DoD 5220.22 R

FORWARD

Page

Foreword 2

Table of Contents 3

References 8

Definitions 10

Acronyms and Abbreviations 22

Chapter 1 - General Provisions

C1.1. Purpose 25

C1.2. Authority and Scope 25

C1.3. Superseded Regulation 26

C1.4. Amendment of Regulation 26

C1.5. Distribution and Use of this Regulation 26

C1.6. Expenditure of Funds for Security 26

C1.7. Waivers and Exceptions 27

C1.8. GCA Procedures under This Regulation 27

C1.9. Security Cognizance 27

C1.10. Industrial Security Letters (ISLs) 28

C1.11. Contractor Activities on a GCA Installation within CONUS 28

C1.12. Contractor Activities Outside the U.S., Puerto Rico, U.S. Possessions or Trust Territories

30

C1.13. Privileged Information 30

Chapter 2 - Facility Clearance

C2.1. General 32

C2.2. Reciprocity 32

C2.3. Clearance Request 32

C2.4. Contractor Eligibility Requirements 33

C2.5. FCL Processing 33

C2.6. Interim FCL 34

C2.7. Issuance of the FCL 34

C2.8. DoD Technical Information Dissemination Activities 35

C2.9. Business Structures 35

C2.10. Exclusion Procedures 41

C2.11. PCLs Concurrent with the FCL 42

C2.12. Administrative Termination and Downgrading of an FCL 42

C2.13. Invalidation of an FCL 43

C2.14. Revalidation of an FCL 48

C2.15. Revocation of an FCL 49

C2.16. Maintenance of Contractor Information 50

Chapter 3 - Foreign Ownership, Control, or Influence (FOCI)

C3.1. General 51

C3.2. Policy 51

C3.3. Factors 52

C3.4. Procedures 54

C3.5. Foreign Mergers, Acquisitions and Takeovers, and the Committee on Foreign Investment in the United States (CFIUS) 54

C3.6. FOCI Negation Action Plans 55

C3.7. Methods to Negate Risk in Foreign Ownership Cases 56

C3.8. Government Security Committee 59

C3.9. Annual Review and Certification 59

Chapter 4: Personnel Security Clearances (PCLs)

C4.1. General 61

C4.2. Reciprocity 61

C4.3. Investigative Requirements 61

C4.4. Reinstatements 62

C4.5. Conversion of PCLs for Civilian and Military Personnel of the Department of Defense and Certain Other Governmental Agencies 62

