12 FAM 570
INDUSTRIAL SECURITY PROGRAM
(CT:DS-195; 08-06-2013)
(Office of Origin: DS/SI/IS)
12 FAM 571 PURPOSe AND GENErAL
REQUIREMENTS
12 FAM 571.1 Purpose and
Responsibility
(CT:DS-195; 08-06-2013)
a. The purpose of this policy is to ensure contractors
safeguard classified and sensitive material entrusted to them under contract,
or during pre-award contract activities, with the Department. The Industrial
Security Division (DS/IS/IND) administers the Department's Industrial Security
Program. DS/IS/IND establishes policies and implements procedures for
safeguarding classified and sensitive but unclassified (SBU) information
released to, or generated by prime contractors (and subcontractors) under
contract to the Department. This includes contractor personnel supporting
Department activities at Department locations or performing on contracts from
their companies' respective physical locations.
b. DS/IS/IND serves as liaison between the Department
and the Department of Defense (DOD) Defense Security Service concerning
Department contractors who participate in the National Industrial Security
Program (NISP). DS/IS/IND serves as the final approving authority for all
prime and subcontractor Contract Security Classification Specifications (Form DD-254)
issued under all classified contracts and subcontracts. DS/IS/IND also assists
to develop contract security requirements and issues the Department's
industrial security policies and standards.
12 FAM 571.2 Applicability
(CT:DS-195; 08-06-2013)
This chapter applies to the Department's operations
domestically and abroad, including U.S. missions to international
organizations, and contractors performing under contract to the Department,
from pre-contract award to post-contract completion. As noted in 12 FAM 573.2-1,
this chapter does not apply to personal services contractors (PSCs). All
Department contract actions must comply with the Federal Acquisition Regulation
(FAR) and the Department of State Acquisition Regulation (DOSAR). The FAR and
the DOSAR take precedence if any conflicting interpretations result from this
chapter.
12 FAM 571.3 National Industrial
Security Program
(CT:DS-195; 08-06-2013)
a. The Department participates as a User Agency in NISP
through DS/IS/IND's Industrial Security Program. On January 6, 1993, Executive
Order 12829 established the NISP for the protection of information classified
pursuant to Executive Order 12356, April 2, 1982, "National Security
Information," or its successor or predecessor orders, and the Atomic
Energy Act of 1954, as amended. The National Security Council provides overall
policy direction for the NISP. The President designated the Secretary of
Defense as Executive Agent for the NISP. The Director, Information Security
Oversight Office (ISOO), implements and monitors the NISP and issues
implementing directives that are binding on Federal agencies.
b. Prior to the NISP, the Department initially
formalized its use of industrial security services as a User Agency of the
Defense Industrial Security Program by Memorandum of Agreement, dated June 5,
1961. The Departments continued participation in the NISP enhances oversight
of Department contractors classified activities.
c. Defense Security Service issues and maintains
facility security clearances (FCL) and personnel security clearances (PCL), as
required, for Department contractors. Defense Security Service inspects and
monitors contractors who require or will require access to classified
information. The Defense Industrial Security Clearance Office (DISCO), a field
element of Defense Security Service, issues PCLs under the authority of the
NISP.
d. DOD Directive 5220.22-R and DOD Directive 5220.22-M
promulgate the standards for implementing the NISP. These directives establish
the requirements for safeguarding classified information, including foreign
government information, which the U.S. Government must protect in the interest
of national security, and contractors, subcontractors, vendors, or suppliers
may need to access.
e. DS/IS/IND serves as the Departments representative
to and a voting member of the National Industrial Security Program Policy
Advisory Committee (NISPPAC). The NISPPAC, comprised of both Government and
industry representatives, is responsible for recommending changes in industrial
security policy through modifications to Executive Order 12829, its
implementing directives, and the National Industrial Security Program Operating
Manual.
12 FAM 571.4 Authorities
(CT:DS-195; 08-06-2013)
a. Executive Order (E.O.) 13526, Classified National
Security Information, December 29, 2009.
b. E.O. 12829, National Industrial Security Program
(NISP), January 6, 1993, which provides for a uniform program for safeguarding
Federal Government classified information released to contractors, licensees,
or grantees of U.S. Government Executive Branch departments and agencies.
c. E.O. 10865, Safeguarding Classified Information
Within Industry, February 20, 1960, as amended by E.O. 10909, January 17, 1961,
and succeeding orders, which direct Federal agencies to establish regulations
governing U.S. industry in handling and protection of its national security
information.
d. DOD 5220.22-R, Industrial Security Regulation,
current edition, which sets forth requirements of User Agencies participating
in the NISP.
e. DOD 5220.22-M, National Industrial Security Program
Operating Manual (NISPOM) for Safeguarding Classified Information, current
edition, prescribes the requirements contractors must follow to safeguard
national security information
f. DOD 5220.22-M-Sup 1, National Industrial Security
Program Operating Manual (NISPOM) Supplement, current edition.
g. 32 CFR Part 2004, National Industrial Security
Program Directive No. 1.
h. The Federal Information Security Management Act
(FISMA) of 2002 and succeeding legislation that prescribes a uniform
information security program.
i. The Omnibus Diplomatic Security and Antiterrorism
Act of 1986, (Public Law 99-399) Section 403 (22 U.S.C. 4853), Security
Requirements for Contractors.
