12 FAM 570
INDUSTRIAL SECURITY PROGRAM
(Office of Origin: DS/SI/IS)
12 FAM 571 PURPOSe AND GENErAL REQUIREMENTS
12 FAM 571.1 Purpose and Responsibility
a. The purpose of this policy is to ensure contractors safeguard classified and sensitive material entrusted to them under contract, or during pre-award contract activities, with the Department. The Industrial Security Division (DS/IS/IND) administers the Department's Industrial Security Program. DS/IS/IND establishes policies and implements procedures for safeguarding classified and sensitive but unclassified (SBU) information released to, or generated by prime contractors (and subcontractors) under contract to the Department. This includes contractor personnel supporting Department activities at Department locations or performing on contracts from their companies' respective physical locations.
b. DS/IS/IND serves as liaison between the Department and the Department of Defense (DOD) Defense Security Service concerning Department contractors who participate in the National Industrial Security Program (NISP). DS/IS/IND serves as the final approving authority for all prime and subcontractor Contract Security Classification Specifications (Form DD-254) issued under all classified contracts and subcontracts. DS/IS/IND also assists to develop contract security requirements and issues the Department's industrial security policies and standards.
12 FAM 571.2 Applicability
This chapter applies to the Department's operations domestically and abroad, including U.S. missions to international organizations, and contractors performing under contract to the Department, from pre-contract award to post-contract completion. As noted in 12 FAM 573.2-1, this chapter does not apply to personal services contractors (PSCs). All Department contract actions must comply with the Federal Acquisition Regulation (FAR) and the Department of State Acquisition Regulation (DOSAR). The FAR and the DOSAR take precedence if any conflicting interpretations result from this chapter.
12 FAM 571.3 National Industrial Security Program
a. The Department participates as a User Agency in NISP through DS/IS/IND's Industrial Security Program. On January 6, 1993, Executive Order 12829 established the NISP for the protection of information classified pursuant to Executive Order 12356, April 2, 1982, "National Security Information," or its successor or predecessor orders, and the Atomic Energy Act of 1954, as amended. The National Security Council provides overall policy direction for the NISP. The President designated the Secretary of Defense as Executive Agent for the NISP. The Director, Information Security Oversight Office (ISOO), implements and monitors the NISP and issues implementing directives that are binding on Federal agencies.
b. Prior to the NISP, the Department initially formalized its use of industrial security services as a User Agency of the Defense Industrial Security Program by Memorandum of Agreement, dated June 5, 1961. The Department’s continued participation in the NISP enhances oversight of Department contractors’ classified activities.
c. Defense Security Service issues and maintains facility security clearances (FCL) and personnel security clearances (PCL), as required, for Department contractors. Defense Security Service inspects and monitors contractors who require or will require access to classified information. The Defense Industrial Security Clearance Office (DISCO), a field element of Defense Security Service, issues PCLs under the authority of the NISP.
d. DOD Directive 5220.22-R and DOD Directive 5220.22-M promulgate the standards for implementing the NISP. These directives establish the requirements for safeguarding classified information, including foreign government information, which the U.S. Government must protect in the interest of national security, and contractors, subcontractors, vendors, or suppliers may need to access.
e. DS/IS/IND serves as the Department’s representative to and a voting member of the National Industrial Security Program Policy Advisory Committee (NISPPAC). The NISPPAC, comprised of both Government and industry representatives, is responsible for recommending changes in industrial security policy through modifications to Executive Order 12829, its implementing directives, and the National Industrial Security Program Operating Manual.
12 FAM 571.4 Authorities
a. Executive Order (E.O.) 13526, Classified National Security Information, December 29, 2009.
b. E.O. 12829, National Industrial Security Program (NISP), January 6, 1993, which provides for a uniform program for safeguarding Federal Government classified information released to contractors, licensees, or grantees of U.S. Government Executive Branch departments and agencies.
c. E.O. 10865, Safeguarding Classified Information Within Industry, February 20, 1960, as amended by E.O. 10909, January 17, 1961, and succeeding orders, which direct Federal agencies to establish regulations governing U.S. industry in handling and protection of its national security information.
d. DOD 5220.22-R, Industrial Security Regulation, current edition, which sets forth requirements of User Agencies participating in the NISP.
e. DOD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) for Safeguarding Classified Information, current edition, prescribes the requirements contractors must follow to safeguard national security information
f. DOD 5220.22-M-Sup 1, National Industrial Security Program Operating Manual (NISPOM) Supplement, current edition.
g. 32 CFR Part 2004, National Industrial Security Program Directive No. 1.
h. The Federal Information Security Management Act (FISMA) of 2002 and succeeding legislation that prescribes a uniform information security program.
i. The Omnibus Diplomatic Security and Antiterrorism Act of 1986, (Public Law 99-399) Section 403 (22 U.S.C. 4853), Security Requirements for Contractors.
