12 FAM 570
INDUSTRIAL SECURITY PROGRAM
(CT:DS-427; 07-16-2024)
(Office of Origin: DS/SI/IS)
12 FAM 571 PURPOSe AND GENErAL REQUIREMENTS
(CT:DS-427; 07-16-2024)
12 FAM 571.1 Purpose and Responsibility
(CT:DS-392; 11-07-2022)
a. The purpose of this policy is to ensure contractors safeguard classified and sensitive material entrusted to them under contract, or during pre-award contract activities, with the Department. The Industrial Security Division (DS/IS/IND) administers the Department's Industrial Security Program. DS/IS/IND establishes policies and implements procedures for safeguarding classified and Sensitive but Unclassified (SBU) information released to, or generated by, prime contractors and subcontractors under contract to the Department. This includes contractor personnel supporting Department activities at Department locations or performing on contracts from their companies' respective physical locations.
b. DS/IS/IND serves as liaison between the Department and the Defense Counterintelligence and Security Agency (DCSA) concerning Department contractors who participate in the National Industrial Security Program (NISP). All prime and subcontractor DD Forms 254 Contract Security Classification Specifications issued for classified Department contracts and subcontracts are issued by DS/IS/IND, which is the final approving authority. DS/IS/IND also assists in the development of contract security requirements and issues the Department's industrial security policies and standards.
c. DS/IS/IND ensures the appropriate security requirements, including special access requirements, are incorporated into all classified and Sensitive But Unclassified contracts; administers an industrial security compliance and briefing program; conducts ongoing reviews of Department contractors, both domestically and overseas, to include those with OpenNet and ClassNet extensions; approves access authorizations for classified information up to Top Secret (TS), including Communications Security (COMSEC); and oversees compliance of contractors connecting to Department OpenNet and ClassNet information systems.
d. DS/IS/IND responsibilities encompass the following programs: Acquisitions Support (Domestic and Overseas); Access Authorizations; Oversight and Compliance; Overseas Buildings Operations (OBO) Project Security Oversight; Special Projects (Iraq, Afghanistan, and Fragile States); Contractor Connectivity; Industrial Security Expertise; and an ongoing Industrial Security Education Program.
12 FAM 571.2 Applicability
(CT:DS-392; 11-07-2022)
This chapter applies to the Department's operations domestically and abroad, including U.S. missions to international organizations and contractors performing under contract to the Department, from pre-contract award to post-contract completion. As noted in 12 FAM 573.2, this chapter does not apply to personal services contractors (PSCs). All Department contract actions must comply with the Federal Acquisition Regulation (FAR) and the Department of State Acquisition Regulation (DOSAR). The FAR and the DOSAR take precedence if any conflicting interpretations result from this chapter.
12 FAM 571.3 National Industrial Security Program
(CT:DS-392; 11-07-2022)
a. The Department participates as a User Agency in the NISP through DS/IS/IND's Industrial Security Program. On January 6, 1993, Executive Order 12829 established the NISP for the protection of information classified pursuant to Executive Order 12356, April 2, 1982, "National Security Information," or its successor orders, including Executive Order 13526, "Classified National Security Information," and the Atomic Energy Act of 1954, as amended. The National Security Council provides overall policy direction for the NISP. The President designated the Secretary of Defense as Executive Agent for the NISP. The Director, Information Security Oversight Office (ISOO), implements and monitors the NISP and issues implementing directives that are binding on Federal agencies.
b. DCSA issues and maintains facility security clearances (FCL), as required, for Department contractors. Personnel security clearances are maintained by the contractor’s facility security officer (FSO). DCSA inspects and monitors contractors who require or will require access to classified information. The Vetting Risk Operations Center provides liaison services between cleared contracting firms and the Department of Defense Central Adjudication Facility (DoD CAF). The DoD CAF adjudicates and grants final personnel security clearances (PCLs) for contractors requiring clearances under the authority of the NISP.
c. DoD Manual 5220.22, Vol 2 (The National Industrial Security Program: Industrial Security Procedures For Government Activities) and DoD Manual 5220.22-M (National Industrial Security Program Operating Manual) promulgate the standards for implementing the NISP. These directives establish the requirements for safeguarding classified information, including foreign government information, which the U.S. Government must protect in the interest of national security, and which contractors, subcontractors, vendors, or suppliers may need to access.
d. DS/IS/IND is the Department’s representative to and a voting member of the National Industrial Security Program Policy Advisory Committee (NISPPAC). The NISPPAC, comprised of both Government and industry representatives, is responsible for recommending changes in industrial security policy through modifications to E.O. 12829, its implementing directives, and the National Industrial Security Program Operating Manual.
12 FAM 571.4 Authorities
(CT:DS-392; 11-07-2022)
a. Executive Order 13526, Classified National Security Information, December 29, 2009;
b. Executive Order 12829, National Industry Security Program, January 6, 1993, as amended;
c. Executive Order 10909, Safeguarding Classified Information Within Industry, January 17, 1961, as amended;
d. DoD 5220.22-R, Industrial Security Regulation, current edition;
e. DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) for Safeguarding Classified Information, current edition;
f. DoD 5220.22-M-Sup 1, NISPOM Supplement, current edition;
g. 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM);
h. 32 CFR Part 2004, National Industrial Security Program;
i. The Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. 3501 et seq.; and
j. The Omnibus Diplomatic Security and Antiterrorism Act of 1986, (Public Law 99-399) Section 403 (22 U.S.C. 4853), Security Requirements for Contractors.
