National Industrial Security Program
Final rule.
CFR Part: "32 CFR Part 2004"
RIN Number: "RIN 3095-AB79"
Citation: "83 FR 19950"
Document Number: "FDMS No. NARA-16-0006; Agency No. NARA-2018-032"
Page Number: "19950"
"Rules and Regulations"
SUMMARY: The Information Security Oversight Office (ISOO) of the
EFFECTIVE DATE: This rule is effective on
ADDRESSES:
FOR FURTHER INFORMATION CONTACT: For information about this regulation and the regulatory process, contact
SUPPLEMENTARY INFORMATION: We published proposed revisions to this rule in the
We are not at this time able to eliminate NIDs because certain categories of classified information involve assessment of factors specific to that information. The regulation is also not drafted on the basis of what DSS may or may not do, as DSS is not one of the cognizant security agencies (CSAs) specifically named in Executive Order (E.O.) 12829. DSS has authority granted to it by the
Nonetheless, we have taken the comments and suggestions into consideration and made changes to further streamline the NID process and these regulatory sections in response to the public comments. We have established that the CSA (or DSS for the CSA, in the case of
In addition, we revised the regulation to allow an entity's access to SCI, RD, or
We have coordinated and vetted the comments and resulting revisions through the CSAs listed in E. O. 12829, National Industrial Security Program (
Background
The NISP is the Federal Government's single, integrated industrial security program. E.O. 12829 (amended in 1993) established the NISP to safeguard classified information in industry and preserve the nation's economic and technological interests. The President issued E.O. 13691, Promoting Private Sector Cybersecurity Information Sharing (
E.O. 12829, sec. 102(b), delegated oversight of the NISP to the Director of NARA's Information Security Oversight Office (ISOO). As part of ISOO's responsibilities under E.O. 12829, it is authorized to issue such directives as necessary to implement the E.O., which are binding on agencies. In 2006, ISOO issued, and periodically updates, this regulation, which functions as one of those directives.
This regulation establishes uniform standards throughout the Program, and helps agencies implement requirements in E.O. 12829, as amended (collectively referred to as "E.O. 12829").
This revision also establishes agency responsibilities for implementing the insider threat provisions of E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (
Nothing in this regulation supersedes the authority of the Secretary of Energy or the
Regulatory Analysis
The Office of Management and Budget (OMB) has reviewed this proposed regulation.
Review Under Executive Orders 12866 and 13563
Executive Order 12866, Regulatory Planning and Review, 58 FR 51735 (
Review Under the Regulatory Flexibility Act (5 U.S.C.
This review requires an agency to prepare an initial regulatory flexibility analysis and publish it when the agency publishes the proposed rule. This requirement does not apply if the agency certifies that the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities (5 U.S.C. 603). As required by the Regulatory Flexibility Act, we certify that this rulemaking will not have a significant impact on a substantial number of small entities because it applies only to Federal agencies. This regulation does not establish requirements for entities; those requirements are established in the NISPOM. This rule sets out coinciding requirements for agencies. However, agencies implementing this regulation will do so through contracts with businesses (as well as other agreements with entities) and thus it indirectly affects those entities. Agencies have been applying the requirements and procedures contained in the NISPOM (and, to a lesser extent, contained in this regulation) to entities for 20 years, with the exception of insider threat provisions added to the NISPOM in 2016, and the additions to this regulation do not substantially alter those requirements. Most of the provisions being added to this regulation have applied to entities through the NISPOM; we are simply incorporating the agency responsibilities for those requirements into the regulation. Other revisions to this regulation are primarily administrative, except the new insider threat requirements. The insider threat requirements make minor additions to training, oversight, information system security, and similar functions already being conducted by entities, and thus will not have a significant economic impact on a substantial number of small business entities.
Review Under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.)
This rule contains information collection activities that are subject to review and approval by the
Review Under Executive Order 13132, Federalism, 64 FR 43255 (
Review under Executive Order 13132 requires that agencies review regulations for federalism effects on the institutional interest of states and local governments, and, if the effects are sufficiently substantial, prepare a Federal assessment to assist senior policy makers. This rule will not have any direct effects on State and local governments within the meaning of the Executive Order. Therefore, this rule does not include a federalism assessment.
Review Under Executive Order 13771
This final rule is not subject to the requirements of Executive Order 13771 because this final rule is related to agency organization, management, or personnel.
List of Subjects in 32 CFR Part 2004
Classified information, National Industrial Security Program.
For the reasons stated in the preamble, the
PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM (NISP)
Subpart A--Implementation and Oversight
Sec.
2004.1 Purpose and scope.
2004.4 Definitions that apply to this part.
2004.10 Responsibilities of the Director, Information Security Oversight Office (ISOO).
2004.11 CSA and agency implementing regulations, internal rules, or guidelines.
2004.12 ISOO reviews of agency NISP implementation.
Subpart B--Administration
2004.20 National Industrial Security Program Executive Agent (EA) and Operating Manual (NISPOM).
2004.22 Agency responsibilities.
2004.24 Insider threat program.
2004.26 Reviews of entity NISP implementation.
2004.28 Cost reports.
Subpart C--Operations
2004.30 Security classification requirements and guidance.
2004.32 Determining entity eligibility for access to classified information.
2004.34 Foreign ownership, control, or influence (FOCI).
2004.36 Determining entity employee eligibility for access to classified information.
2004.38 Safeguarding and marking.
2004.40 Information system security.
2004.42 [Reserved]
Appendix A to Part 2004--Acronym Table
Authority: Section 102(b)(1) of E.O. 12829 (
Subpart A--Implementation and Oversight
(a) This part sets out the National Industrial Security Program ("NISP" or "the Program") governing the protection of agency classified information released to Federal contractors, licensees, grantees, and certificate holders. It establishes uniform standards throughout the Program, and helps agencies implement requirements in E.O. 12829, National Industrial Security Program, as amended by E.O. 12558 and E.O.13691 (collectively referred to as "E.O. 12829"), E.O. 13691, Promoting Private Sector Cybersecurity Information Sharing, and E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. It applies to any executive branch agency that releases classified information to current, prospective, or former Federal contractors, licensees, grantees, or certificate holders. However, this part does not stand alone; users should refer concurrently to the underlying executive orders for guidance. ISOO maintains policy oversight over the NISP as established by E.O.12829.
(b) This part also does not apply to release of classified information pursuant to criminal proceedings. The Classified Information Procedures Act (CIPA) (18 U.S.C. Appendix 3) governs release of classified information in criminal proceedings.
