which access to classified
information is required. Compliance with this rule, also referred to as
the NISPOM, is levied by a FAR security requirements clause or
equivalent. The requirements for an entity eligibility determination do
not include USG collection of applicable North American Industry
Classification System (NAICS) codes. While this type of information is
available in the Federal Procurement Data System (FPDS), entity
eligibility determinations (often referred to as facility clearances)
are not available in FPDS. DoD has no efficient mechanism to cross
check NAICS codes from FPDS with facility clearance data. DoD assesses
there are a wide variety of NAICS codes associated with contracts
requiring access to classified information. For example, the following
NAICS codes may be associated with contracts requiring access to
classified information: 561720 janitorial services; 561210 facility
support services; 541611 administrative management and general
management services; 561110 office administrative services; 541690
other scientific and technical consulting services; 541330 engineering
services; 561611 investigation services; and likely many others, since
contracts that require a facility clearance for access to classified
information are not industry specific.
Based on the number of small businesses registered within the SBA
Dynamic Small Business Search, the overall industrial base of federal
government small businesses is 313,651. Approximately 1,000 facilities
were randomly selected from the NISP to determine if the selected
facilities were registered within the SBA Dynamic Small Business
Search. With 95% confidence, it can be estimated that there are between
7,672 and 8,400 small entities impacted by this rule. The general
methodology to determine a random sample and the estimated number of
small business entities impacted by this rule is outlined in the
following table. The random selection is dependent on the contractor
facility having an active facility security clearance and permanent
CAGE Code.
------------------------------------------------------------------------
NISP small entities estimate
------------------------------------------------------------------------
Total cleared contractor facilities
enrolled in the DoD National
Industrial Security System (NISS) as
of May 14, 2020:
12,384.............................
Randomly Selected facilities from the
current cleared contractor population:
1,014..............................
The proportion of cleared contractor
facilities in the simple random sample
enrolled in the SBA Database:
658/1,014 = 64.89%................. Equates to 8,036 facilities as
small business entities.
Margin of Error for proportion enrolled
in SBA database (95% confidence):
2.94%.................. Equates to 364
facilities cleared contractor
facilities.
The interval estimate for the number of
small businesses in the NISP:
8,036 364 =............ 7,672 to 8,400 cleared
contractor facilities.
------------------------------------------------------------------------
[[Page 83311]]
-------------------------------------------------------------------------
Based on the simple random sample, we can be 95% confident that the true
proportion of active cleared contractor facilities enrolled in the SBA
database is between 62.0% and 67.8%. Based on cleared contractor
enrollment as of May 14, 2020, the percentages equate to an interval
estimate between 7,672 and 8,400 small business entities which are
cleared contractor facilities and impacted by this rule.
Assumptions and Notes:
Facilities self-enrolled in the SBA database are, in fact,
small businesses. The following link was used to determine if a
facility was a small business by searching CAGE codes showing all
NAICS for which a business is a small business: https://web.sba.gov/pro-net/search/dsp_dsbs.cfm.
The SBA database is generally a self-certifying database.
The SBA does not make any representation as to the accuracy of any
of the data included, other than certifications relating to 8(a)
Business Development, HUBZone or Small Disadvantaged Business
status. The SBA strongly recommends that contracting officers
diligently review a bidder's small business self-certification
before awarding a contract.
Facilities were selected from the active NISS population
using a simple random sample (1,014 selected of 12,384 enrolled
facilities).
Selection of each facility is independent of all other
facilities selected (N * .10 >n).
The sample is large enough (n = 1014) that we can assume
the sampling distribution of sample proportions is approximately
normal (n * p>10 and n * (1-p) >10).
------------------------------------------------------------------------
Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by
the Small Business Regulatory Enforcement Fairness Act of 1996,
generally provides that before a rule may take effect, the agency
promulgating the rule must submit a rule report, which includes a copy
of the rule, to each House of the Congress and to the Comptroller
General of the United States. We will submit a report containing this
rule and other required information to the U.S. Senate, the U.S. House
of Representatives, and the Comptroller General of the United States. A
major rule cannot take effect until 60 days after it is published in
the Federal Register. This final rule is a ``major rule'' as defined by
5 U.S.C. 804(2) because it is also economically significant under
section 3(f) of E.O. 12866 with an annual effect on the economy of $100
million or more.
Sec. 202, Public Law 104-4, ``Unfunded Mandates Reform Act''
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) (2
U.S.C. 1532) requires agencies to assess anticipated costs and benefits
before issuing any rule whose mandates require spending in any 1 year
of $100 million in 1995 dollars, updated annually for inflation. This
final rule will not mandate any requirements for State, local, or
tribal governments, nor will it affect private sector costs.
Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 35)
It has been determined that 32 CFR part 117 does impose reporting
or recordkeeping requirements under the Paperwork Reduction Act of
1995. DoD is not proposing changes to the DoD collections based on this
final rule, nor have any of the other NISP CSAs indicated proposed
changes based on this rule. The DOE and NRC have collections based on
their respective authorities as a NISP CSA; but neither has a
collection for a Contract Security Classification Specification because
DOE and NRC each complete that specification for both prime contracts
and subcontracts. By accepting the contract, the contractor obligates
itself to fulfill the requirements specified in applicable DOE
Acquisition Regulation (DEAR) clauses (available at https://www.energy.gov/management/downloads/searchable-electronic-department-energy-acquisition-regulation) and identified DOE Directives. The DOE
Directives contain a contractor requirements document that conveys
security obligations and the statutes for civil penalties for security
violations. The Nuclear Regulatory Commission Acquisition Regulation
part 2052.204-70 includes the security requirements levied on the
contractor (available at https://www.acquisition.gov/nrcar/nrcar-part-2052-solicitation-provisions-and-contract-clauses#P41_1774). For ease
of review of this rule, the collections are discussed below. Materials
associated with all of the collections can reviewed at www.reginfo.gov.
OMB Control Number 0704-0194, DD Form 441, DoD Security
Agreement.
OMB Control Number: 0704-0571, National Industrial
Security System, is a DoD information collection used to conduct its
monitoring and oversight of contractors.
OMB Control Number 0704-0567, DoD Contract Security
Classification Specification, this collection is used by both DoD and
agencies which have an industrial security agreement with DoD.
OMB Control Number 0704-0573, Defense Information System
for Security, is a DoD automated system for personnel security,
providing a common, comprehensive medium to record, document, and
identify personal security actions within DoD including submitting
adverse information, verification of security clearance status,
requesting investigations, and supporting continuous evaluation
activities. It requires personal data collection to facilitate the
initiation, investigation and adjudication of information relevant to
DoD security clearances and employment suitability determinations for
active duty military, civilian employees and contractors seeking such
credentials.
OMB Control Number 0704-0496, Joint Personnel Adjudication
System, an information system which requires personal data collection
to facilitate the initiation, investigation and adjudication of
information relevant to DoD security clearances and employment
suitability determinations for active duty military, civilian employees
and contractors seeking such credentials.
OMB Control Number 0704-0579, Certificate Pertaining to
Foreign Interests SF (328) which is a common form which can be used by
all CSAs.
OMB Control Number 3150-0047, 10 CFR part 95, Facility
Security Clearance and Safeguarding of National Security Information
and Restricted Data, is an NRC information collection used to obtain an
FCL and for safeguarding Secret and Confidential National Security
Information and Restricted Data. Licensees under 10 CFR part 95 fall
within two categories, those who possess, use or transmit classified
matter at their site or a cleared contractor site, and those licensees
and contractors who only need access to classified matter at a
government or appropriately cleared non-government site.
OMB Control Number 1910-1800, Security Package, is a DOE
information collection used by DOE to conduct its monitoring and
oversight of contractors under its security cognizance and to provide a
platform for other CSAs, GCAs or prime contractors to verify whether a
contractor has a DOE-granted FCL.
Executive Order 13132, ``Federalism''
E.O. 13132 establishes certain requirements that an agency must
meet when it promulgates an final rule (and subsequent final rule) that
imposes substantial direct requirement costs on
[[Page 83312]]
State and local governments, preempts State law, or otherwise has
Federalism implications. This final rule will not have a substantial
effect on State and local governments.
List of Subjects in 32 CFR Part 117
Classified information; Government contracts; USG contracts,
National Industrial Program (NISP); Prime contractor, Subcontractor.
0
Accordingly, the Department of Defense amends chapter I of title 32 of
the CFR by adding part 117 to read as follows:
PART 117--NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL
(NISPOM)
Sec.
117.1 Purpose.
117.2 Applicability.
117.3 Definitions.
117.4 Policy.
117.5 Information collections.
117.6 Responsibilities.
117.7 Procedures.
117.8 Reporting requirements.
117.9 Entity eligibility determination for access to classified
information.
117.10 Determination of eligibility for access to classified
information for contractor employees.
117.11 Foreign Ownership, Control, or Influence (FOCI).
117.12 Security training and briefings.
117.13 Classification.
117.14 Marking requirements.
117.15 Safeguarding classified information.
117.16 Visits and meetings.
117.17 Subcontracting.
117.18 Information system security.
117.19 International security requirements.
117.20 Critical Nuclear Weapon Design Information (CNWDI).
117.21 COMSEC.
117.22 DHS CCIPP.
117.23 Supplement to this rule: Security Requirements for
Alternative Compensatory Control Measures (ACCM), Special Access
Programs (SAPs), SCI, RD, Formerly Restricted Data (FRD),
Transclassified Foreign Nuclear Information (TFNI), and Naval
Nuclear Propulsion Information (NNPI).
117.24 Cognizant Security Office information.
Authority: 32 CFR part 2004; E.O. 10865; E.O. 12333; E.O. 12829;
E.O. 12866; E.O. 12968; E.O. 13526; E.O. 13563; E.O. 13587; E.O.
13691; Public Law 108-458; Title 42 U.S.C. 2011 et seq.; Title 50
U.S.C. Chapter 44; Title 50 U.S.C. 3501 et seq.
Sec. 117.1 Purpose.
(a) This rule implements policy, assigns responsibilities,
establishes requirements, and provides procedures, consistent with E.O.
12829, ``National Industrial Security Program''; E.O. 10865,
``Safeguarding Classified Information within Industry''; 32 CFR part
2004; and DoD Instruction (DoDI) 5220.22, ``National Industrial
Security Program (NISP)'' (available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/522022p.pdf?ver=2018-05-01-073158-710) for the protection of classified information that is
disclosed to, or developed by contractors of the U.S. Government (USG)
(hereinafter referred to in this rule as contractors).
(b) This rule, also in accordance with E.O. 12829, E.O.
13587,''Structural Reforms To Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of Classified
Information''; E.O. 13691, ``Promoting Private Sector Cybersecurity
Information Sharing''; E.O. 12333, ``United States Intelligence
Activities''; 42 U.S.C. 2011 et seq. (also known as and referred to in
this rule as the ``AEA of 1954,'' as amended); '' 50 U.S.C. Ch. 44
(also known as the ``National Security Act of 1947,'' as amended); 50
U.S.C. 3501 et seq. (also known as the ``Central Intelligence Agency
Act of 1949,'' as amended); Public Law 108-458 (also known as the
``Intelligence Reform and Terrorism Prevention Act of 2004''); and 32
CFR part 2004:
(1) Prescribes industrial security procedures and practices, under
E.O. 12829 or successor orders, to safeguard USG classified information
that is developed by or disclosed to contractors of the USG.
(2) Prescribes requirements, restrictions, and other safeguards to
prevent unauthorized disclosure of classified information and protect
special classes of classified information.
(3) Prescribes that contractors will implement the provisions of
this rule no later than 6 months from the effective date of this rule.
Sec. 117.2 Applicability.
(a) This rule applies to:
(1) The Office of the Secretary of Defense, the Military
Departments, the Office of the Chairman of the Joint Chiefs of Staff
and the Joint Staff, the Combatant Commands, the Office of the
Inspector General of the Department of Defense, the Defense Agencies,
the DoD Field Activities, and all other organizational entities within
the DoD (referred to collectively in this rule as the ``DoD
Components'').
(2) All executive branch departments and agencies.
(3) All industrial, educational, commercial, or other non-USG
entities granted access to classified information by the USG executive
branch departments and agencies or by foreign governments.
(4) The release of classified information by the USG to
contractors, who are required to safeguard classified information
released during all phases of the contracting, agreement (including
cooperative research and development agreements), licensing, and grant
processes, i.e., the preparation and submission of bids and proposals,
negotiation, award, performance, and termination. Also, it applies in
situations involving a contract, agreement, license, or grant when
actual knowledge of classified information is not required, but
reasonable physical security measures cannot be employed to prevent
aural or visual access to classified information, because there is the
ability and opportunity to gain knowledge of classified information. It
also applies to any other situation in which classified information or
FGI that is furnished to a contractor requires protection in the
interest of national security, but which is not released under a
contract, license, certificate or grant.
(b) This rule does not:
(1) Limit in any manner the authority of USG executive branch
departments and agencies to grant access to classified information
under the cognizance of their department or agency to any individual
designated by them. The granting of such access is outside the scope of
the NISP and is accomplished pursuant to E.O. 12968, E.O. 13526, E.O.
13691, the AEA, and applicable disclosure policies.
(2) Apply to criminal proceedings in the courts or authorize
contractors or their employees to disclose classified information in
connection with any criminal proceedings. Defendants and their
representative in criminal proceedings in U.S. District Courts, Courts
of Appeal, and the U.S. Supreme Court may gain access to classified
information in accordance with 18 U.S.C. Appendix 3, Section 1, also
known as and referred to in this rule as the ``Classified Information
Procedures Act,'' as amended.
Sec. 117.3 Acronyms and Definitions.
(a) Acronyms. Unless otherwise noted, these acronyms and their
terms are for the purposes of this rule.
ACCM alternative compensatory control measures
AEA Atomic Energy Act of 1954, as amended
AUS Australia
CAGE commercial and government entity
CCIPP classified critical infrastructure protection program
CDC cleared defense contractor
CFIUS Committee on Foreign Investment in the United States
CFR Code of Federal Regulations
[[Page 83313]]
CI Counterintelligence
CIA Central Intelligence Agency
CNSS Committee on National Security Systems
CNWDI critical nuclear weapons design information
COMSEC communications security
COR central office of record
CSA cognizant security agency
CSO cognizant security office
CUSR Central United States Registry
DCSA Defense Counterintelligence and Security Agency
DD Department of Defense (forms only)
DDTC Directorate of Defense Trade Controls
DGR designated government representative
DHS Department of Homeland Security
DNI Director of National Intelligence
DoD Department of Defense
DoDD Department of Defense Directive
DoDI Department of Defense Instruction
DoDM Department of Defense Manual
DOE Department of Energy
ECP electronic communications plan
E.O. Executive order
FBI Federal Bureau of Investigation
FCL facility (security) clearance
FGI foreign government information
FOCI foreign ownership, control, or influence
FRD Formerly Restricted Data
FSCC Facility Security Clearance Certificate (NATO)
FSO facility security officer
GCA government contracting activity
GCMS government contractor monitoring station
GSA General Services Administration
GSC government security committee
IDE intrusion detection equipment
IDS intrusion detection system
IFB invitation for bid
ISOO Information Security Oversight Office
ISSM information system security manager
ISSO information systems security officer
ITAR International Traffic in Arms Regulations
ITPSO insider threat program senior official
KMP key management personnel
LAA limited access authorization
MFO multiple facility organization
NATO North Atlantic Treaty Organization
NDA nondisclosure agreement
NIAG NATO Industrial Advisory Group
NID national interest determination
NISP National Industrial Security Program
NISPOM National Industrial Security Program Operating Manual
NIST National Institute for Standards and Technology
NNPI Naval Nuclear Propulsion Information
NNSA National Nuclear Security Administration
NPLO NATO Production Logistics Organization
NRC Nuclear Regulatory Commission
NRTL nationally recognized testing laboratory
NSA National Security Agency
NSI national security information
NTIB National Technology and Industrial Base
OCA original classification authority
OMB Office of Management and Budget
PA proxy agreement
PCL personnel (security) clearance
RD Restricted Data
RFP request for proposal
RFQ request for quotation
SAP special access program
SCA security control agreement
SCI sensitive compartmented information
SD Secretary of Defense (forms only)
SEAD Security Executive Agent directive
SF standard form
SMO senior management official
SSA special security agreement
SSP systems security plan
TCP technology control plan
TFNI Transclassified Foreign Nuclear Information
TP transportation plan
UK United Kingdom
UL Underwriters' Laboratories
U.S.C. United States Code
USD (I&S) Under Secretary of Defense for Intelligence and Security
USG United States Government
USML United States Munitions List
VAL visit authorization letter
VT voting trust
(b) Definitions. Unless otherwise noted, these terms and their
definitions are for the purposes of this rule.
Access means the ability and opportunity to gain knowledge of
classified information.
Access Permittee means the holder of an Access Permit issued
pursuant to the regulations set forth in 10 CFR part 725, ``Permits For
Access to Restricted Data.''
ACCM are security measures used by USG agencies to safeguard
classified intelligence or operations when normal measures are
insufficient to achieve strict need-to-know controls and where SAP
controls are not required.
Adverse information means any information that adversely reflects
on the integrity or character of a cleared employee, that suggests that
his or her ability to safeguard classified information may be impaired,
that his or her access to classified information clearly may not be in
the interest of national security, or that the individual constitutes
an insider threat.
Affiliate means each entity that directly or indirectly controls,
is directly or indirectly controlled by, or is under common control
with, the ultimate parent entity.
Agency(ies) means any ``Executive agency'' as defined in 5 U.S.C.
105; any ``Military department'' as defined in 5 U.S.C. 102; and any
other entity within the executive branch that releases classified
information to private sector entities. This includes component
agencies under another agency or under a cross-agency oversight office
(such as ODNI with CIA), which are also agencies for purposes of this
rule.
Alarm service company means an entity or branch office from which
all of the installation, service, and maintenance of alarm systems are
provided, and the monitoring and investigation of such systems are
either provided by its own personnel or with personnel assigned by this
location.
Alarm system description form means a form describing an alarm
system and monitoring information.
Approved security container means a GSA approved security container
originally procured through the Federal Supply system. The security
containers bear the GSA Approval label on the front face of the
container, which identifies them as meeting the testing requirements of
the assigned federal specification and having been maintained according
to Federal Standard 809.
Approved vault means a vault built to Federal Standard 832 and
approved by the CSA.
AUS community consists of the Government of Australia entities and
Australian non-governmental facilities identified on the DDTC website
(https://pmddtc.state.gov/) at the time of export or transfer.
Authorized person means a person who has a favorable determination
of eligibility for access to classified information, has signed an
approved nondisclosure agreement, and has a need-to-know.
Branch office means an office of an entity which is located
somewhere other than the entity's main office location. A branch office
is simply another location of the same legal business entity, and is
still involved in the business activities of the entity.
CCIPP means security sharing of classified information under a
designated critical infrastructure protection program with such
authorized individuals and organizations as determined by the Secretary
of Homeland Security.
CDC means a subset of contractors cleared under the NISP who have
classified contracts with the DoD.
Certification means comprehensive evaluation of an information
system component that establishes the extent to which a particular
design and implementation meets a set of specified security
requirements.
Classification guide means a document issued by an authorized
original classifier that identifies the elements of information
regarding a specific subject that must be classified and prescribes the
level and duration of classification and appropriate declassification
instructions.
Classified contract means any contract, license, agreement, or
grant requiring access to classified information by a contractor and
its
[[Page 83314]]
employees for performance. A contract is referred to in this rule as a
``classified contract'' even when the contract document and the
contract provisions are not classified. The requirements prescribed for
a ``classified contract'' also are applicable to all phases of
precontract, license or grant activity, including solicitations (bids,
quotations, and proposals), precontract negotiations, post-contract
activity, or other government contracting activity (GCA) programs or
projects which require access to classified information by a
contractor.
Classified covered information system means an information system
that is owned or operated by or for a cleared defense contractor and
that processes, stores, or transmits information created by or for the
DoD with respect to which such contractor is required to apply enhanced
protection (e.g., classified information). A classified covered
information system is a type of covered network consistent with the
requirements of Section 941 of Public Law 112-239 and 10 U.S.C. 391.
Classified information means information that has been determined,
pursuant to E.O. 13526, or any predecessor or successor order, and the
AEA of 1954, as amended, to require protection against unauthorized
disclosure in the interest of national security and which has been so
designated. The term includes NSI, RD, and FRD.
Classified meetings means a conference, seminar, symposium,
exhibit, convention, training course, or other such gathering during
which classified information is disclosed.
Classified visit means a visit during which a visitor will require,
or is expected to require, access to classified information.
Classifier means any person who makes a classification
determination and applies a classification category to information or
material. The determination may be an original classification action or
it may be a derivative classification action. Contractors make
derivative classification determinations based on classified source
material, a security classification guide, or a contract security
classification specification, or equivalent.
Cleared commercial carrier means a carrier that is authorized by
law, regulatory body, or regulation to transport SECRET and
CONFIDENTIAL material and has been granted a SECRET facility clearance
in accordance with the NISP.
Cleared employees means all employees of industrial or commercial
contractors, licensees, certificate holders, or grantees of an agency,
as well as all employees of subcontractors and personal services
contractor personnel, and who are granted favorable eligibility
determinations for access to classified information by a CSA or are
being processed for eligibility determinations for access to classified
information by a CSA. A contractor may give an employee access to
classified information in accordance with the provisions of Sec.
117.10(a)(1)(iii).
Closed area means an area that meets the requirements of this rule
for safeguarding classified material that, because of its size, nature,
or operational necessity, cannot be adequately protected by the normal
safeguards or stored during nonworking hours in approved containers.
CNWDI means a DoD category of TOP SECRET RD or SECRET RD
information that reveals the theory of operation or design of the
components of a thermonuclear or fission bomb, warhead, demolition
munition, or test device. Specifically excluded is information
concerning arming, fusing, and firing systems; limited life components;
and total contained quantities of fissionable, fusionable, and high
explosive materials by type. Among these excluded items are the
components that DoD personnel set, maintain, operate, test or replace.
Compromise means an unauthorized disclosure of classified
information.
COMSEC means the protective measures taken to deny unauthorized
persons information derived from USG telecommunications relating to
national security and to ensure the authenticity of such
communications.
CONFIDENTIAL means the classification level applied to information,
the unauthorized disclosure of which reasonably could be expected to
cause damage to the national security that the original classification
authority (OCA) is able to identify or describe.
Consignee means a person, firm, or Government (i.e., USG or foreign
government) activity named as the receiver of a shipment; one to whom a
shipment is consigned.
Consignor means a person, firm, or Government (i.e., USG or foreign
government) activity by which articles are shipped. The consignor is
usually the shipper.
Constant surveillance service means a transportation protective
service provided by a commercial carrier qualified by the Surface
Deployment and Distribution Command to transport CONFIDENTIAL
shipments. The service requires constant surveillance of the shipment
at all times by a qualified carrier representative; however, an FCL is
not required for the carrier. The carrier providing the service must
maintain a signature and tally record for the shipment.
Consultant means an individual under contract, and compensated
directly, to provide professional or technical assistance to a
contractor in a capacity requiring access to classified information.
Continuous evaluation as defined in SEAD 6 is a personnel security
investigative process to review the background of a covered individual
who has been determined to be eligible for access to classified
information or to hold a sensitive position at any time during the
period of eligibility. Continuous evaluation leverages a set of
automated records checks and business rules, to assist in the ongoing
assessment of an individual's continued eligibility. It supplements,
but does not replace, the established personnel security program for
scheduled periodic reinvestigations of individuals for continuing
eligibility.
Continuous monitoring program means a system that facilitates
ongoing awareness of threats, vulnerabilities, and information security
to support organizational risk management decisions.
Contracting officer means a USG official who, in accordance with
departmental or agency procedures, has the authority to enter into and
administer contracts, licenses or grants and make determinations and
findings with respect thereto, or any part of such authority. The term
also includes the designated representative of the contracting officer
acting within the limits of his or her authority.
Contractor means any industrial, educational, commercial, or other
entity that has been granted an entity eligibility determination by a
CSA. This term also includes licensees, grantees, or certificate
holders of the USG with an entity eligibility determination granted by
a CSA. As used in this rule, ``contractor'' does not refer to
contractor employees or other personnel.
Cooperative agreement means a legal instrument which, consistent
with 31 U.S.C. 6305, is used to enter into the same kind of
relationship as a grant (see definition of ``grant'' in this subpart),
except that substantial involvement is expected between USG and the
recipient when carrying out the activity contemplated by the
cooperative agreement. The term does not include ``cooperative research
and development agreements'' as defined in 15 U.S.C. 3710a.
[[Page 83315]]
Cooperative research and development agreement means any agreement
between one or more Federal laboratories and one or more non-Federal
parties under which the Government, through its laboratories, provides
personnel, services, facilities, equipment, intellectual property, or
other resources with or without reimbursement (but not funds to non-
Federal parties) and the non-Federal parties provide funds, personnel,
services, facilities, equipment, intellectual property, or other
resources toward the conduct of specified research or development
efforts which are consistent with the missions of the laboratory;
except that such term does not include a procurement contract or
cooperative agreement as those terms are used in sections 6303, 6304,
and 6305 of title 31.
Corporate family means an entity, its parents, subsidiaries,
divisions, and branch offices.
Counterintelligence means information gathered and activities
conducted to protect against espionage, other intelligence activities,
sabotage, or assassinations conducted for or on behalf of foreign
powers, organizations or persons, or international terrorist
activities, but not including personnel, physical, document or
communications security programs.
Courier means a cleared employee, designated by the contractor,
whose principal duty is to transmit classified material to its
destination, ensuring that the classified material remains under their
constant and continuous protection and that they make direct point-to-
point delivery.
CRYPTO means the marking or designator that identifies unencrypted
COMSEC keying material used to secure or authenticate
telecommunications carrying classified or sensitive USG or USG-derived
information. This includes non-split keying material used to encrypt or
decrypt COMSEC critical software and software based algorithms.
CSA means an agency designated as having NISP implementation and
security responsibilities for its own agencies (including component
agencies) and any entities and non-CSA agencies under its cognizance.
The CSAs are: DoD; DOE; NRC; ODNI; and DHS.
CSO means an organizational unit to which the head of a CSA
delegates authority to administer industrial security services on
behalf of the CSA.
CUI means information the USG creates or possesses, or that an
entity creates or possesses for or on behalf of the USG, that a law,
regulation, or USG-wide policy requires or permits an agency to handle
using safeguarding or dissemination controls. However, CUI does not
include classified information or information a non-executive branch
entity possesses and maintains in its own systems that did not come
from, or was not created or possessed by or for, an executive branch
agency or an entity acting for an agency.
Custodian means an individual who has possession of, or is
otherwise charged with, the responsibility for safeguarding classified
information.
Cybersecurity means prevention of damage to, protection of, and
restoration of computers, electronic communications systems, electronic
communications services, wire communication, and electronic
communication, including information contained therein, to ensure its
availability, integrity, authentication, confidentiality, and
nonrepudiation.
Cyber incident means actions taken through the use of computer
networks that result in an actual or potentially adverse effect on an
information system or the information residing therein.
Declassification means a date or event which coincides with the
lapse of the information's national security sensitivity, as determined
by the OCA. Declassification occurs when the OCA has determined that
the classified information no longer requires, in the interest of
national security, any degree of protection against unauthorized
disclosure, and the information has had its classification designation
removed or cancelled.
Defense articles means those articles, services, and related
technical data, including software, in tangible or intangible form,
which are listed on the United States Munitions List (USML) of the
International Traffic in Arms Regulations (ITAR), as modified or
amended. Defense articles exempt from the scope of ITAR section 126.17
are identified in Supplement No. 1 to Part 126 of the ITAR.
Defense services means:
(1) Furnishing assistance (including training) to foreign persons,
whether in the United States or abroad, in the design, development,
engineering, manufacture, production, assembly, testing, repair,
maintenance, modification, operation, demilitarization, destruction,
processing or use of defense articles;
(2) Furnishing to foreign persons any controlled technical data,
whether in the United States or abroad; or
(3) Providing military training of foreign units and forces,
regular and irregular, including formal or informal instruction of
foreign persons in the United States or abroad or by correspondence
courses, technical, educational, or information publications and media
of all kinds, training aid, orientation, training exercise, and
military advice.
Derivative classification means the incorporating, paraphrasing,
restating, or generating in new form information that is already
classified, and marking the newly developed material consistent with
the classification markings that apply to the source information.
Derivative classification includes classifying information based on
classification guidance. Duplicating or reproducing existing classified
information is not derivative classification.
Document means any recorded information, regardless of the nature
of the medium, or the method or circumstances of recording.
Downgrade means a determination by a declassification authority
that information classified and safeguarded at a specified level will
be classified and safeguarded at a lower level.
Embedded system means an information system that performs or
controls a function, either in whole or in part, as an integral element
of a larger system or subsystem, such as, ground support equipment,
flight simulators, engine test stands, or fire control systems.
Empowered official is defined in 22 CFR part 120.
Entity is a generic and comprehensive term which may include sole
proprietorships, partnerships, corporations, limited liability
companies, societies, associations, institutions, contractors,
licensees, grantees, certificate holders, and other organizations
usually established and operating to carry out a commercial,
industrial, educational, or other legitimate business, enterprise, or
undertaking, or parts of these organizations. It may reference an
entire organization, a prime contractor, parent organization, a branch
or division, another type of sub-element, a sub-contractor, subsidiary,
or other subordinate or connected entity (referred to as ``sub-
entities'' when necessary to distinguish such entities from prime or
parent entities). It may also reference a specific location or
facility, or the headquarters or official business location of the
organization, depending upon the organization's business structure, the
access needs involved, and the responsible CSA's procedures. The term
``entity'' as used in this rule refers to the particular entity to
which an agency might release, or is releasing, classified information,
whether that entity is a parent or
[[Page 83316]]
subordinate organization. The term ``entity'' in this rule includes
contractors.
Entity eligibility determination means an assessment by the CSA as
to whether an entity is eligible for access to classified information
of a certain level (and all lower levels). Entity eligibility
determinations may be broad or limited to specific contracts,
sponsoring agencies, or circumstances. A favorable entity eligibility
determination results in eligibility to access classified information
under the cognizance of the responsible CSA to the level approved. When
the entity would be accessing categories of information such as RD or
SCI for which the CSA for that information has set additional
requirements, CSAs must also assess whether the entity is eligible for
access to that category of information. Some CSAs refer to their
favorable entity eligibility determinations as FCLs. However, a
favorable entity eligibility determination for the DHS CCIPP is not
equivalent to an FCL and does not meet the requirements for FCL
reciprocity. A favorable entity eligibility determination does not
convey authority to store classified information.
Escort means a cleared person, designated by the contractor, who
accompanies a shipment of classified material to its destination. The
classified material does not remain in the personal possession of the
escort but the conveyance in which the material is transported remains
under the constant observation and control of the escort.
Extent of protection means the designation (such as ``Complete'')
used to describe the degree of alarm protection installed in an alarmed
area.
Facility means a plant, laboratory, office, college, university, or
commercial structure with associated warehouses, storage areas,
utilities, and components, that, when related by function and location,
form an operating entity.
FCL means an administrative determination that, from a security
viewpoint, an entity is eligible for access to classified information
of a certain level (and all lower levels) (e.g., a type of favorable
entity eligibility determination used by some CSAs). An entity
eligibility determination for the DHS CCIPP is not the equivalent of an
FCL and does not meet the requirements for FCL reciprocity.
FGI means information that is:
(1) Provided to the United States by a foreign government or
governments, an international organization of governments, or any
element thereof with the expectation, expressed or implied, that the
information, the source of the information, or both, are to be held in
confidence; or
(2) Produced by the United States pursuant to, or as a result of, a
joint arrangement with a foreign government or governments, an
international organization of governments, or any element thereof,
requiring that the information, the arrangement, or both are to be held
in confidence.
Foreign interest means any foreign government, agency of a foreign
government, or representative of a foreign government; any form of
business enterprise or legal entity organized, chartered or
incorporated under the laws of any country other than the United States
or its territories, and any person who is not a citizen or national of
the United States.
Foreign national means any person who is not a citizen or national
of the United States.
Foreign person is defined in 31 CFR 800.224 for CFIUS purposes.
FRD means classified information removed from the Restricted Data
category upon a joint determination by the DOE and DoD that such
information relates primarily to the military utilization of atomic
weapons and that such information can be adequately safeguarded as
classified defense information.
Freight forwarder (transportation agent) means any agent or
facility designated to receive, process, and transship U.S. material to
foreign recipients. In the context of this rule, it means an agent or
facility cleared specifically to perform these functions for the
transfer of U.S. classified material to foreign recipients.
GCA means an element of an agency that the agency head has
designated and delegated broad authority regarding acquisition
functions. A foreign government may also be a GCA.
Governing board means an entity's board of directors, board of
managers, board of trustees, or equivalent governing body.
Grant means a legal instrument which, consistent with 31 U.S.C.
6304, is used to enter into a relationship: (a) Of which the principal
purpose is to transfer a thing of value to the recipient to carry out a
public purpose of support or stimulation authorized by a law of the
United States, rather than to acquire property or services for the
USG's direct benefit or use; or, (b) In which substantial involvement
is not expected between DoD and the recipient when carrying out the
activity contemplated by the award. Throughout this rule, the term
grant will include both the grant and cooperative agreement.
Grantee means the entity that receives a grant or cooperative
agreement.
Hand carrier means a cleared employee, designated by the
contractor, who occasionally hand carries classified material to its
destination in connection with a classified visit or meeting. The
classified material remains in the personal possession of the hand
carrier except for authorized overnight storage.
Home office means the headquarters of a multiple facility entity.
Industrial security means that portion of information security
concerned with the protection of classified information in the custody
of U.S. industry.
Information means any knowledge that can be communicated or
documentary material, regardless of its physical form or
characteristics.
Information security means the system of policies, procedures, and
requirements established pursuant to executive order, statute, or
regulation to protect information that, if subjected to unauthorized
disclosure, could reasonably be expected to cause damage to national
security. The term also applies to policies, procedures, and
requirements established to protect unclassified information that may
be withheld from release to the public.
Information system means an assembly of computer hardware,
software, and firmware configured for the purpose of automating the
functions of calculating, computing, sequencing, storing, retrieving,
displaying, communicating, or otherwise manipulating data, information
and textual material.
Insider means cleared contractor personnel with authorized access
to any USG or contractor resource, including personnel, facilities,
information, equipment, networks, and systems.
Insider threat means the likelihood, risk, or potential that an
insider will use his or her authorized access, wittingly or
unwittingly, to do harm to the national security of the United States.
Insider threats may include harm to contractor or program information,
to the extent that the information impacts the contractor or agency's
obligations to protect classified NSI.
Joint venture means an association of two or more persons or
entities engaged in a single defined project with all parties
contributing assets and efforts, and sharing in the management, profits
and losses, in accordance with the terms of an agreement among the
parties.
KMP means an entity's senior management official (SMO), facility
security officer (FSO), insider threat program senior official (ITPSO),
and all other entity officials who either hold majority interest or
stock in, or have
[[Page 83317]]
direct or indirect authority to influence or decide issues affecting
the management or operations of, the entity or classified contract
performance.
L access authorization means an access determination that is
granted by DOE or NRC based on a Tier 3 or successor background
investigation as set forth in applicable national-level requirements
and DOE directives. Within DOE and NRC, an ``L'' access authorization
permits an individual who has an official ``need to know'' to access
Confidential Restricted Data, Secret and Confidential Formerly
Restricted Data, Secret and Confidential Transclassified Foreign
Nuclear Information, or Secret and Confidential National Security
Information, required in the performance of official duties. An ``L''
access authorization determination is required for individuals with a
need to know outside of DOE, NRC, DoD, and in limited cases NASA, to
access Confidential Restricted Data.
LAA means security access authorization to CONFIDENTIAL or SECRET
information granted to non-U.S. citizens requiring only limited access
in the course of their regular duties.