C4.6. Clearance Application 62

C4.7. Pre-Employment Clearance Action 62

C4.8. Trustworthiness Determination 62

C4.9. Issuance of Letter of Consent (LOC) 62

C4.10. Interim PCLs 63

C4.11. Limited Access Authorization 64

C4.12. Consultants to Contractors 65

C4.13. Representatives of a Foreign Interest (RFIs) 65

C4.14. PCL Assurances on US Persons to Foreign Activities 65

C4.15. Sensitive Compartmented Information (SCI) 66

C4.16. Administrative Termination 66

C4.17. Administrative Downgrading of Top Secret PCLs 66

C4.18. Invalid and Void Clearances 66

C4.19. Denial, Suspension, or Revocation of PCL 66

C4.20. Record of PCL 68

Chapter 5: Contracting

C5.1. General 69

C5.2. Procedures 69

C5.3. Security Classification Guidance 70

C5.4. Issuance of Security Classification Guidance 70

C5.5. Special Situations 71

C5.6. Subcontract Guidance 72

C5.7. Unsolicited Proposals 72

C5.8. Public Disclosure 73

C5.9. Review of Classification and Need-to-Know 73

C5.10. Classification Interpretation Procedures 73

C5.11. Retention of Classified Material 73

C5.12. Transfer of Classified Material to a New Contract 73

C5.13. Downgrading and Declassification 73

C5.14. Protective Marking – For Official Use Only 74

Chapter 6. Safeguarding

C6.1. Accountability for Classified Information 75

C6.2. Storage of Classified Material 75

C6.3. Transmission of Classified Material 77

C6.4. Commercial Carriers 78

C6.5. Reproduction of Classified Material 79

C6.6. Destruction of Classified Material 79

Chapter 7 - Espionage, Sabotage, Loss, Compromise, and Other Violations

C7.1. Application 81

C7.2. Espionage, Sabotage, and Subversive Activities 81

C7.3. Loss, Compromise, and Suspected Compromise of Classified

Information 81

C7.4. Investigative Support 83

C7.5. Additional Reporting of Espionage, Criminal Activity, and

Counterintelligence Activity 84

C7.6. Suspicious Contacts 84

Chapter 8 - Industrial Security Education

C8.1. Application 86

C8.2. Responsibility 86

C8.3. Contractor Self-Approval Authority 87

C8.4. Funding 87

C8.5. Briefings 87

C8.6. Oral Attestation 87

C8.7. Classified Information Nondisclosure Agreement (SF 312) 87

Chapter 9 - Visits and Meetings

C9.1. Visits 88

C9.2. Meetings 89

Chapter 10 - Information Systems

C10.1. Responsibilities 93

C10.2. Certification and Accreditation 93

C10.3. Systems Security Plan (SSP) 96

C10.4. User Notification 97

C10.5. Interconnected Systems Management 97

C10.6. Long Haul Communications 98

Chapter 11 - Special Requirements

C11.1. Restricted Data (RD) and Formerly Restricted Data (FRD) 99

C11.2. Critical Nuclear Weapons Design Information (CNWDI) 99

C11.3. Special Access Programs (SAPs) 100

C11.4. Communications Security (COMSEC) Information 101

Chapter 12 - International

C12.1. Security Agreements 104

C12.2. Restricted and Other Foreign Government Information (FGI) Provided in Confidence 105

C12.3. United Kingdom (UK) Restricted 106

C12.4. Export Licensing 106

C12.5. International Transfers 106

C12.6. International Visits and Meetings 110

C12.7. Security Assurances 111

C12.8. Contractor Operations Abroad 112

C12.9. Security Administration of U.S. Classified Contracts or Subcontracts

Awarded to Foreign Contractors 113

C12.10. Foreign Government Classified Contracts or Subcontracts to

U.S. Industry 115

C12.11. North Atlantic Treaty Organization (NATO) 115

C12.12. U.S. Patent Agents Engaged in Filing Classified Patent

Applications for Foreign Governments 117

Chapter 13 - Miscellaneous

C13.1. Defense Treaty Inspection Readiness Program (DTIRP) 119

C13.2. Acquisition System Protection Program (ASPP) 119

C13.3. Nuclear Weapon Personnel Reliability Program (PRP) 120

C13.4. Operations Security (OPSEC) 120

C13.5. TEMPEST Countermeasures 121

C13.6. Independent Research and Development (IR&D) Efforts 122

C13.7. Defense Technical Information Center (DTIC) 123

C13.8. For Official Use Only (FOUO) 123

C13.9. DoD Antiterrorism/Force Protection (AT/FP) Program 124

Chapter 14 - Security Reviews and Defense Security Service (DSS) Continuing Security Assurance Activity

C14.1. Security Reviews 125

C14.2. Advice and Assistance 129

APPENDICES

AP1: Preparation Instructions for the DD Form 254 130

AP2: Operational Areas of the Defense Security Service (DSS) 140

AP3: Cognizant Security Office (COG) Information 146

AP4: DSS Maintenance of Contractor Information 147

AP5: Security Review Report 150

AP6: Foreign Equivalent Markings 151

AP7: Forms 154

AP8: Index 169

(a) DoD 5220.22-R, "Industrial Security Regulation," December 4, 1985 (hereby cancelled)

(b) Executive Order 12829, "National Industrial Security Program," January 6, 1993

(c) DoD 5220.22-M, "National Industrial Security Program Operating Manual," January 1995

(d) Federal Acquisition Regulation, current edition

(e) Department of Defense Federal Acquisition Regulation Supplement

(f) Title 50, U.S.C. Section 403, "National Security Act of 1947"

(g) DoD Directive 5220.22, "DoD Industrial Security Program," December 8, 1980

(h) Classified Information Procedures Act

(i) Section 721 of Title VII of Public Law 102-99, "Defense Production Act," 1950

(j) Public Law 83-703, "Atomic Energy Act of 1954," as amended

(k) DoD 5200.2-R, "Personnel Security Program," January 1987

(l) Executive Order 12958, "Classified National Security Information," April 17, 1995

(m) Section 552 of Title V, United States Code, "Freedom of Information Act"

(n) Presidential Directive on "Safeguarding Classified National Security Information," August 4, 1999.