(c) Nothing in this part supersedes the authority of the Secretary of Energy or the
(a) Access is the ability or opportunity to gain knowledge of classified information.
(b) Agency(ies) are any "Executive agency" as defined in 5 U.S.C. 105; any "Military department" as defined in 5 U.S.C. 102; and any other entity within the executive branch that releases classified information to private sector entities. This includes component agencies under another agency or under a cross-agency oversight office (such as ODNI with
(c) Classified Critical Infrastructure Protection Program (CCIPP) is the
(d) Classified Critical Infrastructure Protection Program (CCIPP) security point of contact (security POC) is an official whom a CCIPP entity designates to maintain eligibility information about the entity and its cleared employees, and to report that information to
(e) Classified information is information the Government designates as requiring protection against unauthorized disclosure in the interest of national security, pursuant to E.O. 13526, Classified National Security Information, or any predecessor order, and the Atomic Energy Act of 1954, as amended. Classified information includes national security information (NSI), restricted data (RD), and formerly restricted data (FRD), regardless of its physical form or characteristics (including tangible items other than documents).
(f) Cognizance is the area over which a CSA has operational oversight. Normally, a statute or executive order establishes a CSA's cognizance over certain types of information, programs, or non-CSA agencies, although CSAs may also have cognizance through an agreement with another CSA or non-CSA agency or an entity. A CSA may have cognizance over a particular type(s) of classified information based on specific authorities (such as those listed in
(g) Cognizant security agencies (CSAs) are the agencies E.O. 12829, sec. 202, designates as having NISP implementation and security responsibilities for their own agencies (including component agencies) and any entities and non-CSA agencies under their cognizance. The CSAs are:
(h) Cognizant security office (CSO) is an organizational unit to which the head of a CSA delegates authority to administer industrial security services on behalf of the CSA.
(i) Contracts or agreements are any type of arrangement between an agency and an entity or an agency and another agency. They include, but are not limited to, contracts, sub-contracts, licenses, certificates, memoranda of understanding, inter-agency service agreements, other types of documents or arrangements setting out responsibilities, requirements, or terms agreed upon by the parties, programs, projects, and other legitimate
(j) Controlling agency is an agency that owns or controls the following categories of proscribed information and thus has authority over access to or release of the information:
(k) Entity is a generic and comprehensive term which may include sole proprietorships, partnerships, corporations, limited liability companies, societies, associations, institutions, contractors, licensees, grantees, certificate holders, and other organizations usually established and operating to carry out a commercial, industrial, educational, or other legitimate business, enterprise, or undertaking, or parts of these organizations. It may reference an entire organization, a prime contractor, parent organization, a branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity (referred to as "sub-entities" when necessary to distinguish such entities from prime or parent entities), a specific location or facility, or the headquarters/official business location of the organization, depending upon the organization's business structure, the access needs involved, and the responsible CSA's procedures. The term "entity" as used in this part refers to the particular entity to which an agency might release, or is releasing, classified information, whether that entity is a parent or subordinate organization.
(l) Entity eligibility determination is an assessment by the CSA as to whether an entity is eligible for access to classified information of a certain level (and all lower levels). Eligibility determinations may be broad or limited to specific contracts, sponsoring agencies, or circumstances. A favorable determination results in eligibility to access classified information under the cognizance of the responsible CSA to the level approved. When the entity would be accessing categories of information such as RD or SCI for which the CSA for that information has set additional requirements, CSAs must also assess whether the entity is eligible for access to that category. Some CSAs refer to their favorable determinations as facility security clearances (FCL). A favorable entity eligibility determination does not convey authority to store classified information.
(m) Foreign interest is any foreign government, element of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered, or incorporated under the laws of any country other than
(n) Government contracting activity (GCA) is an agency component or subcomponent to which the agency head delegates broad authority regarding acquisition functions. A foreign government may also be a GCA.
(o) Industrial security services are those activities performed by a CSA to verify that an entity is protecting classified information. They include, but are not limited to, conducting oversight reviews, making eligibility determinations, and providing agency and entity guidance and training.
(p) Insider(s) are entity employees who are eligible to access classified information and may be authorized access to any
(q) Insider threat is the likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of
(r) Insider threat response action(s) are actions (such as investigations) an agency takes to ascertain whether an insider threat exists, and actions the agency takes to mitigate the threat. Agencies may conduct insider threat response actions through their counterintelligence (CI), security, law enforcement, or inspector general organizations, depending on the statutory authority and internal policies that govern the agency.
(s) Insider threat program senior official (SO) is the official an agency head or entity designates with responsibility to manage, account for, and oversee the agency's or entity's insider threat program, pursuant to the National Insider Threat Policy and Minimum Standards. An agency may have more than one insider threat program SO.
(t) Key managers and officials (KMO) are the senior management official (or authorized executive official under CCIPP), the entity's security officer (or security POC under CCIPP), the insider threat program senior official, and other entity employees whom the responsible CSA identifies as having authority, direct or indirect, to influence or decide matters affecting the entity's management or operations, its contracts requiring access to classified information, or national security interests. They may include individuals who hold majority ownership interest in the entity (in the form of stock or other ownership interests).
(u) Proscribed information is information that is classified as top secret (TS) information; communications security (
(v) Security officer is a
(w) Senior agency official for NISP (SAO for NISP) is the official an agency head designates to direct and administer the agency's National Industrial Security Program.
(x) Senior management official (SMO) is the person in charge of an entity. Under the CCIPP, this is the authorized executive official with authority to sign the security agreement with
(y) Sub-entity is an entity's branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity. Sub-entities fall under the definition of "entity," but this part refers to them as sub-entities when necessary to distinguish such entities from prime contractor or parent entities. See definition of "entity" in paragraph (k) of this section for more context.
The Director, ISOO:
(a) Implements E.O. 12829, including ensuring that:
(1) The NISP operates as a single, integrated program across the executive branch of the Federal Government (i.e., such that agencies that release classified information to entities adhere to NISP principles);
(2) A responsible CSA oversees each entity's NISP implementation in accordance with
(3) All agencies that contract for classified work include the Security Requirements clause, 48 CFR 52.204-2, from the Federal Acquisition Regulation (FAR), or an equivalent clause, in contracts that require access to classified information;
(4) Those agencies for which the
(5) Each CSA issues directions to entities under their cognizance that are consistent with the NISPOM insider threat guidance;
(6) CSAs share with each other, as lawful and appropriate, relevant information about entity employees that indicates an insider threat; and
(7) CSAs conduct ongoing analysis and adjudication of adverse or relevant information about entity employees that indicates an insider threat.