12 FAM 572 INDUSTRIAL SECURITY EDUCATION PROGRAMS
12 FAM 572.1 General
a. The effectiveness of the Department's Industrial Security Program depends upon contractor firms and U.S. Government personnel’s understanding of their respective security responsibilities. For this reason, education is an integral part of the Department's Industrial Security Program. The focus of the educational effort is to impress upon these individuals, through security briefings, their responsibility to safeguard classified and SBU information. DS/IS/IND conducts briefings for contractor personnel, Civil Service Personnel, Foreign Service officers, Department program office personnel and Department acquisition personnel, and schedules briefings on a recurring basis, upon request or when an issue (e.g., multiple security infractions) arises that warrants a security briefing.
b. Contractor personnel working at Department facilities must familiarize themselves not only with security regulations found in the Foreign Affairs Manual (FAM) that relate to their assigned duties, but also with the information and personnel security requirements specified in their contract and on their Form DD-254.
12 FAM 572.2 Required Briefings
12 FAM 572.2-1 Department Personnel
DS/IS/IND briefs Department personnel, such as regional security officers (RSOs), contracting officers (COs), contracting officer’s representatives (CORs), or Government technical monitors (GTMs), program managers, site security managers (SSMs), etc., on their responsibilities for proper implementation of the Department's Industrial Security Program.
12 FAM 572.2-2 Contractor Personnel
a. DS/IS/APD briefs all contractors who reside on-site at Department facilities and who are cleared for access to Department classified information, on their security responsibilities prior to receiving access to Department facilities or information systems.
b. FSOs must provide their personnel with initial and recurring security briefings in accordance with the NISP.
c. RSOs or SSMs brief all contractors arriving at their post and or site regarding their security responsibilities prior to granting access to the post, site, or information systems.
12 FAM 572.3 Counterintelligence Briefings
The RSO assigned to a critical human intelligence (HUMINT) threat post is responsible for administering a counterintelligence briefing when contractors arrive at post and debriefing them before they depart. See 12 FAM 260 for further information regarding Counterintelligence Programs.
12 FAM 573 SECURITY CLEARANCE POLICY
To ensure the proper safeguarding of classified information entrusted to the private sector, the Department requires contractor firms to possess FCLs and contractor personnel to possess PCLs commensurate with the level of classified information required. The following policies set forth the requirements for private sector/contractor firms and personnel who require access to Department classified information. Requirements for access to specific categories of Department SBU information are outlined throughout this subchapter.
12 FAM 573.1 Facility Security Clearances (FCL)
a. Any U.S. firm under contract to the Department requiring access to classified information, or to areas where access to classified information may exist, requires an FCL commensurate with the level of access required. An FCL is an administrative determination that a company meets all of the NISP requirements and is eligible for access to classified information or eligible for award of a classified contract. Additionally, any U.S. contractor firm, or business that requires access to classified information to prepare a response to a request for proposal (RFP) or solicitation, invitation for bid (IFB), request for quotation (RFQ), etc., and/or in performance of a classified Department contract, must have or obtain an FCL commensurate with the level of access required.
b. Department contracting authorities must submit facility clearance requirements and requests to DS/IS/IND. If warranted, DS/IS/IND sponsors the U.S. contractor firm for an FCL through DSS. Only DS/IS/IND has the authority to submit FCL requests to DSS on behalf of the Department.
c. Non-U.S. firms are ineligible for FCLs, except as specified in 12 FAM 573.1-2. To be eligible for an FCL, the company must be incorporated under the laws of any of the 50 states, the District of Columbia, or Puerto Rico, and reside in the United States or its territorial areas.
d. All classified contracts must include a Contract Security Classification Specification, Form DD-254, which denotes the FCL level required for the contract as well as specific contract security requirements.
12 FAM 573.1-1 Joint Ventures
U.S. joint ventures that require access to classified information during the bid phase or during contract performance must have an FCL commensurate with the level of access required. In order for a U.S. joint venture to obtain a clearance, all entities comprising the joint venture must possess an FCL. DS/IS/IND submits FCL requests for U.S. joint ventures through DSS. Foreign firms that are part of a joint venture are ineligible for FCLs, and make the joint venture ineligible for an FCL.
12 FAM 573.1-2 Foreign-Owned U. S. Contractors
a. Under the NISP, foreign-owned U.S. contractors may be eligible for an FCL, provided the foreign ownership has been mitigated in accordance with the NISPOM, DOD 5200.22-M.
b. The NISPOM prescribes several methods for mitigating foreign ownership of foreign-owned U.S. contractors. DSS works directly with foreign-owned U.S. contractors in establishing an approved method of mitigating the foreign ownership control or influence. Examples of methods for mitigating foreign ownership include the establishment of a voting trust agreement, a proxy agreement, a security control agreement (SCA) or a special security agreement (SSA). There are no restrictions levied on the FCL of firms which establish voting trust agreements or proxy agreements, as the foreign owner relinquishes most rights associated with ownership of the company to U.S. Government-approved cleared U.S. citizens. Restrictions are not levied on the FCL of firms under SCAs, either, as the company is not effectively owned or controlled by a foreign interest, although the foreign interest is entitled to representation on the company’s governing board.