Material means any product or substance on or in which information
is embodied.
Matter means anything in physical form that contains or reveals
classified information.
Media means physical devices or writing surfaces including but not
limited to, magnetic tapes, optical disks, magnetic disks, large-scale
integration memory chips, and printouts (but not including display
media) onto which information is recorded, stored, or printed within an
information system.
MFO means a legal entity (single proprietorship, partnership,
association, trust, or corporation) composed of two or more entities
(facilities).
National of the United States means a person who owes permanent
allegiance to the United States. All U.S. citizens are U.S. nationals;
however, not all U.S. nationals are U.S. citizens (for example, persons
born in American Samoa or Swains Island).
NATO information means information bearing NATO markings,
indicating the information is the property of NATO, access to which is
limited to representatives of NATO and its member nations unless NATO
authority has been obtained to release outside of NATO.
NATO visits means visits by personnel representing a NATO entity
and relating to NATO contracts and programs.
Need-to-know means a determination made by an authorized holder of
classified information that a prospective recipient has a requirement
for access to, knowledge of, or possession of the classified
information to perform tasks or services essential to the fulfillment
of a classified contract or program.
Network means a system of two or more information systems that can
exchange data or information.
NNPI is classified or unclassified information concerning the
design, arrangement, development, manufacture, testing, operation,
administration, training, maintenance, and repair of the propulsion
plants of naval nuclear-powered ships and prototypes, including the
associated shipboard and shore-based nuclear support facilities.
Non-DoD executive branch agencies means the non-DoD agencies that
have entered into agreements with DoD to receive NISP industrial
security services from DoD. A list of these agencies is on the Defense
Counterintelligence and Security Agency website at https://www.dcsa.mil.
Non-Federal information system is defined in 32 CFR part 2002.
NRTL means a private sector organizations recognized by the
Occupational Safety and Health Administration to perform certification
for certain products to ensure that they meet the requirements of both
the construction and general industry Occupational Safety and Health
Administration electrical standards. Each NRTL is recognized for a
specific scope of test standards.
NSI means information that has been determined pursuant to E.O.
13526 or predecessor order to require protection against unauthorized
disclosure and marked to indicate its classified status.
NTIB means the industrial bases of the United States and Australia,
Canada, and the United Kingdom.
NTIB entity means a person that is a subsidiary located in the
United States for which the ultimate parent entity and any intermediate
parent entities of such subsidiary are located in a country that is
part of the national technology and industrial base (as defined in
section 2500 of title 10, United States Code); and that is subject to
the foreign ownership, control, or influence requirements of the
National Industrial Security Program.
Nuclear weapon data means Restricted Data or Formerly Restricted
Data concerning the design, manufacture, or utilization (including
theory, development, storage, characteristics, performance and effects)
of nuclear explosives, nuclear weapons or nuclear weapon components,
including information incorporated in or related to nuclear explosive
devices. Nuclear weapon data is matter in any combination of documents
or material, regardless of physical form or characteristics.
OCA means an individual authorized in writing, either by the
President, the Vice President, or by agency heads or other officials
designated by the President, to classify information in the first
instance.
Original classification means an initial determination that
information requires, in the interest of national security, protection
against unauthorized disclosure. Only USG officials who have been
designated in writing may apply an original classification to
information.
Parent means an entity that owns at least a majority of another
entity's voting securities.
PCL means an administrative determination that an individual is
eligible, from a security point of view, for access to classified
information of the same or lower category as the level of the personnel
clearance being granted.
Prime contract means a contract awarded by a GCA to a contractor
for a legitimate USG purpose.
Prime contractor means the contractor who receives a prime contract
from a GCA.
Privileged user means a user that is authorized (and, therefore,
trusted) to perform security-relevant functions that ordinary users are
not authorized to perform.
Proscribed information means:
(1) TOP SECRET information;
(2) COMSEC information or material, excluding controlled
cryptographic items when unkeyed or utilized with unclassified keys.
(3) RD;
(4) SAP information; or.
(5) SCI.
Protective security service means a transportation protective
service provided by a cleared commercial carrier qualified by DoD's
Surface Deployment and Distribution Command to transport SECRET
shipments.
Q access authorization means an access determination that is
granted by DOE or NRC based on a Tier 5 or successor background
investigation as set forth in applicable national-level requirements
and DOE directives. Within DOE and the NRC, a ``Q'' access
authorization permits an individual with an official ``need to know''
to access Top Secret, Secret and Confidential Restricted Data, Formerly
Restricted Data, Transclassified Foreign
[[Page 83318]]
Nuclear Information, National Security Information, or special nuclear
material in Category I or II quantities, as required in the performance
of official duties. A ``Q'' access authorization is required for
individuals with a need to know outside of DOE, NRC, DoD, and in a
limited case NASA, to access Top Secret and Secret Restricted Data.
Remote terminal means a device communicating with an automated
information system from a location that is not within the central
computer facility.
Restricted area means a controlled access area established to
safeguard classified material that, because of its size or nature,
cannot be adequately protected during working hours by the usual
safeguards, but is capable of being stored during non-working hours in
an approved repository or secured by other methods approved by the CSA.
RD means all data concerning (1) design, manufacture, or
utilization of atomic weapons; (2) the production of special nuclear
material; or (3) the use of special nuclear material in the production
of energy, but does not include data declassified or removed from the
RD category pursuant to section 142 of the AEA.
SAP means any program that is established to control access and
distribution and to provide protection for particularly sensitive
classified information beyond that normally required for TOP SECRET,
SECRET, or CONFIDENTIAL information. A SAP can be created or continued
only as authorized by a senior agency official delegated such authority
pursuant to E.O. 13526.
Schedule 13D means a form required by the Securities and Exchange
Commission when a person or group of persons acquires beneficial
ownership of more than 5% of a voting class of a company's equity
securities registered under Section 12 of the ``Securities Exchange Act
of 1934'' (available at: https://www.sec.gov/fast-answers/answerssched13htm.html).
SCI means a subset of classified national intelligence concerning
or derived from intelligence sources, methods or analytical processes
that is required to be protected within formal access control systems
established by the DNI.
SECRET means the classification level applied to information, the
unauthorized disclosure of which reasonably could be expected to cause
serious damage to the national security that the OCA is able to
identify or describe.
Security in depth means a determination made by the CSA that a
contractor's security program consists of layered and complementary
security controls sufficient to deter and detect unauthorized entry and
movement within the facility. Examples include, but are not limited to,
use of perimeter fences, employee and visitor access controls, use of
an Intrusion Detection System (IDS), random guard patrols throughout
the facility during nonworking hours, closed circuit video monitoring,
or other safeguards that mitigate the vulnerability of open storage
areas without alarms and security storage cabinets during nonworking
hours.
Security violation means failure to comply with the policy and
procedures established by this part that reasonably could result in the
loss or compromise of classified information.
Shipper means one who releases custody of material to a carrier for
transportation to a consignee. (See also ``Consignor.'')
SMO is the contractor's official responsible for the entity policy
and strategy. The SMO is an entity employee occupying a position in the
entity with ultimate authority over the facility's operations and the
authority to direct actions necessary for the safeguarding of
classified information in the facility. This includes the authority to
direct actions necessary to safeguard classified information when the
access to classified information by the facility's employees is solely
at other contractor facilities or USG locations.
Source document means an existing document that contains classified
information that is incorporated, paraphrased, restated, or generated
in new form into a new document.
Standard practice procedures means a document prepared by a
contractor that implements the applicable requirements of this rule for
the contractor's operations and involvement with classified information
at the contractor's facility.
Subcontract means any contract entered into by a contractor to
furnish supplies or services for performance of a prime contract or a
subcontract. It includes a contract, subcontract, purchase order, lease
agreement, service agreement, request for quotation (RFQ), request for
proposal (RFP), invitation for bid (IFB), or other agreement or
procurement action between contractors that requires or will require
access to classified information to fulfill the performance
requirements of a prime contract.
Subcontractor means a supplier, distributor, vendor, or firm that
enters into a contract with a prime contractor to furnish supplies or
services to or for the prime contractor or another subcontractor. For
the purposes of this rule, each subcontractor will be considered as a
prime contractor in relation to its subcontractors.
Subsidiary means an entity in which another entity owns at least a
majority of its voting securities.
System software means computer programs that control, monitor, or
facilitate use of the information system; for example, operating
systems, programming languages, communication, input-output controls,
sorts, security packages, and other utility-type programs. Also
includes off-the-shelf application packages obtained from manufacturers
and commercial vendors, such as for word processing, spreadsheets, data
base management, graphics, and computer-aided design.
Technical data means:
(1) Information, other than software, which is required for the
design, development, production, manufacture, assembly, operation,
repair, testing, maintenance or modification of defense articles. This
includes information in the form of blueprints, drawings, photographs,
plans, instructions or documentation.
(2) Classified information relating to defense articles and defense
services on the U.S. Munitions List and 600-series items controlled by
the Commerce Control List.
(3) Information covered by an invention secrecy order.
(4) Software directly related to defense articles.
TFNI means classified information concerning the nuclear energy
programs of other nations (including subnational entities) removed from
the RD category under section 142(e) of the AEA after the DOE and the
Director of National Intelligence jointly determine that it is
necessary to carry out intelligence-related activities under the
provisions of the National Security Act of 1947, as amended, and that
it can be adequately safeguarded as NSI instead. This includes
information removed from the RD category by past joint determinations
between DOE and the CIA. TFNI does not include information transferred
to the United States under an Agreement for Cooperation under the
Atomic Energy Act or any other agreement or treaty in which the United
States agrees to protect classified information.
TOP SECRET means the classification level applied to information,
the unauthorized disclosure of which reasonably could be expected to
cause exceptionally grave damage to the national security that the OCA
is able to identify or describe.
[[Page 83319]]
Transmission means sending information from one place to another by
radio, microwave, laser, or other non-connective methods, as well as by
cable, wire, or other connective medium. Transmission also includes
movement involving the actual transfer of custody and responsibility
for a document or other classified material from one authorized
addressee to another.
Transshipping activity means a government activity to which a
carrier transfers custody of freight for reshipment by another carrier
to the consignee.
UK community consists of the UK Government entities with facilities
and UK non-governmental facilities identified on the DDTC website
(https://www.pmddtc.state.gov/) at the time of export.
Unauthorized person means a person not authorized to have access to
specific classified information in accordance with the requirements of
this rule.
United States means the 50 states and the District of Columbia.
United States and its territorial areas means the 50 states, the
District of Columbia, Puerto Rico, Guam, American Samoa, the Virgin
Islands, Wake Island, Johnston Atoll, Kingman Reef, Palmyra Atoll,
Baker Island, Howland Island, Jarvis Island, Midway Islands, Navassa
Island, and Northern Mariana Islands.
Upgrade means a determination that certain classified information,
in the interest of national security, requires a higher degree of
protection against unauthorized disclosure than currently provided,
coupled with a change to the classification designation to reflect the
higher degree.
U.S. classified cryptographic information means a cryptographic key
and authenticators that are classified and are designated as TOP SECRET
CRYPTO or SECRET CRYPTO. This means all cryptographic media that
embody, describe, or implement classified cryptographic logic, to
include, but not limited to, full maintenance manuals, cryptographic
descriptions, drawings of cryptographic logic, specifications
describing a cryptographic logic, and cryptographic software, firmware,
or repositories of such software such as magnetic media or optical
disks.
U.S. person means a United States citizen, an alien known by the
intelligence agency concerned to be a permanent resident alien, an
unincorporated association substantially composed of United States
citizens or permanent resident aliens, or a corporation incorporated in
the United States, except for a corporation directed and controlled by
a foreign government or governments.
Voting securities means any securities that presently entitle the
owner or holder thereof to vote for the election of directors of the
issuer or, with respect to unincorporated entities, individuals
exercising similar functions.
Working hours means the period of time when:
(1) There is present in the specific area where classified material
is located, a work force on a regularly scheduled shift, as contrasted
with employees working within an area on an overtime basis outside of
the scheduled work shift; and
(2) The number of employees in the scheduled work force is
sufficient in number and so positioned to be able to detect and
challenge the presence of unauthorized personnel. This would,
therefore, exclude janitors, maintenance personnel, and other
individuals whose duties require movement throughout the facility.
Working papers means documents or materials, regardless of the
media, which are expected to be revised prior to the preparation of a
finished product for dissemination or retention.
Sec. 117.4 Policy.
E.O. 12829 established the NISP to serve as a single, integrated,
cohesive industrial security program to protect classified information
and preserve our Nation's economic and technological interests.
(a) When contracts, licenses, agreements, and grants to contractors
require access to classified information, national security requires
that this information be safeguarded in a manner equivalent to its
protection within the executive branch of the USG.
(b) National security requires that the industrial security program
promote the economic and technological interests of the United States.
Redundant, overlapping, or unnecessary requirements impede those
interests.
Sec. 117.5 Information collections.
The information collection requirements are:
(a) Standard Form (SF) 328 ``Certificate Pertaining to Foreign
Interest'' (available at: https://www.gsa.gov/forms-library/certificate-pertaining-foreign-interests) in Sec. 117.8 and Sec.
117.11, is assigned Office of Management and Budget (OMB) Control
Number 0704-0579. The expiration date of this information collection is
listed in the DoD Information Collections System at https://apps.sp.pentagon.mil/sites/dodiic/Pages/default.aspx.
(b) NRC collection. ``Facility Security Clearance and Safeguarding
of National Security Information and Restricted Data,'' is assigned OMB
Control Number: 3150-0047. Under this collection, NRC-regulated
facilities and other organizations are required to provide information
and maintain records to ensure that an adequate level of protection is
provided to NRC-classified information and material.
(c) DOE collection. ``Security,'' a NISP CSA information
collection, is assigned OMB Control Number: 1910-1800. This information
collection, which includes facility security clearance information, is
used by the DOE to exercise management, oversight, and control over its
contractors' management and operation of DOE's Government-owned
contractor-operated facilities, and over its offsite contractors. The
contractor management, oversight, and control functions relate to the
ways in which DOE contractors provide goods and services for DOE
organizations and activities in accordance with the terms of their
contracts and the applicable statutory, regulatory, and mission support
requirements of the Department. Information collected from private
industry and private individuals is used to protect national security
and critical assets entrusted to the Department.
(d) DoD collection. ``DoD Security Agreement,'' is assigned OMB
Control Number: 0704-0194. ``National Industrial Security System,'' a
CSA information collection, is assigned OMB Control Number: 0704-0571,
and is a DoD information collection used to conduct its monitoring and
oversight of contractors. Department of Defense ``Contract Security
Classification Specification,'' (available at: https://www.esd.whs.mil/Portals/54/Documents/DD/forms/dd/dd0254.pdf and available at: https://www.dcsa.mil/is/nccs/), is assigned OMB Control Number 0704-0567 and
used by both DoD and agencies which have an industrial security
agreement with DoD. ``Defense Information System for Security,'' is
assigned OMB Control Number: 0704-0573. Defense Information System for
Security is a DoD automated system for personnel security, providing a
common, comprehensive medium to record, document, and identify personal
security actions within DoD including submitting adverse information,
verification of security clearance status, requesting investigations,
and supporting continuous evaluation activities. It requires personal
data collection to facilitate the initiation, investigation and
adjudication of information relevant to DoD security clearances and
employment suitability
[[Page 83320]]
determinations for active duty military, civilian employees and
contractors seeking such credentials. Joint Personnel Adjudicative
System is assigned OMB Control Number: 0704-0496. Joint Personnel
Adjudicative System is an information system which requires personal
data collection to facilitate the initiation, investigation and
adjudication of information relevant to DoD security clearances and
employment suitability determinations for active duty military,
civilian employees and contractors seeking such credentials.
Sec. 117.6 Responsibilities.
(a) Under Secretary of Defense for Intelligence & Security
(USD(I&S)). The USD(I&S), on behalf of the Secretary of Defense, and in
accordance with E.O. 12829, 32 CFR part 2004, and DoDI 5220.22:
(1) Carries out the direction in section 201 of E.O. 12829 that the
Secretary of Defense issue and maintain this rule and changes to it.
The USD(I&S) does so in consultation with all affected agencies (E.O.
12829 section 201), with the concurrence of the Secretary of Energy,
the Chairman of the NRC, the DNI, and the Secretary of Homeland
Security (E.O.12829 section 201), and in consultation with the ISOO
Director (E.O. 12829 section 102).
(2) Acts as the CSA for DoD.
(3) Provides policy and management of the NISP for non-DoD
executive branch agencies who enter into inter-agency security
agreements with DoD to provide industrial security services required
when classified information is disclosed to contractors in accordance
with E.O. 12829, as amended.
(b) Director, DCSA. Under the authority, direction, and control of
the USD(I&S), and in accordance with DoDI 5220.22 and DoD Directive
(DoDD) 5105.42, ``Defense Security Service (DSS)'' \1\ (available at:
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/510542p.pdf?ver=2019-01-14-090012-283) the Director, DCSA:
---------------------------------------------------------------------------
\1\ On June 20, 2020, the Secretary of Defense re-named the
Defense Security Service (DSS) as the Defense Counterintelligence
and Security Agency (DCSA), as required by Executive Oder 13467,
section 2.6(b)(i) (as amended by Executive Order 13968, Apr. 24,
2019, 84 FR 18125). Pursuant to Section 4 of E.O. 13968, references
to DSS in DoD issuances should be deemed or construed to refer to
DCSA.
---------------------------------------------------------------------------
(1) Oversees and manages DCSA, which serves as the DoD CSO.
(2) Administers the NISP as a separate program element on behalf of
DoD GCAs and those agencies with agreements with DoD for security
services.
(3) Provides security oversight of the NISP as the DoD CSO on
behalf of DoD components and those non-DoD executive branch agencies
who enter into agreements with DoD as noted in paragraph (a)(3) of this
section. The Director, DCSA, will be relieved of this oversight
function for DoD special access programs (SAPs) when the Secretary of
Defense or the Deputy Secretary of Defense approves a carve-out
provision in accordance with DoDD 5205.07, ``DoD SAP Policy''
(available at: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/520507p.pdf?ver=2020-02-04-142942-827).
(c) Secretary of Energy. In addition to the responsibilities in
paragraph (h) of this section, the Secretary of Energy:
(1) Prescribes procedures for the portions of this rule pertaining
to information classified under the AEA (i.e., RD, FRD, and TFNI), as
nothing in the rule shall be construed to supersede the authority of
the Secretary of Energy under the AEA.
(2) Retains authority over access to information classified under
the AEA.
(3) Inspects and monitors contractor, licensee, certificate holder,
and grantee programs and facilities that involve access to information
classified under the AEA, as necessary.
(d) Chairman of the NRC. In addition to the responsibilities in
paragraph (h) of this section, the Chairman of the NRC:
(1) Prescribes procedures for the portions of this rule that
pertain to information under NRC programs classified under the AEA,
other federal statutes, and executive orders.
(2) Retains authority over access to information under NRC programs
classified under the AEA, other federal statutes, and executive orders.
(3) Inspects and monitors contractor, licensee, certificate holder,
and grantee programs and facilities that involve access to information
under NRC programs classified pursuant to the AEA, other federal
statutes, and executive orders where appropriate.
(e) DNI. In addition to the responsibilities in paragraph (h) of
this section, the DNI:
(1) Prescribes procedures for the portions of this rule pertaining
to intelligence sources, methods, and activities, including, but not
limited to, SCI.
(2) Retains authority over access to intelligence sources, methods,
and activities, including SCI.
(3) Provides guidance on the security requirements for intelligence
sources and methods of information, including, but not limited to, SCI.
(f) Secretary of Homeland Security. In accordance with E.O. 12829,
E.O. 13691, and in addition to the responsibilities in paragraph (h) of
this section, the Secretary of Homeland Security:
(1) Prescribes procedures for the portions of this rule that
pertain to the CCIPP.
(2) Retains authority over access to information under the CCIPP.
(3) Inspects and monitors contractor, licensee, certificate holder,
and grantee programs and facilities that involve access to CCIPP.
(g) All the CSA heads. The CSA heads:
(1) Oversee the security of classified contracts and activities
under their purview.
(2) Provide oversight of contractors under their security
cognizance.
(3) Minimize redundant and duplicative security review and audit
activities of contractors, including such activities conducted at
contractor locations where multiple CSAs have equities.
(4) Execute appropriate intra-agency and inter-agency agreements to
avoid redundant and duplicate reviews.
(5) Designate one or more CSOs for security administration.
(6) Designate subordinate officials, in accordance with governing
policies, to act as the authorizing official. Authorizing officials
will:
(i) Assess and authorize contractors to process classified
information on information systems.
(ii) Conduct oversight of such information system processing and
provide information system security guidelines in accordance with
Federal information system security control policies, standards, and
procedures. Minimize redundant and duplicative security review and
audit activity of contractors, including such activity conducted at
contractor locations where multiple CSAs have equities.
(h) Heads of component agencies. In accordance with applicable CSA
direction, the component agency heads:
(1) Oversee compliance with procedures identified by the applicable
CSA or designated CSO.
(2) Provide oversight of contractor personnel visiting or working
on USG installations.
(3) Promptly apprise the CSO of information received or developed
that could adversely affect a cleared contractor, licensee, or grantee,
and their employees, to hold an FCL or PCL, or that otherwise raises
substantive doubt about their ability to safeguard classified
information entrusted to them.
(4) Propose changes to this rule as deemed appropriate and provide
them
[[Page 83321]]
to the applicable CSA for submission to the OUSD(I&S)
Counterintelligence, Law Enforcement and Security Directorate.
(i) Director, ISOO. The Director, ISOO:
(1) Oversees the NSIP and agency compliance with it, in accordance
with E.O. 12829.
(2) Issues and maintains the NISP implementing directive (32 CFR
part 2004), in accordance with E.O. 12829, to provide guidance to the
CSAs and USG agencies under the NISP.
(3) Chairs the NISP Policy Advisory Committee. Addresses complaints
and suggestions from contractors, as detailed in the NISP Policy
Advisory Committee bylaws.
Sec. 117.7 Procedures.
(a) General. Contractors will protect all classified information
that they are provided access to or that they possess. This
responsibility applies at both contractor and USG locations.
(b) Contractor Security Officials. Contractors will appoint
security officials who are U.S. citizens, except in exceptional
circumstances (see Sec. 117.9(m) and Sec. 117.11(e)).
(1) Appointed security officials listed in paragraphs (b)(2),
(b)(3), and (b)(4) of this section must:
(i) Oversee the implementation of the requirements of this rule.
Depending upon the size and complexity of the contractor's security
operations, a single contractor employee may serve in more than one
position.
(ii) Undergo the same security training that is required for all
other contractor employees pursuant to Sec. 117.12, in addition to
their position specific training.
(iii) Be designated in writing with their designation documented in
accordance with CSA guidance.
(iv) Undergo a personnel security investigation and national
security eligibility determination for access to classified information
at the level of the entity's eligibility determination for access to
classified information (e.g., FCL level) and be on the KMP list for the
cleared entity.
(2) SMO. The SMO will:
(i) Ensure the contractor maintains a system of security controls
in accordance with the requirements of this rule.
(ii) Appoint a contractor employee or employees, in writing, as the
FSO and appoint the same employee or a different employee as the ITPSO.
The SMO may appoint a single employee for both roles or may appoint one
employee as the FSO and a different employee as the ITPSO.
(iii) Remain fully informed of the facility's classified
operations.
(iv) Make decisions based on classified threat reporting and their
thorough knowledge, understanding, and appreciation of the threat
information and the potential impacts caused by a loss of classified
information.
(v) Retain accountability for the management and operations of the
facility without delegating that accountability to a subordinate
manager.
(3) FSO. The FSO will:
(i) Supervise and direct security measures necessary for
implementing the applicable requirements of this rule and the related
USG security requirements to ensure the protection of classified
information.
(ii) Complete security training pursuant to Sec. 117.12 and as
deemed appropriate by the CSA.
(4) ITPSO. The ITPSO will establish and execute an insider threat
program.
(i) If the appointed ITPSO is not also the FSO, the ITPSO will
ensure that the FSO is an integral member of the contractor's insider
threat program.
(ii) The ITPSO will complete training pursuant to Sec. 117.12.
(iii) An entity family may choose to establish an entity family-
wide insider threat program with one senior official appointed, in
writing, to establish, and execute the program as the ITPSO. Each
cleared entity using the entity-wide ITPSO must separately appoint that
person as its ITPSO for that facility. The ITPSO will provide an
implementation plan to the CSA for executing the insider threat program
across the entity family.
(5) ISSM. Contractors who are, or will be, processing classified
information on an information system located at the contractor facility
will appoint an employee to serve as the ISSM. The ISSM must be
eligible for access to classified information to the highest level of
the information processed on the system(s) under their responsibility.
The contractor will ensure that the ISSM is adequately trained and
possesses technical competence commensurate with the complexity of the
contractor's classified information system. The contractor will notify
the applicable CSA if there is a change in the ISSM. The ISSM will
oversee development, implementation, and evaluation of the contractor's
classified information system program. ISSM responsibilities are in
Sec. 117.18.
(6) Employees performing security duties. Those employees whose
official duties include performance of NISP-related security functions
will complete security training tailored to the security functions
performed. This training requirement also applies to consultants whose
official duties include security functions.
(c) Other KMP. In addition to the SMO, the FSO, and the ITPSO, the
contractor will include on the KMP list, subject to CSA concurrence,
any other officials who either hold majority interest or stock in the
entity, or who have direct or indirect authority to influence or decide
issues affecting the management or operations of the contractor or
issues affecting classified contract performance. The CSA may either:
(1) Require these KMP to be determined to be eligible for access to
classified information as a requirement for the entity's eligibility
determination or;
(2) Allow the entity to formally exclude these KMP from access to
classified information. The entity's governing board will affirm the
exclusion by issuing a formal action (see table), and provide a copy of
the exclusion action to the CSA. The entity's governing board will
document this exclusion action.
Table 1 to Paragraph (c)(2)--Exclusion Resolutions
------------------------------------------------------------------------
Type of affirmation Language to be used in exclusion action
------------------------------------------------------------------------
Affirmation for Exclusion [Insert name and address of entity or
from Access to Classified name and position of officer, director,
Information. partner, or similar entity official or
officials] will not require, will not
have, and can be effectively and
formally excluded from, access to all
classified information disclosed to the
entity and does not occupy a position
that would enable them to adversely
affect the organization's policies or
practices in the performance of
classified contracts.
[[Page 83322]]
Affirmation for Exclusion [Insert name and address of entity or
from Higher-level Classified name and position of officer, director,
Information. partner, or similar entity official or
officials] will not require, will not
have, and can be effectively and
formally excluded from access to [insert
SECRET or TOP SECRET] classified
information and does not occupy a
position that would enable them to
adversely affect the organization's
policies or practices in the performance
of [insert SECRET or TOP SECRET]
classified contracts.
------------------------------------------------------------------------
(d) Insider Threat Program. Pursuant to this rule and CSA provided
guidance to supplement unique CSA mission requirements, the contractor
will establish and maintain an insider threat program to gather,
integrate, and report relevant and available information indicative of
a potential or actual insider threat, consistent with E.O. 13587 and
Presidential Memorandum ``National Insider Threat Policy and Minimum
Standards for Executive Branch Insider Threat Programs.''
(e) Standard practice procedures. The contractor will implement all
applicable provisions of this rule at each of its cleared facility
locations. The contractor will prepare written procedures when the CSA
determines them to be necessary to reasonably exclude the possibility
of loss or compromise of classified information, and in accordance with
additional CSA-provided guidance, as applicable.
(f) Cooperation with Federal agencies. Contractors will cooperate
with Federal agencies and their officially credentialed USG or
contractor representatives during official reviews, investigations
concerning the protection of classified information, or personnel
security investigations of present or former employees and others
(e.g., consultants or visitors). At a minimum, cooperation includes:
(1) Providing suitable arrangements within the facility for
conducting private interviews with employees during normal working
hours;
(2) Providing, when requested, relevant employment or personnel
files, security records, supervisory files, records pertinent to
insider threat (e.g., security, cybersecurity, and human resources) and
any other records pertaining to an individual under investigation that
are, in the possession or control of the contractor or the contractor's
representatives or located in the contractor's offices;
(3) Providing access to employment and security records that are
located at an offsite location; and
(4) Rendering other necessary assistance.
(g) Security training and briefings. Contractors will advise all
cleared employees, including those assigned to USG locations or
operations outside the United States, of their individual
responsibility for classification management and for safeguarding
classified information. Contractors will provide security training to
cleared employees consisting of initial briefings, refresher briefings,
and debriefings in accordance with Sec. 117.12.
(h) Security reviews--(1) USG reviews. The applicable CSA will
conduct recurring oversight reviews of contractors' NISP security
programs to verify that the contractor is protecting classified
information and implementing the provisions of this rule. The
contractor's participation in the security review is required for
maintaining the entity's eligibility for access to classified
information.
(i) Review cycle. The CSA will determine the scope and frequency of
security reviews, which may be increased or decreased consistent with
risk management principles.
(ii) Procedures. (A) The CSA will generally provide notice to the
contractor of a forthcoming review, but may also conduct unannounced
reviews at its discretion. The CSA security review may subject
contractor employees and all areas and receptacles under the control of
the contractor to examination.
(B) The CSA will make every effort to avoid unnecessary intrusion
into the personal effects of contractor personnel.
(C) The CSA may conduct physical examinations of the interior space
of containers not authorized to secure classified material. Such
examinations will always be accomplished in the presence of a
representative of the contractor.
(iii) Controlled unclassified information (CUI). 32 CFR part 2002
requires agencies to implement CUI requirements, but compliance with
CUI requirements is outside the scope of the NISP and this rule.
However, CSAs may conduct CUI assessments in conjunction with NISP USG
reviews when:
(A) The contractor is a participant in the NISP based on a
requirement to access classified information;
(B) A classified contract under the CSA's cognizance includes
provisions for access to, or protection or handling of, CUI; and
(C) The CSA has provided the contractor with specific guidance
regarding the assessment criteria and methodology it will use for
overseeing protection of the CUI being accessed, stored or transmitted
by the contractor as part of the classified contract.
(2) Contractor reviews. Contractors will review their security
programs on a continuing basis and conduct a formal self-inspection at
least annually and at intervals consistent with risk management
principles.
(i) Self-inspections will include the review of the classified
activity, classified information, classified information systems,
conditions of the overall security program, and the insider threat
program. They will have sufficient scope, depth, and frequency, and
will have management support during the self-inspection and during
remedial actions taken as a result of the self-inspection. Self-
inspections will include the review of samples representing the
contractor's derivative classification actions, as applicable.
(ii) The contractor will prepare a formal report describing the
self-inspection, its findings, and its resolution of issues discovered
during the self-inspection. The contractor will retain the formal
report for CSA review until after the next CSA security review is
completed.
(iii) The SMO at the cleared facility will annually certify to the
CSA, in writing, that a self-inspection has been conducted, that other
KMP have been briefed on the results of the self-inspection, that
appropriate corrective actions have been taken, and that management
fully supports the security program at the cleared facility in the
manner as described in the certification.
(i) Contractors working at USG locations. Contractor employees
performing work within the confines of a USG facility will safeguard
classified information according to the procedures of the host
installation or agency.
(j) Hotlines. Federal agencies maintain hotlines to provide an
unconstrained avenue for USG and contractor employees to report,
without fear of reprisal, known or suspected instances
[[Page 83323]]
of security irregularities and infractions concerning contracts,
programs, or projects. These hotlines do not supplant the contractor's
responsibility to facilitate reporting and timely investigations of
security issues concerning its operations or personnel. Contractor
personnel are encouraged to report information through established
contractor channels. The hotline may be used as an alternate means to
report this type of information. Contractors will inform all personnel
that hotlines may be used for reporting issues of national security
significance. Each CSA will post hotline information and telephone
numbers on their websites for contractor access.
(k) Agency agreements. 32 CFR part 2004 and E.O. 12829 require non-
CSA agency heads to enter into agreements with the Secretary of Defense
as the Executive Agent for the NISP to provide industrial security
services. The Secretary of Defense may also enter into agreements to
provide services for other CSA's in accordance with 32 CFR part 2004
and E.O. 12829. Agency agreements establish the terms of the Secretary
of Defense's (or the Secretary of Defense's designee's)
responsibilities when acting as the CSA on behalf of these agency
heads. The list of agencies for which the Secretary of Defense has
agreed to render industrial security services is on the DCSA website at
https://www.dcsa.mil.
(l) Security cognizance. The CSA will inform contractors if
oversight has been delegated to a CSO.
(m) Rule interpretations. Contractors will forward requests for
interpretations of this rule to their CSA in accordance with their CSA-
provided guidance to supplement unique CSA mission requirements.
(n) Waivers to this rule. Contractors will submit any requests to
waive provisions of this rule in accordance with CSA procedures, which
may include periodic review of approved waivers. When submitting a
request for a waiver, the contractor will, in writing, explain why it
is impractical or unreasonable for the contractor to comply with the
requirement it is asking to waive, identify alternative measures as
prescribed by this rule, and include a proposed duration for the
waiver. The contractor cannot implement a waiver unless the waiver is
approved by the applicable CSA.
(o) Complaints and suggestions. Contractors may forward NISP
administration complaints and suggestions to the Director of ISOO.
However, contractors are encouraged to forward NISP administration
complaints and suggestions to their respective CSA prior to forwarding
to the ISOO.
Table 2 to Paragraph (o) NISP Administration Complaints and Suggestions
----------------------------------------------------------------------------------------------------------------
Addressee Mailing address Telephone No. Facsimile Email address
----------------------------------------------------------------------------------------------------------------
Director, ISOO, National 700 Pennsylvania 202-357-5250 202-357-5907 [email protected].
Archives and Records Avenue NW, Room
Administration. 100, Washington,
DC 20408-0001.
----------------------------------------------------------------------------------------------------------------
Sec. 117.8 Reporting requirements.
(a) General. Pursuant to this rule, Security Executive Agent
Directive (SEAD) 3, (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-Reporting-U.pdf) and CSA-provided guidance
to supplement unique CSA mission requirements, contractors and their
cleared employees are required to:
(1) Report certain events that may have an effect on the status of
the entity's or an employee's eligibility for access to classified
information; report events that indicate an insider threat to
classified information or to employees with access to classified
information; report events that affect proper safeguarding of
classified information; and report events that indicate classified
information has been, or is suspected to be, lost or compromised.
(2) Establish internal procedures to ensure employees with
eligibility for access to classified information are aware of their
responsibilities for reporting pertinent information to the FSO. The
contractor will:
(i) Provide reports to the FBI, or other Federal authorities as
required by this rule, the terms of a classified contract or other
agreement, and by U.S. law.
(ii) Provide complete information to enable the CSA to ascertain
whether classified information is adequately protected.
(iii) Submit reports to the FBI, the CSA, or the ISOO as specified
in paragraphs (b), (c), and (g) of this section.
(3) Appropriately mark reports containing classified information in
accordance with Sec. 117.14.
(4) Clearly mark a report containing information submitted in
confidence as containing that information. When reports contain
information pertaining to an individual, 5 U.S.C. 552a (also known as
and referred to in this rule as ``The Privacy Act of 1974, as
amended,'') permits the withholding of certain information from the
individual in accordance with specific exemptions, which include
authority to withhold release of information to the extent that the
disclosure of the information would reveal the identity of a source who
furnished the information to the USG under an express promise that the
identity of the source would be held in confidence.
(b) Reports to be submitted to the FBI. The contractor will
promptly submit a written report to the nearest field office of the FBI
regarding information coming to the contractor's attention concerning
actual, probable, or possible espionage, sabotage, terrorism, or
subversive activities at any of its locations.
(1) An initial report may be made by phone, but it must be followed
up in writing (e.g., email or formal correspondence), regardless of the
FBI's disposition of the report.
(2) The contractor will promptly notify the CSA when they make a
report to the FBI and provide the CSA a copy of the written report.