(b) Raises an issue to the
(a) Each CSA implements NISP practices in part through policies and guidelines that are consistent with this regulation, so that agencies for which it serves as the CSA are aware of appropriate security standards, engage in consistent practices with entities, and so that practices effectively protect classified information those entities receive (including foreign government information that the
(b) Each CSA must also routinely review and update its NISP policies and guidelines and promptly issue revisions when needed (including when a change in national policy necessitates a change in agency NISP policies and guidelines).
(c) Non-CSA agencies may choose to augment CSA NISP policies or guidelines as long as the agency policies or guidelines are consistent with the CSA's policies or guidelines and this regulation.
(a) ISOO fulfills its oversight role based, in part, on information received from
(b) ISOO reviews agency policies and guidelines to ensure consistency with NISP policies and procedures. ISOO may conduct reviews during routine oversight visits, when a problem or potential problem comes to ISOO's attention, or after a change in national policy that impacts agency policies and guidelines. ISOO provides the responsible agency with findings from these reviews.
Subpart B--Administration
(a) The executive agent (EA) for NISP is the Secretary of Defense. The EA:
(1)
(2)
(3) Issues and maintains the National Industrial Security Program Operating Manual (NISPOM) in consultation with all affected agencies and with the concurrence of the other CSAs.
(b) The NISPOM sets out the procedures and standards that entities must follow during all phases of the contracting process to safeguard any classified information an agency releases to an entity. The NISPOM requirements may apply to the entity directly (i.e., through FAR clauses or other contract clauses referring entities to the NISPOM) or through equivalent contract clauses or requirements documents that are consistent with NISPOM requirements.
(c) The EA, in consultation with all affected agencies and with the concurrence of the other CSAs, develops the requirements, restrictions, and safeguards contained in the NISPOM. The EA uses security standards applicable to agencies as the basis for developing NISPOM entity standards to the extent practicable and reasonable.
(d) The EA also facilitates the NISPOM coordination process, which addresses issues raised by entities, agencies, ISOO, or the NISPPAC, including requests to create or change NISPOM security standards.
(a) Agency categories and general areas of responsibility. Federal agencies fall into three categories for the purpose of NISP responsibilities:
(1) CSAs. CSAs are responsible for carrying out NISP implementation within their agency, for providing NISP industrial security services on behalf of non-CSA agencies by agreement when authorized, and for overseeing NISP compliance by entities that access classified information under the CSA's cognizance. When the CSA has oversight responsibilities for a particular non-CSA agency or for an entity, the CSA also functions as the responsible CSA;
(2) Non-CSA agencies. Non-CSA agencies are responsible for entering agreements with a designated CSA for industrial security services, and are responsible for carrying out NISP implementation within their agency consistently with the agreement, the CSA's guidelines and procedures, and this regulation; or
(3) Agencies that are components of another agency. Component agencies do not have itemized responsibilities under this regulation and do not independently need to enter agreements with a CSA, but they follow, and may have responsibilities under, implementing guidelines and procedures established by their CSA or non-CSA agency, or both.
(b) Responsible CSA role. (1) The responsible CSA is the CSA (or its delegated CSO) that provides NISP industrial security services on behalf of an agency, determines an entity's eligibility for access, and monitors and inspects an entity's NISP implementation.
(2) In general, the goal is to have one responsible CSA for each agency and for each entity, to minimize the burdens that can result from complying with differing CSA procedures and requirements.
(i) With regard to agencies, NISP accomplishes this goal by a combination of designated CSAs and agreements between agencies and CSAs.
(ii) With regard to entities, CSAs strive to reduce the number of responsible CSAs for a given entity as much as possible. To this end, when more than one CSA releases classified information to a given entity, those CSAs agree on which is the responsible CSA. However, due to certain unique agency authorities, there may be circumstances in which a given entity is under the oversight of more than one responsible CSA.
(3) Responsible CSA for agencies:
(i) In general, each CSA serves as the responsible CSA for classified information that it (or any of its component agencies) releases to entities, unless it enters an agreement otherwise with another CSA.
(ii)
(iii)
(iv) ODNI serves as the responsible CSA for
(4) Responsible CSA for entities: When determining the responsible CSA for a given entity, the involved CSAs consider, at a minimum: retained authorities, the information's classification level, number of contracts requiring access to classified information, location, number of Government customers, volume of classified activity, safeguarding requirements, responsibility for entity employee eligibility determinations, and any special requirements.
(5) Responsible CSAs may delegate oversight responsibility to a cognizant security office (CSO) through CSA policy or by written delegation. The CSA must inform entities under its cognizance if it delegates responsibilities. For purposes of this rule, the term CSA also refers to the CSO.
(c) CSA responsibilities. (1) The CSA may perform GCA responsibilities as its own GCA.
(2) As CSA, the CSA performs or delegates the following responsibilities:
(i) Designates a CSA senior agency official (SAO) for NISP;
(ii) Identifies the insider threat program senior official (SO) to the Director, ISOO;
(iii) Shares insider threat information with other CSAs, as lawful and appropriate, including information that indicates an insider threat about entity employees eligible to access classified information;
(iv) Acts upon and shares--with security management, GCAs, insider threat program employees, and Government program and CI officials--any relevant entity-reported information about security or CI concerns, as appropriate;
(v) Submits reports to ISOO as required by this part; and
(vi) Develops, coordinates, and provides concurrence on changes to the NISPOM when requested by the EA.