c. One mitigation method contractor firms may elect, establishing an SSA, results in the imposition of restrictions on access to certain categories of classified information (referred to as proscribed information), e.g., Top Secret, Communications Security (COMSEC), Special Access Program (SAP), Restricted Data (RD), North Atlantic Treaty Organization (NATO), and Sensitive Compartmented Information (SCI). Firms under SSAs may be ineligible for award of specific Department projects that require access to these levels of information. Foreign-owned U.S. firms which opt to establish SSAs may become ineligible for an award or be unable to continue performing as a prime or subcontractor on efforts that require access to the categories of information noted in this paragraph. The CO and COR must coordinate the use of foreign-owned U.S. contractors with DS/IS/IND. DS/IS/IND works closely with DSS on any foreign ownership mitigation strategies established for Department contractor firms.
12 FAM 573.2 Self-Employed Personnel
The Department may use the services of self-employed individuals, consultants, and personal services contractors (PSCs). By definition, self-employed personnel must have no affiliation with a company and/or contractor firm. Individuals incorporated for tax purposes with family members as office holders of the corporation also qualify as self-employed contractors, although the family members become ineligible for access to classified information or processed for personnel security clearances. The Office of Personnel Security and Suitability (DS/SI/PSS) clears self-employed individuals, consultants, and PSCs. DS/SI/PSS also clears consultants hired through the Bureau of Human Resources (HR) under Federal personnel regulations. Program offices, HR representatives, CORs and COs must work directly with their Executive Offices and DS/SI/PSS regarding personnel security clearances for these personnel. DS/IS/IND plays no role with regard to these categories of personnel.
12 FAM 573.3 Personnel Security Clearance Requirements
12 FAM 573.3-1 Overall Personnel Security Clearance Requirements
Contractor personnel must possess clearances commensurate with the level of access required for performance under a Department classified contract. The Contract Security Classification Specification, Form DD-254, included in all classified procurements, establishes the FCL and individual clearance requirements for contract performance. It also outlines whether or not the company must store and/or generate classified material in the performance of the contract.
12 FAM 573.3-2 Department Contractor Personnel
a. All cleared contractor firms must designate an individual as their facility security officer who is responsible for the administration of the company’s industrial security program and adherence to the NISPOM and any contract security requirements. The facility security officer submits personnel security clearance requests to DISCO. The facility security officer also submits visitor authorization requests (VARs) and required documentation on all contractor personnel who are DISCO cleared directly to DS/IS/IND.
b. DISCO usually processes Department contractor personnel for personnel security clearances. However, there are extenuating circumstances when DS/SI/PSS must process specific contractor personnel for personnel security clearances. In those cases, the classified contracts awarded to the contractor firms notes this requirement, as well as the procedures to process their personnel for Department clearances.
12 FAM 573.3-3 Overseas Personnel Security Requirements
Item 13 of Form DD-254, which is issued to contractor firms, includes specific personnel security clearance requirements regarding travel and/or assignments to all posts abroad, regardless of the threat level of the post.
(1) Clearance requirements for access to core spaces, including the post communication center (PCC), must adhere to the provisions of 5 FAH-6 H-124. As such, IRM and the post information management officer (IMO) may authorize contractors who possess Final Top Secret clearances access to the PCC. CORs and/or GTMs must coordinate access to PCCs and/or core areas with both the Cryptographic Service Branch (IRM/OPS/ITI/SI/CSB) and the post IMO, and the contractor must be read-on for COMSEC access or use before accessing the PCCs and/or core areas.
(2) DS established additional clearance requirements for U.S. contractor personnel performing under contract to the Department at critical HUMINT threat posts listed in the Department's Security Environment Threat List (SETL). The duration of the visit, access requirements, and area(s) of access form the basis for any additional clearance requirements. DS/IS/IND provides guidance for contractor personnel traveling to critical HUMINT threat posts in Item 13 of Form DD-254. There is no reference to the term “critical HUMINT threat post”, since identifying a post at a specific threat level is classified; instead, Form DD-254, which is an unclassified document, notes “specific HUMINT threat posts”. The NOTE in this subsection addresses these additional requirements.
NOTE: The contents of the SETL are classified and must only be discussed in secure locations authorized for classified discussion and/or processed on automated information systems certified and accredited for the processing of national security information at the appropriate level of assurance.
12 FAM 573.3-3(A) Classified Projects on the Compound at Critical HUMINT Threat Posts
a. Classified contracts at critical HUMINT threat posts:
(1) Travel and/or deployments to critical HUMINT threat posts of less than 60 days (cumulative for all critical HUMINT threat posts visited in a calendar year) require Final Secret clearances and favorable DS name checks before travel and/or deployment commences. Access to Top Secret information requires Top Secret clearances and favorable name checks. Interim Secret clearances are not acceptable for ANY travel;
(2) Travel and/or deployments to critical HUMINT threat posts of more than 60 days (cumulative for all critical HUMINT threat posts visited in a calendar year) require Final Top Secret clearances, favorable DS name checks and favorably adjudicated DS Acceptability Reviews before travel and/or deployment commences.