12 FAM 572 INDUSTRIAL SECURITY EDUCATION PROGRAMS
12 FAM 572.1 General
(CT:DS-352; 03-10-2021)
a. The effectiveness of the Department's Industrial Security Program depends upon contractor firms' and U.S. Government personnel’s understanding of their respective security responsibilities. For this reason, education is an integral part of the Department's Industrial Security Program. The focus of the educational effort is to impress upon these individuals, through security briefings, their responsibility to safeguard classified and SBU information. DS/IS/IND conducts briefings for contractor personnel, Civil Service Personnel, Foreign Service Officers, Department program office personnel and Department acquisition personnel, and schedules briefings on a recurring basis, upon request or when an issue (e.g., multiple security infractions) arises that warrants a security briefing.
b. The contractor personnel working at Department facilities must familiarize themselves not only with security regulations found in the Foreign Affairs Manual (FAM) that relate to their assigned duties, but also with the information and personnel security requirements specified in their contract and on their DD Form 254.
12 FAM 572.2 Required Briefings
12 FAM 572.2-1 Department Personnel
(CT:DS-392; 11-07-2022)
The DS/IS/IND briefs Department personnel, such as regional security officers (RSOs), contracting officers (COs), contracting officer’s representatives (CORs), or Government technical monitors (GTMs), general services officers (GSOs), program managers, site security managers (SSMs), etc., on their responsibilities for proper implementation of the Department's Industrial Security Program.
12 FAM 572.2-2 Contractor Personnel
(CT:DS-392; 11-07-2022)
a. The Program Applications Division (DS/IS/APD) briefs all contractor personnel who reside on-site at Department facilities and who are cleared for access to classified information on their security responsibilities prior to receiving access to Department facilities or information systems. The contracting firm is responsible for ensuring all cleared personnel receive initial and annual refresher training and that the training meets the requirements of the NISPOM.
b. RSOs or SSMs brief all contractor personnel arriving at their post and or site regarding their security responsibilities prior to granting access to the post, site, or information systems.
12 FAM 572.3 Counterintelligence Briefings
(CT:DS-392; 11-07-2022)
RSOs assigned to critical Human Intelligence (HUMINT) threat posts are responsible for administering a counterintelligence briefing when contractors arrive at post and debriefing them before they depart. See 12 FAM 260 for further information regarding Counterintelligence programs.
12 FAM 573 SECURITY CLEARANCE POLICY
(CT:DS-392; 11-07-2022)
To ensure the proper safeguarding of classified information entrusted to the private sector, the Department requires contractor firms to possess FCLs and contractor personnel to possess PCLs commensurate with the level of classified information to which they require access. The following policies set forth the requirements for private sector/contractor firms and personnel who require access to Department classified information. Additionally, requirements for access to specific categories of Department SBU information are outlined throughout this subchapter.
12 FAM 573.1 Facility Security Clearances (FCL)
(CT:DS-392; 11-07-2022)
a. Any U.S. firm under contract to the Department requiring access to classified information or to areas where access to classified information cannot be excluded requires an FCL commensurate with the level of access required. An FCL is an administrative determination that a company meets all of the NISP requirements and is eligible for access to classified information or eligible for award of a classified contract. Any contract that requires or will require access to classified information by the contractor or their employees in the performance of the contract is a classified contract, even though the contract document itself is not classified. Additionally, any U.S. contractor firm, or business that requires access to classified information to prepare a response to a request for proposal (RFP) or solicitation, invitation for bid, request for quotation, etc., and/or in performance of a classified Department contract, must have or obtain an FCL commensurate with the level of access required.
b. Department contracting authorities must submit facility clearance requirements and requests to DS/IS/IND. If warranted, DS/IS/IND sponsors the U.S. contractor firm for an FCL through DCSA. Only DS/IS/IND has the authority to submit FCL requests to DCSA on behalf of the Department.
c. Non-U.S. firms are ineligible for FCLs, except as specified in 12 FAM 573.1-2. To be eligible for an FCL, the company must be incorporated under the laws of any of the 50 states, the District of Columbia, or Puerto Rico, and reside in the United States or its territorial areas.
d. All classified contracts must include a Contract Security Classification Specification, DD Form 254. The purpose of the DD Form 254 is to convey security classification guidance and to advise contractors on the handling procedures for classified material. The Department also uses the DD Form 254 to provide guidance regarding unclassified information associated with the classified contract. The form outlines the actual performance location of the classified portion of the work; a general description of the procurement requirement; what accesses the contractor will require; and other amplifying, security related information.
e. DCSA issues FCLs to contractors who have a bona fide procurement requirement to access classified information. Indefinite Delivery/Indefinite Quantity type contracts are convenient when short notice requirements arise. However, if there are no classified task orders issued within 24 months, DCSA may terminate the FCL due to lack of performance where access to classified information is required.
12 FAM 573.1-1 Joint Ventures
(CT:DS-392; 11-07-2022)
This U.S. joint ventures that require access to classified information during the bid phase or during contract performance must have an FCL commensurate with the level of access required. DS/IS/IND submits FCL requests for U.S. joint ventures through DCSA. Foreign firms that are part of a joint venture are ineligible for FCLs, making the joint venture ineligible for an FCL.