12 FAM 572 INDUSTRIAL SECURITY
EDUCATION PROGRAMS
12 FAM 572.1 General
(CT:DS-195; 08-06-2013)
a. The effectiveness of the Department's Industrial
Security Program depends upon contractor firms and U.S. Government personnels
understanding of their respective security responsibilities. For this reason,
education is an integral part of the Department's Industrial Security Program.
The focus of the educational effort is to impress upon these individuals, through
security briefings, their responsibility to safeguard classified and SBU
information. DS/IS/IND conducts briefings for contractor personnel, Civil
Service Personnel, Foreign Service officers, Department program office
personnel and Department acquisition personnel, and schedules briefings on a
recurring basis, upon request or when an issue (e.g., multiple security
infractions) arises that warrants a security briefing.
b. Contractor personnel working at Department
facilities must familiarize themselves not only with security regulations found
in the Foreign Affairs Manual (FAM) that relate to their assigned duties, but
also with the information and personnel security requirements specified in
their contract and on their Form DD-254.
12 FAM 572.2 Required Briefings
12 FAM 572.2-1 Department
Personnel
((CT:DS-195; 08-06-2013)
DS/IS/IND briefs Department personnel, such as regional
security officers (RSOs), contracting officers (COs), contracting officers
representatives (CORs), or Government technical monitors (GTMs), program
managers, site security managers (SSMs), etc., on their responsibilities for
proper implementation of the Department's Industrial Security Program.
12 FAM 572.2-2 Contractor
Personnel
(CT:DS-195; 08-06-2013)
a. DS/IS/APD briefs all contractors who reside on-site
at Department facilities and who are cleared for access to Department
classified information, on their security responsibilities prior to receiving
access to Department facilities or information systems.
b. FSOs must provide their personnel with initial and
recurring security briefings in accordance with the NISP.
c. RSOs or SSMs brief all contractors arriving at
their post and or site regarding their security responsibilities prior to
granting access to the post, site, or information systems.
12 FAM 572.3 Counterintelligence
Briefings
(CT:DS-195; 08-06-2013)
The RSO assigned to a critical human intelligence (HUMINT)
threat post is responsible for administering a counterintelligence briefing
when contractors arrive at post and debriefing them before they depart. See 12 FAM 260 for
further information regarding Counterintelligence Programs.
12 FAM 573 SECURITY CLEARANCE POLICY
(CT:DS-195; 08-06-2013)
To ensure the proper safeguarding of classified
information entrusted to the private sector, the Department requires contractor
firms to possess FCLs and contractor personnel to possess PCLs commensurate
with the level of classified information required. The following policies set
forth the requirements for private sector/contractor firms and personnel who
require access to Department classified information. Requirements for access
to specific categories of Department SBU information are outlined throughout
this subchapter.
12 FAM 573.1 Facility Security
Clearances (FCL)
(CT:DS-195; 08-06-2013)
a. Any U.S. firm under contract to the Department
requiring access to classified information, or to areas where access to
classified information may exist, requires an FCL commensurate with the level
of access required. An FCL is an administrative determination that a company
meets all of the NISP requirements and is eligible for access to classified
information or eligible for award of a classified contract. Additionally, any
U.S. contractor firm, or business that requires access to classified
information to prepare a response to a request for proposal (RFP) or
solicitation, invitation for bid (IFB), request for quotation (RFQ), etc.,
and/or in performance of a classified Department contract, must have or obtain
an FCL commensurate with the level of access required.
b. Department contracting authorities must submit
facility clearance requirements and requests to DS/IS/IND. If warranted,
DS/IS/IND sponsors the U.S. contractor firm for an FCL through DSS. Only
DS/IS/IND has the authority to submit FCL requests to DSS on behalf of the
Department.
c. Non-U.S. firms are ineligible for FCLs, except as
specified in 12
FAM 573.1-2. To be eligible for an FCL, the company must be incorporated
under the laws of any of the 50 states, the District of Columbia, or Puerto
Rico, and reside in the United States or its territorial areas.
d. All classified contracts must include a Contract
Security Classification Specification, Form DD-254, which denotes the FCL level
required for the contract as well as specific contract security requirements.
12 FAM 573.1-1 Joint Ventures
(CT:DS-195; 08-06-2013)
U.S. joint ventures that require access to classified
information during the bid phase or during contract performance must have an
FCL commensurate with the level of access required. In order for a U.S. joint
venture to obtain a clearance, all entities comprising the joint venture must
possess an FCL. DS/IS/IND submits FCL requests for U.S. joint ventures through
DSS. Foreign firms that are part of a joint venture are ineligible for FCLs,
and make the joint venture ineligible for an FCL.
12 FAM 573.1-2 Foreign-Owned U.
S. Contractors
(CT:DS-195; 08-06-2013)
a. Under the NISP, foreign-owned U.S. contractors may
be eligible for an FCL, provided the foreign ownership has been mitigated in
accordance with the NISPOM, DOD 5200.22-M.
b. The NISPOM prescribes several methods for mitigating
foreign ownership of foreign-owned U.S. contractors. DSS works directly with
foreign-owned U.S. contractors in establishing an approved method of mitigating
the foreign ownership control or influence. Examples of methods for mitigating
foreign ownership include the establishment of a voting trust agreement, a
proxy agreement, a security control agreement (SCA) or a special security
agreement (SSA). There are no restrictions levied on the FCL of firms which
establish voting trust agreements or proxy agreements, as the foreign owner
relinquishes most rights associated with ownership of the company to U.S.