(3) As a responsible CSA, the CSA also performs or delegates the following responsibilities:
(i) Determines whether an entity is eligible for access to classified information (see
(ii) Allocates funds, ensures appropriate investigations are conducted, and determines entity employee eligibility for access to classified information (see
(iii) Reviews and approves entity safeguarding measures, including making safeguarding capability determinations (see
(iv) Conducts periodic security reviews of entity operations (see
(v)
(A) Entity implementation of NISPOM (or equivalent) requirements, including: responsibility for protecting classified information, requesting NISPOM interpretations, establishing training programs, and submitting required reports;
(B) Initial security briefings and other briefings required for special categories of information;
(C) Authorization measures for information systems processing classified information (except
(D) Security training for security officers (or CCIPP POCs) and other employees whose official duties include performing NISP-related functions;
(E) Insider threat programs in accordance with the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs; and
(F) Other guidance and training as appropriate;
(vi) Establishes a mechanism for entities to submit requests for waivers to NISPOM (or equivalent) provisions;
(vii) Reviews, continuously analyzes, and adjudicates, as appropriate, reports from entities regarding events that:
(A) Impact the status of the entity's eligibility for access to classisfied information;
(B) Impact an employee's eligibility for access;
(C) May indicate an employee poses an insider threat;
(D) Affect proper safeguarding of classified information; or
(E) Indicate that classified information has been lost or compromised;
(viii) Verifies that reports offered in confidence and so marked by an entity may be withheld from public disclosure under applicable exemptions of the Freedom of Information Act (5 U.S.C. 552);
(ix) Requests any additional information needed from an entity about involved employees to determine continued eligibility for access to classified information when the entity reports loss, possible compromise, or unauthorized disclosure of classified information; and
(x) Posts hotline information on its website for entity access, or otherwise disseminates contact numbers to the entities for which the CSA is responsible.
(d) Non-CSA agency head responsibilities. The head of a non-CSA agency that is not a CSA component and that releases classified information to entities, performs the following responsibilities:
(1) Designates an SAO for the NISP;
(2) Identifies the insider threat program SO to ISOO to facilitate information sharing;
(3) Enters into an agreement with the EA (except agencies that are components of another agency or a cross-agency oversight office) to act as the responsible CSA on the agency's behalf (see paragraph (a)(1)(ii) of this section);
(4) Performs, or delegates in writing to a GCA, the following responsibilities:
(i)
(ii) Includes FAR security requirements clause 52.204-2, or equivalent (such as the DEAR clause 952.204-2), and a contract security classification specification (or equivalent guidance) into contracts and solicitations that require access to classified information (see
(iii) Reports to the appropriate CSA adverse information and insider threat activity pertaining to entity employees having access to classified information.
(a) Responsible CSAs oversee and analyze entity activity to ensure entities implement an insider threat program in accordance with the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (via requirements in the NISPOM or its equivalent) and guidance from the CSA. CSA oversight responsibilities include, but are not limited to:
(1) Verifying that entities appoint insider threat program SOs;
(2) Requiring entities to monitor, report, and review insider threat program activities and response actions in accordance with the provisions set forth in the NISPOM (or equivalent);
(3) Providing entities with access to data relevant to insider threat program activities and applicable reporting requirements and procedures;
(4) Providing entities with a designated means to report insider threat-related activity; and
(5) Advising entities on appropriate insider threat training for entity employees eligible for access to classified information.
(b) CSAs share with other CSAs any insider threat information reported to them by entities, as lawful and appropriate.
(a) The responsible CSA conducts recurring oversight reviews of entities' NISP security programs to verify that the entity is protecting classified information and is implementing the provisions of the NISPOM (or equivalent). The CSA determines the scope and frequency of reviews. The CSA generally notifies entities when a review will take place, but may also conduct unannounced reviews at its discretion.
(b) CSAs make every effort to avoid unnecessarily intruding into entity employee personal effects during the reviews.
(c) A CSA may, on entity premises, physically examine the interior spaces of containers not authorized to store classified information in the presence of the entity's representative.
(d) As part of a security review, the CSA:
(1) Verifies that the entity limits entity employees with access to classified information to the minimum number necessary to perform on contracts requiring access to classified information.
(2) Validates that the entity has not provided its employees unauthorized access to classified information;
(3) Reviews the entity's self-inspection program and evaluates and records the entity's remedial actions; and
(4) Verifies that the GCA approved any public release of information pertaining to a contract requiring access to classified information.
(e) As a result of findings during the security review, the CSA may, as appropriate, notify:
(1) GCAs if there are unfavorable results from the review; and
(2) A prime entity if the CSA discovers unsatisfactory security conditions pertaining to a sub-entity.
(f) The CSA maintains a record of reviews it conducts and the results. Based on review results, the responsible CSA determines whether an entity's eligibility for access to classified information may continue. See
(a) Agencies must annually report to the Director, ISOO, on their NISP implementation costs for the previous year.
(b) CSAs must annually collect information on NISP implementation costs incurred by entities under their cognizance and submit a report to the Director, ISOO.
Subpart C--Operations
(a) Contract or agreement and solicition requirements. (1) The GCA must incorporate FAR clause 52.204-2, Security Requirements (or equivalent set of security requirements), into contracts or agreements and solicitations requiring access to classified information.
(2) The GCA must also include a contract security classification specification (or equivalent guidance) with each contract or agreement and solicitation that requires access to classified information. The contract security classification specification (or equivalent guidance) must identify the specific elements of classified information involved in each phase of the contract or agreement life-cycle, such as:
(i) Level of classification;
(ii) Where the entity will access or store the classified information, and any requirements or limitations on transmitting classified information outside the entity;
(iii) Any special accesses;
(iv) Any classification guides or other guidance the entity needs to perform during that phase of the contract or agreement;
(v) Any authorization to disclose information about the contract or agreement requiring access to classified information; and
(vi) GCA personnel responsible for interpreting and applying the contract security specifications (or equivalent guidance).
(3) The GCA revises the contract security classification specification (or equivalent guidance) throughout the contract or agreement life-cycle as security requirements change.
(b) Guidance. Classification guidance is the exclusive responsibility of the GCA. The GCA prepares classification guidance in accordance with 32 CFR 2001.15, and provides appropriate security classification and declassification guidance to entities.
(c) Requests for clarification and classification challenges. (1) The GCA responds to entity requests for clarification and classification challenges.
(2) The responsible CSA assists entities to obtain appropriate classification guidance from the GCA, and to obtain a classification challenge response from the GCA.
(d) Instructions upon contract or agreement completion or termination. (1) The GCA provides instructions to the entity for returning or disposing of classified information upon contract or agreement completion or termination, or when an entity no longer has a legitimate need to retain or possess classified information.
(2) The GCA also determines whether the entity may retain classified information for particular purposes after the contract or agreement terminates, and if so, provides written authorization to the entity along with any instructions or limitations (such as which information, for how long, etc).
(a) Eligibility determinations. (1) The responsible CSA determines whether an entity is eligible for access to classified information. An entity may not have access to classified information until the responsible CSA determines that it meets all the requirements in this section. In general, the entity must be eligible to access classified information at the appropriate level before the CSA may consider any of the entity's subsidiaries, sub-contractors, or other sub-entities for eligibility. However, when the subsidiary will perform all classified work, the CSA may instead exclude the parent entity from access to classified information rather than determining its eligibility. In either case, the CSA must consider all information relevant to assessing whether the entity's access poses an unacceptable risk to national security interests.