12 FAM 573.1-2 Foreign-Owned U. S. Contractors
(CT:DS-392; 11-07-2022)
a. Under the NISP, foreign-owned U.S. contractors may be eligible for an FCL, provided the foreign ownership has been mitigated in accordance with the NISPOM, 32 CFR Part 117.
b. The NISPOM prescribes several methods for mitigating foreign ownership of foreign-owned U.S. contractors. DCSA works directly with foreign-owned U.S. contractors in establishing an approved method of mitigating the foreign ownership control or influence. Examples of methods for mitigating foreign ownership include the establishment of a voting trust agreement, a proxy agreement, a Security Control Agreement (SCA), board resolution, or a Special Security Agreement (SSA).
c. There are no restrictions levied on the FCL of firms which establish voting trust agreements or proxy agreements, as the foreign owner relinquishes most rights associated with ownership of the company to U.S. Government-approved cleared U.S. citizens. Restrictions are not levied on the FCL of firms under SCAs either, as the companies are not effectively owned or controlled by a foreign interest, although the foreign interest is entitled to representation on the company’s governing board.
d. Restrictions are levied on foreign-owned contractor firms who elect to establish an SSA. Specifically, restrictions are on access to certain categories of classified information (referred to as "proscribed information"), e.g., Top Secret, Communications Security (COMSEC), Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI). Firms under SSAs may be ineligible for award of specific Department projects that require access to these levels of information. Additionally, these firms may be unable to continue performing as a prime or subcontractor on efforts that require access to these categories of information. The CO and COR must coordinate the use of foreign-owned U.S. contractors with DS/IS/IND. DS/IS/IND works closely with DCSA on any foreign ownership mitigation strategies established for Department contractor firms.
12 FAM 573.2 Self-Employed Personnel
(CT:DS-392; 11-07-2022)
The Department may use the services of self-employed individuals, consultants, and PSCs. By definition, self-employed personnel must have no affiliation with a company and/or contractor firm. Individuals incorporated for tax purposes with family members as office holders of the corporation also qualify as self-employed contractors, although the family members become ineligible for access to classified information or processed for personnel security clearances. The Office of Personnel Security and Suitability (DS/SI/PSS) clears self-employed individuals, consultants, and PSCs. DS/SI/PSS also clears consultants hired through the Bureau of Global Talent Management (GTM) under Federal personnel regulations. Program offices, GTM representatives, CORs, and COs must work directly with their Executive Offices and DS/SI/PSS regarding personnel security clearances for these personnel. DS/IS/IND plays no role with regard to these categories of personnel.
12 FAM 573.3 Personnel Security Clearance Requirements
12 FAM 573.3-1 Overall Personnel Security Clearance Requirements
(CT:DS-392; 11-07-2022)
The contractor personnel must possess personnel clearances commensurate with the level of access required for performance under a Department classified contract. The Contract Security Classification Specification, DD Form 254, included in all classified procurements, establishes the FCL and PCL requirements for contract performance.
12 FAM 573.3-2 Department Contractor Personnel
(CT:DS-392; 11-07-2022)
a. All cleared contractor firms must designate an individual as their FSO who is responsible for the administration of the company’s industrial security program and adherence to the NISPOM and any contract security requirements. The FSO submits personnel security clearance requests to DCSA. The FSO also submits Visitor Authorization Requests (VARs) and required documentation on all contractor personnel who are cleared directly to DS/IS/IND before performance on classified Department contracts.
b. DCSA usually processes Department contractor personnel for personnel security clearances. However, there might be extenuating circumstances when DS/SI/PSS must process specific contractor personnel for personnel security clearances. In those cases, the classified contracts awarded to the contractors note this requirement, as well as the procedures to process their personnel for Department clearances.
12 FAM 573.3-3 Overseas Personnel Security Requirements
(CT:DS-427; 07-16
-2024)
a. Item 13 of DD Form 254 includes specific personnel security clearance requirements regarding travel and/or assignments to all posts abroad, regardless of the threat level of the post.
b. The clearance requirements for access to core spaces, including the post communication center (PCC), must adhere to the provisions of 5 FAH-6 H-124. As such, DT and the post information management officer (IMO) may authorize contractors who possess final (not interim) Top Secret clearances access to the PCC. CORs and/or GTMs must coordinate access to PCCs and/or core areas with both the Cryptographic Service Branch (DT/OPS/ITI/SI/CSB) and the post IMO, and the contractor must be read-on for COMSEC access or use before accessing the PCCs and/or core areas.
c. DS established additional clearance requirements for U.S. contractor personnel performing under contract to the Department at critical HUMINT threat posts listed in the Department's Security Environment Threat List (SETL). The duration of the visit, access requirements, and area(s) of access form the basis for any additional clearance requirements. DS/IS/IND provides guidance for contractor personnel traveling to critical HUMINT threat posts in Item 13 of DD Form 254.
NOTE: The contents of the SETL are classified and must only be discussed in secure locations authorized for classified discussion and/or processed on automated information systems certified and accredited for the processing of national security information at the appropriate level of assurance.
d. In order to ensure timely access to overseas posts, an electronic country clearance (eCC) must be drafted for all U.S. contractor personnel, regardless of whether cleared or uncleared, who perform under contract to the Department at overseas locations. The draft eCC must be forwarded to DS/IS/IND (INDeCCcerts@state.gov) prior to submission to post. DS/IS/IND reviews the travel, ensures the appropriate level of clearance is held by the traveler, and passes this information to the appropriate RSO and/or SSM in advance of travel. A VAR must already be on file with DS/IS/IND for personnel requiring classified access who are being submitted for an eCC. VARs are valid for a one year period, and if a valid VAR exists, there is no need to resubmit solely for the purpose of the eCC submission.