NOTE: Contractor personnel may deploy after the submission of the DS Acceptability Review to DS/IS/IND, provided DS deems the name checks favorable. However, if the Acceptability Review is subsequently adjudicated unfavorably, the COR or GTM is advised and, upon the COR or GTM notification, the contractor personnel must immediately leave the site at no expense to the U.S. Government; and
(3) DS name checks must be requested from DS/IS/IND; do not send country clearance requests to post prior to notification of favorable results.
b. Unclassified portions of classified contracts at critical HUMINT threat posts – Access to general work areas and/or public access areas (see 12 FAH-6 H-021):
(1) In coordination with the COR or GTM, DS/IS/IND evaluates the occasional requirement to deploy an uncleared contractor to a critical HUMINT threat post in support of a classified contract. In these individual cases and as the COR or GTM and DS/IS/IND agree, the contractor submits the necessary paperwork to DS/IS/IND for a DS Moderate Risk Public Trust (MRPT) certification; and
(2) Uncleared contractor personnel cannot travel to post until DS/SI/PSS renders a favorable MRPT determination. Upon issuance of a favorable MRPT, DS/IS/IND notifies the COR or GTM and the contractor, and the COR or GTM may provide such information on the country clearance request to post.
12 FAM 573.3-3(B) All Other Unclassified Projects on or off the Chancellery at Critical HUMINT Threat Posts
The COR or GTM must coordinate with DS/IS/IND before drafting the statement of work for unclassified projects on or off the chancellery at critical HUMINT threat posts. As a result, the project schedule must include the time required for Diplomatic Security checks. Contractor personnel deploying to critical HUMINT threat posts for performance on wholly unclassified projects, with no access to controlled access areas (CAAs) (see 12 FAH-6 H-021) or restricted spaces requiring clearances, must have a favorable DS MRPT certification from DS/SI/PSS prior to travel/deployment. DS/IS/IND notifies the COR or GTM and the contractor upon issuance of a favorable MRPT. The COR or GTM may then provide such information in the country clearance request to post.
12 FAM 573.3-3(C) Cleared American Personnel Program for the Bureaus of European Affairs and East Asia and Pacific Affairs
These programs use specific contractors to provide technical and administrative support directly to posts as the Executive Offices of the Bureaus of European Affairs (EUR-IO/EX) and East Asia and Pacific Affairs (EAP/EX) designate. Contractor personnel under this program require a single-scope background investigation that DS/SI/PSS conducts. DS may also accept Top Secret or equivalent clearances that other U.S. Government agencies granted upon receipt, review, and evaluation of investigative files for issuance of reciprocal Department Top Secret clearances and suitability for deployment to critical HUMINT threat posts. DS may conduct further investigation as required, including Counterintelligence Pass-through reviews. DS/IS/IND coordinates these requirements with the COR or GTM and other pertinent DS offices.
12 FAM 573.4 Special Program/Access Requirements
12 FAM 573.4-1 Special Access Program (SAP)
The Department program office, in coordination with DS/IS/IND, determines contractor clearance requirements for special access programs (SAP) based on the need for access to SAP information. If a contract requires access to SAP information, DS/IS/IND documents the specific requirements in Form DD-254 included in the classified contract and specifies that the contractor must adhere to stated requirements. Form DD-254 also notes whether DSS or DS (or its representative) has inspection responsibility for the SAP information.
12 FAM 573.4-2 Sensitive Compartmented Information (SCI) Requirements
a. DS/IS/IND coordinates with the Special Security Operations Division (DS/IS/SSO) on contracts requiring authorization for access to sensitive compartmented information (SCI). If a program office advises that a contract requires access to SCI information and includes the requirement within the body of the contract, DS/IS/IND documents the specific SCI requirements and procedures for processing contractor personnel in Form DD-254 included in the classified contract.
b. DS/IS/IND processes contractor personnel for SCI access when the COR or GTM requests SCI access for contractor personnel. The COR or GTM must submit written requests for SCI access for the contractor personnel directly to DS/IS/IND, and must include sufficient justification for the SCI requirement for each member of the contractor personnel. DS/IS/IND does not authorize contractor access to SCI without a favorable SCI-eligibility determination and the individual receiving the required SCI briefing.