(2) A favorable access eligibility determination is not the same as a safeguarding capability determination. Entities may access classified information with a favorable eligibility determination, but may possess classified information only if the CSA determines both access eligibility and safeguarding capability, based on the GCA's requirement in the contract security classification specification (or equivalent).
(3) If an entity has an existing eligibility determination, a CSA will not duplicate eligibility determination processes performed by another CSA. If a CSA cannot acknowledge an entity eligibility determination to another CSA, that entity may be subject to duplicate processing.
(4) Each CSA maintains a record of its entities' eligibility determinations (or critical infrastructure entity eligibility status under the CCIPP, for
(b) Process. (1) The responsible CSA provides guidance to entities on the eligibility determination process and on how to maintain eligibility throughout the period of the agreement or as long as an entity continues to need access to classified information in connection with a legitimate
(2) The CSA coordinates with appropriate authorities to determine whether an entity meets the eligibility criteria in paragraph (e) of this section. This includes coordinating with appropriate
(3) An entity cannot apply for its own eligibility determination. A GCA or an eligible entity must sponsor the entity to the responsible CSA for an eligibility determination. The GCA or eligible entity may sponsor an entity at any point during the contracting or agreement life-cycle at which the entity must have access to classified information to participate (including the solicitation or competition phase). An entity with limited eligibility granted under paragraph (f) of this section may sponsor a sub-entity for a limited eligibility determination for the same contract, agreement, or circumstance so long as the sponsoring entity is not under FOCI (see
(4) The GCA must include enough lead time in each phase of the acquisition or agreement cycle to accomplish all required security actions. Required security actions include any eligibility determination necessary for an entity to participate in that phase of the cycle. The GCA may award a contract or agreement before the CSA completes the entity eligibility determination. However, in such cases, the entity may not begin performance on portions of the contract or agreement that require access to classified information until the CSA makes a favorable entity eligibility determination.
(5) When a CSA is unable to make an eligibility determination in sufficient time to qualify an entity to participate in the particular procurement action or phase that gave rise to the GCA request (this includes both solicitation and performance phases), the GCA may request that the CSA continue the determination process to qualify the entity for future classified work for any GCA, provided that the processing delay was not due to the entity's lack of cooperation. Once the CSA determines that an entity is eligible for access to classified information, but a GCA does not award a contract or agreement requiring access to classified information to the entity, or the entity's eligibility status changes, the CSA terminates the entity eligibility determination in accordance with paragraph (g) of this section.
(c) Coverage. (1) A favorable eligibility determination allows an entity to access classified information at the determined eligibility level, or lower.
(2) The CSA must ensure that all entities needing access to classified information as part of a legitimate
(3) If a parent and sub-entity need to share classified information with each other, the CSA must validate that both the parent and the sub-entity have favorable eligibility determinations at the level required for the classified information prior to sharing the information.
(d) DHS Classified Critical Infrastructure Protection Program (CCIPP).
(e) Eligibility criteria. An entity must meet the following requirements to be eligible to access classified information:
(1) It must need to access classified information as part of a legitimate
(2) It must be organized and existing under the laws of any of the 50 States, the
(3) It must be located in
(4) It must have a record of compliance with pertinent laws, regulations, and contracts (or other relevant agreements);
(5) Its KMOs must each have and maintain eligibility for access to classified information that is at least the same level as the entity eligibility level;
(6) It and all of its KMOs must not be excluded by a Federal agency, contract review board, or other authorized official from participating in Federal contracts or agreements;
(7) It must meet all requirements the CSA or the authorizing law, regulation, or Government-wide policy establishes for access to the type of classified information or program involved; and
(8) If the CSA determines the entity is under foreign ownership, control, or influence (FOCI), the responsible CSA must:
(i) Agree that sufficient security measures are in place to mitigate or negate risk to national security interests due to the FOCI (see
(ii) Determine that it is appropriate to grant eligibility for a single, narrowly defined purpose (see
(iii) Determine that the entity is not eligible to access classified information.
(9)
(f) Limited entity eligibility determination. CSAs may choose to allow GCAs to request limited entity eligibility determinations (this is not the same as limited entity eligibility in situations involving FOCI when the FOCI is not mitigated or negated; for more information on limited entity eligibility in such FOCI cases, see
(1) The GCA, or an entity with limited eligibility, must first request a limited entity eligibility determination from the CSA for the relevant entity and provide justification for limiting eligibility in that case;
(2) Limited entity eligibility is specific to the requesting GCA's classified information, and to a single, narrowly defined contract, agreement, or circumstance;
(3) The entity must otherwise meet the requirements for entity eligibility set out in this part;
(4) The CSA documents the requirements of each limited entity eligibility determination it makes, including the scope of, and any limitations on, access to classified information;
(5) The CSA verifies limited entity eligibility determinations only to the requesting GCA or entity. In the case of multiple limited entity eligibility determinations for a single entity, the CSA verifies each one separately only to its requestor; and
(6) CSAs administratively terminate the limited entity eligibility when there is no longer a need for access to the classified information for which the CSA approved the limited entity eligibility.
(g) Terminating or revoking eligibility. (1) The responsible CSA terminates the entity's eligible status when the entity no longer has a need for access to classified information.
(2) The responsible CSA revokes the entity's eligible status if the entity is unable or unwilling to protect classified information.
(3) The CSA coordinates with the GCA(s) to take interim measures, as necessary, toward either termination or revocation.
(a) FOCI determination. A
(1) A foreign interest has the power to direct or decide matters affecting the entity's management or operations in a manner that could:
(i) Result in unauthorized access to classified information; or
(ii) Adversely affect performance of a contract or agreement requiring access to classified information; and
(2) The foreign interest exercises that power:
(i) Directly or indirectly;
(ii) Through ownership of the
(iii) By the ability to control or influence the election or appointment of one or more members to the entity's governing board (e.g., board of directors, board of managers, board of trustees) or its equivalent; or
(iv) Prospectively (i.e., is not currently exercising the power, but could).
(b) CSA guidance. The CSA establishes guidance for entities on filling out and submitting a Standard Form (SF) 328, Certificate Pertaining to Foreign Interests (OMB Control No. 0704-0194), and on reporting changes in circumstances that might result in a determination that the entity is under FOCI or is no longer under FOCI. The CSA also advises entities on the Government appeal channels for disputing CSA FOCI determinations.