(c) Reports to be submitted to the CSA.--(1) Adverse information.
Contractors are required to report adverse information coming to their
attention concerning any of their employees determined to be eligible
for access to classified information, in accordance with this rule,
SEAD 3, and CSA-provided guidance. Contractors will not make reports
based on rumor or innuendo.
(i) The termination of employment of an employee does not negate
the requirement to submit this report. If a contractor employee is
assigned to a USG location, the contractor will furnish a copy of the
report and its final disposition to the USG security point of contact
for that location.
(ii) Pursuant to Becker v. Philco, 372 F.2d 771 (4th Cir. 1967),
cert. denied 389 U.S. 979 (1967), and subsequent cases, a contractor
may not be liable for defamation of an employee because of
communications that are required of and made by a contractor to an
agency of the United States under the requirements of this rule or
under the terms of applicable contracts.
[[Page 83324]]
(2) Suspicious contacts. Contractors will report information
pertaining to suspicious contacts with employees determined to be
eligible for access to classified information, and pertaining to
efforts to obtain illegal or unauthorized access to the contractor's
cleared facility by any means, including:
(i) Efforts by any individual, regardless of nationality, to obtain
illegal or unauthorized access to classified information.
(ii) Efforts by any individual, regardless of nationality, to
elicit information from an employee determined eligible for access to
classified information, and any contact which suggests the employee may
be the target of an attempted exploitation by an intelligence service
of another country. See SEAD 3 for specific information to be reported.
(3) Change in status of employees determined eligible for access to
classified information. Contractors will report by means of the CSA-
designated reporting mechanism information pertaining to changes in
status of employees determined eligible for access to classified
information such as:
(i) Death.
(ii) Change in name.
(iii) Termination of employment.
(iv) Change in citizenship.
(4) Citizenship by naturalization. Contractors will report if a
non-U.S. citizen employee granted an LAA becomes a citizen through
naturalization. The report will include:
(i) City, county, and state where naturalized.
(ii) Date naturalized.
(iii) Court.
(iv) Certificate number.
(5) Employees desiring not to be processed for a national security
eligibility determination or not to perform classified work.
Contractors will report instances when an employee no longer wishes to
be processed for a determination of eligibility for access to
classified information or to continue having access to classified
information, and the reason for that request.
(6) Classified information nondisclosure agreement (NDA).
Contractors will report the refusal by an employee to sign the SF 312,
``Classified Information Nondisclosure Agreement,'' (available at:
https://www.gsa.gov/cdnstatic/SF312-13.pdf?forceDownload=1) or other
approved NDA.
(7) Changed conditions affecting the contractor's eligibility for
access to classified information. Contractors are required to report
certain events that affect the status of the entity eligibility
determination (e.g., FCL), affect the status of an employee's PCL, may
indicate an employee poses an insider threat, affect the proper
safeguarding of classified information, or indicate classified
information has been lost or compromised, including:
(i) Change of ownership or control of the contractor, including
stock transfers that affect control of the entity.
(ii) Change of operating name or address of the entity or any of
its locations determined eligible for access to classified information.
(iii) Any change to the information previously submitted for KMP
including, as appropriate, the names of the individuals the contractor
is replacing. A new complete KMP listing need be submitted only at the
discretion of the contractor or when requested by the CSA. The
contractor will provide a statement indicating:
(A) Whether the new KMP are cleared for access to classified
information, and if cleared, to what level they are cleared and when
they were cleared, their dates and places of birth, social security
numbers, and citizenship.
(B) Whether they have been excluded from access to classified
information in accordance with Sec. 117.7(b)(5)(ii).
(C) Whether they have been temporarily excluded from access to
classified information pending the determination of eligibility for
access to classified information in accordance with Sec. 117.9(g).
(iv) Any action to terminate business or operations for any reason,
imminent adjudication or reorganization in bankruptcy, or any change
that might affect the validity of the contractor's eligibility for
access to classified information.
(v) Any material change concerning the information previously
reported concerning foreign ownership, control, or influence (FOCI).
This report will be made by the submission of an updated SF 328,
``Certificate Pertaining to Foreign Interests,'' in accordance with
CSA-provided guidance. When submitting this information, it is not
necessary to repeat answers that have not changed. When entering into
discussion, consultations, or agreements that may reasonably lead to
effective ownership or control by a foreign interest, the contractor
will report the details to the CSA in writing. If the contractor has
received a Schedule 13D from the investor, the contractor will forward
a copy with the report.
(8) Changes in storage capability. The contractor will report any
changes in their storage requirement or capability to safeguard
classified material.
(9) Inability to safeguard classified material. The contractor will
report any emergency situation that renders their location incapable of
safeguarding classified material as soon as possible.
(10) Unsatisfactory conditions of a prime or subcontractors. (i)
Prime contractors, including subcontractors who have in turn
subcontracted work, will report any information coming to their
attention that may indicate that classified information cannot be
adequately protected by a subcontractor, or other circumstances that
may impact the validity of the eligibility for access to classified
information of any subcontractors.
(ii) Subcontractors will report any information coming to their
attention that may indicate that classified information cannot be
adequately protected or other circumstances that may impact the
validity of the eligibility for access to classified information of
their prime contractor.
(11) Dispositioned material previously terminated. The contractor
will make a report when the location or disposition of material
previously terminated from accountability is subsequently discovered
and brought back into accountability.
(12) Foreign classified contracts. Contractors will report any pre-
contract negotiation or award not placed through a CSA or U.S. GCA that
involves, or may involve:
(i) The release or disclosure of U.S. classified information to a
foreign interest.
(ii) Access to classified information furnished by a foreign
interest.
(13) Reporting of improper receipt of foreign government material.
The contractor will report to the CSA the receipt of classified
material from foreign interests that is not received through USG
channels.
(14) Reporting by subcontractor. Subcontractors will also notify
their prime contractors if they make any reports to their CSA in
accordance with the provisions of paragraphs (c)(7) through (c)(10) of
this section.
(d) Reports of loss, compromise, or suspected compromise. The
contractor will report any loss, compromise, or suspected compromise of
classified information, U.S. or foreign, to the CSA in accordance with
paragraph (d)(1) through (d)(3) of this section. Each CSA may provide
additional guidance concerning the reporting time period. If the
contractor is located on a USG facility, the contractor will submit the
report to the CSA and to the head of the USG facility.
(1) Preliminary inquiry. Immediately upon receipt of a security
violation report involving classified information, the contractor will
initiate a preliminary
[[Page 83325]]
inquiry to ascertain all of the circumstances surrounding the presumed
loss, compromise, or suspected compromise, including validation of the
classification of the information.
(2) Initial report. If the contractor's preliminary inquiry
confirms that a loss, compromise, or suspected compromise of any
classified information occurred, the contractor will promptly submit an
initial report of the incident unless otherwise notified by the CSA.
(3) Final report. When the investigation has been completed, the
contractor will submit a final report to the CSA which, in turn, will
follow CSA procedures to notify the applicable GCA. The report will
include:
(i) Material and relevant information that was not included in the
initial report.
(ii) The full name and social security number of the individual or
individuals primarily responsible for the incident, including a record
of prior loss, compromise, or suspected compromise for which the
individual had been determined responsible.
(iii) A statement of the corrective action taken to preclude a
recurrence.
(iv) Disciplinary action taken against the responsible individual
or individuals, if any.
(v) Specific reasons for reaching the conclusion that loss,
compromise, or suspected compromise occurred or did not occur.
(4) Employee information in compromise cases. When requested by the
CSA, the contractor will report information concerning an employee or
other individual, determined to be responsible for the incident, when
the information is needed by the CSA for the loss, compromise, or
suspected compromise of classified information.
(e) Individual culpability reports. Contractors will establish and
enforce policies that provide for appropriate administrative or
disciplinary actions taken against employees who violate the
requirements of this rule.
(1) Contractors will establish a system to manage and track
information regarding employees with eligibility for access to
classified information who violate the requirements of this rule in
order to be able to identify patterns of negligence or carelessness, or
to identify a potential insider threat.
(2) Contractors will establish and apply a graduated scale of
administrative and disciplinary actions in the event of employee
security violations or negligence in the handling of classified
information. CSAs may provide guidance to contractors with examples of
administrative or disciplinary actions that the contractor may consider
implementing in the event of employee violations or negligence.
Contractors are required to submit a final report to the CSA with the
findings of an employee's culpability and what corrective actions were
taken.
(3) Contractors will include a statement of the administrative or
disciplinary actions taken against an employee in a final report to the
CSA. A statement must be included when the individual responsible for a
security violation can be determined. Contractors' final reports will
indicate whether one or more of the following factors are evident:
(i) Involved a deliberate disregard of security requirements.
(ii) Involved negligence in the handling of classified material.
(iii) Was not deliberate in nature but reflects a recent or
recurring pattern of questionable judgment, irresponsibility,
negligence, or carelessness.
(f) CDC cyber incident reports. This paragraph applies only to CDCs
and sets forth reporting requirements pursuant to 10 U.S.C. 391 and 393
and Defense Federal Acquisition Regulation Supplement Clause 252.204-
7012. The reporting requirements of paragraph (f) of this section are
in addition to the requirements in paragraphs (b) and (d) of this
section, which can include certain activities occurring on unclassified
information systems. DoD will provide detailed reporting instructions
for contractors affected by these references via industrial security
letter in accordance with DoDI 5220.22.
(1) Reports to be submitted to the designated DoD CSO. CDCs will
immediately report to the DoD CSO, any cyber incident on a classified
covered information system that has been approved by that CSO to
process classified information.
(i) At a minimum, the report will include:
(A) A description of the technique or method used in the cyber
incident.
(B) A sample of the malicious software involved in the cyber
incident, if discovered and isolated by the CDC,
(C) A summary of information in connection with any DoD program
that has been potentially compromised due to the cyber incident.
(ii) Information that is reported by the CDC (or derived from
information reported by the CDC) will be safeguarded, used, and
disseminated in a manner consistent with DoD procedures governing the
handling of such information pursuant to Public Law 112-239 and 10
U.S.C. 391.
(iii) Reports involving classified foreign government information
will be reported to the Director, Defense Technology Security
Administration (DoD).
(2) Reports on non-Federal information systems not authorized to
process classified information. CDCs will report cyber incidents on
non-Federal, unclassified information systems in accordance with
contract requirements.
(3) Access to equipment and information by DoD personnel. (i) The
CDC will allow, upon request by DoD personnel, access by DoD personnel
to additional equipment or information of the CDC that is necessary to
conduct forensic analysis of reportable cyber incidents in addition to
any analysis conducted by the CDC.
(ii) The CDC is only required to provide DoD access to equipment or
information to determine whether information created by or for DoD in
connection with any DoD program was successfully exfiltrated from a
CDC's network or information system, and what information was
exfiltrated from the CDC's network or information system.
(g) Reports to ISOO. (1) Contractors will report instances of
redundant or duplicative security review and audit activity by the CSAs
to the Director, ISOO, for resolution.
(2) Contractors will report instances of CSAs duplicating
processing to determine an entity's eligibility for access to
classified information when there is an existing determination of an
entity's eligibility for access to classified information by another
CSA.
Sec. 117.9 Entity eligibility determination for access to classified
information.
(a) General. This section applies to all contractors with entity
eligibility determinations, except as provided in Sec. 117.22 for
entity eligibility determinations for participation in the CCIPP under
the cognizance of DHS.
(1) Prior to the entity being granted an entity eligibility
determination for access to classified information, the responsible CSA
must have determined that:
(i) The entity is eligible for access to classified information to
meet a legitimate USG or foreign government need.
(ii) Access is consistent with national security interests.
(2) The CSA will provide guidance on processing entity eligibility
determinations for entity access to classified information.
(3) The determination of entity eligibility for access is separate
from the determination of a classified
[[Page 83326]]
information safeguarding capability (see Sec. 117.15).
(4) Neither the contractor nor its employees will be permitted
access to classified information until the CSA has made an entity
eligibility determination (e.g., issued an FCL).
(5) The requirement for a favorable entity eligibility
determination (also referred to in some instances as an FCL) for a
prime contractor includes instances where all access to classified
information will be limited to subcontractors. A prime contractor must
have a favorable entity eligibility determination at the same or higher
classification level as its subcontractors.
(6) Contractors are eligible for storage of classified material in
connection with a legitimate USG or foreign government requirement if
they have a favorable entity eligibility determination and a classified
information safeguarding capability approved by the CSA.
(7) An entity eligibility determination is valid for access to
classified information at the same or lower classification level.
(8) Each CSA will maintain a record of entity eligibility
determinations made by that CSA.
(9) A contractor will not use its favorable entity eligibility
determination for advertising or promotional purposes. This does not
prohibit the contractor from advertising employee positions that
require a PCL in connection with the position.
(10) A contractor or prospective contractor cannot apply for its
own entity eligibility determination. A GCA or a currently cleared
contractor may sponsor an entity for an entity eligibility
determination at any point during the contracting or agreement life
cycle at which the entity must have access to classified information to
participate (including the solicitation or competition phase).
(b) Reciprocity. If an entity has an appropriate, final entity
eligibility determination, a CSA will not duplicate the entity
eligibility determination processes performed by another CSA. If a CSA
cannot acknowledge an entity eligibility determination to another CSA,
the involved entity may be subject to duplicate processing in
accordance with 32 CFR part 2004.
(c) Eligibility requirements. To be eligible for an initial entity
eligibility determination or to maintain an existing entity eligibility
determination, the entity must:
(1) Need access to classified information in connection with a
legitimate USG or foreign government requirement, and access must be
consistent with U.S. national security interests as determined by the
CSA.
(2) Be organized and existing:
(i) Under the laws of the United States, one of the fifty States,
the District of Columbia, or an organized U.S. territory (Guam,
Commonwealth of the Northern Marianas Islands, Commonwealth of Puerto
Rico, and the U.S. Virgin Islands); or
(ii) Under the laws of an American Indian/Alaska Native tribal
entity if:
(A) The American Indian or Alaska Native tribe under whose laws the
entity is chartered has been formally acknowledged by the Assistant
Secretary--Indian Affairs, of the U.S. Department of the Interior.
(B) The contractor is organized and continues to exist, during the
period of the eligibility under a tribal statue or code, or pursuant to
a resolution of an authorized tribal legislative body.
(C) The contractor has submitted or will submit records such as a
charter, certificate of organization, or other applicable tribal
documents and statute or code provisions governing the formation and
continuation of the entity, for CSA determination that the entity is
tribally chartered.
(3) Be located in the United States or its territorial areas.
(4) Have a record of integrity and lawful conduct in its business
dealings.
(5) Have a SMO, FSO, and ITPSO who have and who maintain
eligibility for access to classified information and are not excluded
from participating in USG contracts or agreements in accordance with
Sec. 117.7(b)(1) through Sec. 117.7(b)(3).
(6) Not be under FOCI to such a degree that a favorable entity
eligibility determination for access to classified information would be
inconsistent with the national interest, in the judgment of the CSA.
(7) Maintain sufficient authorized and cleared employees to manage
and implement the requirements of this rule in accordance with CSA
guidance.
(8) Not pose an unacceptable risk to national security interests,
in the judgment of the CSA.
(9) Meet all requirements governing access to classified
information established by the CSA or the relevant authorizing law,
regulation, or government-wide policy.
(d) Processing the entity eligibility determination. The CSA will
assess the entity's eligibility for access to classified information
based on its business structure.
(1) At a minimum, the entity will:
(i) Provide CSA-requested documentation within timelines
established by the CSA.
(ii) Have and identify the SMO.
(iii) Appoint a U.S. citizen employee as the FSO.
(iv) Appoint a U.S. citizen employee as the ITPSO.
(v) Submit requests for personnel security investigations for the
SMO, FSO, ITPSO, and those other KMP identified by the CSA as requiring
eligibility for access to classified information in connection with the
entity eligibility.
(2) If the entity is under FOCI with a special security agreement
(SSA) as the proposed method of FOCI mitigation, and the GCA requires
the entity to have access to proscribed information, the CSA must
consider the measures listed in Sec. 117.11(d) as part of the entity
eligibility determination.
(e) Other personnel eligibility determinations concurrent with the
entity eligibility determination. (1) Contractors may designate
employees who require access to classified information during the
negotiation of a contract or the preparation of a bid or quotation
pertaining to a prime contract or a subcontract. These designated
employees will be processed for a determination of eligibility for
access to classified information (i.e., PCL eligibility) concurrent
with entity's entity eligibility determination.
(2) The entity eligibility determination is not dependent on the
PCL eligibility for access to classified information by such employees,
provided none of these employees are among those listed in paragraph
(c)(5) of this section. Even so, the employees will not be granted
access to classified information until both a favorable entity
eligibility determination and PCL eligibility has been granted.
(f) Exclusion procedures. If a CSA determines that certain KMP can
be excluded from access to classified information, the contractor will
follow the procedures in accordance with Sec. 117.7(b)(5)(ii).
(g) Temporary exclusions. As a result of a changed condition, the
SMO or other KMP who require eligibility for access to classified
information in connection with the facility entity eligibility
determination may be temporarily excluded from access to classified
information while in the process of a PCL eligibility determination
provided:
(1) The SMO or other KMP are not appointed as the FSO or ITPSO.
FSOs and ITPSOs may not be temporarily excluded. A cleared employee
must always be appointed to fulfill the requirements of these positions
in accordance with this rule.
(2) An employee, cleared to the level of the entity eligibility
determination,
[[Page 83327]]
must be able to fulfill the NISP responsibilities of the temporarily
excluded KMP in accordance with this rule while the temporary exclusion
is in effect.
(3) The applicable CSA may provide additional guidance on the
duration of a temporary exclusion from access to classified information
based on circumstances, business structure, and other relevant security
information.
(4) The contractor's governing board affirms the exclusion action,
and provides a copy of the exclusion action to the CSA. The
organization's governing body will document this action.
Table 1 to Paragraph (g)(4) Temporary Exclusion Resolutions
------------------------------------------------------------------------
Type of affirmation Language to be used in exclusion action
------------------------------------------------------------------------
Affirmation for Temporary Pending a final determination of
Exclusion from Access to eligibility for access to classified
Classified Information. information by the U.S. Government,
[insert name and position] will not
require, will not have, and can be
effectively and formally excluded from
access to all classified information
disclosed to the entity.
Affirmation for Temporary Pending a final determination of
Exclusion from Higher Level eligibility for access to classified
Classified Information. information at the [insert SECRET or TOP
SECRET] level, [insert name and
position] will not have, and can be
effectively and formally excluded from
access to higher-level classified
information [specify which higher level
of information].
------------------------------------------------------------------------
(h) Interim entity eligibility determinations. The CSA may make an
interim entity eligibility determination for access to classified
information, in the sole discretion of the CSA. See Sec. 117.10(l) for
access limitations that also apply to interim entity eligibility
determinations.
(i) An interim entity eligibility determination is made on a
temporary basis pending completion of the full investigative
requirements.
(ii) If the contractor with an interim entity eligibility
determination is unable or unwilling to comply with the requirements of
this rule and CSA-provided guidance regarding the process to obtain a
final entity eligibility determination, the CSA will withdraw the
interim entity eligibility.
(i) Multiple facility organizations. The home office must have an
entity eligibility determination at the same level as the highest
entity eligibility determination of an entity within the MFO. The CSA
will determine whether branch offices are eligible for access to
classified information if the branch offices need access and meet all
other requirements.
(j) Parent-subsidiary relationships. When a parent-subsidiary
relationship exists, the CSA will process the parent and the subsidiary
separately for entity eligibility determinations.
(1) If the CSA determines the parent must be processed for an
entity eligibility determination, then the parent must have an entity
eligibility determination at the same or higher level as the
subsidiary.
(2) When a parent and subsidiary or multiple cleared subsidiaries
are collocated, a formal written agreement to use common security
services may be executed by the entities, subject to the approval of
the CSA.
(k) Joint ventures. A joint venture may be granted eligibility for
access to classified information if it meets the eligibility
requirements in paragraph (c) of this section, including:
(1) The joint venture must be established as a legal business
entity (e.g. limited liability company, corporation, or partnership). A
joint venture established by contract that is not also established as a
legal business entity is not eligible for an entity eligibility
determination.
(2) The business entity operating as a joint venture must have been
awarded a classified contract or sponsored by a GCA or prime contractor
for an entity eligibility determination in advance of a potential award
for which the business entity has bid pursuant to paragraph (c) of this
section.
(3) The business entity operating as a joint venture must have an
employee or employees appointed as security officials or KMP pursuant
to Sec. 117.7(b).
(l) Consultants. The responsible CSA will determine when there is a
need for self-employed consultants requiring access to classified
information to be considered for an entity eligibility determination.
(m) Limited entity eligibility determination (Non-FOCI). (1) The
applicable CSA may choose to allow a GCA to request limited entity
eligibility determinations for a single, narrowly defined contract,
agreement, or circumstance and specific to the requesting GCA's
classified information. This is not the same as a limited entity
eligibility determination in situations involving FOCI, when the FOCI
is not mitigated or negated.
(i) Limited entity eligibility determinations (or FCLs) involving
FOCI will be processed in accordance with Sec. 117.11(e).
(ii) This paragraph (paragraph (m) of this section) applies to
limited entity eligibility determinations for purposes other than FOCI
mitigation in accordance with 32 CFR part 2004. Additional guidance may
be provided by the responsible CSA.
(2) An entity must be sponsored for a limited entity eligibility
determination by a GCA in accordance with the sponsorship requirements
contained in paragraph (c) of this section. The contractor should be
aware that the sponsorship request from the GCA to the CSA must also
include:
(i) Description of the compelling need for the limited entity
eligibility determination that is in accordance with U.S. national
security interests.
(ii) Specific reason(s) or rationale for limiting the entity
eligibility determination.
(iii) The GCA's formal acknowledgement and acceptance of the risk
associated with this rationale.
(3) The entity must otherwise meet the entity eligibility
determination requirements set out in this rule.
(4) Access limitations are inherent with the limited entity
eligibility determination and are imposed upon all of the entity's
employees regardless of citizenship.
(5) Contractors should be aware that the CSA will document the
requirements of each limited entity eligibility determination it makes,
including the scope of, and any limitations on, access to classified
information.
(6) Contractors should be aware that the CSA will verify limited
entity eligibility determinations only to the requesting GCA. In the
case of multiple limited entity eligibility determinations for a single
entity, the CSA verifies each one separately only to its requestor.
(7) The applicable CSA administratively terminates the limited
entity eligibility determination when there is no longer a need for
access to the classified information for which the CSA approved the
limited entity eligibility determination.
[[Page 83328]]
(n) Termination of the entity eligibility determination. Once
granted, a favorable entity eligibility determination remains in effect
until terminated or revoked. If the entity eligibility determination is
terminated or revoked, the contractor will return all classified
material in its possession to the appropriate GCA or dispose of the
material as instructed by the CSA. The contractor should be aware that
it may request an administrative termination or the CSA may:
(1) After coordination with applicable GCAs, administratively
terminate the entity eligibility determination because the contractor
no longer has a need for access to classified information.
(2) Revoke an entity eligibility determination if the contractor is
unable or unwilling to protect classified information or is unable to
comply with the security requirements of this rule.
(o) Invalidation of the entity eligibility determination. The CSA
may invalidate an existing entity eligibility determination. While the
entity eligibility determination is in an invalidated status, the
contractor may not bid on or be awarded new classified contracts or
solicitations. The contractor may continue to work on existing
classified contracts if the GCA agrees.
(p) Records maintenance. Contractors will maintain the original CSA
designated forms for the duration of the entity eligibility
determination in accordance with CSA-provided guidance.
Sec. 117.10 Determination of eligibility for access to classified
information for contractor employees.
(a) General. (1) The CSA is responsible for determining an
employee's eligibility for access to classified information.
(i) The contractor must determine that access to classified
information is essential in the performance of tasks or services
related to the fulfillment of a classified contract.
(ii) Access must be clearly consistent with U.S. national security
interests as determined by the CSA.
(iii) A contractor may give an employee access to classified
information at the same or lower level of classification as the level
of the contractor's entity eligibility determination if the employee
has:
(A) A valid need-to-know for the classified information.
(B) A USG favorable eligibility determination for access to
classified information at the appropriate level; and
(C) Signed a non-disclosure agreement.
(2) The CSA will determine eligibility for access to classified
information in accordance with SEAD 4 (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-4-Adjudicative-Guidelines-U.pdf) and notify the contractor when eligibility has been
granted.
(i) The CSA will notify the contractor when an employee's
eligibility has been denied, suspended, or revoked.
(ii) The contractor will immediately deny access to classified
information to any employee when notified of a denial, revocation, or
suspension of eligibility regardless of the contractor employee's
location.
(iii) If the employee's performance is at a USG facility, the
contractor will provide notification to the appropriate GCA of any
denial, revocation, or suspension of eligibility for access to
classified information.
(3) Contractors will annotate and maintain the accuracy of their
employees' records in the system of record for contractor eligibility
and access to classified information, when one has been designated by
the CSA.
(4) Within an MFO or within the same business organization,
contractors may centrally manage eligibility for access to classified
information and access to classified information records.
(5) The contractor will limit requests for determinations of
eligibility for access to classified information to the minimum number
of employees and consultants necessary for operational efficiency in
accordance with contractual obligations and other requirements of this
rule. Requests for determinations of eligibility for access to
classified information will not be used to establish a cache of cleared
employees.
(6) The contractor will not submit a request for an eligibility
determination to one CSA if the employee applicant is known to be
cleared or in process for eligibility for access to classified
information by another CSA. In such cases, reciprocity of eligibility
determination in accordance with SEAD 7 (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-7_BI_ReciprocityU.pdf) shall be used. The contractor will provide the
new CSA with the full name, date, and place of birth, social security
number, clearing agency, and type of investigation for verification.
(7) Contractors will not submit requests for determination of
eligibility for access to classified information for individuals who
are not their employees or consultants; nor will they submit requests
for employees of subcontractors.
(8) Access to SCI, SAP, FRD, and RD information is a determination
made by the granting authority by the applicable USG granting authority
for each category of information.
(b) Investigative requirements. E.O. 13467, as amended, ``Reforming
Processes Related to Suitability for Government Employment, Fitness for
Contractor Employees, and Eligibility for Access to Classified National
Security Information,'' designates the Security and Suitability
Executive Agents responsible for establishing the standards for
investigative requirements that apply to contractors.
(1) Investigative tiers. The standards established in accordance
with E.O. 13467, as amended, designate specific investigative tiers
that are acceptable for access to classified information. An
investigative tier is for positions designated as moderate risk, non-
critical sensitive, and allow access to information classified at the
L, CONFIDENTIAL, and SECRET levels. Another investigative tier is for
positions designated as high risk, critical sensitive, special
sensitive, and allow access to information classified at the Q, TOP
SECRET, and SCI levels.
(2) Investigative coverage. (i) Automated sources. Investigative
providers will use automation whenever possible to collect, verify,
corroborate, or discover information about an individual, as documented
on the request for investigation or developed from other sources, i.e.,
automated record checks and inquiries.
(ii) Interviews. Interviews, if required, will cover areas of
adjudicative concern.
(iii) Information Covered in Previous Investigations. Information
validated in a prior investigation, the results of which are not
expected to change (e.g., verification of education degree), will not
be repeated as part of subsequent investigations.
(3) Polygraph. Agencies with policies authorizing the use of the
polygraph for purposes of determining eligibility for access to
classified information may require polygraph examinations when
necessary. If adjudicatively relevant information arises during the
investigation or the polygraph examination, the investigation may be
expanded to resolve the adjudicative concerns.
(4) Financial disclosure. When a GCA requires that a contractor
employee complete a financial disclosure form, the contractor will
ensure that the employee has the opportunity to complete and submit the
form in accordance with the Privacy Act of 1974, as amended, and other
applicable provisions of law.
(5) Reinvestigation and Continuous Evaluation. Contractor employees
[[Page 83329]]
determined eligible for access to classified information will follow
CSA guidance to complete reinvestigation and continuous evaluation or
continuous vetting requirements. The contractor will validate that the
employee requires continued eligibility for access to classified
information before initiating the reinvestigation.
(c) Verification of U.S. citizenship. A contractor will require
each applicant for determination of eligibility for access to
classified information who claims U.S. citizenship to provide evidence
of citizenship to the FSO or other authorized representative of the
contractor. All documentation must be the original or certified copies
of the original documents.
(1) Any document, or its successor, listed in this paragraph is an
acceptable document to corroborate U.S. citizenship by birth, including
by birth abroad to a U.S. citizen.
(i) A birth certificate certified with the registrar's signature,
which bears the raised, embossed, impressed, or multicolored seal of
the registrar's office.
(ii) A current or expired U.S. passport or passport card that is
unaltered and undamaged and was originally issued to the individual.
(iii) A Department of State Form FS-240, ``Consular Report of Birth
Abroad of a Citizen of the United States of America.''
(iv) A Department of State Form FS-545 or DS-1350, ``Certification
of Report of Birth.''
(2) Any document, or its successor, listed in this paragraph is an
acceptable document to corroborate U.S. citizenship by certification,
naturalization, or birth abroad to a U.S. citizen.
(i) A U.S. Citizenship and Immigration Services Form N-560 or N-
561, ``Certification of U.S. Citizenship.''
(ii) A U.S. Citizenship and Immigration Services Form 550, 551, or
570, ``Naturalization Certificate.''
(iii) A valid or expired U.S. passport or passport card that is
unaltered and undamaged and was originally issued to the individual.
(d) Procedures for completing the electronic version of the SF 86,
``Questionnaire for National Security Positions.'' The electronic
version of the SF 86 (available at: https://www.opm.gov/forms/pdf_fill/sf86.pdf) must be completed in e-QIP or its successor system by the
contractor employee and reviewed by the FSO or other contractor
employee(s) who has (have) been specifically designated by the
contractor to review an employee's SF 86. The FSO or designee will:
(1) Provide the employee with written notification that review of
the SF 86 by the FSO or other contractor employee is for adequacy and
completeness and information will be used for no other purpose within
the entity. The use and disclosure by the U.S. Government, and by U.S.
Government contractors operating systems of records on behalf of a U.S.
Government agency to accomplish an agency function, of the information
provided by the employee on the SF-86 is governed by the Privacy Act of
1974, as amended, and by the routine uses published by the USG in the
applicable System of Records Notice.
(2) Not share information from the employee's SF 86 within the
entity and will not use the information for any purpose other than
determining the adequacy and completeness of the SF 86.
(e) Fingerprint collection. The contractor will submit fingerprints
in accordance with CSA guidance. Contractors will use digital
fingerprints whenever possible.
(f) Pre-employment eligibility determination action. (1) If a
potential employee requires access to classified information
immediately upon commencement of employment, the contractor may submit
a request for investigation prior to the date of employment, provided:
(i) A written commitment for employment has been made by the
contractor.
(ii) The candidate has accepted the offer in writing.
(2) The commitment for employment must indicate employment will
commence within 45 days of the employee being granted eligibility for
access to classified information at a level that allows them to perform
the tasks or services associated with the contract or USG requirement
for which they were hired.
(3) Contractors will comply with the requirements pursuant to
paragraph (a) (5) of this section.
(g) Classified information NDA. The NDA designated by the CSA
(e.g., SF 312), is an agreement between the USG and an individual who
is determined eligible for access to classified information.
(1) An employee determined eligible for access to classified
information must execute an NDA prior to being granted access to
classified information.
(2) The employee must sign and date the NDA in the presence of a
witness. The employee's and witness' signatures must bear the same
date.
(3) The contractor will forward the executed NDA to the CSA for
retention. The CSA may authorize the contractor to retain a copy of the
form for administrative purposes, if appropriate.
(4) If the employee refuses to execute the NDA, the contractor will
deny the employee access to classified information and submit a report
to the CSA in accordance with Sec. 117.8(c)(6).
(h) Reciprocity. The applicable CSA is responsible for determining
whether contractor employees have been previously determined eligible
for access to classified information or investigated by an authorized
investigative activity in accordance with SEAD 7 (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-7_BI_ReciprocityU.pdf).
(1) Any current eligibility determination for access to classified
information that is based on an investigation of a scope that meets or
exceeds that necessary for the required level of access will provide
the basis for a new eligibility determination.
(2) The prior investigation will be used without further
investigation or adjudication unless the CSA becomes aware of
significant derogatory information that was not previously adjudicated.
(i) Break in access. There are circumstances when a contractor
administratively terminates an employee's access to classified
information solely because of no current requirement for such access.
If the employee again requires access to classified information and has
been in the contractor's continuous employment, and the employee again
requires access to classified information, the contractor may provide
access to classified information without further investigation, based
on CSA guidance, so long as the employee remains eligible for access to
classified information and has a current investigation of a scope that
meets or exceeds that necessary for the access required and no new
derogatory information is known. Any adverse information from or about
the employee must continue to be reported while the employee maintains
eligibility for access to classified information, even when access to
classified information has been administratively terminated.
(j) Break in employment. (1) When an employee had a break in
employment and now requires access to classified information, the
contractor may provide access to classified information based on CSA
guidance provided the employee remains eligible for access to
classified information and has a current investigation of a scope that
meets or exceeds that necessary for the access required.
[[Page 83330]]
(2) The contractor may not provide access to classified information
to an employee who previously was eligible for access to classified
information, but has had a break in employment that resulted in a loss
of eligibility without a new eligibility determination by the CSA.
(k) Non-U.S. citizens. (1) Contractors must make every effort to
ensure that non-U.S. citizens are not employed in duties that may
require access to classified information. However, compelling reasons
may exist to grant access to classified information to a non-U.S.
citizen. The CSA may grant such individuals a LAA in those rare
circumstances where a non-U.S. citizen possesses unique or unusual
skills or expertise that is urgently needed to support a specific USG
contract involving access to specified classified information, and a
cleared or clearable U.S. citizen is not readily available. The CSA
will provide specific procedures for requesting an LAA, to include the
need for approval by a GCA senior official.
(2) An LAA granted under the provisions of this rule is not valid
for access to:
(i) TOP SECRET information.
(ii) RD or FRD.
(iii) Information that has not been determined releasable by a USG
designated disclosure authority to the country of which the individual
is a citizen.
(iv) Communications security (COMSEC) information.
(v) Intelligence information.
(vi) NATO information. Foreign nationals of a NATO member nation
may be authorized access to NATO information provided:
(A) The CSA obtains a NATO security clearance certificate from the
individual's country of citizenship.
(B) NATO access is limited to performance on a specific NATO
contract.
(vii) Information for which foreign disclosure has been prohibited
in whole or in part.
(viii) Information provided to the USG in confidence by a third-
party government.
(ix) Classified information furnished by a third-party government.
(l) Temporary eligibility for access to classified information. In
accordance with SEAD 8 (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-8_Temporary_Eligibility_U.pdf), the CSA may
grant temporary (previously called interim) eligibility for access to
classified information, as appropriate, to applicants for access to TOP
SECRET, SECRET, and CONFIDENTIAL information. This eligibility may only
be granted if there is no evidence of adverse information that calls
into question an individual's eligibility for access to classified
information. If results are favorable following completion of full
investigative requirements, the CSA will update the temporary
eligibility determination for access to classified information to be
final. In any case, a temporary eligibility determination shall not
exceed one year unless approved by the applicable CSA in the system of
record. Non-U.S. citizens are not eligible for access to classified
information on a temporary basis.
(1) A temporary SECRET or CONFIDENTIAL eligibility determination is
valid for access to classified information at the level of the
eligibility granted. Access to RD, COMSEC information, and NATO
information requires a final SECRET eligibility determination.
(2) A temporary TOP SECRET eligibility determination is valid for
access to TOP SECRET information. If an individual has a temporary TOP
SECRET eligibility determination and has a final SECRET eligibility
determination based on a previously completed investigation, the
temporary TOP SECRET eligibility determination is valid for access to
RD, NATO, and COMSEC information at the SECRET or CONFIDENTIAL level.
(3) Access to SCI and SAP information based on a temporary
eligibility determination is a determination made by the granting
authority.