12 FAM 573.3-3(A) Classified Projects on the Compound at Critical HUMINT Threat Posts
(CT:DS-392; 11-07-2022)
a. Classified contracts at critical HUMINT threat posts:
(1) Travel and/or deployments to critical HUMINT threat posts of less than 60 days (cumulative for all critical HUMINT threat posts visited in a 365-day period) require, at a minimum, a final (not interim) Secret clearances and favorable DS name checks before travel and/or deployment commences. Access to Top Secret information requires Top Secret clearances and favorable name checks. ;
(2) Travel and/or deployments to critical HUMINT threat posts of more than 60 days (cumulative for all critical HUMINT threat posts visited in a 365-day period) require final (not interim) Top Secret clearances, favorable DS name checks and a DS acceptability review in accordance with 12 FAM 263.3-2.
NOTE: Contractor personnel may deploy after the submission of the DS Acceptability Review to DS/IS/IND, provided DS deems the name checks favorable. However, if the acceptability review is subsequently adjudicated unfavorably, the COR or GTM is advised and, upon the COR or GTM notification, the contractor personnel must immediately leave the site or post at no expense to the U.S. Government;
(3) DS name checks must be requested from DS/IS/IND; do not send country clearance requests to post prior to notification of favorable results.
b. Unclassified portions of classified contracts at critical HUMINT threat posts – Access to general work areas and/or public access areas (see 12 FAH-6 H-021):
(1) In coordination with the COR or GTM, DS/IS/IND evaluates the occasional requirement to deploy an uncleared contractor to a critical HUMINT threat post in support of a classified contract. In these individual cases, and as the COR or GTM and DS/IS/IND agree, the contractor submits the necessary paperwork to DS/IS/IND for a fitness determination; and
(2) Uncleared contractor personnel cannot travel to post until DS/SI/PSS determines the individual is fit to perform on the contract. Upon issuance of the fitness determination, DS/IS/IND notifies the COR or GTM and the contractor, and the COR or GTM may provide such information on the country clearance request to post.
12 FAM 573.3-3(B) All Other Unclassified Projects at Critical HUMINT Threat Posts
(CT:DS-392; 11-07-2022)
The COR or GTM must coordinate with DS/IS/IND before drafting statements of work for all unclassified projects at critical HUMINT threat posts. As a result, the project schedule must include the time required for DS checks. Contractor personnel deploying to critical HUMINT threat posts for performance on wholly unclassified projects, with no access to controlled access areas (see 12 FAH-6 H-021) or restricted spaces requiring clearances, must have a favorable fitness determination from DS/SI/PSS prior to travel/deployment. DS/IS/IND notifies the COR or GTM and the contractor upon issuance of a fitness determination. The COR or GTM may then provide such information in the country clearance request to post.
12 FAM 573.3-3(C) Cleared American Personnel Program for the Bureaus of European and Eurasian Affairs and East Asia and Pacific Affairs
(CT:DS-392; 11-07-2022)
These programs use specific contractors to provide technical and administrative support directly to posts as the Executive Offices of the Bureaus of European and Eurasian Affairs and East Asia and Pacific Affairs designate. Contractor personnel under this program require a single-scope background investigation, which DS/SI/PSS conducts. DS may also accept Top Secret or equivalent clearances that other U.S. Government agencies granted upon receipt, review, and evaluation of investigative files for issuance of reciprocal Department Top Secret clearances and suitability for deployment to critical HUMINT threat posts. DS may conduct further investigation as required, including Counterintelligence assignment reviews. DS/IS/IND coordinates these requirements with the COR or GTM and other pertinent DS offices.
12 FAM 573.4 Special Program/Access Requirements
(CT:DS-427; 07-16-2024)
12 FAM 573.4-1 Special Access Program (SAP)
(CT:DS-392; 11-07-2022)
The Department program office, in coordination with DS/IS/IND, determines contractor clearance requirements for Special Access Programs (SAP) based on the need for access to SAP information. If a contract requires access to SAP information, DS/IS/IND documents the specific requirements in DD Form 254 included in the classified contract and specifies that the contractor must adhere to stated requirements. The DD Form 254 also notes whether DCSA has inspection responsibility for the SAP information.
12 FAM 573.4-2 Sensitive Compartmented Information (SCI) Requirements
(CT:DS-392; 11-07-2022)
a. DS/IS/IND coordinates with the Special Security Operations Division (DS/IS/SSO) on contracts requiring authorization for access to Sensitive Compartmented Information (SCI). If a program office advises that a contract requires access to SCI information and includes the requirement within the body of the contract, DS/IS/IND documents the specific SCI requirements and procedures for processing contractor personnel in DD Form 254 included in the classified contract.
b. DS/IS/IND processes contractor personnel for SCI access when the COR or GTM requests SCI access for contractor personnel. The COR or GTM must submit written requests for SCI access for the contractor personnel directly to DS/IS/IND and must include sufficient justification for the SCI requirement for each member of the contractor personnel. DS/IS/IND does not authorize contractor access to SCI without a favorable SCI-eligibility determination and the individual receiving the required SCI briefing.