(c) FOCI factors. To determine whether an entity is under FOCI, the CSA analyzes available information to determine the existence, nature, and source of FOCI. The CSA:
(1) Considers information the entity or its parent provides on the SF 328/CF 328 (OMB Control No. 0704-0194), and any other relevant information; and
(2) Considers in the aggregate the following factors about the entity:
(i) Record of espionage against
(ii) Record of enforcement actions against the entity for transferring technology without authorization;
(iii) Record of compliance with pertinent
(iv) Type and sensitivity of the information the entity would access;
(v) Source, nature, and extent of FOCI, including whether foreign interests hold a majority or minority position in the entity, taking into consideration the immediate, intermediate, and ultimate parent entities;
(vi) Nature of any relevant bilateral and multilateral security and information exchange agreements;
(vii) Ownership or control, in whole or in part, by a foreign government; and
(viii) Any other factor that indicates or demonstrates foreign interest capability to control or influence the entity's operations or management.
(d) Entity access while under FOCI. (1) If the CSA is determining whether an entity is eligible to access classified information and finds that the entity is under FOCI, the CSA must consider the entity ineligible for access to classified information. The CSA and the entity may then attempt to negotiate FOCI mitigation or negation measures sufficient to permit a favorable eligibility determination.
(2) The CSA may not determine that the entity is eligible to access classified information until the entity has put into place appropriate security measures to negate or mitigate FOCI or is otherwise no longer under FOCI. If the degree of FOCI is such that no mitigation or negation efforts will be sufficient, or access to classified information would be inconsistent with national security interests, then the CSA will determine the entity ineligible for access to classified information.
(3) If an entity comes under FOCI, the CSA may allow the existing eligibility status to continue while the CSA and the entity negotiate acceptable FOCI mitigation or negation measures, as long as there is no indication that classified information is at risk. If the entity does not actively negotiate mitigation or negation measures in good faith, or there are no appropriate measures that will remove the possibility of unauthorized access to classified information or adverse effect on the entity's performance of contracts or agreements involving classified information, the CSA will take steps, in coordination with the GCA, to terminate eligibility.
(e) FOCI and entities under the CCIPP.
(1) The Secretary of
(i) Is authorized for release to the country involved;
(ii) Does not include information classified under the Atomic Energy Act; and
(iii) Does not impede or interfere with the entity's ability to manage and comply with regulatory requirements imposed by other Federal agencies, such as the
(2) If the CSAs agree the mitigation or negation measures are sufficient,
(f) Mitigation or negation measures to address FOCI. (1) The CSA-approved mitigation or negation measures must assure that the entity can offset FOCI by effectively denying unauthorized people or entities access to classified information and preventing the foreign interest from adversely impacting the entity's performance on contracts or agreements requiring access to classified information.
(2) Any mitigation or negation measures the CSA approves for an entity must not impede or interfere with the entity's ability to manage and comply with regulatory requirements imposed by other Federal agencies (such as
(3) If the CSA approves a FOCI mitigation or negation measure for an entity, it may agree that the measure, or particular portions of it, may apply to all of the present and future sub-entities within the entity's organization.
(4) Mitigation or negation measures are different for ownership versus control or influence.
(5) Methods to mitigate foreign control or influence (unrelated to ownership) may include:
(i) Assigning specific oversight duties and responsibilities to independent board members;
(ii) Formulating special executive-level security committees to consider and oversee matters that affect entity performance on contracts or agreements requiring access to classified information;
(iii) Modifying or terminating loan agreements, contracts, agreements, and other understandings with foreign interests;
(iv) Diversifying or reducing foreign-source income;
(v) Demonstrating financial viability independent of foreign interests;
(vi) Eliminating or resolving problem debt;
(vii) Separating, physically or organizationally, the entity component performing on contracts or agreements requiring access to classified information;
(viii) Adopting special board resolutions;
(ix) A combination of these methods, as determined by the CSA; or
(x) Other actions that effectively negate or mitigate foreign control or influence.
(6) Methods to mitigate or negate foreign ownership include:
(i) Board resolutions. The CSA and the entity may agree to a board resolution when a foreign interest does not own voting interests sufficient to elect, or is otherwise not entitled to representation on, the entity's governing board. The resolution must identify the foreign shareholders and their representatives (if any), note the extent of foreign ownership, certify that the foreign shareholders and their representatives will not require, will not have, and can be effectively excluded from, access to all classified information, and certify that the entity will not permit the foreign shareholders and their representatives to occupy positions that might enable them to influence the entity's policies and practices, affecting its performance on contracts or agreements requiring access to classified information.
(ii) Security control agreements (SCAs). The CSA and the entity may agree to use an SCA when a foreign interest does not effectively own or control an entity (i.e., the entity is under
(iii) Special security agreements (SSAs). The CSA and the entity may agree to use an SSA when a foreign interest effectively owns or controls an entity. The SSA preserves the foreign owner's right to be represented on the entity's board or governing body with a direct voice in the entity's business management, while denying the foreign owner majority representation and unauthorized access to classified information. When a GCA requires an entity to have access to proscribed information, and the CSA proposes an SSA as the mitigation measure, the CSA makes a national interest determination (NID) as part of determining an entity's eligibility for access. See paragraph (h) of this section for more information on NIDs.
(iv) Voting trust agreements (VTAs) or proxy agreements (PAs). The CSA and the entity may agree to use one of these measures when a foreign interest effectively owns or controls an entity. The VTA and PA are arrangements that vest the voting rights of the foreign-owned stock in cleared
(v) Combinations of the measures in paragraphs (f)(6)(i) through (iv) of this section or other similar measures that effectively mitigate or negate the risks involved with foreign ownership. CSAs must identify combination agreements in a way that distinguishes them from other agreements (e.g., a combination SSA-proxy agreement cannot be identified as either an SSA or a proxy agreement beause those names would not distinguish the combination agreement from either of the other types). CSAs must also coordinate terms in combination agreements with the controlling agency prior to releasing proscribed information.