(o) Director of Central Intelligence Directive No. 1/21, "Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF)," July 29, 1994

(p) DoD 5220.22-C, "Carrier Supplement to Industrial Security Manual for Safeguarding Classified Information," October 1986

(q) DoD Directive 5240.2, "DoD Counterintelligence (CI)," May 22, 1997

(r) DoD Instruction 5240.4, "Reporting of Counterintelligence and Criminal Violations," September 22, 1992

(s) DoD Directive 4640.13, "Management of Base and Long-Haul Telecommunications Equipment and Semites," December 5. 1991

(t) DoD Directive 5210.2, "Access to and Dissemination of Restricted Data," January 12, 1978

(u) DoD Directive O-5205.7, "Special Access Program (SAP) Policy," January 13, 1997

(v) DoD Instruction O-5205.11, "Management, Administration, and Oversight of DoD Special Access Programs (SAPs)," July 1, 1997

(w) DoD 5220.22-M-Sup 1., "National Industrial Security Program Operating Manual Supplement," February 1995

(x) "Department of Defense Overprint to the National Industrial Security Program Operating Manual Supplement," January 14, 1998

(y) DoD Directive 5230.20, "Visits, Assignments, and Exchanges of Foreign Nationals," August 12, 1998

(z) DoD Directive 5205.10, "Defense Treaty Inspection Readiness Program (DTIRP)," July 29, 1996

(aa) DoD 5200.1-M, "Acquisition Systems Protection Program," March 1994

(bb) DoD Directive 5210.42, "Nuclear Weapon Personnel Reliability Program (PRP)," May 25, 1993

(cc) DoD Directive 5205.2, "DoD Operations Security Program," July 7, 1983

(dd) DoD 5200.1-R, "Information Security Program," January 1997

(ee) DoD Directive 2000.12, "DoD Antiterrorism/Force Protection (AT/FP) Program," April 13, 1999

DL1. DEFINITIONS

DL1.1. Access. The ability and opportunity to obtain knowledge of classified information.

DL1.2. Accesses. Indoctrination to classified material that has additional security requirements or caveats. This may be Sensitive Compartmented Information (SCI), Special Access Program (SAP) information, or collateral level accesses such as North Atlantic Treaty Organization (NATO), Critical Nuclear Weapons Design Information (CNWDI), etc.

DL1.3. Accreditation (of Information System). The approval to use an Information System (IS) to process classified information in a specified environment at an acceptable level of risk based upon technical, managerial and procedural safeguards.

DL1.4. Acquisition Systems Protection (ASP). The safeguarding of defense systems anywhere in the acquisition process as defined in DoD Directive 5000.1, the defense technologies being developed that could lead to weapon or defense systems, and defense research data. ASP integrates all security disciplines, counterintelligence, and other defensive methods to deny foreign collection efforts and prevent unauthorized disclosure to deliver to our forces uncompromised combat effectiveness over the live expectancy of the system.

DL1.5. Authorized Person. A person who has a need-to-know for classified information in the performance of official duties and who has been granted a personnel clearance at the required level.

DL1.6. Automatic Declassification Authority. The declassification of information based solely upon the occurrence of a specific date or event as determined by the original classification authority, or the expiration of a maximum time frame for duration of classification established under this order.

DL1.7. Carve-out. A Special Access Program (SAP) from which DSS has been relieved of security oversight responsibility.

DL1.8. Certification (of Information System). The process of validating that protection measures for an Information System have been implemented and are functioning properly.

DL1.9. Classified Contract. Any contract that required or will require access to classified information, by a contractor or his or her employees. (A contract may be a classified contract even though the contract document is not classified.) The requirements for a classified contract also are applicable to all phases of pre-contract activity, including solicitations (bids, quotations, and proposals), pre-contract negotiations, post-contract activity, or other Government Contracting Agency programs or projects, which require access to classified information by a contractor.

DL1.10. Classified National Security Information (or Classified Information). Information that has been determined to require protection against unauthorized disclosure and is so designated. The classifications Top Secret, Secret, and Confidential are used to designate such information.

DL1.11. Classifier. Any person who makes a classification determination and applies a classification category to information or material. The determination may be an original classification action or it may be a derivative classification action. Contractors make derivative classification determinations based on classified source material, a security classification guide, or a Contract Security Classification Specification.