(4) When a temporary eligibility determination has been made and
derogatory information is subsequently developed, the CSA may withdraw
the temporary eligibility pending completion of the processing that is
a prerequisite to the final eligibility determination.
(5) When a temporary eligibility determination is withdrawn for an
individual who is required to be eligible for access to classified
information in connection with the entity eligibility determination for
access to classified information, the contractor must remove the
individual from access to classified information and any KMP position
requiring PCL eligibility or the temporary entity eligibility
determination will also be withdrawn.
(6) Withdrawal of a temporary eligibility determination is not a
denial, termination, or revocation of eligibility under this rule and
may not be appealed.
(m) Consultants. (1) A consultant will not access classified
information off the premises of the using (hiring) contractor except in
connection with authorized classified visits.
(2) A contractor may only assign a consultant outside the United
States with responsibilities requiring access to classified information
when:
(i) The consultant agreement between the contractor and consultant
includes:
(A) Identification of the contract, license, or agreement that
requires access to classified information, the level of classified
information that is required, and access to FGI by the consultant while
assigned outside the United States.
(B) A formal agreement that prohibits the consultant from
disclosing any classified information related to the contract, license,
or agreement as required in paragraph (m)(i)(A) of this section to any
party other than the USG or foreign government with which the
consultant is meeting, and who possesses the requisite clearance and
need to know.
(ii) The consultant and the using contractor will jointly execute
the consultant agreement setting forth respective security
responsibilities. The contractor will retain an original signed copy of
the agreement and will ensure its availability if requested by the CSA.
(iii) The contractor, in consultation with the applicable CSA as
appropriate, will determine what threat briefing(s) the consultant
should receive before the assignment, and conduct those briefings as
part of the consultant's pre-assignment and recurring security
training.
(iv) The contractor provides notice of any changes to the
consultant agreement to the applicable CSA during assessments or upon
CSA request.
(3) The using contractor will be the consumer of the consultant
services as set forth in the consultant agreement.
(4) For security administration purposes, a consultant will be
considered an employee of the using contractor for compliance with this
rule.
(5) Consultants to GCAs are not under the purview of the NISP and
will be processed for determination of eligibility by the GCA in
accordance with GCA procedures.
Sec. 117.11 Foreign Ownership, Control, or Influence (FOCI).
(a) General. Foreign investment can play an important role in
maintaining the vitality of the U.S. industrial base. Therefore, it is
the intent of the USG to allow foreign investment consistent with the
national security interests of the United States. The following FOCI
[[Page 83331]]
procedures for cleared U.S. entities are intended to mitigate the risks
associated with FOCI by ensuring that foreign firms cannot undermine
U.S. security to gain unauthorized access to classified information.
(1) The CSA will consider a U.S. entity to be under FOCI when:
(i) A foreign interest has the power to direct or decide issues
affecting the entity's management or operations in a manner that could
either:
(A) Result in unauthorized access to classified information; or
(B) Adversely affect performance of a classified contract or
agreement.
(ii) The foreign government is currently exercising, or could
prospectively exercise, that power, whether directly or indirectly,
such as:
(A) Through ownership of the U.S. entity's securities, by
contractual arrangements, or other means, or;
(B) By the ability to control or influence the election or
appointment of one or more members to the entity's governing board.
(2) When the CSA has determined that an entity is under FOCI, the
primary consideration will be the protection of classified information.
The CSA will take whatever action is necessary to protect classified
information, in coordination with other affected agencies as
appropriate.
(3) A U.S. entity that is in process for an entity eligibility
determination for access to classified information and subsequently
determined to be under FOCI is ineligible for access to classified
information unless and until effective security measures have been put
in place to negate or mitigate FOCI to the satisfaction of the CSA.
(4) When a contractor determined to be under FOCI is negotiating an
acceptable FOCI mitigation or negation measure in good faith, an
existing entity eligibility determination may continue in effect so
long as there is no indication that classified information is at risk
of compromise in consultation with the applicable GCA. The applicable
CSA may decide that circumstances involving the FOCI are such that the
entity eligibility determination will be invalidated until
implementation of an acceptable FOCI mitigation plan.
(5) An existing entity eligibility determination will be
invalidated if the contractor is unable or unwilling to negotiate and
implement an acceptable FOCI mitigation or negation measure. An
existing entity eligibility determination will be revoked if security
measures cannot be taken to remove the possibility of unauthorized
access to classified information or adverse effect on performance of
classified contracts.
(6) Changed conditions, such as a change in ownership,
indebtedness, or a foreign intelligence threat, may justify certain
adjustments to the security terms under which an entity is operating
or, alternatively, that a different FOCI mitigation or negation method
be employed. If a changed condition is of sufficient significance, it
might also result in a determination that a contractor is no longer
considered to be under FOCI, or, conversely, that a contractor is no
longer eligible for access to classified information.
(7) The USG reserves the right, and has the obligation, to impose
any security method, safeguard, or restriction (including denial,
termination or revocation of an entity eligibility determination) it
believes necessary to ensure that unauthorized access to classified
information is effectively precluded and performance of classified
contracts is not adversely affected.
(8) Nothing contained in this section affects the authority of a
Federal agency head to limit, deny, or revoke access to classified
information under its statutory, regulatory, or contract jurisdiction.
(b) Factors. Factors relating to the entity, relevant foreign
interests, and the government of such foreign interests, as
appropriate, will be considered in the aggregate to determine whether
an applicant entity is under FOCI, its eligibility for access to
classified information, and the protective measures required. These
factors include:
(1) Record of espionage against U.S. targets, either economic or
government.
(2) Record of enforcement actions against the entity for
transferring technology without authorization.
(3) Record of compliance with pertinent U.S. laws, regulations, and
contracts or agreements.
(4) Type and sensitivity of the information the entity would
access.
(5) Source, nature, and extent of FOCI, including whether foreign
interests hold a majority or minority position in the entity, taking
into consideration the immediate, intermediate, and ultimate parent
entities.
(6) Nature of any relevant bilateral and multilateral security and
information exchange agreements.
(7) Ownership or control, directly or indirectly, in whole or in
part, by a foreign government.
(8) Any other factor that indicates or demonstrates capability of
foreign interests to control or influence the entity's operations or
management.
(c) Procedures. An entity is required to complete an SF 328 during
the process for an entity eligibility determination or when significant
changes occur to information previously submitted. In the case of a
corporate family, the form may be a consolidated response rather than
separate submissions from individual members of the corporate family
based on CSA guidance.
(1) If an entity provides any affirmative answers on the SF 328, or
the CSA receives other information which indicates that the applicant
entity may be under FOCI, the CSA will make a risk-based determination
regarding the relative significance of the information in regard to:
(i) Whether the applicant is under FOCI.
(ii) The extent and manner to which the FOCI represents a risk to
the national security or may adversely impact classified contract
performance.
(iii) The type of actions, if any, that would be necessary to
mitigate or negate the effects of FOCI to a level deemed acceptable to
the USG. The CSA will advise entities on the CSA's appeal channels for
disputing CSA FOCI determinations.
(2) When an entity with a favorable eligibility determination
enters into negotiations for the proposed merger, acquisition, or
takeover by a foreign interest, the entity will submit notification to
the CSA of the commencement of such negotiations.
(i) The submission will include the type of transaction under
negotiation (e.g., stock purchase, asset purchase), the identity of the
potential foreign interest investor, and a plan to negate or mitigate
the FOCI by a method outlined in paragraph (d) of this section.
(ii) The entity will submit copies of loan, purchase, and
shareholder agreements, annual reports, bylaws, articles of
incorporation, partnership agreements, other organizational documents,
and reports filed with other Federal agencies to the CSA.
(d) FOCI action plans. (1) When FOCI factors not related to
ownership are present, the CSA will determine if positive measures will
assure the CSA that the foreign interest can be effectively mitigated
and cannot otherwise adversely affect performance on classified
contracts. Examples of such measures include:
(i) Modification or termination of loan agreements, contracts, and
other understandings with foreign interests.
(ii) Diversification or reduction of foreign-source income.
[[Page 83332]]
(iii) Demonstration of financial viability independent of foreign
interests.
(iv) Elimination or resolution of problem debt.
(v) Assignment of specific oversight duties and responsibilities to
board members.
(vi) Formulation of special executive-level security committees to
consider and oversee issues that affect the performance of classified
contracts.
(vii) Physical or organizational separation of the contractor
component performing on classified contracts.
(viii) Adoption of special board resolutions.
(ix) Other actions that negate or mitigate foreign control or
influence.
(x) A combination of these methods, as determined by the CSA.
(2) When FOCI factors related to ownership are present, methods the
CSA may apply to negate or mitigate the risk of foreign ownership
include, but are not limited to:
(i) Board resolution. (A) When a foreign interest does not possess
voting interests sufficient to elect, or otherwise is not entitled to
representation on the entity's governing board, a resolution(s) by the
governing board may be adequate. In the resolution, the governing board
will:
(1) Identify the foreign shareholder.
(2) Describe the type and number of foreign-owned shares.
(3) Acknowledge the entity's obligation to comply with all
industrial security program requirements.
(4) Certify that the foreign owner does not require, will not have,
and can be effectively precluded from unauthorized access to all
classified information entrusted to or held by the entity.
(B) The governing board will provide for annual certifications to
the CSA acknowledging the continued effectiveness of the resolution.
(C) The entity will distribute to members of its governing board
and to its KMP copies of such resolutions, and report in the entity's
corporate records the completion of such distribution.
(ii) Security control agreement (SCA). When a foreign interest does
not effectively own or control an entity (i.e., the entity is under
U.S. control), but the foreign interest is entitled to representation
on the entity's governing board, an SCA may be adequate. At least one
cleared U.S. citizen must serve as an outside director on the entity's
governing board. There are no access limitations under an SCA.
(iii) SSA. When a foreign interest effectively owns or controls an
entity, an SSA may be adequate. An SSA is an arrangement that, based
upon an assessment of the source and nature of FOCI and FOCI factors,
imposes various industrial security measures within an
institutionalized set of entity practices and procedures. The SSA
preserves the foreign owner's right to be represented on the entity's
board or governing body with a direct voice in the entity's business
management, while denying the foreign owner majority representation and
unauthorized access to classified information.
(A) Requirement for a National Interest Determination (NID). Unless
otherwise prohibited by law or regulation (e.g., Section 842 of Pub. L.
115-232), the applicable CSA must determine whether allowing an entity
access to proscribed information under an SSA is consistent with
national security interests of the U.S. with concurrence from
controlling agencies, as applicable. Such NIDs will be made as part of
an entity eligibility determination or because of a changed condition
when a GCA requires an entity to have access to proscribed information
and the CSA proposes an SSA as the mitigation measure. The NID can be
program, project, or contract specific.
(B) NID process: (1) The CSA makes a NID for TOP SECRET or SAP
information to which the entity requires access. Contractors should be
aware that DOE Order 470.4B provides additional information and
requirements for processing NID requests for access to RD.
(2) In cases in which any category of the proscribed information is
controlled by another agency (ODNI for SCI, DOE for RD, the National
Security Agency (NSA) for COMSEC), the CSA asks that controlling agency
to concur or non-concur on the NID for that category of information.
(3) The CSA informs the GCA and the entity when the NID is
complete. In cases involving SCI, RD, or COMSEC, the CSA also informs
the GCA and the entity when a controlling agency concurs or non-concurs
on that agency's category of proscribed information. The entity may
begin accessing a category of proscribed information once the CSA
informs the GCA and the entity that the controlling agency concurs,
even if other categories of proscribed information are pending
concurrence.
(4) An entity's access to SCI, RD, or COMSEC remains in effect so
long as the entity remains eligible for access to classified
information and the contract or agreement (or program or project) which
imposes the requirement for access to those categories of proscribed
information remains in effect, except under any of the following
circumstances:
(i) The CSA, GCA, or controlling agency becomes aware of adverse
information that impacts the entity eligibility determination.
(ii) The CSA's threat assessment pertaining to the entity indicates
a risk to one of the categories of proscribed information.
(iii) The CSA becomes aware of any material change regarding the
source, nature, and extent of FOCI.
(iv) The entity's record of NISP compliance, based on CSA reviews,
becomes less than satisfactory. Consult DOE Order 470.4B for additional
information and requirements for processing NID requests for access to
RD.
(5) Under any of the circumstances in paragraphs
(d)(2)(iii)(B)(4)(i) through (d)(2)(iii)(B)(4)(iv) in this section, the
CSA determines whether the entity remains eligible for access to
classified information, it must change the FOCI mitigation measure in
order to remain eligible for access to classified information, or the
CSA must terminate or revoke the access to classified information.
(6) When an entity is eligible for access to classified information
that includes a favorable NID for SCI, RD, or COMSEC, the CSA does not
have to request a new NID concurrence for the same entity if the access
to classified information requirements for the relevant category of
proscribed information and terms remain unchanged for:
(i) Renewing the contract or agreement.
(ii) New task orders issued under the contract or agreement.
(iii) A new contract or agreement that contains the same provisions
as the previous one (this usually applies when the contract or
agreement is for a program or project.)
(iv) Renewing the SSA.
(7) Under certain conditions, entities under an SSA may not require
a NID for one or more categories of proscribed information in
accordance with CSA-provided guidance. Categories of proscribed
information for entities under SSAs not requiring a NID will be
recorded in the CSA's system of record for entity eligibility
determinations.
(iv) Voting Trust (VT) or Proxy Agreement (PA). The VT and the PA
are arrangements that vest the voting rights of the foreign-owned stock
in cleared U.S. citizens approved by the USG. Under a VT, the foreign
owner transfers legal title its ownership interests in the entity to
the trustees. Under a PA, the foreign owner's voting rights are
[[Page 83333]]
conveyed to the proxy holders. Neither arrangement imposes any
restrictions on the entity's eligibility to have access to classified
information or to compete for classified contracts.
(A) Establishment of a VT or PA involves the selection of trustees
or proxy holders, all of whom must become members of the entity's
governing board. Both arrangements must provide for the exercise of all
prerogatives of ownership by the trustees or proxy holders with
complete freedom to act independently from the foreign owners, except
as provided in the VT or PA. The arrangements may limit the authority
of the trustees or proxy holders by requiring approval be obtained from
the foreign owner with respect to issues such as:
(1) The sale or disposal of the entity's assets or a substantial
part thereof.
(2) Pledges, mortgages, or other encumbrances on the entity's
assets, capital stock, or ownership interests.
(3) Mergers, consolidations, or reorganizations.
(4) Dissolution.
(5) Filing of a bankruptcy petition.
(B) The trustees or proxy holders may consult with the foreign
owner, or vice versa, where otherwise consistent with U.S. laws,
regulations, and the terms of the VT or PA.
(C) The trustees or proxy holders assume full responsibility for
the foreign owner's voting interests and for exercising all governance
and management prerogatives relating thereto to ensure the foreign
owner will be insulated from the entity, thereby solely retaining the
status of a beneficiary. The entity must be organized, structured, and
financed to be capable of operating as a viable business entity and
independent from the foreign owners' interests that required FOCI
mitigation or negation.
(v) Combination measures. The CSA may apply combinations of the
measures in paragraphs (d)(2)(i) through (d)(2)(iv) in this section or
other similar measures that effectively mitigate or negate the risks
involved with foreign ownership.
(e) Limited entity eligibility determination due to FOCI. In
accordance with the provisions of this section and CSA-provided
guidance, a limited entity eligibility determination may be an option
for a single, narrowly defined contract, agreement, or circumstance for
entities under FOCI without mitigation or negation. Limitations on
access to classified information are inherent with the granting of
limited entity eligibility determinations and are imposed upon all of
the entity's employees regardless of citizenship.
(1) In exceptional circumstances, when an entity is under FOCI, the
CSA may decide that a limited entity eligibility determination is
appropriate when the entity is unable or unwilling to implement FOCI
mitigation or negation measures, and the conditions in paragraphs
(e)(1)(i) through (iii) of this section are met. This is not the same
as a limited entity eligibility determination for purposes not related
to FOCI. Information on limited entity eligibility determinations for
purposes other than FOCI can be found in Sec. 117.9(m). A CSA may
decide that a limited entity eligibility is appropriate for an entity
under FOCI if:
(i) The limited entity eligibility determination is in accordance
with national security interests and a GCA has informed the CSA that
access to classified information by the contractor is essential to
contract or agreement performance.
(ii) There is an industrial security agreement with the foreign
government of the country from which the FOCI is derived.
(iii) The contractor meets all other entity eligibility
requirements outlined in Sec. 117.9(c) except that KMP, other than the
FSO, may be citizens of the country from which the FOCI derives and the
United States has obtained security assurances at the appropriate level
from that country.
(2) A U.S. subsidiary of a foreign entity may be sponsored for a
limited entity eligibility determination by a foreign government when
the foreign government desires to award a contract or agreement to the
U.S. subsidiary that involves access to only that classified
information for which the foreign government is the OCA.
(3) Limited entity eligibility determinations are specific to the
classified information for the requesting GCA or foreign government and
the single narrowly defined contract, agreement, or circumstance the
request was based on. The limited entity eligibility determination will
only be verified to that GCA or foreign government for the authorized
level of access to classified information and any limitations to that
access to classified information.
(4) A limited entity eligibility determination is not an option for
contractors that require access to proscribed information when a
foreign government has ownership or control over the entity.
(5) Release of classified information must be in conformity with
the U.S. National Disclosure Policy-1 (provided to designated
disclosure authorities on a need-to-know basis from the Office of the
Under Secretary of Defense for Policy, Defense Technology Security
Administration).
(6) A limited entity eligibility determination will be
administratively terminated when there is no longer a need for the
contractor to access the classified information for which it was
sponsored. Administrative termination of one limited entity eligibility
determination does not impact a contractor's other limited entity
eligibility determinations.
(7) If there is no industrial security agreement with the foreign
government of the country from which the FOCI is derived, in
extraordinary circumstances, a limited entity eligibility determination
may also be granted if there is a compelling need to do so consistent
with U.S. national security interests and the GCA has informed the
applicable CSA that access to classified information by the contractor
is essential to contract or agreement performance. Under this
circumstance, the entity must follow all provisions of this rule.
(f) Qualifications of trustees, proxy holders, and outside
directors. Individuals who serve as trustees, proxy holders, or outside
directors must meet the following criteria:
(1) Trustees and proxy holders must be resident U.S. citizens who
can exercise governance and management prerogatives relating to their
position in a way that ensures that the foreign owner can be
effectively insulated from the entity.
(2) Outside directors must be resident U.S. citizens who can
exercise governance and management prerogatives relating to their
position in a way that ensures that the foreign owner can be
effectively separated from the entity's classified work.
(3) New trustees, proxy holders, and outside directors must be
completely disinterested individuals with no prior involvement with the
entity, the entities with which it is affiliated, or the foreign owner.
(4) The CSA may consider other circumstances that may affect an
individual's eligibility to serve effectively including the number of
boards on which the individual serves, the length of time serving on
any other governance boards, and other factors in accordance with CSA-
provided guidance.
(5) Trustees, proxy holders, and outside directors must be
determined eligible for access to classified information at the level
of the entity eligibility determination for access to
[[Page 83334]]
classified information. Individuals who are serving as trustees, proxy
holders, or outside directors as part of a mitigation measure for the
entity are not considered to have prior involvement solely by
performing that role for purposes of paragraph (f)(3) of this section.
(g) Government security committee (GSC). Under a VT, PA, SSA, or
SCA, the contractor is required to establish a permanent committee of
its board of directors, known as the GSC.
(1) Unless otherwise approved by the CSA, the GSC consists of
trustees, proxy holders, or outside directors and those officer
directors who have been determined to be eligible for access to
classified information.
(2) The members of the GSC are required to ensure that the
contractor adheres to laws and regulations and maintains internal
entity policies and procedures to safeguard classified information
entrusted to it. The GSC ensures that violations of those policies and
procedures are promptly investigated and reported to the appropriate
authority when it has been determined that a violation has occurred.
(3) The contractor's FSO will be the principal advisor to the GSC
and attend GSC meetings. The chairman of the GSC must concur with the
appointment and replacement of FSOs selected by management. The FSO
functions will be carried out under the authority of the GSC.
(h) Additional procedures for FOCI mitigation or negation measures.
In addition to the basic requirements of the FOCI mitigation or
negation agreement, the entity may be required to document and
implement additional procedures based upon the circumstances of an
entity's operations. Those additional procedures will be established in
supplements to the FOCI mitigation agreement to allow for flexibility
as circumstances change without having to renegotiate the entire
agreement. When making use of supplements, the CSA does not consider
the FOCI mitigation measure final until the CSA has approved the
required supplements. These supplements may include:
(1) Technology control plan (TCP). A TCP approved by the CSA will
be developed and implemented by those entities cleared under a VT, PA,
SSA and SCA and when otherwise deemed appropriate by the CSA. The TCP
will prescribe all security measures determined necessary to reasonably
prevent the possibility of access by non-U.S. citizen employees and
visitors to information for which they are not authorized. The TCP will
also prescribe measures designed to assure that access by non-U.S.
citizens is strictly limited to only that specific information for
which appropriate USG disclosure authorization has been obtained, e.g.,
an approved export license or technical assistance agreement. Unique
badging, escort, segregated work area, security indoctrination schemes,
and other measures will be included, as appropriate.
(2) Electronic communications plan (ECP). The contractor will
develop and implement an ECP, subject to CSA approval, tailored to the
contractor's operations to verify that electronic controls are in place
for clear technical and logical separation of electronic communications
and networks between the contractor, the foreign interest, and its
affiliates. The purpose is to prevent the unauthorized disclosure of
classified information to the foreign parent or its affiliates. The
contractor will include in the ECP a detailed network description and
configuration diagram that clearly delineates which networks will be
shared and which will be protected from access by the foreign parent or
its affiliates. The network description will address firewalls, remote
administration, monitoring, maintenance, and separate email servers, as
appropriate.
(3) Affiliated operations plan. There may be circumstances when the
parties to a transaction propose in the FOCI action plan that the U.S.
contractor provides certain services for the foreign interest or enters
into arrangements with the foreign interest, or the foreign interest
provides services for or enters into arrangements with the U.S.
contractor. In such circumstances, the contractor will document a plan,
subject to CSA approval, outlining the entity's consolidated policies
and procedures regarding the control of affiliated operations,
regardless of whether such endeavors are administrative, operational,
or commercial, performed directly or through third-party service
providers, within the entity, or among any of the entity's controlled
entities, or the foreign interest and its affiliates.
(4) Facilities location plan. When a contractor is potentially
collocated with or in close proximity to its foreign parent or an
affiliate, the contractor will prepare a facilities location plan to
assist the CSA in determining if the contractor is collocated or if the
close proximity can be allowed under the FOCI mitigation plan. A U.S.
entity generally cannot be collocated with the foreign parent or
affiliate, i.e., at the same address or in the same location.
(i) Annual review and certification.--(1) Annual review. The CSA
will meet at least annually, and otherwise as required by
circumstances, with the GSCs of contractors operating under a VT, PA,
SSA, or SCA to review the purpose and effectiveness of the clearance
arrangement and to establish a common understanding of the operating
requirements and their implementation. These reviews will include an
examination of:
(i) Acts of compliance or noncompliance with the approved security
arrangement, standard rules, and applicable laws and regulations.
(ii) Problems or impediments associated with the practical
application or utility of the security arrangement.
(iii) Whether security controls, practices, or procedures warrant
adjustment.
(2) Annual certification. For contractors operating under a VT, PA,
SSA, or SCA, the chairman of the GSC will submit to the CSA one year
from the effective date of the agreement and annually thereafter, an
implementation and compliance report. Such reports will include:
(i) A detailed description of the manner in which the contractor is
carrying out its obligations under the agreement.
(ii) Changes to security procedures, implemented or proposed, and
the reasons for those changes.
(iii) A detailed description of any acts of noncompliance, whether
inadvertent or intentional, with a discussion of remedial measures,
including steps taken to prevent such acts from recurring.
(iv) Any changes, or impending changes, of KMP or key board
members, including the reasons therefore.
(v) Any changes or impending changes in the organizational
structure or ownership, including any reorganizations, acquisitions,
mergers, or divestitures.
(vi) Any other issues that could have a bearing on the
effectiveness of the applicable agreement.
(j) Transactions involving foreign persons, and the Committee on
Foreign Investment in the United States (CFIUS).
(1) The CFIUS is a USG interagency committee chaired by the
Treasury Department that conducts assessments, reviews and
investigations of transactions that could result in foreign control of
a U.S. business, and certain non-controlling investments and certain
real estate transactions involving foreign persons under 50 U.S.C.
4565.
(2) In CFIUS cases where the acquired U.S. business requires access
to classified information, the CFIUS assessment, review or
investigation, as applicable, and the CSA industrial
[[Page 83335]]
security FOCI review are carried out in parallel, but are separate
processes with different time constraints and considerations.
(3) The CSA will promptly advise the parties in a transaction under
CFIUS review that would require FOCI negation or mitigation measures if
consummated, to submit to the CSA a plan to negate or mitigate FOCI. If
it appears that an agreement cannot be reached on material terms of a
FOCI action plan, or if the U.S. person that is a party, or in
applicable cases, a subject of the proposed transaction fails to comply
with the FOCI reporting requirements of this rule, the CSA may
recommend a full investigation of the transaction by the CFIUS to
determine the effects on national security.
Sec. 117.12 Security training and briefings.
(a) General. Contractors will provide all cleared employees with
security training and briefings commensurate with their involvement
with classified information.
(b) Training materials. Contractors may obtain security, threat
awareness, and other education and training information and material
from their CSA or other sources.
(c) Government provided briefings. The CSA is responsible for
providing initial security briefings to the FSO and for ensuring other
briefings required for special categories of information are provided
to the FSO.
(d) FSO training. Contractors will ensure the FSO and others
performing security duties complete training considered appropriate by
the CSA. Training requirements will be based on the contractor's
involvement with classified information. Training may include an FSO
orientation course, and for FSOs at contractor locations with a
classified information safeguarding capability, an FSO program
management course. Contractor FSOs will complete training within six
months of appointment to the position of FSO. When determined by the
applicable CSA, contractor FSOs must complete an FSO program management
course within six months of the CSA approval to store classified
information at the contractor.
(e) Initial security briefings. Prior to being granted access to
classified information, contractors will provide employees with an
initial security briefing that includes:
(1) Threat awareness, including insider threat awareness in
accordance with paragraph (g) in this section.
(2) Counterintelligence (CI) awareness.
(3) Overview of the information security classification system.
(4) Reporting obligations and requirements, including insider
threat.
(5) Cybersecurity training for all authorized information system
users in accordance with CSA-provided guidance pursuant to Sec.
117.18(a)(1) and (a)(2).
(6) Security procedures and duties applicable to the employee's
position requirements (e.g. marking and safeguarding of classified
information) and criminal, civil, or administrative consequences that
may result from the unauthorized disclosure of classified information,
even though the individual has not yet signed an NDA.
(f) CUI training. While outside the requirements of the NISPOM,
when a classified contract includes provisions for CUI training,
contractors will comply with those contract requirements.
(g) Insider threat training. The designated ITPSO will ensure that
contractor program personnel assigned insider threat program
responsibilities and all other cleared employees complete training
consistent with applicable CSA provided guidance.
(1) The contractor will provide training to insider threat program
personnel, including the contractor's designated ITPSO, on:
(i) CI and security fundamentals.
(ii) Procedures for conducting insider threat response actions.
(iii) Applicable laws and regulations regarding the gathering,
integration, retention, safeguarding, and use of records and data,
including the consequences of misuse of such information.
(iv) Applicable legal, civil liberties, and privacy policies and
requirements applicable to insider threat programs.
(2) The contractor will provide insider threat awareness training
to all cleared employees on an annual basis. Depending upon CSA
specific guidance, a CSA may instead conduct such training. The
contractor must provide all newly cleared employees with insider threat
awareness training before granting access to classified information.
Training will address current and potential threats in the work and
personal environment and will include at a minimum:
(i) The importance of detecting potential insider threats by
cleared employees and reporting suspected activity to the insider
threat program designee.
(ii) Methodologies of adversaries to recruit trusted insiders and
collect classified information, in particular within information
systems.
(iii) Indicators of insider threat behavior and procedures to
report such behavior.
(iv) CI and security reporting requirements, as applicable.
(3) The contractor will establish procedures to validate all
cleared employees who have completed the initial and annual insider
threat training.
(h) Derivative classification.--(1) Initial training. The
contractor will ensure all employees authorized to make derivative
classification decisions are trained in the proper application of the
derivative classification principles, in accordance with CSA direction.
Employees are not authorized to conduct derivative classification until
they receive such training.
(2) Refresher training. In addition to the initial training,
contractors will ensure all employees who conduct derivative
classification receive training at least once every two years.
Contractors will suspend an employee's derivative classification
authority for any employee who does not receive such training at least
once every two years. Training will emphasize the avoidance of over-
classification and address:
(i) Classification levels.
(ii) Duration of classification.
(iii) Identification and markings.
(iv) Classification prohibitions and limitations.
(v) Sanctions and classification challenges.
(vi) Security classification guides.
(vii) Information sharing.
(3) Record of training. Contractors will retain records of the date
of the most recent training (initial or refresher) and type of training
provided to employees.
(i) Information systems security. All information system authorized
users will receive training on the security risks associated with their
user activities and responsibilities under the NISP. The contractor
will determine the appropriate content of the training, taking into
consideration assigned roles and responsibilities, specific security
requirements, and the information system to which personnel are
authorized access.
(j) Temporary help suppliers. A cleared temporary help supplier, or
other contractor who employs cleared individuals solely for dispatch
elsewhere, will be responsible for ensuring that required briefings
(both initial and refresher training) are provided to their cleared
personnel. The temporary help supplier or the using contractor may
conduct these briefings.
[[Page 83336]]
(k) Refresher training. The contractor will provide all cleared
employees with security education and training every 12 months.
Refresher training will reinforce the information provided during the
initial security briefing and will keep cleared employees informed of
changes in security regulations and should also address issues or
concerns identified during contractor self-reviews. Training methods
may include group briefings, interactive videos, dissemination of
instructional materials, or other media and methods. Contractors will
maintain records about the programs offered and employee participation
in them.
(l) Debriefings. Contractors will debrief cleared employees and
annotate the debriefing in the appropriate contractor records when
access to classified information is no longer needed; at the time of
termination of employment (discharge, resignation, or retirement); when
an employee's eligibility for access to classified information is
terminated, suspended, or revoked; and upon termination of the entity
eligibility determination.
Sec. 117.13 Classification.
(a) Original classification. Only a USG official designated or
delegated the authority in writing can make an original classification
decision.
(1) An OCA classifies information pursuant to E.O. 13526 and 32 CFR
part 2001, designates and marks it as TOP SECRET, SECRET, or
CONFIDENTIAL, and, except as provided by statute, may use no other
terms to identify classified information.
(2) The designation UNCLASSIFIED is used to identify information
that does not meet the criteria for classification in accordance with
E.O. 13526. In accordance with 32 CFR 2002, CUI implementing guidance
(including the Marking Handbook) and any GCA-provided guidance, CUI
commingled with classified information must be marked as CUI to alert
users to its presence and sensitivity. The CUI regulation, guidance,
and handbook are available at: https://www.archives.gov/cui.
(b) Derivative classification. (1) Contractor personnel make
derivative classification decisions when they incorporate, paraphrase,
restate, or generate in new form, information that is already
classified. They must mark the newly developed material consistently
with the classification markings that apply to the source information.
(2) Derivative classification is the classification of information
based on guidance from an OCA, which may be either a properly marked
source document or a current security classification guide provided by
a GCA in accordance with E.O. 13526. The duplication or reproduction of
existing classified information is not derivative classification.
(3) A source document that does not contain portion markings, due
to an ISOO-approved waiver, must contain a warning statement that it
may not be used as a source for derivative classification in accordance
with 32 CFR 2001.24(k)(4).
(4) Classified information in email messages is marked pursuant to
E.O. 13526 and 32 CFR part 2001. If an email is transmitted on a
classified system, includes a classified attachment, and contains no
classified information within the body of the email itself, the email
serves as a transmittal document and is not a derivatively classified
document. The email's overall classification must reflect the highest
classification level present in the attachment.
(c) Derivative classification responsibilities. Contractors will
provide employees with pertinent classification guidance to fulfill
their derivative classification responsibilities. All contractor
employees authorized to make derivative classification decisions will:
(1) Mark the face of each derivatively classified document with a
classification authority block that includes the employee's name and
position or personal identifier, the entity name, and when applicable,
the division or the branch.
Figure 1 to Paragraph (c)(1) Example of Industry Classification
Authority Block
UNCLASSIFIED: CLASSIFICATION MARKINGS FOR ILLUSTRATION PURPOSES ONLY
------------------------------------------------------------------------
-------------------------------------------------------------------------
Classified by: John Doe, Security Specialist, Entity ABC Security
Division
Derived From: SecDef Memo, dtd 20101024, Subj: ___
Declassify On: 20201024
------------------------------------------------------------------------
(2) Observe and respect original classification decisions.
(3) Carry forward the pertinent classification markings to any
newly created documents. For information derivatively classified based
on multiple sources, the derivative classifier will carry forward:
(i) The date or event for declassification that corresponds to the
longest period of classification among the sources.
(ii) A listing of the source materials.
(4) Be trained, in accordance with Sec. 117.12(h), in the proper
application of the derivative classification principles at least once
every two years.
(5) Whenever possible, use a classified addendum if classified
information constitutes a small portion of an otherwise unclassified
document.
(d) Security classification guidance. (1) Contractors should be
aware the GCA will:
(i) Incorporate appropriate security requirement clauses in a
classified contract, IFB, RFP, RFQ, or all solicitations leading to a
classified contract.
(ii) Provide the contractor with the security classification
guidance needed during performance of the contract.
(iii) Provide this guidance to the contractor in the contract
security classification specification, or equivalent.
(2) The contract security classification specification, or
equivalent, must identify the specific elements of classified
information involved in the contract that require security protection.
(3) At the discretion of the CSA, contractors may, to the extent
possible, advise and assist in the development and any updates to or
any revisions to the contract security classification specification, or
equivalent.
(4) The contractor will comply with all aspects of the
classification guidance.
(i) Users of classification guides are encouraged to notify the
originator of the guide when they acquire information that suggests the
need for change in the instructions contained in the guide.
(ii) Classification guidance is the exclusive responsibility of the
GCA, and the final determination of the appropriate classification for
the information rests with that activity. The contract security
classification specification, or equivalent, is a contractual
specification necessary for the performance of a classified contract.
Challenges to classification status are in paragraph (e) in this
section.
(iii) If the contractor receives a classified contract without a
contract security classification specification, or equivalent, the
contractor will notify the GCA. If the GCA does not respond with the
appropriate contract security classification specification, or
equivalent, the contractor will notify the CSA.
(5) Upon completion of a classified contract, the contractor must
return all USG provided or deliverable information to the custody of
the USG.
(i) If the GCA does not advise to the contrary, the contractor may
retain
[[Page 83337]]
copies of the USG material for a period of two years following the
completion of the contract. The contract security classification
specification, or equivalent, will continue in effect for this two-year
period.
(ii) If the GCA determines the contractor has a continuing need for
the copies of the USG material beyond the two-year period, the GCA will
issue a final contract security classification specification, or
equivalent, for the classified contract and will include disposition
instructions for the copies.
(e) Challenges to classification status. (1) The contractor will
address challenges to classification status with the GCA and request
remedy when:
(i) Information is classified improperly or unnecessarily.
(ii) Current security considerations justify downgrading to a lower
classification level or upgrading to a higher classification level.
(iii) Security classification guidance is not provided, improper or
inadequate.
(2) If the GCA does not provide a remedy, and the contractor still
believes that corrective action is required, the contractor will make a
formal written challenge to the GCA. The challenge will include:
(i) A description sufficient to identify the issue.
(ii) The reasons why the contractor thinks that corrective action
is required.