(g) Standards for FOCI mitigation or negation measures. The CSA must include the following requirements as part of any FOCI mitigation or negation measures, to ensure that entities implement necessary security and governing controls:
(1) Annual certification and annual compliance reports by the entity's governing board and the KMOs;
(2) The
(3) Supplements to FOCI mitigation or negation measures as the CSA deems necessary. In addition to the standard FOCI mitigation or negation measure's requirements, the CSA may require more procedures via a supplement, based upon the circumstances of an entity's operations. The CSA may place these requirements in supplements to the FOCI mitigation or negation measure to allow flexibility as circumstances change without having to renegotiate the entire measure. When making use of supplements, the CSA does not consider the FOCI mitigation measure final until it approves the required supplements (e.g., technology control plan, electronic communication plan); and
(4) For agreements to mitigate or negate ownership (PAs, VTAs, SSAs, and SCAs), the following additional requirements apply:
(i) FOCI oversight. The CSA verifies that the entity establishes an oversight body consisting of trustees, proxy holders or outside directors, as applicable, and those officers or directors whom the CSA determines are eligible for access to classified information (see
(A) Maintains policies and procedures to safeguard classified information in the entity's possession with no adverse impact on performance of contracts or agreements requiring access to classified information; and
(B) Verifies the entity is complying with the FOCI mitigation or negation measure and related documents, contract security requirements or equivalent, and the NISP;
(ii) Qualifications of trustees, proxy holders, and outside directors. The CSA determines eligibility for access to classified information for trustees, proxy holders, and outside directors at the classification level of the entity's eligibility determination. Trustees, proxy holders, and outside directors must meet the following criteria:
(A) Be a
(B) Be completely disinterested individuals with no prior involvement with the entity, the entities with which it is affiliated, or the foreign owner and its affiliates. Individuals who are serving as trustees, proxy holders, or outside directors as part of a mitigation measure for the entity are not considered to have prior involvement solely by performing that role; and
(C) Be involved in no other circumstances that may affect an individual's ability to serve effectively, such as the number of boards on which the individual serves or the length of time serving on any other boards;
(iii) Annual meeting. The CSA meets at least annually with the oversight body to review the purpose and effectiveness of the FOCI mitigation or negation agreement; establish a common understanding of the operating requirements and their implementation; and provide guidance on matters related to FOCI mitigation and industrial security. These meetings include a CSA review of:
(A) Compliance with the approved FOCI mitigation or negation measure;
(B) Problems regarding practical implementation of the mitigation or negation measure; and
(
(iv) Annual certification. The CSA reviews the entity's annual report; addresses, and resolves issues identified in the report; and documents the results of this review and any follow-up actions.
(h) National interest determination (NID) --(1) Requirement for a NID. (i) The CSA must determine whether allowing an entity access to proscribed information under an SSA is consistent with national security interests of
(A) The GCA requires an entity to have access to proscribed information;
(B) The entity is under FOCI; and
(C) The CSA proposes an SSA to mitigate the FOCI.
(ii) This determination is called a national interest determination (NID). A favorable NID confirms that an entity's access to the proscribed information under an SSA is consistent with national security interests. If the CSA is unable to render a favorable NID, it must consider other FOCI mitigation measures instead of an SSA or reassess the entity's eligibility for access to classified information.
(2) NID process. (i) The CSA makes the NID for any categories of proscribed information for which the entity requires access.
(ii) In cases in which any category of the proscribed information is controlled by another agency (ODNI for SCI,
(iii) The CSA informs the GCA and the entity when the NID is complete. In cases involving SCI, RD, or
(iv) An entity's access to SCI, RD, or
(A) The CSA, GCA, or controlling agency becomes aware of adverse information that impacts the entity eligibility determination;
(B) The CSA's threat assessment pertaining to the entity indicates a risk to one of the categories of proscribed information;
(C) The CSA becomes aware of any material change regarding the source, nature, and extent of FOCI; or
(D) The entity's record of NISP compliance, based on CSA reviews in accordance with
(v) Under any of these circumstances, the CSA determines whether an entity may continue being eligible for access to classified information, it must change the FOCI mitigation measure in order to remain eligible, or the CSA must terminate or revoke access.
(3) Process for concurring or non-concurring on a NID. (i) Each controlling agency tells the CSAs what information the controlling agency requires to consider a NID. ODNI identifies the information it requires to assess a NID for access to SCI,
(ii) The CSA requests from the GCA justification for access, a description of the proscribed information involved, and other information the controlling agency requires to concur or non-concur on the NID.
(iii) The CSA requests concurrence on the NID from the controlling agency for the relevant category of proscribed information (ODNI for SCI,
(iv) The relevant controlling agency (ODNI for SCI,
(A) The controlling agency may concur with the NID for access under a particular contract or agreement, access under a program or project, or for all future access to the same category of proscribed information.
(B) If the relevant controlling agency does not concur with the NID, the controlling agency informs the CSA in writing, citing the reasons why it does not concur. The CSA notifies the applicable GCA and, in coordination with the GCA, then notifies the entity. The entity cannot have access to the category of proscribed information under the control of that agency (i.e., if ODNI does not concur, the entity may not have access to SCI; if
(v) When an entity is eligible for access to classified information that includes a favorable NID for SCI, RD, or
(A) Renewing the contract or agreement;
(B) New task orders issued under the contract or agreement;
(C) A new contract or agreement that contains the same provisions as the previous one (this usually applies when the contract or agreement is for a program or project); or
(D) Renewing the SSA.
(vi) When making the decision whether or not to concur with a NID for proscribed information under its control, the controlling agency will not duplicate work already performed by the GCA during the contract award process or by the CSA when determining entity eligibility for access to classified information.
(4) Timing for concurrence process. (i) The CSA requests NID concurrence from the controlling agency as soon as the CSA has made a NID, if the entity needs access to SCI, RD, or
(ii) The controlling agency provides a final, written concurrence or non-concurrence to the CSA within 30 days after receiving the request for concurrence from the CSA.
(iii) In cases when a controlling agency requires clarification or additional information from the CSA, the controlling agency responds to the CSA within 30 days to request clarification or additional information as needed, and to coordinate a plan and timeline for concurring or non-concurring. The controlling agency must provide written updates to the CSA every 30 days until it concurs or non-concurs. In turn, the CSA provides the GCA and the entity with updates every 30 days.
(i) Limited eligibility determinations (for entities under FOCI without mitigation or negation). (1) In exceptional circumstances when an entity is under FOCI, the CSA may decide that limited eligibility for access to classified information is appropriate when the entity is unable or unwilling to implement FOCI mitigation or negation measures (this is not the same as limited eligibility in other circumstances; for more information on limited eligibility in other cases, see
(2) The GCA first decides whether to request a limited eligibility determination for the entity and must articulate a compelling need for it to the CSA that is in accordance with
(3) The CSA may grant a limited eligibility determination if the GCA requests and the entity meets all other eligibility criteria in
(4) A foreign government may sponsor a
(5) Limited eligibility determinations are specific to the classified information of the requesting GCA or foreign government, and specific to a single, narrowly defined contract, agreement, or circumstance of that GCA or foreign government.