Government-approved cleared U.S. citizens. Restrictions are not levied on the
FCL of firms under SCAs, either, as the company is not effectively owned or
controlled by a foreign interest, although the foreign interest is entitled to
representation on the companys governing board.
c. One mitigation method contractor firms may elect,
establishing an SSA, results in the imposition of restrictions on access to
certain categories of classified information (referred to as proscribed
information), e.g., Top Secret, Communications Security (COMSEC), Special
Access Program (SAP), Restricted Data (RD), North Atlantic Treaty Organization
(NATO), and Sensitive Compartmented Information (SCI). Firms under SSAs may be
ineligible for award of specific Department projects that require access to
these levels of information. Foreign-owned U.S. firms which opt to establish
SSAs may become ineligible for an award or be unable to continue performing as
a prime or subcontractor on efforts that require access to the categories of
information noted in this paragraph. The CO and COR must coordinate the use of
foreign-owned U.S. contractors with DS/IS/IND. DS/IS/IND works closely with
DSS on any foreign ownership mitigation strategies established for Department
contractor firms.
12 FAM 573.2 Self-Employed
Personnel
(CT:DS-195; 08-06-2013)
The Department may use the services of self-employed
individuals, consultants, and personal services contractors (PSCs). By
definition, self-employed personnel must have no affiliation with a company
and/or contractor firm. Individuals incorporated for tax purposes with family
members as office holders of the corporation also qualify as self-employed
contractors, although the family members become ineligible for access to
classified information or processed for personnel security clearances. The
Office of Personnel Security and Suitability (DS/SI/PSS) clears self-employed
individuals, consultants, and PSCs. DS/SI/PSS also clears consultants hired
through the Bureau of Human Resources (HR) under Federal personnel
regulations. Program offices, HR representatives, CORs and COs must work
directly with their Executive Offices and DS/SI/PSS regarding personnel
security clearances for these personnel. DS/IS/IND plays no role with regard
to these categories of personnel.
12 FAM 573.3 Personnel Security
Clearance Requirements
12 FAM 573.3-1 Overall Personnel
Security Clearance Requirements
(CT:DS-195; 08-06-2013)
Contractor personnel must possess clearances commensurate
with the level of access required for performance under a Department classified
contract. The Contract Security Classification Specification, Form DD-254,
included in all classified procurements, establishes the FCL and individual
clearance requirements for contract performance. It also outlines whether or
not the company must store and/or generate classified material in the
performance of the contract.
12 FAM 573.3-2 Department
Contractor Personnel
(CT:DS-195; 08-06-2013)
a. All cleared contractor firms must designate an
individual as their facility security officer who is responsible for the
administration of the companys industrial security program and adherence to
the NISPOM and any contract security requirements. The facility security
officer submits personnel security clearance requests to DISCO. The facility
security officer also submits visitor authorization requests (VARs) and
required documentation on all contractor personnel who are DISCO cleared
directly to DS/IS/IND.
b. DISCO usually processes Department contractor
personnel for personnel security clearances. However, there are extenuating
circumstances when DS/SI/PSS must process specific contractor personnel for
personnel security clearances. In those cases, the classified contracts
awarded to the contractor firms notes this requirement, as well as the
procedures to process their personnel for Department clearances.
12 FAM 573.3-3 Overseas Personnel
Security Requirements
(CT:DS-195; 08-06-2013)
Item 13 of Form DD-254, which is issued to contractor firms,
includes specific personnel security clearance requirements regarding travel
and/or assignments to all posts abroad, regardless of the threat level of the
post.
(1) Clearance requirements for access to core spaces,
including the post communication center (PCC), must adhere to the provisions of
5 FAH-6 H-124.
As such, IRM and the post information management officer (IMO) may authorize
contractors who possess Final Top Secret clearances access to the PCC. CORs
and/or GTMs must coordinate access to PCCs and/or core areas with both the
Cryptographic Service Branch (IRM/OPS/ITI/SI/CSB) and the post IMO, and the
contractor must be read-on for COMSEC access or use before accessing the PCCs
and/or core areas.
(2) DS established additional clearance requirements
for U.S. contractor personnel performing under contract to the Department at
critical HUMINT threat posts listed in the Department's Security Environment
Threat List (SETL). The duration of the visit, access requirements, and
area(s) of access form the basis for any additional clearance requirements.
DS/IS/IND provides guidance for contractor personnel traveling to critical
HUMINT threat posts in Item 13 of Form DD-254. There is no reference to the
term critical HUMINT threat post, since identifying a post at a specific
threat level is classified; instead, Form DD-254, which is an unclassified
document, notes specific HUMINT threat posts. The NOTE in this subsection
addresses these additional requirements.
NOTE: The contents of the SETL are
classified and must only be discussed in secure locations authorized for
classified discussion and/or processed on automated information systems
certified and accredited for the processing of national security information at
the appropriate level of assurance.
12 FAM 573.3-3(A) Classified
Projects on the Compound at Critical HUMINT Threat Posts
(CT:DS-195; 08-06-2013)
a. Classified contracts at critical HUMINT threat
posts:
(1) Travel and/or deployments to critical HUMINT
threat posts of less than 60 days (cumulative for all critical HUMINT threat
posts visited in a calendar year) require Final Secret clearances and favorable
DS name checks before travel and/or deployment commences. Access to Top Secret
information requires Top Secret clearances and favorable name checks. Interim
Secret clearances are not acceptable for ANY travel;
(2) Travel
and/or deployments to critical HUMINT threat posts of more than 60 days
(cumulative for all critical HUMINT threat posts visited in a calendar year)
require Final Top Secret clearances, favorable DS name checks and favorably
adjudicated DS Acceptability Reviews before travel and/or deployment
commences.