12 FAM 574 CONTRACTING RESPONSIBILITIES
(CT:DS-392; 11-07-2022)
The Department program, project, and contracting personnel must consider security requirements at the earliest possible stage in the procurement process. The following must share responsibility for the effective implementation of the Department's Industrial Security Program:
(1) Bureau or office project manager;
(2) Contracting officer's representative (COR);
(3) Government technical monitor (GTM);
(4) Contracting officer (CO);
(5) Bureau security officer
(6) Unit Security Officer (USO); and
(7) DS/IS/IND.
12 FAM 574.1 Contracting Officers (COs)
(CT:DS-392; 11-07-2022)
a. COs award classified and designated SBU contracts and ensure that pre-contract, contract award, and post-contract actions include appropriate contract documentation and contract security clauses. Contract documentation may include, but is not limited to:
(1) Contract Security Classification Specifications, DD Forms 254 (for classified contracts);
(2) Security clauses specific to SBU contracts that provide for the protection of Department information and other assets, and the requirement for investigations of contractor personnel performing on such contracts;
(3) Contract clauses specific to the policy and procedures regarding Department personal identification cards; and
(4) Applicable FAR and DOSAR clauses.
b. COs should take into account the processing times required for facility and personnel clearances and provide sufficient time in the selection and award process for the contractor firms and contractor personnel to obtain the required clearances. COs should provide DS/IS/IND with complete RFP and contract packages for review (and generation of DD Form 254) prior to any award. COs should provide DS/IS/IND with draft acquisition announcements prior to their release. DS/IS/IND provides language for use in the announcement that explains to interested bidders what the facility and personnel security clearance requirements are, and whether the Department will sponsor uncleared firms for FCLs, or whether interested bidders must already possess an FCL to make a bid.
12 FAM 574.2 Contracting Officer's Representative (COR)/Government Technical Monitor (GTM)
(CT:DS-392; 11-07-2022)
a. After consulting with applicable Department security elements, CORs and GTMs are responsible for identifying and coordinating the security requirements for inclusion in classified or designated SBU contracts. If the COR or GTM has any questions regarding proposed security clearance and access requirements, he/she should contact DS/IS/IND in the beginning of the procurement process. DS/IS/IND assists and is responsible for generating and approving DD Form 254, along with providing DD Form 254 to the CO for inclusion in classified RFPs and contracts. The SBU contracts do not contain a DD Form 254 but should contain specific language for the handling of SBU and the processing of contractor firm personnel for access to SBU.
b. The COR or GTM is responsible for performing reviews during contract performance and upon contract completion and must ensure compliance with all security requirements for the duration of the contract. The COR or GTM must notify DS/IS/IND and the CO of any changes in security requirements to allow for contract modifications and DD Form 254 revisions.
c. The COR or GTM must give adequate guidance to all contractor personnel concerning the specific security requirements unique to their assigned projects and ensure that contractor personnel fully understand the elements of their individual assignments that involve classified information. Further, the COR or GTM must ensure that:
(1) Contractor personnel have security classification guidance for any classified information they generate;
(2) Contractor personnel attend required security briefings;
(3) The appropriate USO receives reports of infractions and/or violations; and
(4) DS/IS/IND receives reports of adverse information concerning any contractor personnel performing on Department classified or SBU contracts.
NOTE: Adverse information is any information that adversely reflects on the integrity or character of cleared contractor personnel (or contractor personnel with a fitness determination) that could impair their ability to safeguard classified and/or sensitive information, subject them to exploitation or blackmail, or is of such a nature that access to classified information clearly is not in the interest of national security. The subsequent termination of employment does not eliminate the requirement to submit this report.
12 FAM 574.3 Unit Security Officers
(CT:DS-392; 11-07-2022)
Unit security officers (USOs) are responsible for briefing all contractor personnel working in their assigned area(s) regarding applicable security requirements and procedures. The USO should consult with DS/IS/IND if there are any security-related problems or concerns with any contractor personnel. If a Bureau security officer is assigned to a particular bureau, consult with them in addition to DS/IS/IND.
12 FAM 574.4 Contractor Personnel Responsibilities
(CT:DS-392; 11-07-2022)
a. All contractor personnel are responsible for complying with the Department's security regulations and procedures. All contractor personnel are responsible for their Department personal identification cards when the contract requires them to have a Department identification card and must follow the security reporting requirements in 12 FAM 260 and 12 FAM 270.
b. See the Department Personal Identification Card Issuance Procedures at https://usdos.sharepoint.com/sites/DS-in/C/ST/SSI/NSM/IDM/OneBadge/SitePages/OneBadge.aspx for procedures to obtain Department personal identification cards for contractor personnel, contracting firms, and Department project personnel.
12 FAM 575 CONTRACT PROCESSING
(CT:DS-427; 07-16-2024)
12 FAM 575.1 Department Contracting Activities
(CT:DS-392; 11-07-2022)
a. The Office of the Procurement Executive (A/OPE) delegates contracting authority for Department contracting activities. Only those persons A/OPE designates may negotiate, enter into, and award contracts. A/OPE authorizes DS/IS/IND to approve Contract Security Classification Specifications (DD Form 254) for inclusion in classified contracts.
b. Department classified procurement actions (i.e., those that require access to classified information or areas where precluding access to classified information cannot occur) require a fully executed DD Form 254 to include with each of the following:
(1) Invitation for bid;
(2) Request for proposal or quotation;
(3) Contract (a contract can exist in the form of a letter contract, purchase order, indefinite delivery indefinite quantity contract, basic ordering agreement, delivery order, or any other Federally-recognized contract vehicle); or
(4) Subcontract package.