(iii) Recommendations for appropriate corrective action.
(3) The contractor will safeguard the information as required for
its assigned or proposed level of classification, whichever is higher,
until action is completed.
(4) If the contractor does not receive a written answer from the
GCA within 60 days, the contractor will request assistance from the
CSA. If the contractor does not receive a response from the GCA within
120 days, the contractor may appeal the challenge to the Interagency
Security Classification Appeals Panel through ISOO.
(5) The fact that a contractor has initiated such a challenge will
not, in any way, serve as a basis for adverse action against the
contractor by the USG. If a contractor believes that adverse action did
result from a classification challenge, the contractor will promptly
furnish full details to ISOO for resolution.
(f) Contractor developed information. Whenever a contractor
develops an unsolicited proposal or originates information not in the
performance of a classified contract, the provisions of this paragraph
apply.
(1) If the information was previously identified as classified, it
will be classified according to an appropriate classification guide, or
source document, and appropriately marked.
(2) If the information was not previously classified, but the
contractor believes the information may or should be classified, the
contractor will:
(i) Protect the information as though classified at the appropriate
level.
(ii) Submit the information to the agency that has an interest for
a classification determination. In such cases, clearly mark the
material ``CLASSIFICATION DETERMINATION PENDING; Protect as either TOP
SECRET, SECRET, or CONFIDENTIAL.'' This marking will appear
conspicuously at least once on the material but no further markings are
necessary until a classification determination is received.
(iii) Not be precluded from marking such material as entity-private
or entity-proprietary information, unless the material was based upon
information obtained from prior deliverables to the USG or was
developed from USG material.
(iv) Protect the information pending a final classification
determination. The information may be CUI, if it is not classified.
Only information that is owned by, produced by, produced for, or is
under the control of the USG can be classified in accordance with E.O.
13526.
(3) To be eligible for classification:
(i) The information must incorporate classified information to
which the contractor was given prior access.
(ii) The information must be partially or wholly owned by, produced
by or for, or under the control of the USG.
(4) 10 CFR 1045.21 includes provisions for the DOE with regard to
privately generated RD, whereby the DOE may classify such information
in accordance with the AEA.
(g) Improperly released classified information appearing in public
media. Improperly released classified information is not automatically
declassified. When classified information has been improperly released,
and even when that classified information has become publicly
available, contractors will:
(1) Continue to protect the information at the appropriate
classification level until formally advised to the contrary by the GCA.
(2) Bring any questions about the propriety of continued
classification in these cases to the immediate attention of the GCA.
(3) Notify the applicable CSA if an employee downloads the
improperly released classified information to determine how to resolve
a data spill.
(h) Downgrading or declassifying classified information.
Information is downgraded or declassified based on the loss of
sensitivity of the information due to the passage of time or on
occurrence of a specific event. Downgrading or declassifying actions
constitute implementation of a directed action based on a review by
either the OCA or the USG-designated classification authority.
Declassification is not an approval for public disclosure.
(1) Downgrading. Contractors will refer information for
classification or downgrade to the GCA based on the guidance provided
in a contract security classification specification, or equivalent, or
upon formal notification.
(2) Declassification. Contractors are not authorized to implement
downgrading or declassification instructions even when the material is
marked for automatic downgrading or declassification. If the material
is marked for automatic declassification and the contractor notes that
the date or event for the automatic declassification has occurred, the
contractor will seek guidance from the GCA.
(i) RD, FRD, and TFNI. Protection requirements for RD, FRD, and
TFNI are pursuant to Sec. 117.23(e). Information about classification
and declassification of RD, FRD, or TFNI documents is in Sec.
117.23(e)(5).
Sec. 117.14 Marking requirements.
(a) Purpose for marking. (1) Physically marking classified
information with appropriate classification markings serves to warn and
inform holders of the information of the degree of protection required.
Other notations facilitate downgrading and declassification, and aid in
derivative classification actions.
(2) Contractors will clearly mark all classified information and
material to convey to the holder the level of classification assigned,
the portions that contain or reveal classified information, the period
of time protection is required, the identity (by name and position or
personal identifier) of the classifier, the source(s) for derivative
classification, and any other notations required for protection of the
information.
(b) Marking guidance for classified information and material.
Contractors will use the marking guidance conveyed in 32 CFR 2001.22
through 2001.26, and its companion document, ISOO booklet ``Marking
Classified National Security Information,'' (available at: https://www.archives.gov/isoo/training/training-aids) or CSA specific provided
guidance for marking derivatively classified information and material
and as required by applicable security
[[Page 83338]]
classification guide. The special requirements for marking documents
containing RD, FRD, and TFNI are addressed in Sec. 117.23.
(c) Marking guidance for CUI. Contractors will use marking guidance
conveyed in 32 CFR 2002.20, the CUI Marking Handbook (available at:
https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf), and agency policy to mark CUI in
accordance with contract requirements.
(d) Working papers. Working papers will be marked, destroyed, and
retained in accordance with Sec. 117.15(e)(3).
(e) Translations. The contractor will mark translations of U.S.
classified information into a language other than English with the
appropriate U.S. markings and the foreign language equivalent to show
the United States as the country of origin.
(f) Marking wholly unclassified material. The contractor will not
mark or stamp wholly UNCLASSIFIED material as UNCLASSIFIED unless it is
essential to convey to a recipient of such material that:
(1) The material has been examined specifically with a view to
impose a security classification and has been determined not to require
classification by the GCA.
(2) The material has been reviewed and has been determined to no
longer require classification and it has been declassified by the
applicable GCA.
(g) Marking miscellaneous material. The contractor will:
(1) Handle miscellaneous material developed in connection with the
handling, processing, production, storage, and utilization of
classified information in a manner that ensures adequate protection of
the classified information involved.
(2) Destroy the miscellaneous material at the earliest practical
time, unless a requirement exists to retain such material.
Notwithstanding the provisions of paragraph (a) of this section, there
is no requirement for the contractor to mark such material, but
disposition and retention requirements in Sec. 117.15(i) and (j)
apply.
(h) Marking training material. The contractor will clearly mark
unclassified documents or materials that are created to simulate or
demonstrate classified documents or material to indicate the actual
UNCLASSIFIED status of the information. For example, the contractor may
use: MARKINGS ARE FOR TRAINING PURPOSES ONLY, OTHERWISE UNCLASSIFIED or
UNCLASSIFIED SAMPLE, or other similar marking.
(i) Downgrading or declassification actions. When a contractor
removes documents or material that have been downgraded or declassified
from storage for use or for transmittal outside the contractor
location:
(1) The documents or material must be re-marked pursuant to
paragraph (i)(1)(i) or (i)(1)(ii) in this section.
(i) Prior to taking any action to downgrade or declassify
information, the contractor will seek guidance from the GCA. If the GCA
approves such action, the contractor will cancel all old classification
markings with the new markings substituted, whenever practical. For
documents, at a minimum the outside of the front cover, the title page,
the first page, and the outside of the back will reflect the new
classification markings, or include the designation UNCLASSIFIED. The
contractor will re-mark other material by the most practical method for
the type of material involved to ensure that it is clear to the holder
what level of classification is assigned to the material.
(ii) When the GCA notifies contractors of downgrading or
declassification actions that are contrary to the markings shown on the
material, the contractor will re-mark material to indicate the change
and notify other holders if further dissemination was made. The
contractor will mark the material to indicate the:
(A) Authority for the action.
(B) Date of the action.
(C) Identity and position of the individual taking the action.
(2) If the volume of material is such that prompt re-marking of
each classified item cannot be accomplished without unduly interfering
with operations, the contractor may attach a downgrading and
declassification notice to the inside of the file drawers or other
storage container instead of the re-marking otherwise required.
(3) When such documents or materials are withdrawn from the
container solely for transfer to another container, or when the
container is transferred from one place to another, the transfer may be
made without re-marking if the notice is attached to the new container
or remains with each shipment.
(4) For the purpose of paragraphs (i)(2) and (i)(3) in this
section, the contractor must include in the downgrading and
declassification notice:
(i) The authority for the downgrading or declassification action.
(ii) The date of the action.
(iii) The storage container to which it applies.
(j) Upgrading action. (1) When the contractor receives notice from
the GCA to upgrade material to a higher level; for example, from
CONFIDENTIAL to SECRET, the contractor will:
(i) Immediately enter the new markings on the material according to
the notice to upgrade, and strike through all the superseded markings.
(ii) Enter the authority for and the date of the upgrading action
on the material.
(iii) Ensure all records affected are stored at the appropriate
level of security, including digital networks and systems. Upgrades
requiring network or system adjustment will be coordinated with the GCA
to mitigate or account for impact on the execution of the contract.
(2) The contractor will notify all holders to whom they
disseminated the material. The contractor will not mark the notice as
classified unless it contains additional information warranting
classification.
(3) In the case of material which was inadvertently released as
UNCLASSIFIED, the contractor will mark and protect the notice as
classified at the CONFIDENTIAL level, unless it contains additional
information warranting a higher classification. The contractor will
cite the applicable Contract Security Classification Specification, or
equivalent, or other classification guide on the ``Derived From'' line
and mark the notice with an appropriate declassification instruction.
(k) Dissemination of improperly marked information. If the
contractor inadvertently distributes classified material without the
proper classification assigned to it, or without any markings to
identify the material as classified, as appropriate, the contractor
will:
(1) Determine whether all holders of the material are cleared and
authorized access to it.
(2) If recipients are authorized persons, and the contractor
disseminated the information through authorized channels, promptly
provide written notice to all holders of the proper classification to
be assigned. The contractor will also include the classification source
as well as declassification instructions in the notification.
(3) Report compromises to the CSA in accordance with the provisions
of Sec. 117.8(d), if:
(i) Any of the recipients of the material are not authorized
persons.
(ii) Any material cannot be accounted for.
(iii) The material was transmitted through unauthorized channels.
[[Page 83339]]
(l) Marking foreign government classified material. Foreign
government classified information will retain its original
classification markings or will be assigned a U.S. classification that
provides a degree of protection at least equivalent to that required by
the foreign government entity that furnished the information in
accordance with 32 CFR 2001.54. The equivalent U.S. classification and
the country of origin will be marked on the front and back in English.
(m) Foreign government restricted information and ``in confidence''
information.
(1) Some foreign governments have a fourth level of classification
that does not correspond to an equivalent U.S. classification that is
identified as RESTRICTED information. In many cases, security
agreements require RESTRICTED information to be protected as U.S.
CONFIDENTIAL information.
(2) Some foreign governments may have a category of unclassified
information that is protected by law. This latter category is normally
provided to other governments with the expectation that the information
will be treated ``In Confidence.'' The foreign government or
international organization must state that the information is provided
in confidence and that it must be protected from release.
(i) 10 U.S.C. 130c protects information provided ``In Confidence''
by foreign governments which is not classified but meets special
requirements.
(ii) This provision also applies to RESTRICTED information which is
not required by an agreement to be protected as classified information.
(iii) The contractor will not disclose information protected by
this statutory provision to anyone except personnel who require access
to the information in connection with the contract.
(3) It is the responsibility of the foreign entity that awards the
contract to incorporate requirements for the protection and marking of
RESTRICTED or ``In Confidence'' information in the contract. The
contractor will advise the CSA if requirements were not provided by the
foreign entity.
(n) Marking U.S. documents containing FGI. (1) U.S. documents
containing FGI must be marked on the front, ``THIS DOCUMENT CONTAINS
(indicate country of origin) INFORMATION.'' In addition, the portions
must be marked to identify both the country and classification level,
(e.g., (UK-C), (GE-C)). The ``Derived From'' line will identify U.S. as
well as foreign classification sources.
(2) If the identity of the foreign government must be concealed,
the front of the document will be marked ``THIS DOCUMENT CONTAINS
FOREIGN GOVERNMENT INFORMATION;'' paragraphs will be marked FGI,
together with the classification level (e.g., (FGI-C)); and the
``Derived From'' line will indicate FGI in addition to any U.S. source.
The identity of the foreign government will be maintained with the
record copy of the document.
(3) A U.S. document that contains FGI will not be downgraded below
the highest level of FGI contained in the document or be declassified
without the written approval of the foreign government that originated
the information. Recommendations concerning downgrading or
declassification will be submitted to the GCA or foreign government
contracting authority, as applicable.
(o) Marking documents prepared for foreign governments. Documents
prepared for foreign governments that contain U.S. classified
information and FGI will be marked as prescribed by the foreign
government. In addition, they will be marked on the front, ``THIS
DOCUMENT CONTAINS UNITED STATES CLASSIFIED INFORMATION.'' Portions will
be marked to identify the U.S. classified information.
(p) Marking requirements for transfers of defense articles to
Australia (AUS) or the United Kingdom (UK). Marking requirements for
transfers of defense articles to AUS or the UK without a license or
other written authorization are pursuant to Sec. 117.19(i).
(q) Commingling of RD and FRD. Commingling of RD, FRD, and TFNI
with national security information (NSI) in the same document should be
avoided to the greatest degree possible. When mixing this information
cannot be avoided, the marking requirements in 10 CFR part 1045,
section 140(f) and declassification requirements of 10 CFR part 1045,
section 155 apply.
Sec. 117.15 Safeguarding Classified Information.
(a) General safeguarding. Contractors will be responsible for
safeguarding classified information in their custody or under their
control, with approval for such storage of classified information by
the applicable CSA. Individuals are responsible for safeguarding
classified information entrusted to them. Contractors will provide the
extent of protection to classified information sufficient to reasonably
protect it from loss or compromise.
(1) Oral discussions. Contractors will ensure that all cleared
personnel are aware of the prohibition against discussing classified
information over unsecured telephones, in public conveyances or places,
or in any other manner that permits interception by unauthorized
persons.
(2) End of day security checks. (i) Contractors that store
classified material will establish a system of security checks at the
close of each working day to verify that all classified material and
security repositories have been appropriately secured.
(ii) Contractors that operate multiple work shifts will perform the
security checks at the end of the last working shift in which
classified material was removed from storage for use. The checks are
not required during continuous 24-hour operations.
(3) Perimeter controls. (i) Contractors authorized to store
classified material will establish and maintain a system to deter and
detect unauthorized introduction or removal of classified material from
their facility without proper authority.
(ii) If the unauthorized introduction or removal of classified
material can be reasonably prevented through technical means (e.g., an
intrusion detection system), which are encouraged, no further controls
are necessary. The contractor will provide appropriate authorization to
personnel who have a legitimate need to remove or transport classified
material for passing through designated entry or exit points.
(iii) The contractor will:
(A) Provide appropriate authorization to personnel who have a
legitimate need to remove or transport classified material for passing
through designated entry or exit points.
(B) Conspicuously post notices at all pertinent entries and exits
that persons who enter or depart the facility are subject to an
inspection of their personal, except under circumstances where the
possibility of access to classified material is remote.
(C) Limit inspections to buildings or areas where classified work
is being performed.
(D) Establish the extent, frequency, and location of inspections in
a manner consistent with contractual obligations and operational
efficiency. The contractor may use any appropriate random sampling
technique.
(E) Seek legal advice during the formulation of implementing
procedures.
(F) Submit significant problems pertaining to perimeter controls
and inspections to the CSA.
(iv) Contractors will develop procedures for safeguarding
classified material in emergency situations.
[[Page 83340]]
(A) The procedures should be as simple and practical as possible
and adaptable to any type of emergency that may reasonably arise.
(B) Contractors will promptly report to the CSA any emergency
situation that renders them incapable of safeguarding classified
material.
(b) Standards for Security Equipment. Contractors will follow
guidelines established in 32 CFR part 2001, when procuring storage and
destruction equipment. Authorized repairs for GSA-approved security
containers and vaults must be in accordance with Federal Standard 809.
(c) Storage. Contractors will store classified information and
material in General Services Administration (GSA)-approved security
containers, vaults built to Federal Standard 832, or an open storage
area constructed in accordance with 32 CFR 2001.53. In the instance
that an open storage area has a false ceiling or raised floor,
contractors shall develop and implement procedures to ensure their
structural integrity. Nothing in 32 CFR part 2001, should be construed
to contradict or inhibit compliance with local laws or building codes,
but the contractor will notify the applicable CSA if there are any
conflicting issues that would inhibit compliance. Contractors will
store classified material in accordance with the specific sections of
32 CFR 2001.43:
(1) CONFIDENTIAL. See 32 CFR 2001.43(b)(3).
(2) SECRET. See 32 CFR 2001.43(b)(2).
(3) TOP SECRET Documents. See 32 CFR 2001.43(b)(1).
(d) Intrusion Detection Systems (IDS). This paragraph specifies the
minimum standards for an approved IDS when used for supplemental
protection of TOP SECRET and SECRET material. The CSA will provide
additional guidance for contingency protection procedures in the event
of IDS malfunction, including contractors located in USG owned
contractor operated facilities.
(1) CSA approval. (i) CSA approval is required before installing an
IDS. The CSA will base approval of a new IDS on the criteria of
Intelligence Community Directive 705 (available at: https://www.dni.gov/files/documents/ICD/ICD_705_SCIFs.pdf) and any applicable
intelligence community standard, Underwriters Laboratories (UL)
Standard 2050 (Government agencies with a role as a CSA or CSO may
obtain this reference without charge; available at: www.ul.com/contact), or the CSA may base approval on written CSA-specific
standards for the information to be protected.
(ii) Installation will be performed by an alarm services company
certified by a NRTL that meets the requirements in 29 CFR 1910.7 to
perform testing and certification. The NRTL-approved alarm service
company is responsible for completing the appropriate alarm system
description form approved by the NRTL.
(iii) All the intrusion detection equipment (IDE) used in the IDS
installation will be tested and approved (or listed) by a NRTL,
ensuring its proper operation and resistance from tampering. Any IDE
that has not been tested and approved by a NRTL will require CSA
approval.
(2) Central monitoring station. (i) For the purpose of monitoring
alarms, an equivalent level of monitoring service is available from
multiple types of providers. The central monitoring station may be
located at a one of the following:
(A) Government contractor monitoring station (GCMS), formerly
called a proprietary central station.
(B) Cleared commercial central station.
(C) Cleared protective signal service station (e.g., fire alarm
monitor).
(D) Cleared residential monitoring station.
(E) National industrial monitoring station.
(ii) SECRET-cleared central station employees at the alarm
monitoring station will be in attendance in sufficient number to
monitor each alarmed area within the cleared contractor facility.
(iii) The central monitoring station will be supervised
continuously by a U.S. citizen who has eligibility for access to SECRET
information.
(iv) The IDS must be activated at the close of business whenever
the area is not occupied by cleared personnel. Any IDS exit delay
function must expire prior to the cleared personnel leaving the
immediate area. A record will be maintained to identify the person or
persons who are responsible for setting and deactivating the IDS.
(v) Records will be maintained for 12 months indicating time of
receipt of alarm, name(s) of security force personnel responding, time
dispatched to facility or area, time security force personnel arrived,
nature of alarm, and what follow-up actions were accomplished.
(3) Investigative response to alarms. (i) Alarm response teams will
ascertain if intrusion has occurred and, if possible, assist in the
apprehension of the individuals involved.
(A) If an alarm activation resets in a reasonable amount of time
and no damage to the area is visible, then entrance into the area is
not required and an initial response team may consist of uncleared
personnel.
(B) If the alarm activation does not reset and damage is observed,
then a cleared response team must be dispatched. The initial uncleared
response team must stay on station until relieved by the cleared
response team. If a cleared response team does not arrive within 1
hour, then a report to the CSA must be made by the close of the next
business day.
(ii) The following resources may be used to investigate alarms:
Proprietary security force personnel, central station guards, local law
enforcement personnel, or a subcontracted guard service. The CSA may
approve procedures for the use of entity cleared employees who can meet
the minimum response requirements outlined in this section.
(A) For a GCMS, trained proprietary or subcontractor security force
personnel, cleared to the SECRET level and sufficient in number to be
dispatched immediately to investigate each alarm, will be available at
all times when the IDS is in operation.
(B) For a commercial central station, protective signaling service
station, or residential monitoring station, there will be a sufficient
number of trained guards available to respond to alarms. Guards will be
cleared only if they have the ability and responsibility to access the
area or container(s) housing classified material (i.e., keys to the
facility have been provided or the personnel are authorized to enter
the building or check the container or area that contains classified
material).
(C) Uncleared guards dispatched by a commercial central station,
protective signaling service station, or residential monitoring station
in response to an alarm will remain on the premises until a designated,
cleared representative of the facility arrives, or for a period of not
less than 1 hour, whichever comes first. If a cleared representative of
the facility does not arrive within 1 hour following the arrival of the
guard, the central control station must provide the CSA with a report
of the incident that includes the name of the subscriber facility, the
date and time of the alarm, and the name of the subscriber's
representative who was contacted to respond. A report will be submitted
to the CSA by the end of business on the next business day.
(D) Subcontracted guards must be under a classified contract with
either the installing alarm service company or the cleared facility.
[[Page 83341]]
(iii) The response time will be in accordance with the provisions
in paragraphs (c)(1) through (c)(3) in this section as applicable. When
environmental factors (e.g., traffic, distance) legitimately prevent
meeting the requirements for TOP SECRET information, as indicated in
paragraph (c)(3) in this section, the CSA may authorize up to a 30-
minute response time. The CSA approval will be documented on the alarm
system description form and the specified response time will be noted
on the alarm certificate. The requirement for response is 80 percent
within the time limits.
(4) Installation. The IDS will be installed by an NRTL-approved
entity or by an entity approved in writing by the CSA. When connected
to a commercial central station, GCMS, national industrial monitoring
station, or residential monitoring station, the service provided will
include line security (i.e., the connecting lines are electronically
supervised to detect evidence of tampering or malfunction). The level
of protection for the alarmed area will include all points of probable
entry (perimeter doors and accessible windows) with magnetic contacts
and motion detectors positioned in the probable intruder paths from the
probable points of entry to the classified information. In accordance
with Federal Standard 809, no IDS sensors (magnetic contacts or
vibration detectors) will be installed on GSA-approved security
containers. CSA authorization on the alarm system description form is
required in the following circumstances:
(i) When line security is not available, installation will require
two independent means of transmission of the alarm signal from the
alarmed area to the monitoring station.
(ii) Alarm installation provides a level of protection, e.g. UL's
Extent 5, based on patrolling employees and CSA approval of security-
in-depth.
(iii) Where law enforcement personnel are the primary alarm
response. Under those circumstances, the contractor must obtain written
assurance from the police department regarding the ability to respond
to alarms in the required response time.
(iv) Alarm signal transmission is over computer-controlled data-
networks (e.g., internet, intranet). The CSA will provide specific
acceptance criteria (e.g., encryption requirements) for alarms
monitored over data networks.
(v) Alarm investigator response time exceeds the parameters
outlined in paragraphs (c)(1) through (c)(3) in this section as
applicable.
(5) Certification of compliance. Evidence of compliance with the
requirements of this section will consist of a valid (current)
certification by an approved NRTL for the appropriate category of
service. This certificate:
(i) Will have been issued to the protected facility by the NRTL,
through the alarm service company.
(ii) Serves as evidence that the alarm service company that did the
installation is:
(A) Listed as furnishing security systems of the category
indicated.
(B) Authorized to issue the certificate of installation as
representation that the equipment is in compliance with requirements
established by NRTL for the class of alarm system.
(C) Subject to the NRTL inspection program whereby periodic
inspections are made of representative alarm installations by NRTL
personnel to verify the correctness of certification practices.
(6) Exceptional cases. (i) If the requirements in paragraphs (d)(1)
through (d)(5) in this section cannot be met, the contractor may
request CSA approval for an alarm system meeting one of these
conditions, which will be documented on the alarm system description
form:
(A) Monitored by a central control station but responded to by a
local (municipal, county, state) law enforcement organization.
(B) Connected by direct wire to alarm receiving equipment located
in a local (municipal, county, State) police station or public
emergency service dispatch center. This alarm system is activated and
deactivated by employees of the contractor, but the alarm is monitored
and responded to by personnel of the monitoring police or emergency
service dispatch organization. Personnel monitoring alarm signals at
police stations or dispatch centers do not require PCLs. Police
department response systems may be requested only when:
(1) The contractor facility is located in an area where central
control station services are not available with line security or
proprietary security force personnel, or a contractually-dispatched
response to an alarm signal cannot be achieved within the time limits
required by the CSA.
(2) It is impractical for the contractor to establish a GCMS or
proprietary guard force at that location. In this case, installation of
these systems must use NRTL-approved equipment and be accomplished by
an NRTL-approved entity meeting the applicable testing standard for the
category of service.
(ii) An installation proposal, explaining how the system would
operate, will be submitted to the CSA. The proposal must include:
(A) Sufficient justification for the granting of an exception and
the full name and address of the police department that will monitor
the system and provide the required response.
(B) The name and address of the NRTL-approved entity that will
install the system, and inspect, maintain, and repair the equipment.
(iii) The response times will be in accordance with the provisions
in paragraphs (c)(1) through (c)(3) in this section as applicable.
Arrangements will be made with the central monitoring station to
immediately notify a contractor representative on receipt of the alarm.
The contractor representative is required to go immediately to the
facility to investigate the alarm and to take appropriate measures to
secure the classified material.
(iv) In exceptional cases where central station monitoring service
is available, but no proprietary security force, central station, or
subcontracted guard response is available, and where the police
department does not agree to respond to alarms, and no other manner of
investigative response is available, the CSA may approve cleared
employees as the sole means of response.
(e) Information controls.--(1) Information management system.
Contractors will establish:
(i) A system to verify that classified information in their custody
is used or retained only for a lawful and authorized USG purpose.
(ii) An information management system to protect and control the
classified information in their possession regardless of media, to
include information processed and stored on authorized information
systems.
(2) Top secret information. Contractors will establish controls for
TOP SECRET information and material to validate procedures are in place
to address accountability, need to know, and retention, e.g.,
demonstrating that TOP SECRET material stored in an electronic format
on an authorized classified information system does not need to be
individually numbered in series. These controls are in addition to the
information management system and must be applied, unless otherwise
directed by the applicable CSA, regardless of the media of the TOP
SECRET information, to include information processed and stored on
authorized information systems. Unless otherwise directed by the
applicable
[[Page 83342]]
CSA, the contractor will establish the following additional controls:
(i) Designate TOP SECRET control officials to receive, transmit,
and maintain access and accountability records to TOP SECRET
information.
(ii) Conduct an annual inventory of TOP SECRET information and
material.
(iii) Establish a continuous receipt system for the transmittal of
TOP SECRET information within and outside the contractor location.
(iv) Number each item of TOP SECRET material in a series. Place the
copy number on TOP SECRET documents, regardless of media, and on all
associated transactions documents.
(v) Establish a record of TOP SECRET material when the material is:
(A) Completed as a finished document.
(B) Retained for more than 180 days after creation, regardless of
the stage of development.
(C) Transmitted outside the contractor location.
(vi) Establish procedures for destruction of TOP SECRET material by
two authorized persons.
(vii) Establish destruction records for TOP SECRET material and
maintain the records for two years in accordance with Sec.
117.13(d)(5) or in accordance with GCA requirements.
(3) Working papers. Contractors will establish procedures for the
control of classified working papers generated in the preparation of a
finished document. The contractor will:
(i) Date working papers when they are created.
(ii) Mark each page of the working papers with the highest
classification level of any information contained in them and with the
annotation ``WORKING PAPERS.''
(iii) Destroy working papers when no longer needed.
(iv) Mark in the same manner prescribed for a finished document at
the same classification level if released outside the contractor
location or retained for more than 180 days from the date of origin.
(4) Combinations to locks. Contractors will follow the guidance in
32 CFR 2001.45(a)(1) and 2001.43 (c) to address thresholds when
combinations will be changed. Combinations to locks used to secure
vaults, open storage areas, and security containers that are approved
for the safeguarding of classified information will be protected in the
same manner as the highest level of classified information that the
vault, open storage area, or security container is used to protect.
(5) Information system passwords. Contractors will follow the
guidance established in 32 CFR 2001.45(a)(2) for the protection of
passwords to information systems authorized to process and store
classified information at the highest level of classification to which
the information system is authorized.
(6) Reproduction of classified information. Contractors will follow
the guidance established in 32 CFR 2001.45(b) for the reproduction of
classified information.
(f) Transmission of classified information. Contractors will
establish procedures for transmitting and receiving classified
information and material in accordance with 32 CFR 2001.46.
(1) Top secret. The contractor must have written authorization from
the GCA to transmit TOP SECRET material outside the contractor
location.
(2) Transmission outside the United States and its Territorial
Areas. The contractor may transmit classified material to a USG
activity outside the United States or a U.S. territorial area only
under the provisions of a classified contract or with written
authorization from the GCA.
(3) Commercial delivery entities. The CSA may approve contractors
to transmit SECRET or CONFIDENTIAL information within the United States
and its territorial areas by means of a commercial delivery entity that
is a current holder of the GSA contract for overnight delivery, and
which provides nation-wide, overnight service with computer tracking
and reporting features (a list of current contract holders may be found
at: https://www.archives.gov/isoo/faqs#what-is-overnightcarriers). Such
entities do not need to be determined eligible for access to classified
information.
(i) Prior to CSA approval, the contractor must establish and
document procedures to ensure the proper protection of incoming and
outgoing classified packages, including the street delivery address,
for each cleared facility intending to use GSA-listed commercial
delivery entities for overnight services.
(ii) Contractors will establish procedures for the use of
commercial delivery entities in accordance with 32 CFR part 2001. The
procedures will:
(A) Confirm that the commercial delivery entity provides
nationwide, overnight delivery service with automated in-transit
tracking of the classified packages.
(B) Ensure the package integrity during transit and that incoming
shipments are received by appropriately cleared personnel.
(C) Not be used for COMSEC, NATO, or FGI.
(4) Couriers and hand carriers. Contractors may designate cleared
employees as couriers or hand carriers. Contractors will:
(i) Brief employees providing such services on their responsibility
to safeguard classified information and keep classified material in
their possession at all times.
(ii) Provide employees with an identification card or badge which
contains the contractor's name and the name and a photograph of the
employee.
(iii) Make arrangements in advance of departure for overnight
storage at a USG installation or at a cleared contractor's facility
that has appropriate storage capability, if needed.
(iv) Conduct an inventory of the material prior to departure and
upon return. The employee will carry a copy of the inventory with them.
(5) Use of commercial passenger aircraft. The contractor may
authorize cleared employees to hand carry classified material aboard
commercial passenger aircraft.
(i) Routine processing. Employees hand carrying classified material
are subject to routine processing by airline security agents. Hand-held
packages will normally be screened by x-ray examination. If security
personnel are not satisfied with the results of the inspection and
requests the prospective passenger to open a classified package for
visual examination, the traveler must inform the screener that the
carry-on items contain USG classified information and cannot be opened.
Under no circumstances may traveler or security personnel open the
classified material unless required by customs or other government
officials.
(ii) Special processing. The contractor will contact the
appropriate air carrier in advance to explain the particular
circumstances and obtain instructions on the special screening
procedures to follow when:
(A) Routine processing would subject the classified material to
compromise or damage.
(B) Visual examination is or may be required to successfully screen
a classified package.
(C) Classified material is in specialized containers, which due to
its size, weight, or other physical characteristics cannot be routinely
processed.
(iii) Authorization letter. Contractors will provide employees with
written authorization to hand carry classified material on commercial
aircraft that includes:
[[Page 83343]]
(A) Full name, date of birth, height, weight, and signature of the
traveler and statement that he or she is authorized to transmit
classified material.
(B) Description of the type of identification the traveler will
present on request.
(C) Description of the material being hand carried, with a request
that it be exempt from opening.
(D) Identification of the points of departure, destination, and
known transfer points.
(E) Name, telephone number, and signature of the FSO, and the
location and telephone number of the CSA.
(6) Escorts. If an escort is necessary to ensure the protection of
the classified information being transported, the contractor will
assign a sufficient number to each classified shipment to ensure
continuous surveillance and control over the shipment while in transit.
The contractor will furnish escorts with specific written instructions
and operating procedures prior to shipping that include:
(i) Name and address of persons, including alternates, to whom the
classified material is to be delivered.
(ii) Receipting procedures.
(iii) Means of transportation and the route to be used.
(iv) Duties of each escort during movement, during stops end route,
and during loading and unloading operations.
(v) Emergency and communication procedures.
(g) Destruction. Contractors will:
(1) Destroy classified material in their possession based on the
disposition instructions in the contract security classification
specification or equivalent.
(2) Follow the guidance for destruction of classified material in
accordance with 32 CFR 2001.47 and the destruction equipment standards
in accordance with 32 CFR 2001.42(b). See https://www.nsa.gov/resources/everyone/media-destruction/ and any CSA provided guidance for
additional information.
(h) Disclosure. Contractors will establish processes by which
classified information is disclosed only to authorized persons.
(1) Disclosure to employees. Contractors are authorized to disclose
classified information to their cleared employees with the appropriate
eligibility for access to classified information and need to know as
necessary, including cleared employees across the MFO, when applicable,
for the performance of tasks or services essential to the fulfillment
of a classified contract or subcontract.
(2) Disclosure to subcontractors.--(i) Contractors: (A) Are
authorized to disclose classified information to a cleared
subcontractor with the appropriate entity eligibility determination
(also known as a facility security clearance) and need to know when
access to classified information is necessary for the performance of
tasks or services essential to the fulfillment of a prime contract or a
subcontract.
(B) Will convey appropriate classification guidance for the
classified information to be disclosed with the subcontract in
accordance with Sec. 117.13.
(ii) The CSA must have: (A) Made a determination of eligibility for
access to classified information for the subcontractor, at the same
level, or higher, than the classified information to be disclosed, to
allow for such disclosures.
(B) Approved storage capability for classified material at the
subcontractor location if a physical transfer of classified material
occurs.
(3) Disclosure between parent and subsidiaries--(i) Contractors:
(A) Are authorized to disclose classified information between parent
and subsidiary entities with the appropriate entity eligibility
determination (also known as a facility security clearance) and need to
know when access to classified information is necessary for the
performance of tasks or services essential to the fulfillment of a
prime or subcontract.
(B) Will convey appropriate classification guidance with the
agreement or procurement action that necessitates the disclosure.
(ii) The CSA must have: (A) Made a determination of eligibility for
access to classified information for both the parent and subsidiary, at
the same level, or higher, than the classified information to be
disclosed, to allow for such disclosures.
(B) Approved storage capability for classified material at the
parent and the subsidiary if a physical transfer of classified material
occurs.
(4) Disclosure to federal agencies. Contractors will not disclose
classified information received or generated under a contract from one
agency to any other federal agency unless specifically authorized by
the agency that has classification jurisdiction over the information.
(5) Disclosure of classified information to foreign persons.
Contractors will not disclose classified information to foreign persons
unless specified by the contract and release of the information is
authorized in writing by the government agency having classification
jurisdiction over the information involved, i.e. the DOE for RD and FRD
(also see Sec. 117.23), the NSA for COMSEC, the DNI for SCI, and all
other executive branch departments and agencies for classified
information under their respective jurisdictions.
(6) Disclosure to other contractors. Contractors will not disclose
classified information to another contractor except in furtherance of a
contract, subcontract, or other GCA purpose without the authorization
of the GCA, if such authorization is required by contract.
(7) Disclosure of classified information in connection with
litigation. Contractors will not disclose classified information to:
(i) Attorneys hired solely to represent the contractor in any civil
or criminal case in federal or State courts unless the disclosure is
specifically authorized by the agency that has jurisdiction over the
information.
(ii) Any federal or state court except on specific instructions of
the agency, which has jurisdiction over the information or the attorney
representing the United States in the case.
(8) Disclosure to the public. Contractors will not disclose
classified information to the public. Contractors will not disclose
unclassified information pertaining to a classified contract to the
public without prior review and clearance as specified in the Contract
Security Classification Specification, or equivalent, for the contract
or as otherwise specified by the GCA. The procedures of this paragraph
also apply to information pertaining to classified contracts intended
for use in unclassified brochures, promotional sales literature,
reports to stockholders, or similar material.