NOTE: Contractor personnel may deploy after the submission of
the DS Acceptability Review to DS/IS/IND, provided DS deems the name checks
favorable. However, if the Acceptability Review is subsequently adjudicated
unfavorably, the COR or GTM is advised and, upon the COR or GTM notification,
the contractor personnel must immediately leave the site at no expense to the
U.S. Government; and
(3) DS name checks must be requested from DS/IS/IND;
do not send country clearance requests to post prior to notification of
favorable results.
b. Unclassified portions of classified contracts at
critical HUMINT threat posts Access to general work areas and/or public
access areas (see 12 FAH-6 H-021):
(1) In coordination with the COR or GTM, DS/IS/IND
evaluates the occasional requirement to deploy an uncleared contractor to a
critical HUMINT threat post in support of a classified contract. In these
individual cases and as the COR or GTM and DS/IS/IND agree, the contractor
submits the necessary paperwork to DS/IS/IND for a DS Moderate Risk Public
Trust (MRPT) certification; and
(2) Uncleared contractor personnel cannot travel to
post until DS/SI/PSS renders a favorable MRPT determination. Upon issuance of
a favorable MRPT, DS/IS/IND notifies the COR or GTM and the contractor, and the
COR or GTM may provide such information on the country clearance request to
post.
12 FAM 573.3-3(B) All Other
Unclassified Projects on or off the Chancellery at Critical HUMINT Threat Posts
(CT:DS-195; 08-06-2013)
The COR or GTM must coordinate with DS/IS/IND before
drafting the statement of work for unclassified projects on or off the
chancellery at critical HUMINT threat posts. As a result, the project schedule
must include the time required for Diplomatic Security checks. Contractor
personnel deploying to critical HUMINT threat posts for performance on wholly
unclassified projects, with no access to controlled access areas (CAAs) (see 12 FAH-6 H-021)
or restricted spaces requiring clearances, must have a favorable DS MRPT
certification from DS/SI/PSS prior to travel/deployment. DS/IS/IND notifies
the COR or GTM and the contractor upon issuance of a favorable MRPT. The COR
or GTM may then provide such information in the country clearance request to
post.
12 FAM 573.3-3(C) Cleared
American Personnel Program for the Bureaus of European Affairs and East Asia
and Pacific Affairs
(CT:DS-195; 08-06-2013)
These programs use specific contractors to provide
technical and administrative support directly to posts as the Executive Offices
of the Bureaus of European Affairs (EUR-IO/EX) and East Asia and Pacific
Affairs (EAP/EX) designate. Contractor personnel under this program require a
single-scope background investigation that DS/SI/PSS conducts. DS may also
accept Top Secret or equivalent clearances that other U.S. Government agencies
granted upon receipt, review, and evaluation of investigative files for
issuance of reciprocal Department Top Secret clearances and suitability for
deployment to critical HUMINT threat posts. DS may conduct further
investigation as required, including Counterintelligence Pass-through reviews.
DS/IS/IND coordinates these requirements with the COR or GTM and other
pertinent DS offices.
12 FAM 573.4 Special Program/Access
Requirements
12 FAM 573.4-1 Special Access
Program (SAP)
(CT:DS-195; 08-06-2013)
The Department program office, in coordination with
DS/IS/IND, determines contractor clearance requirements for special access
programs (SAP) based on the need for access to SAP information. If a contract
requires access to SAP information, DS/IS/IND documents the specific
requirements in Form DD-254 included in the classified contract and specifies
that the contractor must adhere to stated requirements. Form DD-254 also notes
whether DSS or DS (or its representative) has inspection responsibility for the
SAP information.
12 FAM 573.4-2 Sensitive
Compartmented Information (SCI) Requirements
(CT:DS-195; 08-06-2013)
a. DS/IS/IND coordinates with the Special Security
Operations Division (DS/IS/SSO) on contracts requiring authorization for access
to sensitive compartmented information (SCI). If a program office advises that
a contract requires access to SCI information and includes the requirement
within the body of the contract, DS/IS/IND documents the specific SCI
requirements and procedures for processing contractor personnel in Form DD-254
included in the classified contract.
b. DS/IS/IND processes contractor personnel for SCI
access when the COR or GTM requests SCI access for contractor personnel. The
COR or GTM must submit written requests for SCI access for the contractor
personnel directly to DS/IS/IND, and must include sufficient justification for
the SCI requirement for each member of the contractor personnel. DS/IS/IND
does not authorize contractor access to SCI without a favorable SCI-eligibility
determination and the individual receiving the required SCI briefing.
12 FAM 574 CONTRACTING RESPONSIBILITIES
(CT:DS-195; 08-06-2013)
Department program, project, and contracting personnel
must consider security requirements at the earliest possible stage in the
procurement process. The following must share responsibility for the effective
implementation of the Department's Industrial Security Program:
(1) Bureau or office project manager;
(2) Contracting officer's representative (COR);
(3) Government technical monitor (GTM);
(4) Contracting officer (CO);
(5) Unit security officer (USO); and
(6) DS/IS/IND.