(6) The access limitations of a favorable limited eligibility determination apply to all of the entity's employees, regardless of citizenship.
(7) A limited eligibility determination is not an option for entities that require access to proscribed information when a foreign government has ownership or control over the entity. See
(8) The CSA administratively terminates the entity's limited eligibility when there is no longer a need for access to the classified information for which the CSA made the favorable limited eligibility determination. Terminating one limited eligibility status does not impact other ones the entity may have.
(a) Making employee eligibility determinations. (1) The responsible CSA:
(i) Determines whether entity employees meet the criteria established in the Security Executive Agent Directive (SEAD) 4, National Security Adjudicative Guidelines (
(ii) Notifies entities of its determinations of employee eligibility for access to classified information.
(iii) Terminates eligibility status when there is no longer a need for access to classified information by entity employees.
(2) The responsible CSA maintains:
(i) SF 312s, Classified Information Nondisclosure Agreements, or other approved nondisclosure agreements, executed by entity employees, as prescribed by ODNI in accordance with 32 CFR 2001.80 and E.O. 13526; and
(ii) Records of its entity employee eligibility determinations, suspensions, and revocations.
(3) CSAs ensure that entities limit the number of employees with access to classified information to the minimum number necessary to work on contracts or agreements requiring access to classified information.
(4) The CSA determines the need for event-driven reinvestigations for entity employees.
(5) CSAs use the Federal Investigative Standards (FIS) issued jointly by the Suitability and Security Executive Agents.
(6) The CSA provides guidance to entities on:
(i) Requesting employee eligibility determinations, to include guidance for submitting fingerprints; and
(ii) Granting employee access to classified information when the employee has had a break in access or a break in employment.
(7) If the CSA receives adverse information about an eligible entity employee, the CSA should consider and possibly investigate, as authorized, to determine whether the employee's eligibility to access classified information remains clearly consistent with the interests of national security. If the CSA determines that an entity employee's continued eligibility is not in the interest of national security, the CSA implements procedures leading to suspension and ultimate revocation of the employee's eligible status, and notifies the entity.
(b) Consultants. A consultant is an individual under contract or agreement to provide professional or technical assistance to an entity in a capacity requiring access to classified information. A consultant is considered an entity employee for security purposes. The CSA makes eligibility determinations for entity consultants in the same way it does for entity employees.
(c) Reciprocity. The responsible CSA determines if an entity employee was previously investigated or determined eligible by another CSA. CSAs reciprocally accept existing employee eligibility determinations in accordance with applicable and current national level personnel security policy, and must not duplicate employee eligibility investigations conducted by another CSA.
(d) Limited access authorization (LAA). (1) CSAs may make LAA determinations for non-
(i) A non-
(ii) A
(2) A CSA may grant LAAs up to the secret classified level.
(3) CSAs may not use LAAs for access to:
(i) Top secret (TS) information;
(ii) RD or FRD information;
(iii) Information that a Government-designated disclosure authority has not determined releasable to the country of which the individual is a citizen;
(iv)
(v) Intelligence information, to include SCI;
(vi)
(vii) Information for which the
(viii) Information provided to the
(4) The responsible CSA provides specific procedures to entities for requesting LAAs. The GCA must concur on an entity's LAA request before the CSA may grant it.
(a) Safeguarding approval. (1) The CSA determines whether an entity's safeguarding capability meets requirements established in 32 CFR part 2001, and other applicable national level policy (e.g., Atomic Energy Act for RD). If the CSA makes a favorable determination, the entity may store classified information at that level or below. If the determination is not favorable, the CSA must ensure that the entity does not possess classified information or does not possess information at the classification level denied or a higher level.
(2) The CSA maintains records of its safeguarding capability determinations and, upon request from GCAs or entities, and as appropriate and to the extent authorized by law, verifies that it has made a favorable safeguarding determination for a given entity and at what level.
(b) Marking. The GCA provides guidance to entities that meets requirements in 32 CFR 2001.22, 2001.23, 2001.24, and 2001.25, Derivative classification, Classification marking in the electronic environment, Additional requirements, and Declassification markings; ISOO's marking guide, Marking Classified National Security Information; and other applicable national level policy (e.g., Atomic Energy Act for RD) for marking classified information and material.
(a) The responsible CSA must authorize an entity information system before the entity can use it to process classified information. The CSA must use the most complete, accurate, and trustworthy information to make a timely, credible, and risk-based decision whether to authorize an entity's system.
(b) The responsible CSA issues to entities guidance that establishes protection measures for entity information systems that process classified information. The responsible CSA must base the guidance on standards applicable to Federal systems, which must include the Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283, and may include
Appendix A to Part 2004--Acronym Table
For details on many of these terms, see the definitions at
CCIPP--Classified Critical Infrastructure Protection Program
CCIPP POC--Entity point of contact under the CCIPP program
CIA--
CSA--Cognizant security agency
CNSS--Committee on National Security Systems
COMSEC--Communications security
CSO--Cognizant security office
DHS--Department of Homeland Security
DoD--
DOE--
EA--Executive agent (the NISP executive agent is
E.O.--Executive Order
FAR--Federal Aquisition Regulation
FOCI--Foreign ownership, control, or influence
GCA--Government contracting activity
Insider threat program SO--insider threat senior official (for an agency or for an entity)
ISOO--
KMO--Key managers and officials (of an entity)
LAA--Limited access authorization
NID--National interest determination
NISPOM--National Industrial Security Program Operating Manual
NRC--
NSA--
ODNI--Office of the Director of National Intelligence
PA--Proxy agreement
RD--Restricted data
SF--Standard Form
SAO--Senior agency official for NISP
SAP--Special access program
SCA--Security control agreement
SCI--Sensitive compartmented information
SSA--Special security agreement
TS--Top secret (classification level)
VT--Voting trust
Archivist of
[FR Doc. 2018-09465 Filed 5-4-18;
BILLING CODE 7515-01-P
AbbyLynn moves, Daniel’s Hobbies takes space for race track
Military Reservist Economic Injury Disaster Loans Interest Rate for Third Quarter FY 2018
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News