12 FAM 574 CONTRACTING RESPONSIBILITIES
Department program, project, and contracting personnel must consider security requirements at the earliest possible stage in the procurement process. The following must share responsibility for the effective implementation of the Department's Industrial Security Program:
(1) Bureau or office project manager;
(2) Contracting officer's representative (COR);
(3) Government technical monitor (GTM);
(4) Contracting officer (CO);
(5) Unit security officer (USO); and
12 FAM 574.1 Contracting Officers (COs)
a. COs award classified and designated SBU contracts, and ensure that pre-contract, contract award, and post-contract actions include appropriate contract documentation and contract security clauses. Contract documentation may include, but is not limited to:
(1) Contract Security Classification Specifications, Form DD- 254 (for classified contracts);
(2) Security clauses specific to SBU contracts that provide for the protection of Department information and other assets, and the requirement for investigations of contractor personnel in positions of public trust;
(3) Contract clauses specific to the policy and procedures regarding Department personal identification cards; and
(4) Applicable FAR and DOSAR clauses.
b. COs should take into account the processing times required for facility and personnel clearances, and provide sufficient time in the selection and award process for the contractor firms and contractor personnel to obtain the required clearances. COs should provide DS/IS/IND with complete RFP and contract packages for review (and generation of Form DD-254) prior to any award. COs should provide DS/IS/IND with draft acquisition announcements (e.g., Federal Business Opportunity (FEDBIZOPS)) prior to their release. DS/IS/IND provides language for use in the announcement that explains to interested bidders what the facility and personnel security clearance requirements are, and whether the Department will sponsor uncleared firms for FCLs, or whether interested bidders must already possess an FCL to make a bid.
12 FAM 574.2 Contracting Officer's Representative (COR)/Government Technical Monitor (GTM)
a. After consulting with applicable Department security elements, CORs and GTMs are responsible for identifying and coordinating the security requirements for inclusion in classified or designated SBU contracts. If the COR or GTM has any questions regarding proposed security clearance and access requirements, he/she should contact DS/IS/IND in the beginning of the procurement process. DS/IS/IND assists and is responsible for generating and approving Form DD-254, along with providing Form DD-254 to the CO for inclusion in classified RFPs and contracts. SBU contracts do not contain a Form DD-254, but should contain specific language for the handling of SBU and the processing of contractor firm personnel for access to SBU.
b. The COR or GTM is responsible for performing reviews during contract performance and upon contract completion, and must ensure compliance with all security requirements for the duration of the contract. The COR or GTM must notify DS/IS/IND and the CO of any changes in security requirements to allow for contract modifications and Form DD-254 revisions.
c. The COR or GTM must give adequate guidance to all contractor personnel concerning the specific security requirements unique to their assigned projects and ensure that contractor personnel fully understand the elements of their individual assignments that involve classified information. Further, the COR or GTM must ensure that:
(1) Contractor personnel have security classification guidance for any classified information they generate;
(2) Contractor personnel attend required security briefings;
(3) The appropriate USO receives reports of infractions and/or violations; and
(4) DS/IS/IND receives reports of adverse information concerning any contractor personnel performing on Department classified or SBU contracts.
NOTE: Adverse information is any information that adversely reflects on the integrity or character of cleared contractor personnel (or contractor personnel with a public trust certification) that could impair their ability to safeguard classified and/or sensitive information, subject them to exploitation or blackmail, or is of such a nature that access to classified information clearly is not in the interest of national security.
12 FAM 574.3 Unit Security Officers
Unit security officers (USOs) are responsible for briefing all contractor personnel working in their assigned area(s) regarding applicable security requirements and procedures. The USO should consult with DS/IS/IND if there are any security-related problems or concerns with any contractor personnel. If a bureau security officer (BSO) is assigned to a particular bureau, consult him or her in addition to DS/IS/IND.
12 FAM 574.4 Contractor Personnel Responsibilities
a. All contractor personnel are responsible for complying with the Department's security regulations and procedures. All contractor personnel are responsible for their Department personal identification cards when the contract requires them to have a Department identification card, and must follow the security reporting requirements in 12 FAM 270, including adverse information, dual citizenship, certain contacts with foreign nationals, and personal travel to specific HUMINT threat countries.
b. See contractor identification cards Web site for procedures to obtain Department personal identification cards for contractor personnel, contracting firms, and Department project personnel.
12 FAM 575 CONTRACT PROCESSING
12 FAM 575.1 Department Contracting Activities
a. The Office of the Procurement Executive (A/OPE) delegates contracting authority for Department contracting activities. Only those persons A/OPE designates may negotiate, enter into, and award contracts. A/OPE authorizes DS/IS/IND to approve Contract Security Classification Specifications (Form DD-254) for inclusion in classified contracts.
b. Department classified procurement actions (i.e. those that require access to classified information or areas where precluding access to classified information cannot occur) require a fully executed Form DD-254 to include with each of the following:
(1) Invitation for bid;
(2) Request for proposal or quotation;
(3) Contract (a contract can exist in the form of a letter contract, purchase order, indefinite delivery indefinite quantity (IDIQ) contract, basic ordering agreement, delivery order, or any other Federally-recognized contract vehicle); or
(4) Subcontract package.
c. DS/IS/IND must review SBU contracts (i.e., those that require access to specific categories of SBU information), and include specific contract clauses related to the handling of SBU information. One example is a contract that requires access to passport information and the facilities that process passport information.
d. Unclassified contracts, which do not involve access to classified information, do not normally require a DS/IS/IND review. However, DS/IS/IND coordinates security requirements with the requesting office when the sensitivity of the project (e.g., physical protection requirements for Department information or other assets, background investigations on contractor personnel, etc.) warrants additional security requirements.
e. During the country clearance notification process, DS/IS/IND must approve uncleared personnel who travel to posts abroad to perform duties pursuant to unclassified contracts.