12 FAM 574.1 Contracting Officers
(COs)
(CT:DS-195; 08-06-2013)
a. COs award classified and designated SBU contracts,
and ensure that pre-contract, contract award, and post-contract actions include
appropriate contract documentation and contract security clauses. Contract
documentation may include, but is not limited to:
(1) Contract Security Classification Specifications, Form DD- 254 (for classified contracts);
(2) Security clauses specific to SBU contracts that
provide for the protection of Department information and other assets, and the
requirement for investigations of contractor personnel in positions of public
trust;
(3) Contract clauses specific to the policy and
procedures regarding Department personal identification cards; and
(4) Applicable FAR and DOSAR clauses.
b. COs should take into account the processing times
required for facility and personnel clearances, and provide sufficient time in
the selection and award process for the contractor firms and contractor
personnel to obtain the required clearances. COs should provide DS/IS/IND with
complete RFP and contract packages for review (and generation of Form DD-254)
prior to any award. COs should provide DS/IS/IND with draft acquisition
announcements (e.g., Federal Business Opportunity (FEDBIZOPS)) prior to their
release. DS/IS/IND provides language for use in the announcement that explains
to interested bidders what the facility and personnel security clearance
requirements are, and whether the Department will sponsor uncleared firms for
FCLs, or whether interested bidders must already possess an FCL to make a bid.
12 FAM 574.2 Contracting Officer's
Representative (COR)/Government Technical Monitor (GTM)
(CT:DS-195; 08-06-2013)
a. After consulting with applicable Department security
elements, CORs and GTMs are responsible for identifying and coordinating the
security requirements for inclusion in classified or designated SBU contracts.
If the COR or GTM has any questions regarding proposed security clearance and
access requirements, he/she should contact DS/IS/IND in the beginning of the procurement
process. DS/IS/IND assists and is responsible for generating and approving
Form DD-254, along with providing Form DD-254 to the CO for inclusion in
classified RFPs and contracts. SBU contracts do not contain a Form DD-254, but
should contain specific language for the handling of SBU and the processing of
contractor firm personnel for access to SBU.
b. The COR or GTM is responsible for performing reviews
during contract performance and upon contract completion, and must ensure
compliance with all security requirements for the duration of the contract.
The COR or GTM must notify DS/IS/IND and the CO of any changes in security
requirements to allow for contract modifications and Form DD-254 revisions.
c. The COR or GTM must give adequate guidance to all
contractor personnel concerning the specific security requirements unique to
their assigned projects and ensure that contractor personnel fully understand
the elements of their individual assignments that involve classified
information. Further, the COR or GTM must ensure that:
(1) Contractor personnel have security classification
guidance for any classified information they generate;
(2) Contractor personnel attend required security
briefings;
(3) The appropriate USO receives reports of
infractions and/or violations; and
(4) DS/IS/IND receives reports of adverse information
concerning any contractor personnel performing on Department classified or SBU
contracts.
NOTE: Adverse information is any
information that adversely reflects on the integrity or character of cleared
contractor personnel (or contractor personnel with a public trust
certification) that could impair their ability to safeguard classified and/or
sensitive information, subject them to exploitation or blackmail, or is of such
a nature that access to classified information clearly is not in the interest
of national security.
12 FAM 574.3 Unit Security Officers
(CT:DS-195; 08-06-2013)
Unit security officers (USOs) are responsible for briefing
all contractor personnel working in their assigned area(s) regarding applicable
security requirements and procedures. The USO should consult with DS/IS/IND if
there are any security-related problems or concerns with any contractor
personnel. If a bureau security officer (BSO) is assigned to a particular
bureau, consult him or her in addition to DS/IS/IND.
12 FAM 574.4 Contractor Personnel
Responsibilities
(CT:DS-195; 08-06-2013)
a. All contractor personnel are responsible for
complying with the Department's security regulations and procedures. All
contractor personnel are responsible for their Department personal
identification cards when the contract requires them to have a Department
identification card, and must follow the security reporting requirements in 12 FAM 270,
including adverse information, dual citizenship, certain contacts with foreign
nationals, and personal travel to specific HUMINT threat countries.
b. See contractor identification cards Web site for
procedures to obtain Department personal identification cards for contractor personnel,
contracting firms, and Department project personnel.
12 FAM 575 CONTRACT PROCESSING
12 FAM 575.1 Department Contracting
Activities
(CT:DS-195; 08-06-2013)
a. The Office of the Procurement Executive (A/OPE)
delegates contracting authority for Department contracting activities. Only
those persons A/OPE designates may negotiate, enter into, and award contracts.
A/OPE authorizes DS/IS/IND to approve Contract Security Classification
Specifications (Form DD-254) for inclusion in classified contracts.
b. Department classified procurement actions (i.e.
those that require access to classified information or areas where precluding
access to classified information cannot occur) require a fully executed Form DD-254
to include with each of the following:
(1) Invitation for bid;
(2) Request for proposal or quotation;
(3) Contract (a contract can exist in the form of a
letter contract, purchase order, indefinite delivery indefinite quantity (IDIQ)
contract, basic ordering agreement, delivery order, or any other
Federally-recognized contract vehicle); or
(4) Subcontract package.
c. DS/IS/IND must review SBU contracts (i.e., those
that require access to specific categories of SBU information), and include
specific contract clauses related to the handling of SBU information. One
example is a contract that requires access to passport information and the
facilities that process passport information.
d. Unclassified contracts, which do not involve access
to classified information, do not normally require a DS/IS/IND review.