(i) The contractor will:
(A) Submit requests for approval through the activity specified in
the GCA-provided classification guidance for the contract involved.
(B) Include in each request the approximate date the contractor
intends to release the information for public disclosure and identify
the media to be used for the initial release.
(C) Retain a copy of each approved request for release for a period
of one inspection cycle for review by the CSA.
(D) Clear all information developed subsequent to the initial
approval through the appropriate office prior to public disclosure.
(ii) Unless specifically prohibited by the GCA, the contractor does
not need to request approval for disclosure of:
(A) The fact that a contract has been received, including the
subject of the contract or type of item in general terms
[[Page 83344]]
provided the name or description of the subject is not classified.
(B) The method or type of contract.
(C) Total dollar amount of the contract unless that information
equates to:
(1) A level of effort in a sensitive research area.
(2) Quantities of stocks of certain weapons and equipment that are
classified.
(D) Whether the contract will require the hiring or termination of
employees.
(E) Other information that from time-to-time may be authorized on a
case-by-case basis in a specific agreement with the contractor.
(F) Information previously officially approved for public
disclosure.
(iii) Information that has been declassified is not authorized for
public disclosure. If the information is comingled with CUI, or
qualifies as CUI once declassified, it will be marked and protected as
CUI until it is decontrolled pursuant to 32 CFR part 2002 and reviewed
for public release. If the information does not qualify as CUI, it will
be protected in accordance with the basic safeguarding requirements in
48 CFR 52.204-21 and subject to the agency's public release procedures.
Contractors will request approval for public disclosure of declassified
information in accordance with the procedures of this paragraph.
(i) Disposition. Contractors will:
(1) Establish procedures for review of their classified holdings on
a recurring basis to ensure the classified holdings are in support of a
current contract or authorization to retain beyond the end of the
contract period.
(2) Destroy duplicate copies as soon as practical.
(3) For disposition of classified material not received under a
specific contract:
(i) Return or destroy classified material received with a bid,
proposal, or quote if the bid, proposal, or quote is not:
(A) Submitted or is withdrawn within 180 days after the opening
date of bids, proposals, or quotes.
(B) Accepted within 180 days after notification that a bid,
proposal, or quote has not been accepted.
(ii) If the classified material was not received under a specific
contract, such as material obtained at classified meetings or from a
secondary distribution center, return or destroy the classified
material within one year after receipt.
(j) Retention. The provisions of Sec. 117.13(d)(5) apply for
retention of classified material upon completion of a classified
contract.
(1) If contractors propose to retain copies of classified material
beyond 2 years, the contractor will identify:
(i) TOP SECRET material identified in a list of specific documents
unless the GCA authorizes identification by subject and approximate
number of documents.
(ii) SECRET and CONFIDENTIAL material may be identified by general
subject and the approximate number of documents.
(iii) Contractors will include a statement of justification for
retention beyond two years based on if the material:
(A) Is necessary for the maintenance of the contractor's essential
records.
(B) Is patentable or proprietary data to which the contractor has
the title.
(C) Will assist the contractor in independent research and
development efforts.
(D) Will benefit the USG in the performance of other prospective or
existing agency contracts.
(E) Will benefit the USG in the performance of another active
contract and will be transferred to that contract (specify contract).
(2) If the GCA does not authorize retention beyond two years, the
contractor will destroy all classified material received or generated
in the performance of a classified contract unless it has been
declassified or the GCA has requested that the material be returned.
(k) Termination of security agreement. Notwithstanding the
provisions for retention outlined in paragraph (i) in this section, in
the event that the CSA terminates the contractor's eligibility for
access to classified information, the contractor will return all
classified material in its possession to the GCA concerned, or dispose
of such material in accordance with instructions from the CSA.
(l) Safeguarding CUI. While outside the requirements of the NISPOM,
when a classified contract also includes provisions for protection of
CUI, contractors will comply with those contract requirements.
Sec. 117.16 Visits and meetings.
(a) Visits. This paragraph applies when, for a lawful and
authorized USG purpose, it is anticipated that classified information
will be disclosed during a visit to a cleared contractor facility or to
a USG facility.
(1) Classified visits. The number of classified visits will be held
to a minimum. The contractor:
(i) Must determine that the visit is necessary and the purpose of
the visit cannot be achieved without access to, or disclosure of,
classified information.
(ii) Will establish procedures to ensure positive identification of
visitors, appropriate PCL, and need-to-know prior to the disclosure of
any classified information.
(iii) Will establish procedures to ensure that visitors are only
afforded access to classified information consistent with the purpose
of the visit.
(2) Need-to-know determination. The responsibility for determining
need-to-know in connection with a classified visit rests with the
individual who will disclose classified information during the visit.
Need-to-know is generally based on a contractual relationship between
the contractors. In other circumstances, disclosure of the information
will be based on an assessment that the receiving contractor has a bona
fide need to access the information in furtherance of a GCA purpose.
(3) Visits by USG representatives. Representatives of the USG, when
acting in their official capacities as inspectors, investigators, or
auditors, may visit a contractor's facility, provided these
representatives present appropriate USG credentials upon arrival.
(4) Visit authorization. (i) If a visit requires access to
classified information, the host contractor will verify the visitor's
PCL level. Verification of a visitor's PCL may be accomplished by a
review of a CSA-designated database that contains the information or by
a visit authorization letter (VAL) provided by the visitor's employer.
(ii) If a CSA-designated database is not available and a VAL is
required, contractors will include in all VALs:
(A) Contractor's name, employee's name, address, and telephone
number, assigned commercial and government entity (CAGE) code, if
applicable, and certification of the level of the entity eligibility
determination.
(B) Name, date and place of birth, and citizenship of the employee
intending to visit.
(C) Certification of the proposed visitor's PCL and any special
access authorizations required for the visit.
(D) Name of person(s) to be visited.
(E) Purpose and sufficient justification for the visit to allow for
a determination of the necessity of the visit.
(F) Date or period during which the VAL is to be valid.
(5) Long term visitors. (i) When USG employees or employees of one
contractor are temporarily stationed at another contractor's facility,
the security procedures of the host contractor will govern.
(ii) USG personnel assigned to or visiting a contractor facility
and engaged in oversight of an acquisition program
[[Page 83345]]
will retain control of their work product. Classified work products of
USG employees will be handled in accordance with this rule. Contractor
procedures will not require USG employees to relinquish control of
their work products, whether classified or not, to a contractor.
(iii) Contractor employees at USG installations will follow the
security requirements of the host. This does not relieve the contractor
from security oversight of their employees who are long-term visitors
at USG installations.
(b) Classified meetings. This paragraph applies to a conference,
seminar, symposium, exhibit, convention, training course, or other such
gathering during which classified information is disclosed, hereafter
called a ``meeting.'' Disclosure of classified information to large
diverse audiences such as conferences increases security risks.
Classified disclosure at such meetings may occur when it serves a
government purpose and adequate security measures have been provided in
advance.
(1) Meeting conducted by a cleared contractor. If conducted by a
cleared contractor, the meeting is authorized by a USG agency that has
agreed to assume security jurisdiction. The USG agency:
(i) Must approve security arrangements, announcements, attendees,
and the location of the meeting.
(ii) May delegate certain responsibilities to a cleared contractor
for the security arrangements and other actions necessary for the
meeting under the general supervision of the USG agency.
(2) Request for authorization. Contractors desiring to conduct
meetings that require sponsorship will submit their requests to the USG
agency that has principal interest in the subject of each meeting.
Requests for authorization will include:
(i) An explanation of the USG purpose to be served by disclosing
classified information at the meeting and why the use of conventional
channels for release of the classified information will not advance
those interests.
(ii) The subject of the meeting and scope of classified topics, to
include the classification level, to be disclosed at the meeting.
(iii) The expected dates and location of the meeting.
(iv) The general content of the proposed announcement or invitation
to be sent to prospective attendees or participants.
(v) The identity of any other non-government organization involved
and a full description of the type of support it will provide.
(vi) A list of any foreign representatives (including their
nationality, name, organizational affiliation) whose attendance at the
meeting is proposed.
(vii) A description of the security arrangements necessary for the
meeting to comply with the requirements of this rule.
(3) Locations of meetings. Classified sessions will be held only at
a USG installation or a cleared contractor facility where adequate
physical security and procedural controls have been approved. The
authorizing USG agency is responsible for evaluating and approving the
location proposed for the meeting.
(4) Security arrangements for meetings. The contractor will develop
the security measures and procedures to be used and obtain the
authorizing agency's approval. The security arrangements must provide:
(i) Announcements. Approval of the authorizing agency will be
obtained for all announcements of the meeting.
(A) Announcements will be unclassified and will be limited to a
general description of topics expected to be presented, names of
speakers, and administrative instructions for requesting invitations or
participation. Classified presentations will not be solicited in the
announcement.
(B) When the meeting has been approved, announcements may only
state that the USG agency has authorized the conduct of classified
sessions and will provide necessary security assistance.
(C) The announcement will further specify that security clearances
and justification to attend classified sessions are to be forwarded to
the authorizing agency or its designee.
(D) Invitations to foreign persons will be sent by the authorizing
USG agency.
(ii) Clearance and need-to-know. All persons in attendance at
classified sessions will possess the requisite clearance and need-to-
know for the information to be disclosed.
(A) Need-to-know will be determined by the authorizing agency or
its designee based on the justification provided.
(B) Attendance will be authorized only to those persons whose
security clearance and justification for attendance have been verified
by the security officer of the organization represented.
(C) The names of all authorized attendees or participants must
appear on an access list with entry permitted to the classified session
only after verification of the attendee's identity based on
presentation of official photographic identification such as a
passport, contractor or USG identification card.
(iii) Presentations. Classified information must be authorized for
disclosure in advance by the USG agency having jurisdiction over the
information to be presented.
(A) Individuals making presentations at meetings will provide
sufficient classification guidance to enable attendees to identify what
information is classified and the level of classification.
(B) Classified presentations will be delivered orally or visually.
(C) Copies of classified presentation materials will not be
distributed at the classified meeting, and any classified notes or
electronic recordings of classified presentations will be classified,
safeguarded, and transmitted as required by this rule.
(iv) Physical security. The physical security measures for the
classified sessions will provide for control of, access to, and
dissemination of, the classified information to be presented and will
provide for secure storage capability, if necessary.
(5) Disclosure authority at meetings. Authority to disclose
classified information at meetings, whether disclosure is by officials
of industry or USG, must be granted by the USG agency or activity that
has classification jurisdiction over the information to be disclosed.
Each contractor that desires to disclose classified information at a
meeting is responsible for requesting and obtaining disclosure
approvals. Associations are not responsible for ensuring that
classified presentations and papers of other organizations have been
approved for disclosure. A contractor desiring to disclose classified
information at a meeting will:
(i) Obtain prior written authorization for each proposed disclosure
of classified information from the USG agency having jurisdiction over
the information involved.
(ii) Furnish a copy of the disclosure authorization to the USG
agency sponsoring the meeting.
(6) Requests to attend classified meetings. Before a contractor
employee can attend a classified meeting, the contractor will provide
justification for why the employee requires access to the classified
information, cite the classified contract or GCA program or project
involved, and forward the information to the authorizing USG agency.
[[Page 83346]]
Sec. 117.17 Subcontracting.
(a) Prime contractor responsibilities.--(1) Responsibilities.
Before a prime contractor may release or disclose classified
information to a subcontractor, or cause classified information to be
generated by a subcontractor, a determination that access to classified
information will be required and such access serves a legitimate USG
requirement for the performance of a ``classified contract'' in
accordance with Sec. 117.9(a) must be made. Prime contractors are
responsible for communicating the appropriate security requirements to
all subcontractors.
(i) A ``security requirements clause'' and a ``Contract Security
Classification Specification,'' or equivalent, will be incorporated in
the solicitation and in the subcontract. (See the ``security
requirements clause'' in the prime contract.)
(ii) The subcontractor must possess an appropriate entity
eligibility determination and a classified information safeguarding
capability if possession of classified information will be required.
(A) If access to classified information will not be required in the
pre-award phase, prospective subcontractors are not required to possess
an entity eligibility determination to receive or bid on the
solicitation.
(B) If a prospective subcontractor requires access to classified
information during the pre-award phase and does not have the
appropriate entity eligibility determination or a classified
information safeguarding capability, the prime contractor will request
the CSA of the subcontractor to initiate the necessary action.
(iii) If access to classified information will not be required, the
contract is not a classified contract within the meaning of this rule.
If the prime contract contains requirements for release or disclosure
of protected information that is not classified, such as CUI, the
requirements will be incorporated in the solicitation and the
subcontract and are not covered by this rule.
(2) Prospective subcontractors entity eligibility determinations.
(i) The prime contractor will verify whether the prospective
subcontractors have the appropriate entity eligibility determination
and also a classified information safeguarding capability, if a
subcontract requirement. This determination can be made if there is an
existing contractual relationship between the parties involving
classified information of the same or higher category, and must be
verified by accessing the CSA-designated database, or by contacting the
CSA.
(ii) If a prospective subcontractor does not have the appropriate
entity eligibility determination or a classified information
safeguarding capability, the prime contractor will request that the CSA
of the subcontractor initiate the necessary action.
(A) Requests will include, at a minimum, the full name, address,
and contact information for the requester; the full name, address, and
contact information for a contact at the facility to be processed for
an entity eligibility determination; the level of clearance and the
required classified information safeguarding capability; and full
justification for the request.
(B) Requests for safeguarding capability will include a
description, quantity, end-item, and classification of the information
related to the proposed subcontract.
(C) Other factors necessary to help the CSA determine if the
prospective subcontractor meets the requirements of this rule will be
identified, such as any special access requirements.
(3) Lead time for entity eligibility determination when awarding to
an uncleared subcontractor. Requesting contractors will allow
sufficient lead time in connection with the award of a classified
subcontract to enable an uncleared bidder to be processed for the
necessary entity eligibility determination. When the entity eligibility
determination cannot be granted in sufficient time to qualify the
prospective subcontractor for participation in the current procurement
action, the CSA will continue the entity eligibility determination
processing action to qualify the prospective subcontractor for future
contract consideration provided:
(i) The delay in processing the entity eligibility determination
was not caused by a lack of cooperation on the part of the prospective
subcontractor.
(ii) Future classified negotiations may occur within 12 months.
(iii) There is reasonable likelihood the subcontractor may be
awarded a classified subcontract.
(iv) Subcontracting that involves access to FGI. (A) A U.S.
contractor may award a subcontract that involves access to FGI to
another U.S. contractor after verifying with the CSA that the
prospective subcontractor has the appropriate entity eligibility
determination and a classified information storage capability, and
review of the prime contract to determine if there are any contractual
limitations for approval before awarding a subcontract. The contractor
awarding a subcontract will provide appropriate security classification
guidance and incorporate the pertinent security provisions in the
subcontract.
(B) The contractor cannot award subcontracts involving FGI to a
contractor in a third country or to a U.S. entity with a limited entity
eligibility determination based on third-country FOCI without the
express written consent of the originating foreign government. The CSA
will coordinate with the appropriate foreign government authorities.
(b) Security classification guidance. (1) Prime contractors will
ensure that a Contract Security Classification Specification, or
equivalent, is incorporated in each classified subcontract.
(i) When preparing classification guidance for a subcontract, the
prime contractor may extract pertinent information from:
(A) The Contract Security Classification Specification, or
equivalent, issued with the prime contract.
(B) Security classification guides issued with the prime contract.
(C) Any security guides that provide guidance for the classified
information furnished to, or that will be generated by, the
subcontractor.
(ii) The Contract Security Classification Specification, or
equivalent, prepared by the prime contractor will be certified by a
designated official of the contractor.
(iii) In the absence of exceptional circumstances, the
classification specification will not contain any classified
information. If classified supplements are required as part of the
Contract Security Classification Specification, or equivalent, they
will be identified and forwarded to the subcontractor by separate
correspondence.
(2) An original Contract Security Classification Specification, or
equivalent, will be included with each RFQ, RFP, IFB, or other
solicitation to ensure that the prospective subcontractor is aware of
the security requirements of the subcontract and can plan accordingly.
An original Contract Security Classification Specification, or
equivalent, will also be included in the subcontract awarded to the
successful bidder.
(3) A revised Contract Security Classification Specification, or
equivalent, will be issued as necessary during the lifetime of the
subcontract when the security requirements change.
(4) Requests for public release by a subcontractor will be
forwarded through the prime contractor to the GCA.
[[Page 83347]]
(c) Responsibilities upon completion of the subcontracts. (1) Upon
completion of the subcontract, the subcontractor may retain classified
material received or generated under the subcontract for a two-year
period, in accordance with the provisions in Sec. 117.13(d)(5).
(2) If retention is required beyond the two-year period, the
subcontractor must request written retention authority through the
prime contractor to the GCA, including the information required by
Sec. 117.15(j).
(3) If retention authority is approved by the GCA, the prime
contractor will issue a final Contract Security Classification
Specification, or equivalent, annotated to provide the retention period
and final disposition instructions.
(d) Notification of invalidation, marginal, or unsatisfactory
conditions. The prime contractor will be notified if the CSA discovers
marginal or unsatisfactory conditions at the subcontractor's facility
or if the CSA invalidates the subcontractor's facility clearance. Once
notified, the prime contractor will follow the instructions received on
what action, if any, should be taken in order to safeguard classified
material relating to the subcontract.
Sec. 117.18 Information system security.
(a) General. (1) Contractor information systems that are used to
capture, create, store, process, or distribute classified information
must be properly managed to protect against unauthorized disclosure of
classified information. The contractor will implement protective
measures using a risk-based approach that incorporates minimum
standards for their insider threat program in accordance with CSA-
provided guidance.
(2) The CSA will issue guidance based on requirements for federal
systems, pursuant to 44 U.S.C. Ch. 35 of subchapter II, also known as
the ``Federal Information Security Modernization Act,'' and as set
forth in National Institute of Standards and Technology (NIST) Special
Publication 800-37 (available at: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final), Committee on National Security Systems
(CNSS) Instruction 1253 (available at: https://www.cnss.gov/CNSS/openDoc.cfm?QwPYrAJ5Ldq+s+jvttTznQ==), and other applicable CNSS and
NIST publications (e.g., NIST Special Publication 800-53).
(b) Information system security program. The contractor will
maintain an information system security program that supports overall
information security by incorporating a risk-based set of management,
operational, and technical security controls in accordance with CSA-
provided guidance. The contractor will incorporate into the program:
(1) Policies and procedures that reduce information security risks
to an acceptable level and address information security throughout the
information system life cycle.
(2) Plans and procedures to assess, report, isolate, and contain
data spills and compromises, to include sanitization and recovery
methods.
(3) Information system security training for authorized users, as
required in CSA provided guidance.
(4) Policies and procedures that address key components of the
contractor's insider threat program, such as:
(i) User activity monitoring network activity, either automated or
manual.
(ii) Information sharing procedures.
(iii) A continuous monitoring program.
(iv) Protecting, interpreting, storing, and limiting access to user
activity monitoring automated logs to privileged users.
(5) Processes to continually evaluate threats and vulnerabilities
to contractor activities, facilities, and information systems to
ascertain the need for additional safeguards.
(6) Change control processes to accommodate configuration
management and to identify security relevant changes that may require
re-authorization of the information system.
(7) Methods to ensure users are aware of rights and
responsibilities through the use of banners and user agreements.
(c) Contractor responsibilities--(1) Certification. The contractor
will:
(i) Certify to the CSA that the security program for information
systems to process classified information addresses management,
operation, and technical controls in accordance with CSA-provided
guidelines.
(ii) Provide adequate resources to the information system security
program and organizationally align to ensure prompt support and
successful execution of a compliant information system security
program.
(2) ISSM. Contractors that are or will be processing classified
information on an information system will appoint an employee ISSM. The
contractor will confirm that the ISSM is adequately trained, has
sufficient experience, and possesses technical competence commensurate
with the complexity of the information system. The ISSM will:
(i) Oversee the development, implementation, and evaluation of the
contractor's information system program for contractor management,
information system personnel, users, and others as appropriate.
(ii) Coordinate with the contractor's insider threat senior program
official so that insider threat awareness is addressed in the
contractor's information system security program.
(iii) Develop, document, and monitor compliance of the contractor's
information system security program in accordance with CSA-provided
guidelines for management, operational, and technical controls.
(iv) Verify self-inspections are conducted at least every 12 months
on the contractor's information systems that process classified
information, and that corrective actions are taken for all identified
findings.
(v) Certify to the CSA in writing that the systems security plan
(SSP) is implemented for each authorized information systems, specified
in the SSP; the specified security controls are in place and properly
tested; and the information system continues to function as described
in the SSP.
(vi) Brief users on their responsibilities with regard to
information system security and verify that contractor personnel are
trained on the security restrictions and safeguards of the information
system prior to access to an authorized information system.
(vii) Develop and maintain security documentation of the security
authorization request to the CSA. Documentation may include:
(A) SSPs.
(B) Security assessment reports.
(C) Plans of actions and milestones.
(D) Risk assessments.
(E) Authorization decision letters.
(F) Contingency plans.
(G) Configuration management plans.
(H) Security configuration checklists.
(I) System interconnection agreements.
(3) Information systems security officer (ISSO). The ISSM may
assign an ISSO. If assigned, the ISSO will:
(i) Verify the implementation of the contractor's information
system security program as delegated by the ISSM.
(ii) Ensure continuous monitoring strategies and verify corrective
actions to the ISSM.
(iii) Conduct self-inspections and verify corrective actions to the
ISSM.
(4) Information system users. All information system users will:
(i) Comply with the information system security program
requirements as part of their responsibilities for protecting
classified information.
(ii) Be accountable for their actions on an authorized information
system.
[[Page 83348]]
(iii) Not share any authentication mechanisms (including passwords)
issued for the control of their access to an information system.
(iv) Protect authentication mechanisms at the highest
classification level and most restrictive classification category of
information to which the mechanisms permit access.
(v) Be subject to monitoring of their activity on any classified
network, understanding that the results of such monitoring can be used
against them in a criminal, security, or administrative proceeding or
action.
(vi) Notify the ISSM or ISSO when access to a classified system is
no longer required.
(d) Information system security life-cycle. The CSA-provided
guidance on the information system security life-cycle is based on the
risk management framework outlined in NIST special publication 800-37
that emphasizes:
(1) Building security into information systems during initial
development.
(2) Maintaining continuous awareness of the current state of
information system security.
(3) Keeping contractor management informed to facilitate risk
management decisions.
(4) Supporting reciprocity of information system authorizations.
(e) Risk management framework. The risk management framework is a
seven-step process used for managing information system security-
related risks. These steps will be used to help ensure security
capabilities provided by the selected security controls are
implemented, tested, validated, and approved by the USG authorizing
official with a degree of assurance appropriate for the information
system. This process accommodates an on-going risk mitigation strategy.
(1) Prepare. The contractor will execute essential activities at
the organization, mission and business process, and system levels of
the organization to help prepare the organization to manage its
security and privacy risks using the Risk Management Framework.
(2) Categorize. The contractor will categorize the information
system and the information processed, stored, and transmitted by the
information system based on an impact analysis. Unless imposed by
contract, the information system baseline is moderate-confidentiality,
low-integrity, and low-availability.
(3) Select. The contractor will select an initial set of baseline
security controls for the information system based on the security
categorization; tailoring and supplementing the security control
baseline as needed based on an organizational assessment of risk and
local conditions.
(4) Implement. The contractor will implement the security controls
and document how the controls are deployed within the information
system and the operational environment.
(5) Assess. The contractor will assess the security controls to
determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect
to meeting the security requirements for the information system. The
contractor will review and certify to the CSA that all systems have the
appropriate protection measures in place.
(6) Authorize. The CSA will use the information provided by the
contractor to make a timely, credible, and risk-based decision to
authorize the system to process classified information. The CSA must
authorize the system before the contractor can use the system to
process classified information.
(7) Monitor. The contractor will monitor and assess selected
security controls in the information system on an ongoing basis:
(i) Effectiveness of security controls.
(ii) Documentation of changes to the information system and the
operational environment.
(iii) Analysis of the security impact of changes to the information
system.
(iv) Making appropriate reports to the CSA.
(f) Unclassified information systems that process, store, or
transmit CUI. While outside the requirements of the NISPOM, contractors
will comply with contract requirements regarding contractor information
systems that process, store, or transmit CUI.
Sec. 117.19 International security requirements.
(a) General. This section provides information and procedures
governing the protection of classified information in international
programs.
(b) Disclosure of classified U.S. information to foreign
interests.--(1) Applicable federal law. The transfer of articles,
services, and related data to a foreign person, within or outside the
United States, or the movement of such material or information to any
destination outside of the legal jurisdiction of the United States
constitutes an export. Depending on the nature of the articles or data,
most exports are pursuant to (1) 22 U.S.C. chapter 39, also known and
referred to in this rule as the ``Arms Export Control Act,'' (2) 50
U.S.C. 4801 et seq., also known as the ``Export Control Reform Act of
2018,'' or (3) the AEA. This section applies to those exports that
involve classified information.
(2) Security agreements.--(i) Bilateral security agreements (e.g.,
General Security of Information Agreements and General Security of
Military Information Agreements) are negotiated with various foreign
governments. Confidentiality requested by some foreign governments
prevents a listing of the countries that have executed these
agreements. The bilateral security agreement, negotiated through
diplomatic channels:
(A) Requires that each government provide substantially the same
degree of protection to classified information released by the other
government.
(B) Contains provisions concerning limits on the use of each
government's information, including restrictions on third-party
transfers and proprietary rights.
(C) Does not commit governments to share classified information,
nor does it constitute authority to release classified material to that
government.
(D) Satisfies, in part, the eligibility requirements of the Arms
Export Control Act concerning the agreement of the recipient foreign
government to protect U.S. classified defense articles and classified
information.
(ii) The applicable CSA will provide a mechanism for contractors to
access, for official purposes, classified general security agreements.
(iii) Industrial security agreements have been negotiated with
certain foreign governments that identify the procedures to be used
when foreign government classified information is provided to U.S.
industry and UUSG classified information is provided to foreign defense
industry.
(3) Authorization for disclosure. The GCA will provide disclosure
guidance.
(i) Contractors will only disclose non-public USG information to
foreign persons in accordance with specified requirements of the
contract. In the absence of any specified requirements the contractor
will not disclose non-public USG information to foreign persons.
(ii) Disclosure authorization may be in the form of an export
license or other export authorization by a cognizant export authority.
(iii) The contractor may not use disclosure guidance provided by
the GCA for a previous contract or program unless so instructed in
writing by the GCA or the licensing authority.
(iv) Disclosure and export of classified information, authorized by
an appropriate USG disclosure official, by a contractor will ensure the
following:
[[Page 83349]]
(A) International agreements. Contractors may not disclose
classified information until agreements are signed by the participating
government and disclosure guidance and security arrangements are
established. The export of technical data pursuant to such agreements
may be exempt by approval of the Department of State or the Department
of Commerce.
(B) Symposia, seminars, exhibitions, and conferences. Contractors
must assure that any foreign nationals who will be attending a
classified gathering have the appropriate export license, disclosure
authority, and security assurance on file.
(C) Visits by foreign nationals to the contractor. The contractor
will limit disclosure of classified information to that specific
information authorized in connection with an approved visit request and
an export authorization, as required.
(D) Temporary exports. Classified articles, including articles that
require the use of classified information for operation, exported for
demonstration purposes must remain under U.S. control. The contractor
must obtain an export authorization from the relevant authority (i.e.,
from the Department of State in accordance with 22 CFR parts 120-130,
also known as and referred to in this rule as the ``International
Traffic in Arms Regulations,'' or from the Department of Commerce in
accordance with 15 CFR parts 730-774, also known as the ``Export
Administration Regulations'').
(4) Direct commercial arrangements. (i) The disclosure of
classified information may be authorized pursuant to a direct
commercial sale with the appropriate export authorization. A direct
commercial arrangement includes sales, loans, leases, or grants of
classified items, including sales under a government agency sales
financing program.
(ii) If a proposed disclosure is in support of a foreign government
requirement, the contractor should consult with U.S. in-country
officials, normally the U.S. Security Assistance/Armaments Cooperation
Office or Commercial Counselor.
(A) Before a contractor makes a proposal to a foreign interest that
involves the eventual disclosure of U.S. classified information, the
contractor must obtain appropriate government disclosure authorization.
(B) Such disclosure authorization does not equate with
authorization for export. Export authorization must be obtained from
the appropriate regulatory body.
(iii) The contractor will request a FCL assurance for a foreign
entity through the CSA from the security authority of the foreign
entity's sponsoring government prior to entering into a contractual
arrangement with the foreign entity.
(5) Subcontract security provisions. (i) A U.S. contractor may be
authorized to enter into an agreement involving classified information
with a foreign contractor. The U.S. contractor's empowered official
will verify the contractor can release the information to a foreign
person. Such agreements may include:
(A) Award of a subcontract.
(B) Department of State authorized manufacturing license agreement,
technical assistance agreement, or other direct commercial arrangement.
(ii) The contractor will incorporate security provisions into the
subcontract document or agreement, and provide security classification
guidance by means of a Contract Security Classification Specification,
or equivalent.
(iii) The contractor will provide a copy of the signed contract
with the provisions and the classification guidance to the CSA.
(iv) If the export authorization specifies that additional security
arrangements are necessary for performance on the contract, the
contractor will incorporate those additional arrangements by
appropriate provision in the contract or in a separate security
document.
(v) The contractor will prepare and maintain a written record that
identifies the originator or source of classified information that will
be used in providing classified defense articles, material or services
to foreign customers. The contractor will maintain this listing with
the contractor's record copy of the pertinent export authorization.
(vi) The contractor will include the security provisions in
accordance with paragraph (b)(5) in this section in all contracts and
subcontracts involving classified information that are awarded to
foreign contractors. Contractors must insert the bracketed contract
specific information (e.g., applicable country and disposition of
classified material) where noted, when using the following security
clauses in the contract.
(A) All classified information and material furnished or generated
under the contract will be protected to ensure that:
(1) The recipient will not release the information or material to
any third party without disclosure authorization and export
authorization, as appropriate.
(2) The recipient will afford the information and material a degree
of protection equivalent to that afforded it by the releasing
government.
(3) The recipient will not use the information and material for
other than the purpose for which it was furnished without the prior
written consent of the releasing government.
(B) Classified information and material furnished or generated
under this contract will be transferred through government channels or
other channels specified in writing by the governments of the United
States and [insert applicable country]. It will only be transferred to
persons who have an appropriate security clearance and an official need
for access to the information in order to perform on the contract.
(C) Classified information and material furnished under the
contract will be re-marked by the recipient with its government's
equivalent security classification markings.
(D) Classified information and material generated under the
contract must be assigned a security classification as specified by the
Contract Security Classification Specifications, or equivalent,
provided with this contract.
(E) All cases in which it is known or there is reason to believe
that classified information or material furnished or generated under
the contract has been lost or disclosed to unauthorized persons will be
reported promptly and fully by the contractor to its government's
security authorities.
(F) Classified information and material furnished or generated
pursuant to the contract will not be further provided to another
potential contractor or subcontractor unless:
(1) A potential contractor which is located in the United States or
[insert applicable country] has been approved for access to classified
information and material by the USG or [insert applicable country]
security authorities; or
(2) If located in a third country, prior written USG consent is
obtained.
(G) Upon completion of the contract, all classified material
furnished or generated pursuant to the contract will be [insert whether
the material is to be returned or destroyed, or provide other
instructions].
(H) The recipient contractor will insert terms that substantially
conform to the language of these provisions, including this one, in all
subcontracts under this contract that involve access
[[Page 83350]]
to classified information furnished or generated under this contract.
(c) FGI.--(1) General. The contractor will notify the csa when
awarded contracts by a foreign interest that will involve access to
classified information. The csa will oversee and ensure implementation
of the security requirements of the contract on behalf of the foreign
government, including the establishment of channels for the transfer of
classified material.
(2) Contract security requirements. The foreign entity that awards
a classified contract is responsible for providing appropriate security
classification guidance and any security requirements clauses. The
contractor will report to the CSA when a foreign entity fails to
provide classification guidance.
(3) Marking foreign government classified material. Foreign
government classified material will be marked in accordance with Sec.
117.14(l).
(4) Foreign Government RESTRICTED Information and ``In Confidence''
Information. Foreign government RESTRICTED information and ``in
confidence'' information will be marked in accordance with Sec.
117.14(m).
(5) Marking U.S. documents containing FGI. U.S. documents
containing FGI will be marked in accordance with Sec. 117.14(n).
(6) Marking documents prepared for foreign governments. Marking
documents prepared for foreign governments will be marked in accordance
with Sec. 117.14(o).
(7) Storage and control. Contractors will store foreign government
material and control access generally in the same manner as U.S.
classified material of an equivalent classification. Contractors will
store foreign government material in a manner that will separate it
from other material. Separation can be accomplished by establishing
distinct files in a storage container or on an information system.
(8) Disclosure and use limitations. (i) FGI is provided by the
foreign government to the United States. The contractor will:
(A) Not disclose FGI to nationals of a third country, or to any
other third party, or use it for any purpose other than that for which
it was provided without the prior written consent of the originating
foreign government.
(B) Submit requests for other uses or further disclosure to the GCA
for U.S. contracts, and through the CSA for direct commercial
contracts.
(ii) Approval of the request by the foreign government does not
eliminate the requirement for the contractor to obtain an export
authorization.
(9) Transfer. The contractor will transfer FGI within the United
States and its territories using the same channels as specified for
U.S. classified information of an equivalent classification, except
that contractors cannot use non-cleared express overnight carriers for
FGI.
(10) Reproduction. The reproduction of foreign government TOP
SECRET or equivalent information requires the written approval of the
originating government.
(11) Disposition. The contractor:
(i) Will destroy FGI on completion of the contract unless the
contract specifically authorizes retention or return of the information
to the U.S. GCA or foreign government that provided the information.
(ii) Must witness the destruction of TOP SECRET, execute a
destruction certificate, and retain the destruction certificate for two
years.
(12) Reporting of improper receipt of foreign government material.
The contractor will report improper receipt of foreign government
material in accordance with Sec. 117.8(c)(13).
(13) Subcontracting. Subcontracting procedures will be in
accordance with Sec. 117.17(a)(4).
(d) International transfers of classified material.--(1) General.
This paragraph (d) contains the procedures for international transfers
of classified material through government-to-government channels or
other arrangements agreed to by the governments involved, otherwise
referred to as government-to-government transfers. The requirements in
this paragraph (d) do not apply to the transmission of classified
material to usg activities outside the united states.
(i) All international transfers of classified material must take
place through channels approved by both governments. U.S. control of
classified material must be maintained until the material is officially
transferred to the intended recipient government through its designated
government representative (DGR).
(ii) To ensure government control, written transmission
instructions must be prepared for all international transfers of
classified material. The contractor is responsible for the preparation
of instructions for direct commercial arrangements, and the GCA will
prepare instructions for government arrangements.
(iii) The contractor will contact the CSA at the earliest possible
stage in deliberations that will lead to the international transfer of
classified material. The CSA will advise the contractor on the transfer
arrangements, identify the recipient government's DGR, appoint a U.S.
DGR, and ensure that the transportation plan prepared by the contractor
or foreign government is adequate.
(iv) The contractor's empowered official is responsible for
requests for all export authorizations, including ones that will
involve the transfer of classified information.
(2) Transfers of freight.--(i) Transportation plan (TP). (A) A
requirement to prepare a TP will be included in each arrangement that
involves the international transfer of classified material as freight.
The TP will:
(1) Describe requirements for the secure shipment of the material
from the point of origin to the ultimate destination.
(2) Provide for security requirements in the event the transfer
cannot be made promptly.
(B) The U.S. and recipient government DGRs will be identified in
the TP as well as any requirement for an escort. When there are to be
repetitive shipments, a notice of classified consignment will be used.
