What is the purpose of Cognizant Security Agencies (CSA)?
These organizations establish industrial security programs and oversee security requirements
What is the purpose of Cognizant Security Offices (CSO)?
These organizations administer the NISP and provide security guidance, oversight, and policy clarifications
What is the role of an Industrial Security Representative (IS Rep)?
Serves as contractor’s primary point of contact for security matters
Works closely with the FSO to provide advice, assistance, and oversight
Conducts Security Vulnerability Assessments (SVAs) and administrative inquiries
Contractors report security violations to IS rep
*Government role
What is the role of an Information System Security Professional (ISSP)/Security Control Assessor (SCA)?
Works closely with IS Reps and contractor personnel on all matters related to the authorization and maintenance of authorized contractor classified Information Systems (ISs)
Oversees authorized contractor IS use
*Government role
What is the role of a Counterintelligence Special Agent?
Provides advice, oversight, and training regarding counterintelligence issues
Works with contractors to identify potential threats to U.S. technology, including insider threats
*Government role
What is the role of the Installation Commander/Agency Head?
Serves as the CSO for government-controlled and leased facilities.
Has overall responsibility for the security of the installation
Reviews and updates installation directives to reflect minimum NISPOM guidance for those contractors who are required to work on the installation
*Government role
What is the role of a Facility Security Officer (FSO)?
Has ultimate responsibility for the administration, oversight, and day-to-day operation of the contractor security program
Meets NISPOM requirements and contract specific DD 441 and DD 254
*Contractor role
What is the role of an Information System Security Manager (ISSM)?
Manages each Information System (IS) and ensures all IS security requirements are met.
Implements NISPOM IS security requirements to include self inspections of IS
Establishes, documents, maintains, and monitors IS security programs and procedures
Conducts IS security education and training
Notifies the CSO of relevant changes to IS
Develops facility procedures for: handling media and equipment containing classified information, implementing security features, incident reporting, user acknowledgment of responsibility, and threat detection, including auditing and monitoring for malware attacks, phishing attempts, and other threats
*Contractor role
What is the role of an Insider Threat Program Senior Official (ITPSO)?
Responsible for establishing and maintaining an Insider Threat Program that gathers, integrates, and reports any information that might indicate an insider threat
*Contractor role
What is the purpose of a Government Contracting Activity (GCA)?
Defines the initial requirements for the product or service, as well as the acquisition strategy for the contract
Publishes a Request for Proposal (RFP) as part of the solicitation stage
Evaluates the submitted proposals and, based on the criteria outlined in the GCA’s RFP
Awards the contract to the contractor that provides the best value to the government.
What is included in a Request for Proposal (RFP)?
- Contract requirements
- Contract clause
- Work statements
- Specifications
- Delivery schedule
- Payment terms
What are the facility requirements for a classified contract?
The government must verify that the contractor has a valid Facility Clearance (FCL)
- At the appropriate level
- With the appropriate storage capabilities, if applicable
- If the company does not have a valid FCL:
- The government will need to sponsor the company for an initial FCL at the proper level
If the company has an FCL at a lower level:
- The government will need to sponsor an upgrade to the proper level prior to awarding any classified contracts
What is the role of a Contracting Officer (CO)?
Authority to enter into, administer, and terminate contracts.
Oversight and contract responsibility for numerous programs
Authority may be delegated for
- Contract administration to an Administrative Contracting Officer, or ACO.
- Settling terminated contracts may be delegated to a Termination Contracting Officer, or TCO
*Government role
What is the role of a Contracting Officer’s Representative (COR)?
- Designated by the CO
- Assigned to specific contracts (SME), and oversees the contracting process, making sure that all of the necessary requirements are met
- Determine whether a contractor has the need for access to classified information, verify the contractor’s FCL, and sponsor the contractor for an FCL, if necessary.
- Communicate the security requirements, monitor contractor performance
- Not authorized to make any commitments or changes that will affect price, quality, quantity, delivery, or any other term or condition of the contract; these are the responsibility of the CO
- Government role
What are the requirements for Contract Documentation?
- Include security clauses, as required by the Federal Acquisition Regulation, or FAR and the Defense Federal Acquisition Regulation Supplement, or DFAR.
- Follow the security classification guidance to include classified and CUI
What does the Statement of Work (SOW) contain?
Provides the contractor with background, objective and completion information on the desired end product
Contains contract information such as
- Project scope
- Deadlines and steps
- Contractor details
- Lists of contract working personnel
- Billing hours and rates
- Clearance levels required
- Travel, if applicable
What does the Department of Defense Contract Security Classification Specification (DD 254) provide to contractors?
Provides contractors with security requirements and security classification guidance to perform on the classified contract
- Specific clearance and access requirements
- Authorization to generate classified information
- Classified storage requirements
- Instructions about public disclosure
- Other special security regulations above and beyond those detailed in the NISPOM
*Mandatory for all contracts requiring access to classified information
What knowledge/roles are required to complete the DD 254?
- Contracting authority and knowledge (Example: the COR)
- Program knowledge and subject matter expertise (Example: program manager for the contract)
- Security knowledge of information and industrial security requirements (Example: FSO or security specialist)
What is a DoD Security Agreement (DD Form 441)?
- Legally binding contract between the U.S. Government and the contractor
- Executed when a company receives its FCL
- Must be completed before any work on a classified contract begins
What are the basics of a Facility Clearance (FCL)?
- Administrative determination that a company is eligible for access to classified information of a certain classification level and all lower levels
- Contractor or facility cannot access or possess classified material until the FCL is granted and safeguarding capabilities are approved
- All Key Management Personnel (KMP) must be granted a PCL before the FCL will be granted
- It is not the actual facility building or structure that is cleared, but the individuals who run, own, and manage the facility
What is the government’s role in DoD Security Agreement (DD Form 441)?
- Establishes authority to review the contractor’s security program to ensure compliance
- Makes a commitment to process PCLs for contractor employees
- Agrees to provide security classification guidance and oversight
What is required in order to obtain a Personnel Security Clearances (PCL)?
- Favorable clearance eligibility determination at the proper level
- Possess a need-to-know
- Execute a Classified Information Non-Disclosure Agreement (SF 312)
What are the steps in the Personnel Security Clearances (PCL) Process?
- The GCA and RFP (not PM) decide if an employee needs a PCL based on requirements to perform on the classified contract
- The FSO initiates the process and the employee completes the SF-86
- The FSO sends the SF-86 to the Personnel Security Management Office for Industry (PSMO-I)
- PSMO-I determines whether the request for a clearance is legitimate and forwards the application to the investigative agency that will conduct the background investigation
- The investigative agency puts all of the information collected into a report that the DoD CAF reviews
- The DoD CAF uses the national standards laid out in the DoDM 5200.2, Procedures for the DoD Personnel Security Program, to make a national security eligibility determination
- If the determination is favorable, the DoD CAF records the eligibility level in the DoD system of record
- The FSO may then grant the employee access to classified information, up to the level for which the employee is eligible.
Who determines the level of clearance for the PCL?
The GCA based on the RFP
*Not the PM