DL1.12. Cognizant Security Agency (CSA). Under the NISP there are four executive branch agencies that are authorized to function as cognizant security agencies (CSAs): DoD, the Central Intelligence Agency (CIA), the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC). CSAs are responsible for security administration of contracts and classified activities within their agency. They may delegate responsibility for security administration within their organization. For DoD, responsibility for security administration of the NISP within Defense contractors has been delegated to the Defense Security Service.

DL1.13. Cognizant Security Office (CSO). As the CSA for the DoD, the Director, DSS, may delegate security cognizance to the DSS Regions, which are designated as the cognizant security offices (CSOs), for all contractor facilities within their jurisdictions.

DL1.14. Collateral Information. Information identified as National Security Information under the provisions of E.O. 12958 but which is not subject to enhanced security protection required for SAP information.

DL1.15. Communications Security (COMSEC). The protection resulting from all measures designed to deny unauthorized persons information of value that might be derived from the possession and study of telecommunications and to ensure the authenticity of such communications. Includes cryptosecurity, emission security, transmission security, and physical security of COMSEC material and information.

DL1.16. Compromise. An unauthorized disclosure of classified information.

DL1.17. Confidential. The designation applied to information or material the unauthorized disclosure of which could reasonably be expected to cause damage to the national security.

DL1.18. Contracting Officer. A government official, who in accordance with departmental or agency procedures, currently is designated as a contracting officer with the authority to enter into and administer contracts, and make determination and finding with respect thereto, or any part of such authority. The term also includes the designated representative of the contracting officer acting within the limits of his or her authority.

DL1.19. Contractor. Any industrial, educational, commercial, or other entity that has been granted a Facility Security Clearance (FCL) by a CSA.

DL1.20. Corporation. A legal entity governed by a set of bylaws and owned by its stockholders.

DL1.21. Counterintelligence (CI). Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.

DL1.22. Countermeasures. The employment of devices and/or techniques that has as its objective the impairment of the operational effectiveness of an adversary’s activity. Countermeasures may include anything that effectively negates an adversary’s ability to exploit vulnerabilities.

DL1.23. Criminal activity. Conduct that is or may be a violation of a federal or state criminal law, the Uniform Code of Military Justice, the common law, and the criminal laws of foreign countries that might embarrass or otherwise be of concern to the DoD. Selective judgement should be exercised in determining what matters are to be reported based on such factors as the nature of the criminal act, the clearance level of the individual concerned, and his or her relative position in the company.

DL1.24. Critical Nuclear Weapon Design Information (CNWDI). That Top Secret Restricted Data or Secret Restricted Data revealing the theory of operation or design of the components of a thermo-nuclear or implosion-type fission bomb, warhead, demolition munition or test device. Specifically excluded is information concerning arming, fusing, and firing systems; limited life components; and total contained quantities of fissionable and high explosive materials by type. Among these excluded items are the components that DoD personnel set, maintain, operate, test, or replace.

DL1.25. Critical Program Information (CPI). That information about the program, technologies, and/or systems that if compromised would degrade combat effectiveness or shorten the expected combat-effective life of the system. Access to this information could allow someone to kill, counter or clone the acquisition system before or near scheduled deployment or force a major design change to maintain the same level of effectiveness.

DL1.26. Declassification. The authorized change in the status of information from classified information to unclassified information.

DL1.27. Defense Treaty Inspection Readiness Program (DTIRP). A security education and awareness program pertaining to arms control.

DL1.28. Delegation of Disclosure Authority Letter (DDL). A letter required as part of the Technology Assessment/Control Plan, prepared by the GCA, that provides detailed guidance regarding releasability of all elements of the system or technology in question. The DDL must be approved by the Under Secretary of Defense for Policy (USD(P)) before any promise or release of sensitive technology.

DL1.29. Deliberate Compromise of Classified Information. Any intentional act done with the object of conveying classified information to any person not officially authorized to receive it.

DL1.30. Derivative Classification. The act of incorporating, paraphrasing, restating or generating in new form information that is already classified, and marking the newly developed material consistent with the classification marking that apply to the source information. Derivative classification includes the classification of information based on classification guidance. The duplication or reproduction of existing classified information is not derivative classification.

DL1.31. Downgrading. A determination that information classified at a specified level shall be classified at a lower level.