However, DS/IS/IND coordinates security requirements with the requesting office
when the sensitivity of the project (e.g., physical protection requirements for
Department information or other assets, background investigations on contractor
personnel, etc.) warrants additional security requirements.
e. During the country clearance notification process,
DS/IS/IND must approve uncleared personnel who travel to posts abroad to
perform duties pursuant to unclassified contracts.
12 FAM 575.2 Other Contracting
Activities
(CT:DS-195; 08-06-2013)
a. Acquisition and program offices must advise
DS/IS/IND when their contracting officers are awarding classified contracts for
the Department. The requirements in 12 FAM 574 are
equally applicable to contracts other contracting agencies awarded on behalf of
the Department (e.g., Small Business Administration, General Services
Administration, etc.) and to Interagency Agreements (IAAs) used to obtain
contractor services. Both instances require the issuance of a
DS/IS/IND-approved Form DD-254.
b. General Services officers (GSOs) at posts abroad
with contracting authority must contact DS/IS/IND and A/OPE when the contract
scope of work requires cleared contractor personnel. A/OPE determines whether
the GSO or domestic procurement office conducts the procurement. DS/IS/IND
ensures incorporation of a Form DD-254 into the contract.
12 FAM 575.3 Contract Clause(s)
(CT:DS-195; 08-06-2013)
A/OPE provides contract clauses governing security
requirements for inclusion in all Department classified contracts, SBU, and
unclassified contracts. DS/IS/IND, in coordination with the program office,
may also add security requirements to the contract in DD-Form 254 section H and
instructions for classified deliveries in section D.
12 FAM 575.4 Contract Performance
(CT:DS-195; 08-06-2013)
The CO, in consultation with the COR and DS/IS/IND, is
responsible for ensuring contractor compliance with all security requirements
during contract performance. The CO, COR, and DS/IS/IND coordinate changes in
the contract security requirements before notifying the contractor.
12 FAM 575.5 Contract Completion
(CT:DS-195; 08-06-2013)
The CO is responsible for notifying DS/IS/IND of the
contract completion (i.e., final delivery of goods or services) or the
termination of the contract. DS/IS/IND advises the contractor regarding the
proper disposition of any classified material the contractor releases or generates,
as well as the requirement for the contractor facility security officer to
cancel any current VARs and/or public trust determinations.
12 FAM 576 HANDLING CLASSIFIED
INFORMATION
12 FAM 576.1 Releasing Classified
Information to Contractors
(CT:DS-195; 08-06-2013)
Any Department office intending to provide classified
material to a contractor bidding on or performing on a classified contract
must, prior to release of the material, advise DS/IS/IND of its intention to
release the classified material. DS/IS/IND will verify the contractor's
facility security clearance and storage capability, and issue a Form DD-254 (or
ensure one has already been issued) authorizing the receipt of classified
material. (See 12
FAM 573.1). The office releasing classified information to a contractor is
responsible for establishing the contractors need-to-know requirements (see 12 FAM 576.2)
and advising DS/IS/IND of its intention to transmit classified material to the
contractors location. When the releasing office establishes the contractors
need-to-know requirement, DS/IS/IND verifies the contractors classified mailing
address authorized for receipt of classified material. After DS/IS/INDs
verification, the releasing office may transmit the classified material in
accordance with 12
FAM 536.9, and/or Item 13 of the Form DD-254.
12 FAM 576.2 Need-to-Know
Determination
(CT:DS-195; 08-06-2013)
In addition to DS/IS/IND verifying the contractor's
facility clearance, the possessor of classified information must determine that
a contractor has a need-to-know the information. The basis of this
determination is the recipient's need, in the interest of national security, to
have access to, knowledge of, or possession of classified information to
perform tasks or services essential to fulfilling a Department contract or
program (see 12
FAM 536.1).
12 FAM 576.3 Verification of
Individual Personnel Clearances
(CT:DS-195; 08-06-2013)
Prior to allowing individual contractor personnel access
to classified information or areas where precluding access to classified
information cannot occur, Department employees should contact DS/IS/IND to
verify a contractors eligibility to access classified information. The
clearance must at least equal the level of the classified information the
contractor will access.
12 FAM 576.4 Reporting Requirements
(CT:DS-195; 08-06-2013)
a. USOs must immediately report, in writing, on Form OF-117,
Notice of Security Incident, to the Program Applications Division (DS/IS/APD)
any unauthorized disclosures of classified information to contractor personnel
and security incidents involving contractor personnel working at Department
facilities both domestically and abroad. When warranted, DS/IS/APD conducts an
evaluation and investigation, issues Form OF 118, Record of Incident, and
advises DS/IS/IND of the results. See 12 FAM 550 for
detailed guidance regarding reports of security incidents and compromises.
b. The facility security officer must immediately
report, in writing, to DS/IS/IND and the COR the suspected loss or compromise
of Department classified information at the contractors facility. DS/IS/IND
coordinates the investigation and any subsequent mitigation, with the
contractor, COR, and other Department offices. DS/IS/IND ensures the
contractors Defense Security Service Industrial Security Representative is
notified when there is a possible compromise and/or computer systems or
documents require sanitization at the contractors facility.
c. Department personnel and contractors must
immediately report, in writing, to DS/IS/IND any adverse information coming to
their attention concerning any cleared contractor personnel. (For the purpose
of this requirement, cleared contractor personnel include employees of
contracting firms cleared in accordance with the Industrial Security Program.)