c. DS/IS/IND must review SBU contracts (i.e., those that require access to specific categories of SBU information) and include specific contract clauses related to the handling of SBU information. One example is a contract that requires access to passport information and the facilities that process passport information. There will be no DD Form 254 issued for SBU contracts.
d. Unclassified and non-SBU contracts, which do not involve access to classified or SBU information, do not normally require a DS/IS/IND review. However, DS/IS/IND coordinates security requirements with the requesting office when the sensitivity of the project (e.g., physical protection requirements for Department information or other assets, background investigations on contractor personnel, etc.) warrants additional security requirements. There will be no DD Form 254 issued for unclassified and non-SBU contracts.
e. During the country clearance notification process, DS/IS/IND must approve uncleared personnel who travel to posts abroad to perform duties pursuant to unclassified contracts. (See 12 FAM 573.3-3.c)
12 FAM 575.2 Other Contracting Activities
(CT:DS-392; 11-07-2022)
a. Acquisition and program offices must advise DS/IS/IND when their contracting officers are awarding classified contracts for the Department. The requirements in 12 FAM 574 are equally applicable to contracts other contracting agencies awarded on behalf of the Department (e.g., Small Business Administration, General Services Administration, etc.) and to Interagency Agreements used to obtain contractor services. Both instances require the issuance of a DS/IS/IND-approved DD Form 254.
b. General Services officers (GSOs) at posts abroad with contracting authority must contact DS/IS/IND and A/OPE when the contract scope of work requires cleared contractor personnel. A/OPE determines whether the GSO or domestic procurement office conducts the procurement. DS/IS/IND ensures incorporation of a DD Form 254 into the contract.
12 FAM 575.3 Contract Clause(s)
(CT:DS-392; 11-07-2022)
A/OPE provides contract clauses governing security requirements for inclusion in all Department classified contracts, SBU contracts, and unclassified contracts. DS/IS/IND, in coordination with the program office, may also add security requirements and classified and SBU handling instructions into the contract language, as well as the DD Form 254.
12 FAM 575.4 Contract Performance
(CT:DS-345; 01-14-2021)
The CO, in consultation with the COR and DS/IS/IND, are responsible for ensuring contractor compliance with all security requirements during contract performance. The CO, COR, and DS/IS/IND coordinate changes in the contract security requirements before notifying the contractor.
12 FAM 575.5 Contract Completion
(CT:DS-392; 11-07-2022)
The CO are responsible for notifying DS/IS/IND of the contract completion (i.e., final delivery of goods or services) or the termination of the contract. DS/IS/IND advises the contractor regarding the proper disposition of any classified material the contractor receives or generates, as well as the requirement for the contractor FSO to cancel any current VARs and/or fitness determinations. Note that DS/IS/IND will only issue a final DD Form 254 when the contractor requests to retain any classified information associated with the specific contract and the Department approves the request.
12 FAM 576 HANDLING CLASSIFIED INFORMATION
(CT:DS-427; 07-16-2024)
12 FAM 576.1 Releasing Classified Information to Contractors
(CT:DS-392; 11-07-2022)
Any Department office intending to provide classified material to a contractor bidding on or performing on a classified contract must, prior to release of the material, advise DS/IS/IND of its intention to release the classified material. DS/IS/IND will verify the contractor's facility security clearance and storage capability and issue a DD Form 254 (or ensure one has already been issued) authorizing the receipt of classified material. (See 12 FAM 573.1). The office releasing classified information to a contractor are responsible for establishing the contractor’s need-to-know requirements (see 12 FAM 576.2) and advising DS/IS/IND of its intention to transmit classified material to the contractor’s location. When the releasing office establishes the contractor’s need-to-know requirement, DS/IS/IND verifies the contractor’s classified mailing address authorized for receipt of classified material. After DS/IS/IND’s verification, the releasing office may transmit the classified material in accordance with 12 FAM 536.9, and/or Item 13 of the DD Form 254. The office releasing the classified information to the contractor must ensure the information is properly transmitted in accordance with applicable regulations.
12 FAM 576.2 Need-to-Know Determination
(CT:DS-392; 11-07-2022)
Also, in addition to DS/IS/IND verifying the contractor's facility clearance, the possessor of classified information must determine that a contractor has a need to know the information. The basis of this determination is the recipient's need, in the interest of national security, to have access to, knowledge of, or possession of classified information to perform tasks or services essential to fulfilling a Department contract or program (see 12 FAM 536.1).
12 FAM 576.3 Verification of Individual Personnel Clearances
(CT:DS-392; 11-07-2022)
Prior to allowing individual contractor personnel access to classified information or areas where precluding access to classified information cannot occur, the Department employees should contact DS/IS/IND to verify a contractor’s eligibility to access classified information, in accordance with 12 FAM 577.2 below. The clearance must at least equal the level of the classified information the contractor will access.