(ii) Government agency arrangements. Classified material to be
furnished to a foreign government under such transactions normally will
be shipped via government agency-arranged transportation and be
transferred to the foreign government's DGR within the recipient
government's territory.
(A) The government agency that executes the arrangement is
responsible, in coordination with the recipient foreign government, for
preparing a TP.
(B) When the point of origin is a U.S. contractor facility, the GCA
will provide the contractor with a copy of the TP and the applicable
letter of offer and acceptance. If a freight forwarder will be involved
in processing the shipment, the GCA will provide a copy of the TP to
the freight forwarder.
(C) Commercial arrangements. (1) The contractor will prepare a TP
in coordination with the receiving government. This requirement applies
whether the material is moved by land, sea, or air, and applies to U.S.
and foreign classified contracts.
(2) After the CSA approves the TP, the CSA will forward it to the
recipient foreign government security authorities for final
coordination and approval. The CSA will notify the contractor upon the
concurrence by the respective parties.
(D) International carriers. The international transfer of
classified material will be made using only ships, aircraft, or other
carriers that:
(1) Are owned or chartered by the USG or under U.S. registry;
[[Page 83351]]
(2) Are owned or chartered by or under the registry of the
recipient government; or
(3) Are other than those described that are expressly authorized to
perform this function in writing by the Designated Security Authority
of the GCA and the security authorities of the foreign government
involved. This authority cannot be delegated and this exception may be
authorized only when a carrier described in paragraph (d)(2)(iv)(A) or
(d)(2)(iv)(B) in this section is not available and an urgent
operational requirement dictates use of the exception.
(E) Escorts. (1) The contractor must provide escorts for
international shipments of SECRET or CONFIDENTIAL material by air.
(2) Escorts must have an eligibility determination and access to
classified information at the classification level of the material
being shipped.
(3) Escorts are responsible for ensuring that the classified
material being shipped is safeguarded in the event of an emergency stop
en route, re-routing of the aircraft, or in the event that the
recipient government's representative fails to meet the shipment at its
destination.
(4) The contractor does not have to provide escorts if:
(i) The classified material is shipped by the Defense
Transportation System or a U.S. military carrier.
(ii) The recipient government DGR has signed for the receipt of the
classified material within the United States.
(iii) The classified material is shipped via a military carrier of
the recipient government or a carrier owned by or registered to the
recipient government.
(iv) The classified material is shipped via a cleared U.S.
commercial freight carrier, so long as the contractor has a written
agreement from the U.S. commercial freight carrier to provide an escort
who is eligible for access to classified information and has access to
classified information at the classification level of the material
being shipped.
(v) There are exceptional circumstances, and procedures have been
approved by both the USG and the recipient government.
(3) Secure communications plan. (i) The contractor is required to
meet all requirements outlined in this section, as applicable, for the
secure communications plan.
(ii) The secure communications plan may be approved within a
program security instruction, SSP, or a government to government
agreement by the designated security authorities. A separate memorandum
of understanding or memorandum of agreement is not required.
(iii) Additionally, an SSP must be authorized in accordance with
Sec. 117.18 and the CSA provided guidance.
(4) Return of material for repair, modification, or maintenance.
(i) A foreign government or foreign contractor may return classified
material to a U.S. contractor for repair, modification, or maintenance.
(ii) The approved methods of return will be specified in either the
GCA sales arrangement, the security requirements section of a direct
commercial sales arrangement or, in the case of material transferred as
freight, in the original TP.
(iii) The contractor, on receipt of notification that classified
material is to be received, will notify the applicable CSA.
(5) Use of freight forwarders. (i) A commercial freight forwarder
may be used to arrange for the international transfer of classified
material as freight.
(A) The freight forwarder must be under contract to a USG agency,
U.S. contractor, or the recipient foreign government.
(B) The contract will describe the specific functions to be
performed by the freight forwarder.
(C) The responsibility for security and control of the classified
material that is processed by freight forwarders remains with the USG
until the freight is transferred to a DGR of the recipient government.
(ii) Only freight forwarders that have a valid determination of
eligibility for access to classified information and storage capability
for classified material at the appropriate level are eligible to take
custody or possession of classified material for delivery as freight to
foreign recipients. Freight forwarders that only process unclassified
paperwork and make arrangements for the delivery of classified material
to foreign recipients do not require an eligibility determination for
access to classified information.
(iii) A freight forwarder cannot serve as a DGR.
(6) Hand carrying classified material. To meet contractual
requirements, the CSA may authorize contractor employees to hand carry
classified material outside the United States. SECRET is the highest
level of classified material to be carried and it must be of such size
and weight that the courier can retain it in his or her possession at
all times.
(i) The CSA will ensure that the contractor has made necessary
arrangements with U.S. airport security and customs officials and that
security authorities of the receiving government approve the plan. If
the transfer is under a contract or a bilateral or multinational
government program, the GCA will approve the request in writing. The
contractor will notify the CSA of a requirement to hand carry at least
5 working days in advance of the transfer.
(ii) The courier must be a full-time employee of the dispatching or
receiving contractor who has been determined eligible and has been
granted access to classified information.
(iii) The employing contractor will provide the courier with a
courier certificate that is consecutively numbered and valid for one
journey only. The journey may include more than one stop if approved by
the CSA and secure government storage has been arranged at each stop.
The courier will return the courier certificate to the dispatching
contractor immediately on completion of the journey.
(iv) Before commencement of each journey, the courier will read and
initial the notes to the courier attached to the courier certificate
and sign the courier declaration. The contractor will maintain the
declaration until completion of the next CSA security review.
(v) The dispatching contractor will inventory, wrap, and seal the
material in the presence of the U.S. DGR. The contractor will place the
address of the receiving security office and the return address of the
dispatching contractor security office on the inner envelope or
wrapping and mark it with the appropriate classification. The
contractor will place the address of the receiving government's DGR on
the outer envelope or wrapping along with the return address of the
dispatching contractor.
(vi) The dispatching contractor will prepare three copies of a
receipt based on the inventory and list the classified material that is
being sent. The dispatching contractor will retain one copy of the
receipt. The contractor will pack the other two copies with the
classified material. The contractor will obtain a receipt for the
sealed package from the courier.
(vii) The dispatching contractor will provide the receiving
contractor with 24 work hours advance notification of the anticipated
date and time of the courier's arrival and the identity of the courier.
The receiving contractor must notify the dispatching contractor if the
courier does not arrive within 8 hours of the expected time of arrival.
The dispatching contractor will notify its DGR of any delay, unless
officially notified otherwise of a change in the courier's itinerary.
[[Page 83352]]
(viii) The receiving DGR will verify the contents and sign the
receipts enclosed in the consignment. The receiving DGR will return one
copy to the courier. On return, the courier will provide the executed
receipt to the dispatching contractor.
(ix) Throughout the journey, the courier will maintain the
classified material under direct personal control. The courier will not
leave the material unattended at any time during the journey, in the
transport being used, in hotel rooms, in cloakrooms, or other such
location, and will not deposit it in hotel safes, luggage lockers, or
in luggage offices. In addition, the courier will not open envelopes or
packages containing the classified material en route, unless required
by customs or other government officials.
(x) When inspection by government officials is unavoidable, the
courier will request that the officials provide written verification
that they have opened the package. The courier will notify their
employing contractor as soon as possible. The contractor will notify
the U.S. DGR. If the inspecting officials are not of the same country
as the dispatching contractor, the CSA will notify the designated
security authority in the country whose officials inspected the
consignment. Under no circumstances will the courier hand over the
classified material to customs or other officials for their custody.
(xi) When carrying classified material, the courier will not travel
by surface routes through third countries, except as authorized by the
CSA. The courier will travel only on carriers described in paragraph
(d)(2)(iv) in this section, and will travel direct routes between the
United States and the destination.
(7) Classified material receipts. (i) The U.S. DGR and the DGR of
the ultimate foreign recipient will maintain a continuous chain of
receipts to record international transfers of all classified material
from the contractor through the dispatching DGR and recipient DGR to
the ultimate foreign recipient. The dispatching contractor will retain:
(A) An active suspense record until return of applicable receipts
for the material.
(B) A copy of the external receipt that records the passing of
custody of the package containing the classified material and each
intermediate consignee in a suspense file until the receipt that is
enclosed in the package is signed and returned.
(ii) The contractor will initiate follow-up action through the CSA
if the signed receipt is not returned within 45 days.
(8) Contractor preparations for international transfers of
classified material pursuant to direct commercial and foreign military
sales. To prepare for international transfers the contractor will:
(i) Identify each party to be involved in the transfer in the
applicable contract or agreement and in the license application or
letter request.
(ii) Notify the appropriate U.S. DGR when the material is ready.
(iii) When the classified material is also ITAR-controlled, provide
documentation or written certification by an empowered official (as
defined in the ITAR) to the U.S. DGR. This documentation must verify
that the classified shipment is within the limitation scope of the
pertinent export authorization or an authorized exemption to the export
authorization requirements, or is within the limitations of the
pertinent GCA contract.
(iv) Have the classified shipment ready for visual review and
verification by the DGR. As a minimum this will include:
(A) Preparing the packaging materials, address labels, and receipts
for review.
(B) Marking the contents with the appropriate U.S. classification
or the equivalent foreign government classification, downgrading, and
declassification markings, as applicable.
(C) Ensuring that shipping documents (including, as appropriate,
the shipper's export declaration) include the name and contact
information for the CSA that validates the license or letter
authorization, and the FSO or designee for the particular transfer.
(D) Sending advance notification of the shipment to the CSA, the
recipient, and to the freight forwarder, if applicable. The
notification will require that the recipient confirm receipt of the
shipment or provide notice to the contractor if the shipment is not
received in accordance with the prescribed shipping schedule.
(9) Transfers pursuant to an ITAR exemption. (i) The contractor
will provide to the DGR valid documentation (i.e., license, export
authorization, letter of offer and acceptance, or agreement) to verify
the export authorization for classified technical data information or
certain defense articles to be transferred under an exemption to the
ITAR exemption. The documentation must include a copy of the Department
of State Form DSP-83 associated with the original export authorization.
(ii) Classified technical data information or certain defense
articles to be exported pursuant to ITAR exemptions will be supported
by a written authorization signed by an authorized exemption official
or exemption certifying official who has been appointed by the GCA's
responsible disclosure authority.
(A) The contractor will provide a copy of the authorization to the
CSA.
(B) The CSA will provide a copy of the authorization to the
Department of State Directorate of Defense Trade Controls (DDTC).
(e) International visits.--(1) General. (i) The contractor will
establish procedures to monitor international visits by their employees
and visits or assignments of foreign nationals to the contractor
location. Doing so will ensure that the disclosure of, and access to,
classified export-controlled articles related to classified information
are limited to those that are approved by an export authorization.
(ii) Contractors cannot use visit authorizations to employ or
otherwise acquire the services of foreign nationals that require access
to export-controlled information. An export authorization is required
for such situations.
(2) International visits by U.S. contractor employees.--(i) Types
and purpose of international visits.--(A) One-time visits. A visit for
a single, short-term occasion (normally 30 days or fewer) for a
specified purpose.
(B) Recurring visits. Intermittent, recurring visits over a
specified period of time, normally up to one year in duration, in
support of a government-approved arrangement, such as an agreement,
contract, or license. By agreement of the governments, the term of the
authorization may be for the duration of the arrangement, subject to
annual review, and validation.
(C) Long-term visits. A single visit for an extended period of
time, normally up to one year, in support of an agreement, contract, or
license.
(D) Emergency visits. A visit related to a specific government-
approved contract, international agreement or announced request for
proposal, and failure to make the visit could be reasonably expected to
seriously jeopardize performance on the contract or program, or result
in the loss of a contract opportunity.
(ii) Requests for visits. Visit requests are necessary to make
administrative arrangements and disclosure decisions and obtain
security assurances.
(A) Many foreign governments require the submission of a visit
request for all visits to a government facility or a cleared contractor
facility, even though classified information may not be involved. They
may also require that the requests be received a specified number of
days in advance of the visit.
(B) The contractor can obtain information pertaining to the visit
[[Page 83353]]
requirements of other governments and the NATO from the CSA. The
contractor must obtain an export authorization if classified export
controlled articles or technical data is to be disclosed or if
information to be divulged is related to a classified USG program,
unless the disclosure of the information is covered by other
agreements, authorizations, or exemptions.
(iii) Request format. Contractors will request a visit request
template from the CSA. The contractor will forward the visit request to
the security official designated by the CSA. The host for the visit
should coordinate the visit in advance with appropriate government
authorities who are required to approve the visit. It is the visitor's
responsibility to ensure that such coordination has occurred.
(iv) Government agency programs. The contractor will submit a visit
request when contractor employees are to visit foreign government
facilities or foreign contractors on USG orders in support of a
government contract or agreement.
(v) Requests for emergency visits. The requester will include in
the emergency visit request, and any other requirements in accordance
with applicable CSA guidance:
(A) The complete name, position, address, and telephone number of
the person to be visited.
(B) A knowledgeable foreign government point of contact.
(C) The identification of the contract, agreement, or program and
the justification for submission of the emergency visit request.
(vi) Requests for recurring visits. Contractors will request
recurring visit authorizations at the beginning of each program. After
approval of the request, the contractor may arrange individual visits
directly with the security office of the location to be visited subject
to 5 working days advance notice.
(vii) Amendments. (A) Once visit requests have been approved or are
being processed, the contractor may amend them only to change, add, or
delete names and change dates.
(B) The contractor cannot amend visit requests to specify dates
that are earlier than originally specified.
(C) The contractor cannot amend emergency visit authorizations.
(3) Classified visits by foreign nationals to U.S. contractors.--
(i) Requests for classified visits. Requests for visits by foreign
nationals to U.S. contractors that will involve the disclosure of
classified information may require authorization by the Department of
State. Classified visits by foreign nationals must be processed by
government national security authorities on behalf of the contractor
through the sponsoring foreign government (normally the visitor's
embassy) to the USG for approval.
(ii) USG approval. The USG may approve or deny the request or
decline to render a decision.
(A) USG-Approved Visits. (1) USG approved classified visits cannot
be used to avoid the export licensing requirements for commercial
initiatives.
(2) When the cognizant USG agency approves a classified visit, the
notification of approval will contain instructions on the level and
scope of classified and unclassified information authorized for
disclosure, as well as any limitations.
(3) Final acceptance for the visit will be subject to the
concurrence of the contractor. The contractor will notify the USG
agency when a classified visit is not desired.
(B) Visit request denials. (1) If the USG agency does not approve
the disclosure of the information related to the proposed classified
visit, it will deny the classified visit request. The USG agency will
advise the requesting government and the contractor to be visited of
the reason for the denial.
(2) The contractor may accept the visitor(s), but only information
that is in the public domain may be disclosed during the classified
visit.
(C) Non-sponsorship. The USG agency will decline to render a
decision on a classified visit request that is not in support of a USG
program. The USG agency will furnish a declination notice indicating
that the classified visit is not USG-approved (i.e., the classified
visit is non-sponsored) to the requesting foreign government with an
information copy to the U.S. contractor to be visited.
(1) A declination notice does not preclude the classified visit,
provided the contractor has, or obtains, an export authorization for
the information involved and, has been notified that the requesting
foreign government has provided the required security assurance of the
proposed visitor to the USG agency in the original classified visit
request.
(2) It is the contractor's responsibility to consult applicable
export regulations to determine licensing requirements regarding the
disclosure of export-controlled information during such classified
visits by foreign nationals.
(D) Visits to subsidiaries. A classified visit request
authorization for a classified visit to any element of a corporate
family may be used for visits to other divisions or subsidiaries within
the same corporate family in accordance with Sec. 117.15(h)(3),
provided disclosures are for the same purpose and the information to be
disclosed does not exceed the parameters of the approved classified
visit request.
(E) Long-term classified visits and assignments of foreign
nationals. Extended classified visits and assignments of foreign
nationals to contractor locations can be authorized only when it is
essential pursuant to a contract or government agreement (e.g., joint
venture, liaison representative to a joint or multinational program,
and direct commercial sale). The contractor will:
(1) Consult with its empowered official for guidance.
(2) Notify the CSA in advance of all long-term classified visits
and assignments of foreign nationals.
(3) Provide the CSA with a copy of the approved classified visit
authorization or the USG export authorization.
(4) Control of foreign visitors to U.S. contractors.--(i)
Contractor. The contractor will:
(A) Establish procedures to ensure that foreign visitors are not
afforded access to classified information except as authorized by an
export license, approved visit request, or other exemption to the
licensing requirements.
(B) Not inform the foreign visitor of the scope of access
authorized or of the limitations imposed by the government.
(ii) Foreign visitors. Foreign visitors will not be given custody
of classified material except when they are acting as official couriers
of the government and the CSA authorizes the transfer.
(iii) Visitor records. The contractor will maintain a record of
foreign visitors for one year when the visit involves access to
classified information.
(iv) Temporary approval of safeguarding. (A) Classified U.S. and
foreign government material at a U.S. contractor location is to remain
under U.S. contractor custody and control and is subject to self-
inspection and CSA security reviews.
(B) This does not preclude the contractor from furnishing a foreign
visitor with a security container for the temporary storage of
classified material, consistent with the purpose of the visit or
assignment, provided the CSA approves and responsibility for the
container and its contents remains with the U.S. contractor.
(1) The CSA may approve exceptions to this policy on a case-by-case
basis for the storage of foreign government classified information
furnished to the visitor by the visitor's government through government
channels.
(2) The CSA must approve such exceptions in advance in writing with
[[Page 83354]]
agreement from the visitor's government. The agreed procedures will be
included in the contractor's TCP, will require the foreign nationals to
provide receipts for the material, and will include an arrangement for
the CSA to ensure compliance, including provisions for the CSA to
inspect and inventory the material.
(v) TCP. A TCP is required to control access by foreign nationals
assigned to, or employed by, cleared contractor facilities, and when
foreign nationals visit cleared contractor facilities on a long-term or
extended basis, unless the CSA determines that procedures already in
place at the contractor's facility are adequate. The TCP will contain
procedures to control access for all export-controlled information. A
sample TCP may be obtained from the CSA.
(f) Contractor operations abroad.--(1) Access by contractor
employees assigned outside the United States. (i) Contractor employees
assigned outside the United States, its possessions, or territories may
have access to classified information in connection with performance on
a specified U.S., NATO, or foreign government classified contract.
(ii) The assignment of an employee who is a non-U.S. citizen
outside the United States on programs that will involve access to
classified information is prohibited.
(2) Storage, custody, and control of classified information abroad
by contractor employees. (i) The USG is responsible for the storage,
custody, and control of classified information required by a U.S.
contractor employee abroad. Therefore, the storage of classified
information by contractor employees at any location abroad that is not
under USG control is prohibited. The storage may be at a U.S. military
facility, an American Embassy or consulate, or other location occupied
by a USG organization.
(ii) A contractor employee may be furnished a security container to
temporarily store classified material at a USG agency overseas
location. The decision to permit a contractor to temporarily store
classified information must be approved in writing by the senior
security official for the USG host organization.
(iii) A contractor employee may be permitted to temporarily remove
classified information from an overseas USG-controlled facility when
necessary for the performance of a GCA contract or pursuant to an
approved export authorization.
(A) The responsible USG security official at the facility will
verify that the contractor has an export authorization or other written
USG approval to have the material, verify the need for the material to
be removed from the facility, and brief the employee on handling
procedures.
(1) In such cases, the contractor employee will sign a receipt for
the classified material.
(2) Arrangements will also be made with the USG custodian for the
return and storage of the classified material during non-duty hours.
(B) The security office at the USG facility will report violations
of this policy to the applicable CSA.
(iv) A contractor employee will not store classified information at
overseas divisions or subsidiaries of U.S. entities incorporated or
located in a foreign country.
(A) The divisions or subsidiaries may possess classified
information that has been transferred to the applicable foreign
government through government-to-government channels pursuant to an
approved export authorization or other written USG authorization.
(B) Access to this classified information at such locations by a
U.S. contractor employee assigned abroad by the parent facility on a
visit authorization in support of a foreign government contract or
subcontract, is governed by the laws and regulations of the country in
which the division or subsidiary is registered or incorporated. The
division or subsidiary that has obtained the information from the
foreign government will provide the access.
(v) U.S. contractor employees assigned to foreign government or
foreign contractor locations under a direct commercial sales
arrangement will be subject to the host-nation's industrial security
policies.
(3) Transmission of classified material to employees abroad. The
transmission of classified material to a cleared contractor employee
located outside the United States will be through USG channels.
(i) If the material is to be used for other than USG purposes, an
export authorization is required and a copy of the authorization,
validated by the DGR, will accompany the material. The material will be
addressed to a U.S. military organization or other USG organization
(e.g., an embassy).
(ii) USG organization abroad will be responsible for custody and
control of the material.
(4) Security briefings. An employee being assigned outside the
United States will be briefed on the security requirements of his or
her assignment, including the handling, disclosure, and storage of
classified information overseas.
(g) NATO information security requirements.--(1) General. This
section provides the security requirements needed to comply with the
procedures established by the U.S. Security Authority for NATO Affairs
Instruction 1-07 (available at: http://archives.nato.int/informationobject/browse?topLod=0&query=United+States+Security+Authority+for+NATO+Affairs+Instruction+1-07) for safeguarding NATO information provided to U.S.
industry.
(2) NATO security classification levels.
Table 1 to Paragraph (g)(2) NATO Security Classification Levels
------------------------------------------------------------------------
NATO security classification Classification level
------------------------------------------------------------------------
COSMIC TOP SECRET...................... Top Secret.
NATO SECRET............................ Secret.
NATO CONFIDENTIAL...................... Confidential.
NATO RESTRICTED \1\.................... Does not correspond to an
equivalent U.S.
classification.
------------------------------------------------------------------------
\1\ Pursuant to applicable NATO security regulations and United States
Security Authority, NATO Instruction 1-07, security accreditation may
be delegated to contractors for information systems processing only
NATO RESTRICTED information. The contractor will be responsible for
executing specific provisions under contract for the accreditation of
such systems, and shall provide the Contracting Authority with a
written statement confirming the information system has been
accredited in compliance with the minimum requirements established in
the contract security clause or contract Security Aspects Letter.
(3) ATOMAL Classification Markings. ATOMAL is a marking applied to
U.S. RESTRICTED DATA or FORMERLY RESTRICTED DATA and UK Atomic
information that has been released to the NATO.
[[Page 83355]]
Table 2 to Paragraph (g)(3) ATOMAL Classification Markings
------------------------------------------------------------------------
ATOMAL marking Classification level
------------------------------------------------------------------------
COSMIC TOP SECRET ATOMAL............... Top Secret.
NATO SECRET ATOMAL..................... Secret.
NATO CONFIDENTIAL ATOMAL............... Confidential.
------------------------------------------------------------------------
(4) NATO contracts. NATO contracts involving NATO-unique systems,
programs, or operations are awarded by a NATO Production and Logistics
Organization (NPLO), a designated NATO Management Agency, the NATO
Research Staff, or a NATO Command. In the case of NATO infrastructure
projects (e.g., airfields, communications), the NATO contract is
awarded by a contracting agency or prime contractor of the NATO nation
responsible for the infrastructure project.
(5) NATO facility security clearance certificate (FSCC). A NATO
FSCC is required for a contractor to negotiate or perform on a NATO
classified contract.
(i) A U.S. entity qualifies for a NATO FSCC if it has an equivalent
U.S. entity eligibility determination and its personnel have been
briefed on NATO procedures.
(ii) The CSA will provide the NATO FSCC to the requesting activity.
(iii) A NATO FSCC is not required for GCA contracts involving
access to NATO classified information.
(6) Eligibility for personnel access to classified information.
Access to NATO classified information requires a final determination
that an individual is eligible for access to classified information at
the equivalent level.
(7) NATO briefings. Before having access to NATO classified
information, the contractor will give employees a NATO security
briefing that covers the requirements of this section and the
consequences of negligent handling of NATO classified information. A
representative of the CSA will give the initial briefing to the
contractor. The contractor must conduct annual refresher briefings.
(i) When access to NATO classified information is no longer
required, the contractor will debrief the employees. The employees will
sign a certificate stating that they have been briefed or debriefed, as
applicable, and acknowledge their responsibility for safeguarding NATO
information.
(ii) The contractor will maintain certificates for two years for
NATO SECRET and CONFIDENTIAL, and three years for COSMIC TOP SECRET and
all ATOMAL information. The contractor will maintain a record of all
NATO briefings and debriefings in the CSA-designated database.
(8) Access to NATO classified information by foreign nationals.
Foreign nationals of non-NATO nations may have access to NATO
classified information only with the consent of the NATO Office of
Security and the contracting activity.
(i) Requests will be submitted to the Central U.S. Registry (CUSR).
(ii) Access to NATO classified information may be permitted for
citizens of NATO member nations, provided a NATO security clearance
certificate is provided by their government and they have been briefed.
(9) Subcontracting for NATO contracts. The contractor will obtain
prior written approval from the NATO contracting activity and a NATO
FSCC must be issued prior to awarding the subcontract. The contractor
will forward the request for approval through the CSA.
(10) Preparing and marking NATO documents. All classified documents
created by a U.S. contractor will be portion-marked. Any portion
extracted from a NATO document that is not portion marked, must be
assigned the classification that is assigned to the NATO document.
(i) All U.S.-originated NATO classified documents will bear an
assigned reference number and date on the first page. The reference
numbers will be assigned as follows:
(A) The first element will be the abbreviation for the name of the
contractor.
(B) The second element will be the abbreviation for the highest
classification followed by a hyphen and the 4-digit sequence number for
the document within that classification that has been generated for the
applicable calendar year.
(C) The third element will be the year; e.g., MM/NS-0013/17.
(ii) COSMIC TOP SECRET, NATO SECRET, and ATOMAL documents will bear
the reference number on each page and a copy number on the cover or
first page.
(A) Copies of NATO documents will be serially numbered.
(B) Pages will be numbered.
(C) The first page, index, or table of contents will include a
list, including page numbers, of all annexes and appendices.
(D) The total number of pages will be stated on the first page.
(E) All annexes or appendices will include the date of the original
document and the purpose of the new text (addition or substitution) on
the first page.
(iii) One of the following markings will be applied to NATO
documents that contain ATOMAL information:
(A) ``This document contains U.S. ATOMIC Information (RESTRICTED
DATA or FORMERLY RESTRICTED DATA) made available pursuant to the NATO
Agreement for Cooperation Regarding ATOMIC Information, dated 18 June
1964, and will be safeguarded accordingly.''
(B) ``This document contains UK ATOMIC Information. This
information is released to NATO including its military and civilian
agencies and member states on condition that it will not be released by
the recipient organization to any other organization or government or
national of another country or member of any other organization without
prior permission from H.M. Government in the United Kingdom.''
(iv) Working papers will be retained only until a final product is
produced and in accordance with Sec. 117.15(e)(3).
(11) Classification guidance. Classification guidance will be in
the form of a NATO security aspects letter and a security requirements
checklist for NATO contracts, or a Contract Security Classification
Specification, or equivalent.
(i) If adequate classification guidance is not received, the
contractor will contact the CSA for assistance.
(ii) NATO classified documents and NATO information in other
documents will not be declassified or downgraded without the prior
written consent of the originating activity.
(iii) Recommendations concerning the declassification or
downgrading of NATO classified information will be forwarded to the
CUSR.
(12) Further distribution. The contractor will not release or
disclose NATO classified information to a third party or outside the
contractor's facility for any purpose without the prior written
approval of the contracting agency.
[[Page 83356]]
(13) Storage of NATO documents. NATO classified documents will be
stored as prescribed for U.S. documents of an equivalent classification
level, except as follows:
(i) NATO classified documents will not be comingled with other
documents.
(ii) Combinations for containers used to store NATO classified
information will be changed annually. The combination also will be
changed when an individual with access to the container departs or no
longer requires access to the container, and if the combination is
suspected of being compromised.
(iii) When the combination is recorded it will be marked with the
highest classification level of documents stored in the container as
well as to indicate the level and type of NATO documents in the
container. The combination record must be logged and controlled in the
same manner as NATO classified documents.
(14) International transmission. The NATO has a registry system for
the receipt and distribution of NATO documents within each NATO member
nation. The central distribution point for the United States is the
CUSR now located at 9301 Chapek Road, Building 1458, Fort Belvoir,
Virginia 22060.
(i) The CUSR establishes sub registries at USG organizations for
further distribution and control of NATO documents. Sub registries may
establish control points at contractor facilities.
(ii) COSMIC TOP SECRET, NATO SECRET, and all ATOMAL documents will
be transferred through the registry system. NATO CONFIDENTIAL documents
provided as part of NATO infrastructure contracts will be transmitted
via government channels in compliance with paragraph (d) in this
section.
(15) Hand carrying. NATO SECRET and NATO CONFIDENTIAL documents may
be hand carried across international borders if authorized by the GCA.
The courier will be issued a NATO Courier Certificate by the CSA. When
hand carrying is authorized, the documents will be delivered to a U.S.
organization at NATO, which will transfer them to the intended NATO
recipient.
(16) Reproduction. Reproductions of COSMIC TOP SECRET and COSMIC
TOP SECRET ATOMAL information will be performed by the responsible
Registry. The reproduction of NATO SECRET and CONFIDENTIAL documents
may be authorized to meet contractual requirements unless reproduction
is prohibited by the contracting entity. Copies of COSMIC TOP SECRET,
NATO SECRET, and ATOMAL documents will be serially numbered and
controlled and accounted for in the same manner as the original.
(17) Disposition. (i) Generally, all NATO classified documents will
be returned to the contracting activity that provided them on
completion of the contract. Documents provided in connection with an
invitation to bid also will be returned immediately if the bid is not
accepted or submitted.
(ii) NATO classified documents may also be destroyed when
permitted. COSMIC TOP SECRET and COSMIC TOP SECRET ATOMAL documents
will be destroyed by the registry that provided the documents.
(A) Destruction certificates are required for all NATO classified
documents except NATO CONFIDENTIAL.
(B) The destruction of COSMIC TOP SECRET, NATO SECRET, and all
ATOMAL documents must be witnessed.
(18) Accountability records. Logs, receipts, and destruction
certificates are required for NATO classified information. Records for
NATO documents will be maintained separately from records of non-NATO
documents (methods such as separate drawers of a container).
(i) COSMIC TOP SECRET and all ATOMAL documents will be recorded on
logs maintained separately from other NATO logs and will be assigned
unique serial control numbers.
(ii) Additionally, disclosure records bearing the name and
signature of each person who has access are required for all COSMIC TOP
SECRET, COSMIC TOP SECRET ATOMAL, and all other ATOMAL or NATO
classified documents to which special access limitations have been
applied.
(iii) Minimum identifying data on logs, receipts, and destruction
certificates will include the NATO reference number, short title, date
of the document, classification, and serial copy numbers. Logs will
reflect the short title, unclassified subject, and distribution of the
documents.
(iv) Receipts are required for all NATO classified documents except
NATO CONFIDENTIAL.
(v) Inventories will be conducted annually of all COSMIC TOP
SECRET, NATO SECRET, and ATOMAL documents.
(vi) Accountability records for ATOMAL documents will be retained
for 10 years after transfer or destruction of the ATOMAL document.
Destruction certificates will be retained for 10 years after
destruction of the related ATOMAL documents.
(19) Security violations and loss, compromise, or possible
compromise. The contractor will immediately report the loss,
compromise, or suspected loss or compromise, as well as any other
security violations involving NATO classified information to the CSA.
(20) Extracting from NATO documents. Permission to extract from a
COSMIC TOP SECRET or ATOMAL document will be obtained from the CUSR.
(i) If extracts of NATO information are included in a U.S. document
prepared for a non-NATO contract, the document will be marked with U.S.
classification markings. The caveat, ``THIS DOCUMENT CONTAINS NATO
(level of classification) INFORMATION'' also will be marked on the
front cover or first page of the document. Additionally, each paragraph
or portion containing the NATO information will be marked with the
appropriate NATO classification, abbreviated in parentheses (e.g.,
``NS'' for NATO SECRET) preceding the portion or paragraph.
Declassification and downgrading instructions shall indicate that the
NATO information is exempt from declassification or downgrading without
the prior consent of NATO, in the absence of other originator
instructions, citing the reason ``Foreign Government Information.''
(ii) The declassification or downgrading of NATO information in a
U.S. document requires the approval of the originating NATO activity.
Requests will be submitted to the CUSR for NATO contracts, through the
GCA for U.S. contracts, and through the CSA for non-NATO contracts
awarded by a NATO member nation.
(21) Release of U.S. information to NATO. (i) Release of U.S.
classified or export-controlled information to NATO requires an export
authorization or other written disclosure authorization. When a
document containing U.S. classified information is being prepared for
NATO, the appropriate NATO classification markings will be applied to
the document.
(A) Documents containing U.S. classified information and U.S.
classified documents that are authorized for release to NATO will be
marked on the cover or first page ``THIS DOCUMENT CONTAINS U.S.
CLASSIFIED INFORMATION. THE INFORMATION IN THIS DOCUMENT HAS BEEN
AUTHORIZED FOR RELEASE TO (cite the NATO organization) BY (cite the
applicable license or other written authority).''
(B) The CSA will provide transmission instructions to the
contractor. The material will be
[[Page 83357]]
addressed to a U.S. organization at NATO, which will then place the
material into NATO security channels. The material will be accompanied
by a letter to the U.S. organization that provides transfer
instructions and assurances that the material has been authorized for
release to NATO. The inner wrapper will be addressed to the intended
NATO recipient.
(C) Material to be sent to NATO via mail will be routed through the
U.S. Postal Service and U.S. military postal channels to the U.S.
organization that will make the transfer.
(ii) A record will be maintained that identifies the originator and
source of classified information that are used in the preparation of
documents for release to NATO. The record will be provided with any
request for release authorization.
(22) Visits. NATO visits will be handled in accordance with the
requirements in paragraph (e) of this section. A NATO Certificate of
Security Clearance will be included with the visit request.
(i) NPLO and NATO industrial advisory group (NIAG) recurring
visits. NATO has established special procedures for recurring visits
involving contractors, government departments and agencies, and NATO
commands and agencies that are participating in a NPLO or NIAG contract
or program. The NATO management office or agency responsible for the
NPLO program will prepare a list of the government and contractor
facilities participating in the program. For NIAG programs, the list
will be prepared by the responsible NATO staff element. The list will
be forwarded to the appropriate clearance agency of the participating
nations, which will forward it to the participating contractor.
(ii) Visitor record. The contractor will maintain a record of NATO
visits including those by U.S. personnel assigned to NATO. The records
will be maintained for three years.
(h) Security and export control violations involving foreign
nationals. Contractors will report any violation of administrative
security procedures or export control regulations that would subject
classified information to possible compromise by foreign visitors or
foreign national employees to the applicable CSA.
(i) Transfers of defense articles to the UK or AUS without a
license or other written authorization.--(1) Treaties with AUS and UK.
Exemptions in ITAR parts 126.16 and 126.17 implement the Defense Trade
Cooperation Treaty between the Government of the United States of
America and the Government of the UK of Great Britain and Northern
Ireland and the Defense Trade Cooperation Treaty between the Government
of the United States of America and the Government of AUS, also known
as the ``U.S.-UK Treaty'' and ``U.S.-AUS Treaty,'' respectively,
referred to collectively in this rule as ``the Treaties.''
(i) The Treaties provide a comprehensive framework for exports and
transfers to the UK or AUS of certain classified and unclassified
defense articles without a license or other written authorization.
(ii) The ITAR part 126, supplement no. 1 identifies those defense
articles and services that are not eligible for export via treaty
exemptions.
(iii) This exemption applies to contractors registered with the
DDTC and eligible to export defense articles.
(2) Defense articles. Defense articles fall under the scope of the
Treaties when they are in support of:
(i) U.S. and UK or U.S. and AUS combined military or counter-
terrorism operations.