The individuals providing these reports must not make reports based on rumor or
innuendo. The subsequent termination of employment of a contractor does not
preclude the requirement to submit this report. The contracting firm must
submit to DS/IS/IND a copy of adverse information reports sent to DISCO on
personnel working on any Department classified project. When adverse
information on a contractor employee comes to the attention of DS/IS/IND,
DS/IS/IND may report the adverse information directly to Defense Security
Service.
d. The Department requires cleared contractors
performing work on classified contracts to comply with Department guidance in 12 FAM 270 and
report their intent to marry, cohabitate, or other contact/established
relationships with foreign nationals. The Department counsels contractor
personnel on the potential impact of such relationships on their continued
acceptability for assignment abroad, or performance on Department contracts.
When required, the contractor personnel must provide the forms for a
Department-conducted investigation and evaluation.
12 FAM 576.5 Contractor Releases
(CT:DS-195; 08-06-2013)
a. In accordance with the NISPOM and Form DD-254 for
the contract, contractors must clear with DS/IS/IND
all requests to release unclassified information pertaining to contracts
involving national security information. This includes, but is not limited to:
(1) Requests for public releases of unclassified
information pertaining to classified contracts;
(2) Contractor requests for release of unclassified
information at seminars, meetings, and symposia; and
(3) Distribution of sales literature containing
unclassified information including the publication or distribution of
brochures, Web sites, promotional sales literature, or similar material.
b. When the CO, COR or GTM receives a copy of the
proposed release, he or she must provide a copy to DS/IS/IND for review and
clearance.
12 FAM 577 CONTRACTOR PERSONNEL
SECURITY CLEARANCES
(CT:DS-195; 08-06-2013)
a. The Defense Security Service, in accordance with the
NISP, usually clears a contracting firms employee, at the request of the
cleared contracting firm, for performance on classified Department contracts.
b. In some extenuating instances (e.g., protective
services contracts in Iraq and Afghanistan) and as noted in Form DD-254 included
in specific contracts, DS/SI/PSS investigates or processes contractors for
personnel security clearances and public trust certifications. Forms for
clearances and public trust certifications must be submitted in accordance with
12 FAM 577.1.
12 FAM 577.1 Submission of
Personnel Security Clearance and Public Trust Determination Requests
(CT:DS-195; 08-06-2013)
a. The contractor's facility security officer must
submit all requests for personnel security clearances to DS/IS/IND for
submission to DS/SI/PSS. The requesting memo for a contractor personnel
security clearance or low, medium, or high-risk public trust certification must
include:
(1) Name of the individual and his or her work
location and phone number;
(2) Level of clearance and/or public trust certification
required;
(3) Contract number, with expiration date;
(4) Area(s) to access, and a sufficient explanation of
the proposed work, including job title; and
(5) Required forms, releases and fingerprint cards.
b. DS/IS/IND provides specific instructions to the
contractor facility security officer regarding the specific forms required.
DS/IS/IND provides notification of completed investigations and
clearance/public trust issuance to the COR and contractor.
12 FAM 577.2 Certifying Clearances
to the Department for Performance on Contracts
(CT:DS-195; 08-06-2013)
a. Contractor facility security officers must submit a
VAR to certify the personnel security clearances for Defense Security Service
cleared contractor personnel who are assigned to or visiting Department
facilities where access to classified information is required, or areas where
precluding access to classified information cannot occur. The facility
security officer must submit all contractor VARs directly to DS/IS/IND.
DS/IS/IND verifies the cited classified contract/activity and, if approved,
enters the clearance information into the Visitor Security Clearance Tracking
System (VSCTS).
b. Concurrent with this action, DS/IS/IND forwards a
copy of the VAR to the COR or GTM. The COR or GTM must certify that the
cleared contractor has a valid need-to-know for the contract/activity cited on
the visit request. Unless the COR or GTM notifies otherwise, DS/IS/IND
considers the need-to-know certified and does not take any further action. If
there are issues with the information on the VAR, DS/IS/IND returns the VAR to
the facility security officer, either requesting additional information or
disapproving the proposed classified visit.
c. The facility security officer must submit an
updated VAR when a contractors level of security clearance, or name changes.
d. The contractor must notify DS/IS/IND when a cleared
employee terminates or no longer requires access to classified information. To
make this notification, contractors must submit a VAR cancellation request.
e. If DISCO notifies the firm that an employees
clearance has been revoked, suspended or terminated, the facility security
officer must immediately contact his or her DS/IS/IND specialist, so DS/IS/IND
can ensure that access to classified information immediately ceases and the
employees building pass, if issued, is retrieved.
f. There are certain access restrictions for
contractor personnel with interim clearances. An Interim Secret personnel
security clearance is valid for access to classified information up to the
Secret level, except for SCI, RD, COMSEC, SAP, and NATO information (or in
other circumstances specified in Item 13 of Form DD-254). Those with Interim
Secret clearances must not travel to specific HUMINT threat posts (see 12 FAM 573.3-2).
An Interim Top Secret personnel security clearance is valid for access to Top
Secret information and RD, NATO, and COMSEC information at the Secret and
Confidential level only. However, an Interim Top Secret is not valid for
unescorted access to an operating PCC at posts abroad. PCC mandatory access
requirements are in 5 FAH-6 H-124.
g. VARs are valid for a period not to exceed 12
months. The facility security officer must submit VAR renewals 30 days in
advance of the expiration of a contractor personnels VAR. Failure to meet
this submission deadline may result in the revocation of access to Department
facilities and information systems.