12 FAM 576.4 Reporting Requirements
(CT:DS-392; 11-07-2022)
a. USOs must immediately report, in writing, on Form OF-117, Notice of Security Incident, to DS/IS/APD any unauthorized disclosures of classified information to contractor personnel and security incidents involving contractor personnel working at Department facilities both domestically and abroad. When warranted, DS/IS/APD conducts an evaluation and investigation, issues Form OF-118, Record of Incident, and advises DS/IS/IND of the results. See 12 FAM 550 for detailed guidance regarding reports of security incidents and compromises.
b. The FSO must immediately report the suspected loss or compromise of Department classified information at the contractor’s facility to DS/IS/IND and the COR, in writing. DS/IS/IND participates in the investigation and any subsequent mitigation, with the contractor, COR, and other Department offices. The FSO must notify their DCSA Industrial Security Representative when there is a possible compromise and/or computer systems or documents require sanitization at the contractor’s facility.
c. Department personnel and contractors must immediately report any adverse information coming to their attention concerning any cleared contractor personnel via the most expeditious method available (e.g., e-mail) to DS/IS/IND. For the purpose of this requirement, cleared contractor personnel include employees of contracting firms cleared in accordance with the Industrial Security Program. The individuals providing these reports must not make reports based on rumor or innuendo. The subsequent termination of employment of a contractor does not preclude the requirement to submit this report. The contracting firm must submit to DS/IS/IND a copy of adverse information reports sent to DCSA on personnel working on any Department classified project. When adverse information on a contractor employee comes to the attention of DS/IS/IND, DS/IS/IND may report the adverse information directly to DCSA.
d. The Department requires cleared contractors performing work on classified contracts to comply with Department security reporting requirements in 12 FAM 270.
e. Department personnel and contractors must report loss or compromise of PII in accordance with 5 FAM 468.3.
12 FAM 576.5 Contractor Releases
(CT:DS-392; 11-07-2022)
a. Contractors shall adhere to the language in their contracts with regard to public release of unclassified information pertaining to contracts involving national security information.
b. When the CO, COR or GTM receives a copy of the proposed release, they must provide a copy to DS/IS/IND.
12 FAM 577 CONTRACTOR PERSONNEL SECURITY CLEARANCES
(CT:DS-392; 11-07-2022)
a. The DCSA, in accordance with the NISP, usually clears a contracting firm’s employee, at the request of the cleared contracting firm, for performance on classified Department contracts.
b. In some extenuating instances (e.g., protective services contracts in Iraq and Afghanistan) and as noted in the DD Form 254 in specific contracts, DS/SI/PSS investigates or processes contractors for personnel security clearances and fitness determinations. The forms for clearances and fitness determinations must be submitted in accordance with 12 FAM 577.1.
12 FAM 577.1 Submission of Personnel Security Clearance and Fitness Determination Requests
(CT:DS-392; 11-07-2022)
a. The contractor's FSO must submit all requests for non-DCSA personnel security clearances and fitness determinations to DS/IS/IND electronically. DS/IS/IND reviews the submissions for completeness and accuracy before forwarding for submission to DS/SI/PSS.
b. DS/IS/IND provides specific instructions to the contractor's FSO regarding the specific forms required. DS/IS/IND provides notification of completed investigations and clearance/fitness determinations to the COR and contractor's FSO.
12 FAM 577.2 Certifying Clearances to the Department for Performance on Contracts
(CT:DS-392; 11-07-2022)
a. Contractor FSOs must submit a VAR to certify the personnel security clearances for DCSA-cleared contractor personnel who are assigned to or visiting Department facilities where access to classified information is required or areas where precluding access to classified information cannot occur. The FSO must submit all contractor VARs directly to DS/IS/IND. DS/IS/IND is the only Department office authorized to receive and validate VARs for contractor personnel performing on Department contracts. DS/IS/IND verifies the cited classified contract/activity and, if approved, enters the clearance information into the Department’s designated Security Records Tracking System - Industrial Security Management System.
b. Concurrent with this action, DS/IS/IND notifies the COR or GTM of VAR approval. The COR or GTM must certify that the cleared contractor has a valid need-to-know for the contract/activity cited on the visit request. Unless the COR or GTM notifies otherwise, DS/IS/IND considers the need-to-know certified and does not take any further action. If there are issues with the information on the VAR, DS/IS/IND returns the VAR to the FSO, either requesting additional information or disapproving the proposed classified visit.
c. The FSO must submit an updated VAR when a contractor’s level of security clearance, or name changes.
d. The contractor must notify DS/IS/IND when a cleared employee terminates or no longer requires access to classified information. To make this notification, contractors must submit a VAR cancellation request.
e. If the DoD CAF notifies the firm that an employee’s clearance has been revoked, suspended, or terminated, the FSO must immediately contact his or her DS/IS/IND specialist, so DS/IS/IND can ensure that access to classified information immediately ceases and the employee’s building pass, if issued, is retrieved.
f. There are certain access restrictions for contractor personnel with interim clearances. An interim Secret personnel security clearance is valid for access to classified information up to the Secret level, except for SCI, RD, COMSEC, SAP, and NATO information (or in other circumstances specified in Item 13 of DD Form 254). Those with interim Secret clearances must not travel to specific HUMINT threat posts (see 12 FAM 573.3-3). An interim Top Secret personnel security clearance is valid for access to Top Secret information and RD, NATO, and COMSEC information at the Secret and Confidential level only. However, an interim Top Secret is not valid for unescorted access to an operating PCC at posts abroad. PCC mandatory access requirements are in 5 FAH-6 H-124.
g. VARs are valid for a period not to exceed 12 months. The FSO must submit VAR renewals 30 days in advance of the expiration of a contractor personnel’s VAR. Failure to meet this submission deadline may result in the revocation of access to Department facilities and information systems.