(ii) U.S. and UK or U.S. and AUS cooperative security and defense
research, development, production, and support programs.
(iii) Mutually agreed specific security and defense projects where
the government of the UK or AUS is the end-user.
(iv) USG end-use.
(3) Marking requirements. Contractors are required to mark defense
articles that fall under the scope of the treaty prior to transferring
from the U.S. to the UK in accordance with the provisions of this
paragraph. All other standard classification marking in accordance with
Sec. 117.14 also apply. When defense articles are returned from the UK
or AUS to the United States, any defense articles marked as RESTRICTED
in the manner shown in Table 4 purely for the purposes of the treaties
will be considered to be unclassified and such marking will be removed.
Table 3 to Paragraph (i)(3) Classified U.S. Defense Article Markings
UNCLASSIFIED: CLASSIFICATION MARKINGS FOR ILLUSTRATION PURPOSES ONLY
----------------------------------------------------------------------------------------------------------------
Example (for SECRET classified
Treaty with: Marking defense articles)
----------------------------------------------------------------------------------------------------------------
Government of UK........................... //CLASSIFICATION LEVEL USML/REL //SECRET USML//REL GBR AND USA
GBR AND USA TREATY COMMUNITY//. TREATY COMMUNITY//''
Government of AUS.......................... //CLASSIFICATION LEVEL USML/REL //SECRET USML//REL AUS AND USA
AUS AND USA TREATY COMMUNITY//. TREATY COMMUNITY//''
----------------------------------------------------------------------------------------------------------------
Table 4 to Paragraph (i)(3) Unclassified U.S. Defense Article Markings
UNCLASSIFIED: CLASSIFICATION MARKINGS FOR ILLUSTRATION PURPOSES ONLY
------------------------------------------------------------------------
Treaty with: Marking
------------------------------------------------------------------------
Government of UK........................ //RESTRICTED-USML//REL GBR AND
USA TREATY COMMUNITY//
Government of AUS....................... //RESTRICTED-USML//REL AUS AND
USA TREATY COMMUNITY//
------------------------------------------------------------------------
(4) Notice. A notice will be included (e.g., as part of the bill of
lading) whenever defense articles are exported in accordance with the
provisions of these treaties and the ITAR.
[[Page 83358]]
Table 5 to Paragraph (i)(4) Notice Text for Exported Defense Articles
------------------------------------------------------------------------
------------------------------------------------------------------------
Notice text........................ These U.S. Munitions List
commodities are authorized by the
U.S. Government under the U.S.
[AUS or UK, as applicable] Defense
Trade Cooperation Treaty for
export only to [AUS or UK, as
applicable] for use in approved
projects, programs or operations
by members of the [AUS or UK, as
applicable] Community. They may
not be retransferred or re-
exported or used outside of an
approve project, program, or
operation, either in their
original form or after being
incorporated into other end-items,
without the prior written approval
of the U.S. Department of State.
------------------------------------------------------------------------
(5) Labeling. (i) Defense articles (other than technical data) will
be individually labeled with the appropriate identification; or, where
such labeling is impracticable (e.g., propellants, chemicals), will be
accompanied by documentation (such as contracts or invoices) clearly
associating the defense articles with the appropriate markings.
(ii) Technical data (including data packages, technical papers,
manuals, presentations, specifications, guides and reports), regardless
of media or means of transmission (i.e., physical, oral, or
electronic), will be individually labeled with the appropriate
identification detailed. Where such labeling is impracticable, the data
will be accompanied by documentation (such as contracts or invoices) or
oral notification clearly associating the technical data with the
appropriate markings.
(iii) Defense services will be accompanied by documentation (e.g.
contracts, invoices, shipping bills, or bills of lading clearly labeled
with the appropriate identification).
(6) Transfers. (i) All defense articles that fall under the scope
of the Treaties must be transferred from the U.S. point of embarkation
through channels approved by both the United States and the UK or the
United States and AUS, as applicable.
(ii) For transfers of defense articles as freight, the contractor
will prepare a transportation plan. For transfer of classified U.S.
defense articles, a freight forwarder must have a valid entity
eligibility determination and a classified information storage
capability at the appropriate level. For unclassified U.S. defense
articles transferred as freight, a freight forwarder is not required to
be cleared.
(7) Records. Contractors will maintain records of exports,
transfers, re-exports, or re-transfers of defense articles subject to
the Treaties for a minimum of five years. The contractor will make
records available to the CSA upon request. In accordance with the ITAR
parts 126.16 and 126.17 the records will contain:
(i) Port of entry or exit.
(ii) Date and time of export or import.
(iii) Method of export or import.
(iv) Commodity code and description of the commodity, including
technical data.
(v) Value of export.
(vi) Justification for export under the Treaties.
(vii) End-user or end-use.
(viii) Identification of all U.S. and foreign parties to the
transaction.
(ix) How export was marked.
(x) Security classification of the export.
(xi) All written correspondence with the USG on the export.
(xii) All information relating to political contributions, fees, or
commissions furnished or obtained, offered, solicited, or agreed upon,
as outlined in the ITAR parts 126.16(m) or 126.17(m).
(xiii) Purchase order, contract, or letter of intent.
(xiv) Technical data actually exported.
(xv) The internal transaction number for the electronic export
information filing in the automated export system.
(xvi) All shipping documentation (including, but not limited to,
the airway bill, bill of lading, packing list, delivery verification,
and invoice).
(xvii) Statement of registration (Department of State Form DS-2032
(available at: https://www.pmddtc.state.gov/sys_attachment.do?sysparm_referring_url=tear_off&view=true&sys_id=dabc05f6db6be344529d368d7c961984)).
Sec. 117.20 Critical Nuclear Weapon Design Information (CNWDI).
(a) General. This section contains the special requirements for
protection of CNDWI. The sensitivity of DoD CNWDI is such that access
shall be granted to the absolute minimum number of employees who
require it for the accomplishment of assigned responsibilities on a
classified contract. Because of the importance of such information,
special requirements have been established for its control. DoDI
5210.02, ``Access to and Dissemination of Restricted Data and Formerly
Restricted Data'' (available at: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/521002p.pdf?ver=2019-01-14-072742-700)
establishes these controls in the DoD.
(b) Briefings. Prior to having access to CNWDI, employees will be
briefed on its sensitivity by the FSO or his or her alternate. The FSO
will be initially briefed by a USG representative.
(1) The briefing will include:
(i) The definition of CNWDI.
(ii) A reminder of the extreme sensitivity of the information.
(iii) An explanation of the individual's continuing responsibility
for properly safeguarding CNWDI and for ensuring that dissemination is
strictly limited to other personnel who have been authorized for access
and have a need-to-know for the particular information.
(2) The briefing will also be tailored to cover any special local
requirements. Upon termination of access to CNWDI, the employee will be
given an oral debriefing.
(c) Markings. In addition to any other required markings, CNWDI
material will be clearly marked in accordance with DoDI 5210.02. At a
minimum, CNWDI documents will show such markings on the cover or first
page. Portions of documents that contain CNWDI will be marked with an
(N) or (CNWDI) following the classification of the portion; for
example, TS (RD)(N) or TS(RD)(CNWDI).
(d) Subcontractors. Contractors will not disclose CNWDI to
subcontractors without the prior written approval of the GCA. This
approval may be included in a contract security classification
specification, or equivalent, other contract-related document, or by
separate correspondence.
(e) Transmission outside the facility. Transmission of CNWDI
outside the contractor's facility is authorized only to the GCA, or to
a subcontractor as described in paragraph (d) of this section. Any
other transmission must be approved by the GCA.
(1) Prior to transmission to another cleared facility, the
contractor will verify from the CSA that the facility has been
authorized access to CNWDI. When CNWDI is transmitted to another
facility, the inner wrapping will be addressed to the personal
attention of the FSO or his or her alternate, and in addition to any
other prescribed markings, the inner wrapping will be marked:
``Critical Nuclear Weapon Design Information-DoD Instruction 5210.02
Applies.''
[[Page 83359]]
(2) The same marking will be used on the inner wrapping of
transmissions addressed to the GCA or other USG.
(f) Records. Contractors will annotate CNWDI access in the CSA-
designated database for all employees who have been authorized access
to CNWDI.
(g) Nuclear weapon data. Some nuclear weapon data is divided into
Sigma categories, the protection of which is prescribed by DOE Order
452.8 (available at: https://www.directives.doe.gov/directives-documents/400-series/0452.8-border/@@images/file). However, certain
nuclear weapon data has been re-categorized as CNWDI and is protected
as described in this section.
Sec. 117.21 COMSEC.
(a) General. The procedures in this section pertaining to
classified COMSEC information will apply to contractors when the
contractor:
(1) Requires the use of COMSEC systems in the performance of a
contract.
(2) Is required to install, maintain, or operate COMSEC equipment
for the USG.
(3) Is required to accomplish research, development, or production
of COMSEC systems, COMSEC equipment, or related COMSEC material.
(b) Instructions. Specific requirements for the management and
safeguarding of COMSEC material in industry are established in the
COMSEC material control and operating procedures provided to the
account manager of each industrial COMSEC account by the agency central
office of record (COR) responsible for establishing the account. Such
procedures that are above the baseline requirements detailed in the
other sections of this rule will be contractually mandated.
(c) Clearance and access requirements. (1) Before a COMSEC account
can be established and a contractor may receive or possess COMSEC
material accountable to a COR, individuals occupying the positions of
FSO, COMSEC account manager, and alternate COMSEC account manager must
have a final PCL appropriate for the material to be held in the
account.
(i) COMSEC account managers and alternate COMSEC account managers
having access to operational TOP SECRET keying material marked as
CRYPTO must have a final TOP SECRET security clearance based upon a
current investigation of a scope that meets or exceeds that necessary
for the access required.
(ii) This requirement does not apply to contractors using only data
transfer devices and seed key.
(2) Before disclosure of COMSEC information to a contractor, GCAs
must first verify with the CSA that appropriate COMSEC procedures are
in place at the contractor facility. If procedures are not in place,
the GCA will provide a written request and justification to the CSA to
establish COMSEC procedures and a COMSEC account, if appropriate, at
the facility and to conduct the initial COMSEC or cryptographic access
briefings for the FSO and COMSEC account personnel.
(3) Access to COMSEC information by a contractor requires a final
entity eligibility determination and a USG-issued final PCL at the
appropriate level; however, an Interim TOP SECRET entity eligibility
determination or PCL is valid for access to COMSEC at the SECRET and
CONFIDENTIAL levels.
(4) If a COMSEC account will be required, the Contract Security
Classification Specification, or equivalent, will contain a statement
regarding the establishment of a COMSEC account as appropriate.
(d) Establishing a COMSEC account. (1) When COMSEC material that is
accountable to a COR is to be provided, acquired, or produced under a
contract, the contracting officer will inform the contractor that a
COMSEC account must be established. The contractor will forward the
names of U.S. citizen employees who will serve as the COMSEC account
manager and alternate COMSEC account manager to the CSA. The CSA will
forward the names of the FSO, COMSEC account manager, and alternate
COMSEC account manager, along with a contractual requirement for the
establishment of a COMSEC account (using DD Form 254 or equivalent) to
the appropriate COR, with a copy to the GCA, indicating that the
persons have been cleared and COMSEC has been briefed.
(2) The COR will then establish the COMSEC account and notify the
CSA that the account has been established.
(3) An individual may be appointed as the COMSEC account manager or
alternate COMSEC account manager for more than one account only when
approved by each COR concerned.
(e) COMSEC briefing and debriefing. (1) All contractor employees
who require access to classified COMSEC information in the performance
of their duties will be briefed before access is granted. Depending on
the nature of COMSEC access required, either a COMSEC briefing or a
cryptographic access briefing will be given. The FSO, the COMSEC
account manager, and the alternate COMSEC account manager will be
briefed by a USG representative or their designee. Other contractor
employees will be briefed by the FSO, the COMSEC account personnel, or
other individual designated by the FSO. The purpose of the briefing is
to ensure that the contractor understands:
(i) The unique nature of COMSEC information and its unusual
sensitivity.
(ii) The special security requirements for the handling and
protection of COMSEC information.
(iii) The penalties prescribed in 18 U.S.C. 793, 794, and 798 for
disclosure of COMSEC information.
(2) COMSEC debriefings are not required.
(3) The contractor will maintain a record of all COMSEC briefings
as specified by the appropriate COR.
(f) U.S. classified cryptographic information access briefing and
debriefing requirements. (1) U.S. classified cryptographic information
does not include seed key or controlled cryptographic items.
(2) A contractor's employee may be granted access to U.S.
classified cryptographic information only if the employee:
(i) Is a U.S. citizen.
(ii) Has a final USG-issued eligibility determination appropriate
to the classification of the U.S. cryptographic information to be
accessed.
(iii) Has a valid need-to-know to perform duties for, or on behalf
of, the USG.
(iv) Receives a security briefing appropriate to the U.S.
Classified Cryptographic Information to be accessed.
(v) Acknowledges the granting of access to classified information
by executing Section I of Secretary of Defense (SD) Form 572,
``Cryptographic Access Certification and Termination'' (available at:
https://www.esd.whs.mil/Portals/54/Documents/DD/forms/sd/sd0572.pdf).
(vi) Where so directed by a USG department or agency head,
acknowledges the possibility of being subject to a CI scope polygraph
examination that will be administered in accordance with department or
agency directives and applicable law.
(3) An employee granted access to cryptographic information will be
debriefed and execute Section II of the SD 572 not later than 90 days
from the date access is no longer required.
(4) The contractor will maintain the SD 572 for a minimum of five
years following the debriefing.
(5) Cryptographic access briefings must fully meet the requirements
of paragraph (e) of this section.
[[Page 83360]]
(g) Destruction and disposition of COMSEC material. The appropriate
GCA representative, e.g., the contracting officer representative, will
provide directions to the contractor when accountable COMSEC material
is to be destroyed. These directions may be provided in superseding
editions of publications or by specific instructions.
(h) Subcontracting COMSEC work. Subcontracts requiring the
disclosure of classified COMSEC information will be awarded only upon
the written approval of the GCA.
(i) Unsolicited proposals. Any unsolicited proposal for a COMSEC
system, equipment, development, or study that may be submitted by a
contractor to a USG agency will be forwarded to the Deputy National
Manager for National Security Systems for review and follow up action
at: Deputy National Manager for National Security Systems, NSA, Fort
George G. Meade, MD 20755-6000.
Sec. 117.22 DHS CCIPP.
(a) General. DHS will coordinate with other USG agencies that have
an equity with a private sector entity and the CCIPP in accordance with
Sec. 117.6(f).
(b) Authority. (1) The Secretary of Homeland Security has the
authority to determine the eligibility for personnel security
clearances and to administer the sharing of relevant classified NSI
with certain private sectors or non-federal partners for the purpose of
furthering cybersecurity information sharing among critical
infrastructure partners pursuant to E.O. 13691.
(2) DHS provides security oversight and assumes security
responsibilities similar to those of an FSO, unless otherwise provided
in this section. Participating entities will cooperate with DHS
security officials to ensure the entity is in compliance with
requirements in this rule.
Sec. 117.23 Supplement to this rule: Security Requirements for
Alternative Compensatory Control Measures (ACCM), Special Access
Programs (SAPs), Sensitive Compartmented Information (SCI), Restricted
Data (RD), Formerly Restricted Data (FRD), Transclassified Foreign
Nuclear Information (TFNI), and NNPI.
(a) General. Given the sensitive nature of Alternative Compensatory
Control Measures (ACCM), SAPs, SCI, RD, FRD, TFNI, and NNPI, the
security requirements prescribed in this section exceed baseline
standards for this rule and must be applied, as applicable, through
specific contract requirements.
(1) Compliance. The contractor will comply with the security
measures reflected in this section and other documents specifically
referenced, when applied by the GCA or designee as part of a contract.
Acceptance of the contract security measures is a prerequisite to any
negotiations leading to program participation and an area accreditation
(e.g., an SCI facility or SAP facility accreditation).
(2) CSA-imposed higher standards. In some cases, security or
sensitive factors of a CSA-created program may require security
measures that exceed the standards of this section. In such cases, the
CSA-imposed higher standards specifically detailed in the contract or
conveyed through other applicable directives will be binding on USG and
contractor participants. In cases of doubt over the specific
provisions, the contractor should consult the program security officer
and the contracting officer before taking any action or expending
program-related funds. In cases of extreme emergencies requiring
immediate attention, the action taken should protect the USG's interest
and the security of the program from loss or compromise.
(3) Waivers. Every effort will be made to avoid waivers to
established standards unless they are in the best interest of the USG.
In those cases where waivers are deemed necessary, a request will be
submitted in accordance with the procedures established by the CSA.
(b) Intelligence information. National intelligence is under the
jurisdiction and control of the DNI, who establishes security policy
for the protection of national intelligence and intelligence sources,
methods, and activities. In addition to the guidance in this rule,
contractors will follow Intelligence Community directives, policy
guidance, standards, and specifications for the protection of
classified national intelligence and SCI.
(c) ACCM. Contractors may participate in ACCMs, or be directed to
participate, only when such access and the associated security plan are
identified in DD Form 254 or equivalent. Care must be taken to ensure
identification of the security plan does not disclose ACCM-protected
data.
(1) ACCM contracts. DoD contractors will implement the security
requirements for ACCMs, when established by contract, in accordance
with applicable statutes, E.O.s, CSA directives, instructions, manuals,
regulations, standards, and memorandums.
(2) Non-DoD with ACCMs. Contractors performing on ACCM contracts
issued by other than DoD GCAs will implement ACCM protection
requirements imposed in their contracts.
(d) SAPs.--(1) DoD SAP contracts. Contractors will implement the
security requirements for SAPs codified in SAP-related policy, when
established by contract. These documents include, but are not limited
to, statutes, E.O.s, CSA directives, instructions, manuals,
regulations, standards, memorandums, and other SAP security related
policy documents.
(2) Non-DoD SAPs. Contractors performing on SAP contracts issued by
non-DoD GCAs will implement SAP protection requirements imposed in
their contracts. These requirements may be from, but are not limited
to, statutes, E.O.s, CSA directives, instructions, manuals,
regulations, standards, memorandums, and other SAP security related
policy documents.
(e) RD, FRD, and TFNI.--(1) General. This section describes some of
the requirements for nuclear-related information designated RD, FRD, or
TFNI in accordance with the AEA and 10 CFR part 1045. 10 CFR part 1045
contains the full requirements for classification and declassification
of RD, FRD, and TFNI. Information on safeguarding of RD by access
permittees is contained in 10 CFR part 1016. For RD that is NNPI, the
additional provisions of paragraph (f) of this section apply.
(i) The DOE is the sole authority for establishing requirements for
classifying, accessing, handling, securing, and protecting RD. The DOE
and the DoD share authority for the requirements for FRD. The DOE and
ODNI share authority for establishing requirements for TFNI.
(ii) RD, FRD, and TFNI categories are distinguished from the NSI
category, which is governed in accordance with E.O. 13526.
(A) RD, FRD, and TFNI have unique marking requirements and are not
subject to automatic declassification. In addition, RD and FRD have
special restrictions regarding foreign release.
(B) It is necessary to differentiate between the handling of this
information and NSI because of its direct relationship to our nation's
nuclear deterrent.
(iii) Some access requirements for RD and FRD exceed the
requirements for NSI. Due to the unique national security implications
of RD and FRD, and to facilitate maintaining consistency of codified
requirement, they are not repeated in the baseline of this rule, but
may be applied through specific contract requirements.
(iv) When RD is transclassified as TFNI, it is safeguarded as NSI.
Such information will be labeled as TFNI. The label TFNI will be
included on
[[Page 83361]]
documents to indicate it is exempt from automatic declassification as
specified in 10 CFR part 1045, the AEA, E.O. 13526, and 32 CFR part
2001.
(2) Unauthorized disclosures. Contractors will report all
unauthorized disclosures involving RD, FRD and TFNI information to the
CSA.
(3) International requirements. The AEA provides for a program of
international cooperation to promote common defense and security and to
make available to cooperating nations the benefits of peaceful
applications of atomic energy as widely as expanding technology and
considerations of the common defense and security will permit.
(i) Information controlled in accordance with the AEA, RD, and FRD
may be shared with another nation only under the terms of an agreement
for cooperation. The disclosure by a contractor of RD and FRD will not
be permitted until an agreement is signed by the United States and
participating governments, and disclosure guidance and security
arrangements are established.
(ii) RD and FRD will not be transmitted to a foreign national or
regional defense organization unless such action is approved and
undertaken under an agreement for cooperation between the United States
and the cooperating entity and supporting statutory determinations, as
prescribed in the AEA.
(4) Personnel security clearance and access. Only the DOE, the NRC,
the DoD, and the National Aeronautics and Space Agency can grant access
to RD and FRD that is under their cognizance. Access to RD and FRD must
be granted in accordance with the AEA. Baseline requirements for access
to RD and FRD are codified in specific DoD, DOE, NRC, and the National
Aeronautics and Space Agency directives and regulations. In addition,
need-to-know and other restrictions on access apply.
(5) Classification and declassification. (i) All persons with
access to RD and FRD must receive initial and periodic refresher
training as required under Sec. 1045.120 10 CFR. The training must
include the following information:
(A) What information is potentially RD and FRD.
(B) Matter that potentially contains RD or FRD must be reviewed by
an RD derivative classifier to determine whether it is RD or FRD.
(C) The DOE must review matter that potentially contains RD or TFNI
for public release and DOE or DoD must review matter that potentially
contains FRD for public release.
(D) RD derivative classification authority is required to classify
or upgrade matter containing RD or FRD, or to downgrade the level of
matter containing RD or FRD.
(E) Only a person trained in accordance with Sec. 1045.120 10 CFR
may classify matter containing TFNI.
(F) Matter containing RD, FRD, and TFNI is not automatically
declassified and only DOE-authorized persons may downgrade the category
or declassify matter marked as containing RD. Only DOE or DoD
authorized persons may downgrade the category or declassify matter
marked as containing FRD.
(G) How to submit a challenge if they believe RD, FRD, or TFNI
information (e.g., a guide topic) or matter containing RD, FRD, or TFNI
is not properly classified.
(H) Access requirements for matter marked as containing RD or FRD.
(ii) All persons with access to TFNI must receive initial and
periodic refresher training as required under Sec. 1045.120 10 CFR.
This training may be combined with the training for access to RD and
FRD. The training must include the following information:
(A) What information is potentially TFNI.
(B) Only a person with appropriate training may determine if matter
contains TFNI.
(C) Marking requirements for matter containing TFNI.
(D) Matter containing TFNI is not automatically declassified and
only DOE authorized persons may downgrade the category or declassify
matter marked as containing TFNI.
(E) How to submit a challenge if they believe TFNI information
(e.g., a guide topic) or matter containing TFNI is not properly
classified.
(iii) Persons with access to RD, FRD, or TFNI must submit matter
that potentially contains RD or FRD to an RD derivative classifier for
review. If matter potentially contains TFNI, it must be submitted to a
person trained to make TFNI determinations. Matter potentially
containing RD, FRD, or TFNI must be reviewed, even if the potential RD,
FRD, or TFNI is derived from the open literature. Prior to review, the
matter must be marked as a working paper under 10 CFR 1045.140(c). If
the matter is intended for pubic release and potentially contains RD or
TFNI, it must be submitted to the DOE for review. If the matter is
intended for public release and contains FRD, it must be submitted to
the DOE or the DoD.
(iv) Only RD derivative classifiers may classify matter containing
RD or FRD. RD derivative classifiers must receive initial training and
refresher training every two years as required under 10 CFR 1045.120.
The training must include the content for persons with access to RD and
FRD, along with the following:
(A) The use of classification guides, classification bulletins, and
portion-marked source documents to classify matter containing RD and
FRD.
(B) What to do if applicable classification guidance is not
available.
(C) Limitations on an RD derivative classifier's authority to
remove RD or FRD portions from matter.
(D) Marking requirements for matter containing RD and FRD.
(v) Only persons with appropriate training may review matter to
determine if it contains TFNI. Training must be completed prior to
making determinations and every two years after. The training must
include the content for persons with access to TFNI and the following:
(A) The markings applied to matter containing TFNI.
(B) Limitations on their authority to remove TFNI portions from
matter.
(C) Only DOE authorized persons may determine that classified
matter no longer contains TFNI.
(D) Only DOE-authorized persons may declassify matter marked as
containing TFNI.
(E) The DOE must review matter that potentially contains TFNI for
public release.
(vi) RD derivative classifiers must use approved classification
guides, classification bulletins, or portion-marked source documents as
the basis for classifying matter containing RD and FRD.
(vii) Persons trained to make TFNI determinations must use approved
TFNI guidelines, classification guides, classification bulletins, or
portion-marked source documents as the basis for classifying or upgrade
matter containing TFNI.
(6) Marking matter containing RD, FRD, and TFNI. The front page of
matter containing RD or FRD must have the highest classification level
of the information on the top and bottom of the first page, the RD or
FRD admonishment, the subject or title marking, and the classification
authority block. Matter containing TFNI must include the TFNI
identifier on each page unless the matter also contains RD or FRD, in
which case the RD or FRD takes precedence.
(i) Documents classified as RD or FRD must also include a
Classification Authority Block with the RD derivative classifier's name
and position, title, or unique identifier and the classification guide
or source document (by title and
[[Page 83362]]
date) used to classify the document. No declassification date or event
may be placed on a document containing RD, FRD, or TFNI. If a document
containing RD, FRD, or TFNI also contains NSI, ``N/A to RD/FRD/TFNI''
(as appropriate) must be placed on the ``Declassify On:'' line.
(ii) Each interior page of matter containing RD or FRD must be
clearly marked at the top and bottom with the overall classification
level and category of the matter or the overall classification level
and category of the page, whichever is preferred. The abbreviations
``RD'' or ``FRD'' may be used in conjunction with the matter
classification (e.g., SECRET//RD, CONFIDENTIAL//FRD).
Table 1 to Paragraph (e)(6)(ii) RD and FRD Admonishment Markings
------------------------------------------------------------------------
Admonishment that must be included
Document containing on the front page of the document
------------------------------------------------------------------------
RD................................. ``RESTRICTED DATA
This document contains RESTRICTED
DATA as defined in the Atomic
Energy Act of 1954. Unauthorized
disclosure is subject to
administrative and criminal
sanctions.''
FRD................................ ``FORMERLY RESTRICTED DATA
Unauthorized disclosure subject to
administrative and criminal
sanctions. Handle as Restricted
Data in foreign dissemination.
Section 144b, AEA 1954.''
------------------------------------------------------------------------
(iii) Documents classified as RD or FRD must also include a
Classification Authority Block with the RD derivative classifier's name
and position, title, or unique identifier and the classification guide
or source document (by title and date) used to classify the document.
(iv) Other than the required subject or title markings, portion
marking is permitted, but not required, for matter containing RD or
FRD. Each agency that generates matter containing RD or FRD determines
the policy for portion-marking matter generated within the agency. If
matter containing RD or FRD is portion-marked, each portion containing
RD or FRD must be marked with the level and category of the information
in the portion (e.g., SRD, CFRD, S//RD, C//FRD).
(v) Additional information and requirements are in 10 CFR 1045.140.
Requests for additional information about the classification and
declassification of RD, FRD, and TFNI can be directed to Agency RD
Management Officials or the DOE Office of Classification at
[email protected] or at (301) 903-7567.
(7) Declassification. (i) No date or event for automatic
declassification ever applies to RD, FRD, or TFNI documents, even if
they contain classified NSI. RD, FRD, or TFNI documents remain
classified until a positive action by a designated DOE official (for
RD, FRD, or TFNI) or an appropriate DoD official (for FRD) is taken to
declassify them.
(ii) RD derivative classifiers may remove RD or FRD from portion-
marked source matter if the resulting matter is not for public release.
RD derivative classifiers cannot declassify matter marked as containing
RD, FRD, and TFNI. Matter that potentially contains RD or TFNI must be
sent to designated individuals in the DOE and those containing FRD must
be sent to designated individuals in the DoD for declassification or
removal of the RD, FRD, or TFNI prior to public release.
(iii) Matter containing TFNI is excluded from the automatic
declassification provisions of E.O. 13526 until the TFNI designation is
properly removed by the DOE. When the DOE determines that a TFNI
designation may be removed, any remaining classified information must
be referred to the appropriate agency.
(iv) Any matter marked as or that potentially contains RD, FRD, or
TFNI within a document intended for public release that contains RD or
FRD subject area indicators must be reviewed by the appropriate DOE
organization.
(8) Challenges to RD, FRD, and TFNI. A contractor employee who
believes RD, FRD, or TFNI is classified improperly or unnecessarily may
challenge that classification following the procedures established by
the GCA. They may also send challenges directly to the Director, Office
of Classification, AU-60/Germantown Building; U.S. Department of
Energy; 1000 Independence Avenue SW, Washington, DC 20585, at any time.
Under no circumstance is an employee subject to retribution for
challenging the classification status of RD, FRD, or TFNI.
(9) Commingling. Commingling of RD, FRD, and TFNI with NSI in the
same document should be avoided to the greatest degree possible. When
mixing this information cannot be avoided, the marking requirements in
10 CFR part 1045, section 140(f) and declassification requirements of
10 CFR part 1045, section 155 apply.
(10) Protection of RD and FRD. Most of the protection requirements
for RD and FRD are similar to NSI and are based on the classification
level. However, there are some protection requirements for certain RD
information that may be applied through specific contract requirements
by the GCA. These range from distribution limitations through the
limitation of access to specifically authorized individuals to specific
storage requirements, including the requirement for IDSs, and
additional accountability records.
(i) Any DOE contractor that violates a classified information
security requirement may be subject to a civil penalty under the
provisions of 10 CFR part 824.
(ii) Certification is required for individuals authorized access to
specific Sigma categories, as appropriate. Address questions regarding
these requirements to DOE's National Nuclear Security Administration,
Office of Defense Programs.
(iii) Storage and distribution requirements are determined by the
classification level, category, and Sigma category. Sigma designation
is not a requirement for all RD documents. Storage and distribution
requirements will be dependent only on classification level and
category.
(11) Accountability. In addition to TOP SECRET information, some
SECRET RD information is considered accountable (e.g., specific Sigma
14 matter). Each nuclear weapon data control point will keep a record
of transactions involving Secret nuclear weapon data documents under
its jurisdiction including origination, receipt, transmission, current
custodian, reproduction, change of classification, declassification,
and destruction.
(12) Cybersecurity. Classified databases, systems, and networks
containing RD and FRD are protected under the requirements developed
and distributed by the DOE Office of the Chief Information Officer.
(f) NNPI. NNPI is information associated with the Naval Nuclear
Propulsion Program and is governed by Office of the Chief of Naval
Operations
[[Page 83363]]
Instruction (OPNAVINST) N9210.3, ``Safeguarding of Naval Nuclear
Propulsion Information'' (available at: https://www.secnav.navy.mil/doni/Directives/09000%20General%20Ship%20Design%20and%20Support/09-200%20Propulsion%20Plants%20Support/N9210.3%20(Unclas%20Portion).pdf).
Naval Reactors, a joint DOE/Department of Navy organization established
under 50 U.S.C. 2406 and 2511, is responsible for the protection of
this information. All contracts which grant access to NNPI must require
compliance with the specific safeguarding requirements contained in
OPNAVINST N9210.3. All waivers or deviations involving security
requirements protecting NNPI require Naval Reactors' concurrence.
Classified NNPI may not be processed on any contractor information
system unless approved by the cognizant authorizing authority with
concurrence from Naval Reactors.
Sec. 117.24 Cognizant Security Office information.
(a) DoD. Refer to the DCSA website (https://www.dcsa.mil) for a
listing of office locations and areas of responsibility and for
information on verification of facility clearances and safeguarding. In
those cases where the cleared facility is located on a DoD installation
the applicable DCSA field office can advise if the installation
commander is providing security oversight.
Table 1 to Paragraph (a) DoD Cognizant Security Office
----------------------------------------------------------------------------------------------------------------
Designation Office name Mailing address Telephone No.
----------------------------------------------------------------------------------------------------------------
Headquarters, CSO...................... Defense 27130 Telegraph Rd., (888) 282-7682
Counterintelligence and Quantico, VA 22134.
Security Agency.
----------------------------------------------------------------------------------------------------------------
(b) DOE.
Table 2 to Paragraph (b) DOE Cognizant Security Offices
----------------------------------------------------------------------------------------------------------------
Designation Office name Mailing address Telephone No.
----------------------------------------------------------------------------------------------------------------
Headquarters........................... Headquarters Office of 19901 Germantown Road, (301) 903-2177
Security Operations (AU- Germantown, MD 20874.
40).
CSO, Clearance Agency, Central DOE/National Nuclear Pennsylvania & H Street, (505) 845-4154
Verification Activity, Adjudicative Security Administration Kirtland Air Force Base,
Authority, and PCL and FCL databases. Office of Personnel and Albuquerque, NM 87116.
Facility Clearances and
Classifications.
CSO.................................... U.S. Department of 850 Energy Drive, Idaho (208) 526-2216
Energy, Idaho Operations Falls, ID 83401.
Office.
----------------------------------------------------------------------------------------------------------------
Table 3 to Paragraph (b) DOE Cognizant Security Offices Continued
----------------------------------------------------------------------------------------------------------------
Designation Office name Mailing address Telephone No.
----------------------------------------------------------------------------------------------------------------
CSO, Naval Nuclear Propulsion Director, Naval Reactors. NA-30, 1240 Isaac Hull (202) 781-6297
Information. Ave., SE., Washington
Navy Yard, DC 20376.
CSO.................................... U.S. Department of 200 Administration Road, (865) 576-2140
Energy, Office of P.O. Box 2001, Oak
Science Consolidated Ridge, TN 37830.
Service Center.
CSO.................................... U.S. Department of 902 Battelle Boulevard, (888) 375-7665
Energy, Pacific Richland, WA 99354.
Northwest Site Office.
CSO.................................... U.S. Department of 825 Jadwin Avenue, P.O. (509) 376-7411
Energy, Richland Box 550, Richland, WA
Operations Office. 99352.
CSO.................................... U.S. Department of Road 1A, Aiken, SC 29801. (803) 725-6211
Energy, Savannah River
Operations Office.
----------------------------------------------------------------------------------------------------------------
(c) NRC.
Table 4 to Paragraph (c) NRC Cognizant Security Offices
------------------------------------------------------------------------
Designation Mailing address Telephone No.
------------------------------------------------------------------------
CSO, Adjudicative Authority, U.S. Nuclear (301) 415-8080
PCL and FCL databases, and Regulatory
Industrial Security Program. Commission, ATTN:
Director of
Facilities and
Security,
Washington, DC 20555.
CSO, FCL Database and U.S. Nuclear (301) 415-7048
Industrial Security Program Regulatory
for Licensees. Commission, ATTN:
Information Security
Branch, 11555
Rockville Pike,
Rockville, MD 20853.
Clearance Agency.............. U.S. Nuclear (301) 415-8080
Regulatory
Commission, ATTN:
Director of
Facilities and
Security Personnel
Security, 11545
Rockville Pike,
Rockville, MD 20853.
Central Verification Agency... U.S. Nuclear (301) 415-8080
Regulatory
Commission, ATTN:
Director of Security
Facilities Security,
11545 Rockville
Pike, Rockville, MD
20853.
------------------------------------------------------------------------
[[Page 83364]]
(d) DHS.
Table 6 to Paragraph (d) DHS Cognizant Security Office
------------------------------------------------------------------------
Designation Mailing address Telephone No.
------------------------------------------------------------------------
CSO........................... DHS Cognizant (202) 447-5424;
Security Office, (202) 447-5345
ATTN: Chief Security
Officer, 245 Murray
Lane, M/S 0120-3,
Washington, DC 20528.
------------------------------------------------------------------------
Dated: December 11, 2020.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2020-27698 Filed 12-18-20; 8:45 am]
BILLING CODE 5001-06-P