12 FAM 577.3 Certifying Department
Employee Clearances for Visits to Contractor Facilities
(CT:DS-195; 08-06-2013)
a. DS/SI/PSS certifies the clearance of a Department
employee to visit contractor facilities when the visit requires access to
classified information or classified discussions are to take place. The
proposed visitor must complete Form DS-4070, Passing U.S. Department of State
Clearances to Other Agencies/Companies for Direct Hire Employees, PSCs, and
Detailees to the Department, and email or fax the completed form directly to
the DS/SI/PSS Certification Unit.
b. Contractor personnel visiting other U.S. Government
agencies or other contractor firms in the performance of their duties must have
their facility security officer pass their clearance to that agency or firm.
12 FAM 577.4 Return of
Department-Issued Documentation
(CT:DS-195; 08-06-2013)
Upon termination of a contractor, or all contractor
personnel as a result of contract termination, the contractor personnel who are
issued a Department personal identification card; official or diplomatic
passport; or DS identification media for performance on the contract, must
return these items to the COR or GTM for return to the appropriate office.
Department personal identification cards and DS identification media should be
returned to DS/DO. CORs or GTMs should refer to 7 FAM 1300 for the return of
diplomatic passports. Contracting firms must obtain and return these items to
the COR or GTM if their personnel fail to provide them.
12 FAM 578 INDUSTRIAL SECURITY
COMPLIANCE PROGRAMS
12 FAM 578.1 Inspection Programs
12 FAM 578.1-1 Program
Responsibility
(CT:DS-195; 08-06-2013)
a. The objective of the Department's Industrial
Security Program is to ensure that firms with a contractual relationship with
the Department requiring access to classified information, or to areas where
precluding access to classified information cannot occur, as well as such firms
that require access to SBU information, comply with the requirements in this
subchapter.
b. DS/IS/IND is responsible for inspecting contractors
performing on classified or designated SBU projects at Department locations
domestically and abroad. RSOs and/or SSMs are also responsible for inspecting
contractors abroad. RSOs, SSMs, the Office of Security Management
(OBO/CFSM/SM) and/or the Certification, Accreditation, Transit Security Branch
(DS/PSD/CAT) may request DS/IS/IND to perform inspections abroad. COs, CORs,
and GTMs may request inspections at domestic locations, as well. These
inspections may occur on an announced or unannounced basis at Department
locations worldwide.
12 FAM 578.1-2 Scope
12 FAM 578.1-2(A) Domestic
Inspections
(CT:DS-195; 08-06-2013)
a. For contractors performing on classified or
designated SBU projects at domestic Department locations, DS/IS/IND conducts a
pre-inspection survey and contacts the COR or GTM and facility security officer
to determine the status of the contract, individuals assigned to the contract,
and any areas of concern.
b. Inspections focus on the contractors' ability to
protect the Department's classified and/or SBU information. DS/IS/IND interviews
contractor personnel to determine if they had a security briefing and
understand their security responsibilities.
c. DS/IS/IND provides to the CO, COR or GTM, and
company facility security officer a report of the inspection findings, with any
corrective actions required. Contractors must take immediate corrective action
on specific inspection findings and provide a report on the corrective actions
taken with 15 days of receipt of the findings.
12 FAM 578.1-2(B) Inspections
Abroad
(CT:DS-195; 08-06-2013)
a. RSOs, SSMs, and/or DS/IS/IND conduct inspections of
contractors assigned to Department facilities and/or construction project sites
abroad. These inspections are necessary to ensure compliance with the
Department's Industrial Security Program and must occur annually, or at least
once during a project of a duration less than one year.
b. RSOs and SSMs contact DS/IS/IND for guidance in the
conduct of these inspections. DS/IS/IND provides guidance for pre-inspection
research, inspection, and post-inspection activities.
12 FAM 578.2 Contractor Extensions
To Department Automated Information Systems
(CT:DS-195; 08-06-2013)
a. Contractor extensions are Department OpenNet and/or
ClassNet systems located at the contractor facility. Program offices may
request approval for these extensions from DS/SI/CS. The request will
require justification demonstrating the need for the extension(s) that includes
an explanation as to why a Department location is insufficient and why Global
OpenNet would not be adequate to meet mission requirements.
b. As part of the DS/SI/CS and IRM/IA Contractor
Extension approval process, DS/IS/IND performs initial and recurring
inspections of contractor spaces to ensure they are compliant with Department
physical security requirements for OpenNet and/or ClassNet. DS/IS/IND provides
the security language specific to these requirements to the CO and/or COR for
inclusion in the contract.
c. Program offices and CORs/GTMs should contact
DS/IS/IND for specific guidance pertaining to the Departments contractor
extension program and the approval process.
12 FAM 579 Committee on Foreign
Investment in the United States (CFIUS)
(CT:DS-195; 08-06-2013
a. CFIUS is an interagency committee authorized to
review transactions that could result in a foreign person controlling a U.S.
business, in order to determine the effect of such transactions on the national
security of the United States. The Secretary of the Treasury serves as
Chairperson of CFIUS and the membership of the committee includes several
agency heads, including the Secretary of State.
b. DS/IS/IND coordinates the security review and
analysis of proposed foreign acquisitions of U.S. firms performing on
Department contracts and other agency contracts, and provides the Bureau of
Economic and Business Affairs (EB) with the consensus DS position. In
collaboration with Department program offices, DS/IS/IND makes recommendations
for mitigating the foreign ownership control or influence (FOCI) resulting from
foreign acquisitions.