12 FAM 577.3 Certifying Department Employee Clearances for Visits to Contractor Facilities
(CT:DS-392; 11-07-2022)
a. DS/SI/PSS certifies the clearance of a Department employee to visit contractor facilities when the visit requires access to classified information or classified discussions are to take place. The proposed visitor must complete Form DS-4070, passing the U.S. Department of State Clearances to Other Agencies/Companies for Direct Hire Employees, PSCs, and detailees to the Department, and email or fax the completed form directly to the DS/SI/PSS Certification Unit.
b. The contractor personnel visiting other U.S. Government agencies or other contractor firms in the performance of their duties must have their FSO pass their clearance to that agency or firm.
12 FAM 577.4 Return of Department-Issued Documentation
(CT:DS-392; 11-07-2022)
Upon termination of a contractor, or all contractor personnel as a result of contract termination, the contractor personnel who are issued a Department personal identification card, official or diplomatic passport, or DS identification media for performance on the contract, must return these items to the COR or GTM for return to the appropriate office. Department personal identification cards and DS identification media should be returned to DS/DO in accordance with 12 FAM 371.5. The CORs or GTMs should refer to 7 FAM 1300 for the return of diplomatic passports. Contracting firms must obtain and return these items to the COR or GTM if their personnel fail to provide them.
12 FAM 578 INDUSTRIAL SECURITY COMPLIANCE PROGRAMS
(CT:DS-427; 07-16-2024)
12 FAM 578.1 Inspection Programs
(CT:DS-427; 07-16-2024)
12 FAM 578.1-1 Program Responsibility
(CT:DS-345; 01-14-2021)
a. The objective of the Department's Industrial Security Program is to ensure that firms with a contractual relationship with the Department requiring access to classified information, or to areas where precluding access to classified information cannot occur, as well as such firms that require access to SBU information, comply with the requirements in this subchapter.
b. DS/IS/IND is responsible for inspecting contractors performing on classified or designated SBU projects at Department locations domestically and abroad. RSOs and/or SSMs are also responsible for inspecting contractors abroad. RSOs, SSMs, the Office of Security Management (OBO/CFSM/SM) and/or the Certification, Accreditation, Transit Security Branch (DS/PSD/CAT) may request DS/IS/IND to perform inspections abroad. The COs, CORs, and GTMs may request inspections at domestic locations, as well. These inspections may occur on an announced or unannounced basis at Department locations worldwide.
12 FAM 578.1-2 Scope
(CT:DS-427; 07-16-2024)
12 FAM 578.1-2(A) Domestic Inspections
(CT:DS-392; 11-07-2022)
a. For contractors performing on classified or designated SBU projects at domestic Department locations, DS/IS/IND conducts security and compliance reviews. DS/IS/IND contacts the FSO to determine the status of the contract, individuals assigned to the contract, and any areas of concern. DS/IS/IND also contacts the COR or GTM and compares this information.
b. The inspections focus on the contractors' ability to protect the Department's classified and/or SBU information. DS/IS/IND interviews contractor personnel to determine if they understand their security responsibilities.
c. As appropriate, DS/IS/IND provides to the CO, COR or GTM, and company FSO a report of the inspection findings, with any corrective actions required. Contractors must take immediate corrective action on specific inspection findings and provide a report on the corrective actions taken with 15 business days of receipt of the findings.
12 FAM 578.1-2(B) Inspections Abroad
(CT:DS-345; 01-14-2021)
a. The RSOs, SSMs, and/or DS/IS/IND conduct inspections of contractors assigned to Department facilities and/or construction project sites abroad. These inspections are necessary to ensure compliance with the Department's Industrial Security Program and must occur annually, or at least once during a project of a duration less than one year.
b. The RSOs and SSMs contact DS/IS/IND for guidance in the conduct of these inspections. DS/IS/IND provides guidance for pre-inspection research, inspection, and post-inspection activities.
12 FAM 578.2 Contractor Extensions To Department Automated Information Systems
(CT:DS-427; 07-16-2024)
a. Contractor extensions are Department OpenNet and/or ClassNet systems located at the contractor facility. Program offices may request approval for these extensions from DS/CTS and DT. The request will require justification demonstrating the need for the extension(s) that includes an explanation as to why a Department location is insufficient and why global OpenNet would not be adequate to meet mission requirements.
b. As part of the DSCTS and DT/IA contractor extension approval process, DS/IS/IND performs initial and recurring inspections of contractor spaces to ensure they are compliant with Department physical security requirements for OpenNet and/or ClassNet. DS/IS/IND provides the security language specific to these requirements to the CO and/or COR for inclusion in the contract. Program offices are responsible for the costs associated with traveling to contractor spaces outside of the immediate Washington Metropolitan Area for these inspections.
c. The program offices and CORs/GTMs should contact DS/IS/IND for specific guidance pertaining to the Department’s contractor extension program and the approval process.
12 FAM 579 Committee on Foreign Investment in the United States (CFIUS)
(CT:DS-392; 11-07-2022)
a. CFIUS is an interagency committee authorized to review transactions that could result in a foreign person or entity controlling a U.S. business, in order to determine the effect of such transactions on the national security of the United States. The Secretary of the Treasury serves as Chairperson of CFIUS, and the membership of the committee includes several agency heads, including the Secretary of State.
b. DS/IS/IND coordinates the security review and analysis of proposed foreign acquisitions of U.S. firms performing on Department contracts and other agency contracts and provides the Bureau of Economic and Business Affairs with the consensus DS position. In collaboration with Department program offices, DS/IS/IND makes recommendations for mitigating the foreign ownership control or influence resulting from foreign acquisitions, and where the Department is a signatory to the mitigation agreement, monitors the mitigated-parties’ compliance with the mitigation agreement.