12 FAM 575.2 Other Contracting Activities
a. Acquisition and program offices must advise DS/IS/IND when their contracting officers are awarding classified contracts for the Department. The requirements in 12 FAM 574 are equally applicable to contracts other contracting agencies awarded on behalf of the Department (e.g., Small Business Administration, General Services Administration, etc.) and to Interagency Agreements (IAAs) used to obtain contractor services. Both instances require the issuance of a DS/IS/IND-approved Form DD-254.
b. General Services officers (GSOs) at posts abroad with contracting authority must contact DS/IS/IND and A/OPE when the contract scope of work requires cleared contractor personnel. A/OPE determines whether the GSO or domestic procurement office conducts the procurement. DS/IS/IND ensures incorporation of a Form DD-254 into the contract.
12 FAM 575.3 Contract Clause(s)
A/OPE provides contract clauses governing security requirements for inclusion in all Department classified contracts, SBU, and unclassified contracts. DS/IS/IND, in coordination with the program office, may also add security requirements to the contract in DD-Form 254 section H and instructions for classified deliveries in section D.
12 FAM 575.4 Contract Performance
The CO, in consultation with the COR and DS/IS/IND, is responsible for ensuring contractor compliance with all security requirements during contract performance. The CO, COR, and DS/IS/IND coordinate changes in the contract security requirements before notifying the contractor.
12 FAM 575.5 Contract Completion
The CO is responsible for notifying DS/IS/IND of the contract completion (i.e., final delivery of goods or services) or the termination of the contract. DS/IS/IND advises the contractor regarding the proper disposition of any classified material the contractor releases or generates, as well as the requirement for the contractor facility security officer to cancel any current VARs and/or public trust determinations.
12 FAM 576 HANDLING CLASSIFIED INFORMATION
12 FAM 576.1 Releasing Classified Information to Contractors
Any Department office intending to provide classified material to a contractor bidding on or performing on a classified contract must, prior to release of the material, advise DS/IS/IND of its intention to release the classified material. DS/IS/IND will verify the contractor's facility security clearance and storage capability, and issue a Form DD-254 (or ensure one has already been issued) authorizing the receipt of classified material. (See 12 FAM 573.1). The office releasing classified information to a contractor is responsible for establishing the contractor’s need-to-know requirements (see 12 FAM 576.2) and advising DS/IS/IND of its intention to transmit classified material to the contractor’s location. When the releasing office establishes the contractor’s need-to-know requirement, DS/IS/IND verifies the contractor’s classified mailing address authorized for receipt of classified material. After DS/IS/IND’s verification, the releasing office may transmit the classified material in accordance with 12 FAM 536.9, and/or Item 13 of the Form DD-254.
12 FAM 576.2 Need-to-Know Determination
In addition to DS/IS/IND verifying the contractor's facility clearance, the possessor of classified information must determine that a contractor has a need-to-know the information. The basis of this determination is the recipient's need, in the interest of national security, to have access to, knowledge of, or possession of classified information to perform tasks or services essential to fulfilling a Department contract or program (see 12 FAM 536.1).
12 FAM 576.3 Verification of Individual Personnel Clearances
Prior to allowing individual contractor personnel access to classified information or areas where precluding access to classified information cannot occur, Department employees should contact DS/IS/IND to verify a contractor’s eligibility to access classified information. The clearance must at least equal the level of the classified information the contractor will access.
12 FAM 576.4 Reporting Requirements
a. USOs must immediately report, in writing, on Form OF-117, Notice of Security Incident, to the Program Applications Division (DS/IS/APD) any unauthorized disclosures of classified information to contractor personnel and security incidents involving contractor personnel working at Department facilities both domestically and abroad. When warranted, DS/IS/APD conducts an evaluation and investigation, issues Form OF 118, Record of Incident, and advises DS/IS/IND of the results. See 12 FAM 550 for detailed guidance regarding reports of security incidents and compromises.
b. The facility security officer must immediately report, in writing, to DS/IS/IND and the COR the suspected loss or compromise of Department classified information at the contractor’s facility. DS/IS/IND coordinates the investigation and any subsequent mitigation, with the contractor, COR, and other Department offices. DS/IS/IND ensures the contractor’s Defense Security Service Industrial Security Representative is notified when there is a possible compromise and/or computer systems or documents require sanitization at the contractor’s facility.
c. Department personnel and contractors must immediately report, in writing, to DS/IS/IND any adverse information coming to their attention concerning any cleared contractor personnel. (For the purpose of this requirement, cleared contractor personnel include employees of contracting firms cleared in accordance with the Industrial Security Program.) The individuals providing these reports must not make reports based on rumor or innuendo. The subsequent termination of employment of a contractor does not preclude the requirement to submit this report. The contracting firm must submit to DS/IS/IND a copy of adverse information reports sent to DISCO on personnel working on any Department classified project. When adverse information on a contractor employee comes to the attention of DS/IS/IND, DS/IS/IND may report the adverse information directly to Defense Security Service.
d. The Department requires cleared contractors performing work on classified contracts to comply with Department guidance in 12 FAM 270 and report their intent to marry, cohabitate, or other contact/established relationships with foreign nationals. The Department counsels contractor personnel on the potential impact of such relationships on their continued acceptability for assignment abroad, or performance on Department contracts. When required, the contractor personnel must provide the forms for a Department-conducted investigation and evaluation.
12 FAM 576.5 Contractor Releases
a. In accordance with the NISPOM and Form DD-254 for the contract, contractors must clear with DS/IS/IND all requests to release unclassified information pertaining to contracts involving national security information. This includes, but is not limited to:
(1) Requests for public releases of unclassified information pertaining to classified contracts;
(2) Contractor requests for release of unclassified information at seminars, meetings, and symposia; and
(3) Distribution of sales literature containing unclassified information including the publication or distribution of brochures, Web sites, promotional sales literature, or similar material.
b. When the CO, COR or GTM receives a copy of the proposed release, he or she must provide a copy to DS/IS/IND for review and clearance.
12 FAM 577 CONTRACTOR PERSONNEL SECURITY CLEARANCES
a. The Defense Security Service, in accordance with the NISP, usually clears a contracting firm’s employee, at the request of the cleared contracting firm, for performance on classified Department contracts.
b. In some extenuating instances (e.g., protective services contracts in Iraq and Afghanistan) and as noted in Form DD-254 included in specific contracts, DS/SI/PSS investigates or processes contractors for personnel security clearances and public trust certifications. Forms for clearances and public trust certifications must be submitted in accordance with 12 FAM 577.1.
12 FAM 577.1 Submission of Personnel Security Clearance and Public Trust Determination Requests
a. The contractor's facility security officer must submit all requests for personnel security clearances to DS/IS/IND for submission to DS/SI/PSS. The requesting memo for a contractor personnel security clearance or low, medium, or high-risk public trust certification must include:
(1) Name of the individual and his or her work location and phone number;
(2) Level of clearance and/or public trust certification required;
(3) Contract number, with expiration date;
(4) Area(s) to access, and a sufficient explanation of the proposed work, including job title; and
(5) Required forms, releases and fingerprint cards.
b. DS/IS/IND provides specific instructions to the contractor facility security officer regarding the specific forms required. DS/IS/IND provides notification of completed investigations and clearance/public trust issuance to the COR and contractor.
12 FAM 577.2 Certifying Clearances to the Department for Performance on Contracts
a. Contractor facility security officers must submit a VAR to certify the personnel security clearances for Defense Security Service cleared contractor personnel who are assigned to or visiting Department facilities where access to classified information is required, or areas where precluding access to classified information cannot occur. The facility security officer must submit all contractor VARs directly to DS/IS/IND. DS/IS/IND verifies the cited classified contract/activity and, if approved, enters the clearance information into the Visitor Security Clearance Tracking System (VSCTS).
b. Concurrent with this action, DS/IS/IND forwards a copy of the VAR to the COR or GTM. The COR or GTM must certify that the cleared contractor has a valid need-to-know for the contract/activity cited on the visit request. Unless the COR or GTM notifies otherwise, DS/IS/IND considers the need-to-know certified and does not take any further action. If there are issues with the information on the VAR, DS/IS/IND returns the VAR to the facility security officer, either requesting additional information or disapproving the proposed classified visit.
c. The facility security officer must submit an updated VAR when a contractor’s level of security clearance, or name changes.
d. The contractor must notify DS/IS/IND when a cleared employee terminates or no longer requires access to classified information. To make this notification, contractors must submit a VAR cancellation request.
e. If DISCO notifies the firm that an employee’s clearance has been revoked, suspended or terminated, the facility security officer must immediately contact his or her DS/IS/IND specialist, so DS/IS/IND can ensure that access to classified information immediately ceases and the employee’s building pass, if issued, is retrieved.
f. There are certain access restrictions for contractor personnel with interim clearances. An Interim Secret personnel security clearance is valid for access to classified information up to the Secret level, except for SCI, RD, COMSEC, SAP, and NATO information (or in other circumstances specified in Item 13 of Form DD-254). Those with Interim Secret clearances must not travel to specific HUMINT threat posts (see 12 FAM 573.3-2). An Interim Top Secret personnel security clearance is valid for access to Top Secret information and RD, NATO, and COMSEC information at the Secret and Confidential level only. However, an Interim Top Secret is not valid for unescorted access to an operating PCC at posts abroad. PCC mandatory access requirements are in 5 FAH-6 H-124.
g. VARs are valid for a period not to exceed 12 months. The facility security officer must submit VAR renewals 30 days in advance of the expiration of a contractor personnel’s VAR. Failure to meet this submission deadline may result in the revocation of access to Department facilities and information systems.
12 FAM 577.3 Certifying Department Employee Clearances for Visits to Contractor Facilities
a. DS/SI/PSS certifies the clearance of a Department employee to visit contractor facilities when the visit requires access to classified information or classified discussions are to take place. The proposed visitor must complete Form DS-4070, Passing U.S. Department of State Clearances to Other Agencies/Companies for Direct Hire Employees, PSCs, and Detailees to the Department, and email or fax the completed form directly to the DS/SI/PSS Certification Unit.
b. Contractor personnel visiting other U.S. Government agencies or other contractor firms in the performance of their duties must have their facility security officer pass their clearance to that agency or firm.
12 FAM 577.4 Return of Department-Issued Documentation
Upon termination of a contractor, or all contractor personnel as a result of contract termination, the contractor personnel who are issued a Department personal identification card; official or diplomatic passport; or DS identification media for performance on the contract, must return these items to the COR or GTM for return to the appropriate office. Department personal identification cards and DS identification media should be returned to DS/DO. CORs or GTMs should refer to 7 FAM 1300 for the return of diplomatic passports. Contracting firms must obtain and return these items to the COR or GTM if their personnel fail to provide them.
12 FAM 578 INDUSTRIAL SECURITY COMPLIANCE PROGRAMS
12 FAM 578.1 Inspection Programs
12 FAM 578.1-1 Program Responsibility
a. The objective of the Department's Industrial Security Program is to ensure that firms with a contractual relationship with the Department requiring access to classified information, or to areas where precluding access to classified information cannot occur, as well as such firms that require access to SBU information, comply with the requirements in this subchapter.
b. DS/IS/IND is responsible for inspecting contractors performing on classified or designated SBU projects at Department locations domestically and abroad. RSOs and/or SSMs are also responsible for inspecting contractors abroad. RSOs, SSMs, the Office of Security Management (OBO/CFSM/SM) and/or the Certification, Accreditation, Transit Security Branch (DS/PSD/CAT) may request DS/IS/IND to perform inspections abroad. COs, CORs, and GTMs may request inspections at domestic locations, as well. These inspections may occur on an announced or unannounced basis at Department locations worldwide.
12 FAM 578.1-2 Scope
12 FAM 578.1-2(A) Domestic Inspections
a. For contractors performing on classified or designated SBU projects at domestic Department locations, DS/IS/IND conducts a pre-inspection survey and contacts the COR or GTM and facility security officer to determine the status of the contract, individuals assigned to the contract, and any areas of concern.
b. Inspections focus on the contractors' ability to protect the Department's classified and/or SBU information. DS/IS/IND interviews contractor personnel to determine if they had a security briefing and understand their security responsibilities.
c. DS/IS/IND provides to the CO, COR or GTM, and company facility security officer a report of the inspection findings, with any corrective actions required. Contractors must take immediate corrective action on specific inspection findings and provide a report on the corrective actions taken with 15 days of receipt of the findings.
12 FAM 578.1-2(B) Inspections Abroad
a. RSOs, SSMs, and/or DS/IS/IND conduct inspections of contractors assigned to Department facilities and/or construction project sites abroad. These inspections are necessary to ensure compliance with the Department's Industrial Security Program and must occur annually, or at least once during a project of a duration less than one year.
b. RSOs and SSMs contact DS/IS/IND for guidance in the conduct of these inspections. DS/IS/IND provides guidance for pre-inspection research, inspection, and post-inspection activities.
12 FAM 578.2 Contractor Extensions To Department Automated Information Systems
a. Contractor extensions are Department OpenNet and/or ClassNet systems located at the contractor facility. Program offices may request approval for these extensions from DS/SI/CS. The request will require justification demonstrating the need for the extension(s) that includes an explanation as to why a Department location is insufficient and why Global OpenNet would not be adequate to meet mission requirements.
b. As part of the DS/SI/CS and IRM/IA Contractor Extension approval process, DS/IS/IND performs initial and recurring inspections of contractor spaces to ensure they are compliant with Department physical security requirements for OpenNet and/or ClassNet. DS/IS/IND provides the security language specific to these requirements to the CO and/or COR for inclusion in the contract.
c. Program offices and CORs/GTMs should contact DS/IS/IND for specific guidance pertaining to the Department’s contractor extension program and the approval process.
12 FAM 579 Committee on Foreign Investment in the United States (CFIUS)
a. CFIUS is an interagency committee authorized to review transactions that could result in a foreign person controlling a U.S. business, in order to determine the effect of such transactions on the national security of the United States. The Secretary of the Treasury serves as Chairperson of CFIUS and the membership of the committee includes several agency heads, including the Secretary of State.
b. DS/IS/IND coordinates the security review and analysis of proposed foreign acquisitions of U.S. firms performing on Department contracts and other agency contracts, and provides the Bureau of Economic and Business Affairs (EB) with the consensus DS position. In collaboration with Department program offices, DS/IS/IND makes recommendations for mitigating the foreign ownership control or influence (FOCI) resulting from foreign acquisitions.