DL1.32. Export. The sending or taking a defense article out of the U.S. in any manner, except by mere travel outside the U.S. by a person whose personal knowledge includes technical data; or, transferring registration or control to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the U.S. or abroad; or, disclosing (including oral or visual disclosure) or transferring in the U.S. any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic mission); or, performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the U.s. or abroad.

DL1.33. Facility. A plant, laboratory, office, college, university, or commercial structure with associated warehouses, storage areas, utilities, and components, that, when related by function and location, form an operational entity.

DL1.34. Facility Security Clearance. An administrative determination that, from a security viewpoint, a facility is eligible for access to classified information of a certain category (and all lower categories).

DL1.35. Foreign Government Information (GFI). Information provided to the U.S. Government by a foreign government or governments, an international organization of governments, an international organization of governments, or any element thereof, with the expectation that the information, the source of the information, or both, are to be held in confidence; or, information produced by the U.S. pursuant to or as a result of a joint arrangement with a foreign government or governments, or an international organization of governments, or any element thereof, requiring that the information, the arrangement, or both, are to be held in confidence; or, information received and treated as FGI under the terms of a predecessor order to E.O. 12958.

DL1.36. Foreign Interest. Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered or incorporated under the laws of any country other than the U.S. or its possessions and trust territories, and any person who is not a citizen or national of the U.S.

DL1.37. Foreign Military Sales (FMS). That portion of U.S. security assistance authorized by the Arms Export Control Act and conducted on the basis of formal contracts or agreements between the U.S. Government and an authorized recipient of a foreign government or international organization. FMS includes government-to-government sales of defense articles and defense services, from DoD stocks for through purchase under DoD-managed contracts, regardless of the source of funding.

DL1.38. Foreign National. Any person who is not a citizen or national of the U.S.

DL1.39. Foreign Person. Any person who is not a citizen or national of the U.S., any foreign interest, and any U.S. entity effectively owned or controlled by a foreign interest.

DL1.40. Formerly Restricted Data. Information removed from the Restricted Data category upon a joint determination by the DOE (or antecedent agencies) and the DoD that such information related primarily to the military utilization of atomic weapons and that such information can be safeguarded adequately as classified defense information. For purposes of foreign dissemination, this information is treated in the same manner as Restricted Data.

DL1.41. For Official Use Only. Designation applied to unclassified information that may be exempt from mandatory release to the public under the Freedom of Information Act (FOIA).

DL1.42. Freight Forwarder. A commercial firm which makes arrangements for the transfer of freight.

DL1.43. Government Contracting Activity (GCA). An element of an agency designated by the agency head and delegated broad authority regarding acquisition functions.

DL1.44. Home Office Facility (HOF). The headquarters facility of a multiple facility organization.

DL1.45. Independent Research and Development (IR&D). A contractor funded research and development effort that is not sponsored by, or required in performance of, a contract or grant that consists of projects falling within the areas of basic research; applied research; development; and systems, and other concept formulation studies.

DL1.46. Industrial Security. That portion of information security that is concerned with the protection of classified information in the custody of U.S. industry.

DL1.47. Information. Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is know by, produced by or for, or is under the control of the U.S. Government.

DL1.48. Information System. An assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control date or information.

DL1.49. Intelligence. The product resulting from the collection, evaluation, analysis, integration, and interpretation of all available information, that concerns one or more aspects of foreign nations or of areas of foreign operations, and that is immediately or potentially significant to military planning and operations.

DL1.50. Intending Citizen. An alien who falls into one of the following four categories under the Immigration Reform and Control Act of 1986:

DL1.50.1. Permanent residents;

DL1.50.2. Temporary residents (individuals who have gone through or are in the process of going through the amnesty legalization program);

DL1.50.3. Individuals admitted as refugees; and

DL1.50.4. Individuals granted asylum.

DL1.51. Interconnected Network. A network information system comprised of two or more separately accredited systems and/or networks.

DL1.52. Interim Security Clearance. A security clearance based on the completion of minimum investigative requirements, which is granted on a temporary basis, pending the completion of the full investigative requirements.

DL1.53. Intrusion Detection System (IDS). A security alarm system to detect unauthorized entry.

DL1.54. Invalidation. An administrative action that renders a contractor ineligible to receive additional classified information except that information necessary for completion of essential contracts as determined by appropriate GCAs.

DL1.55. Joint Venture. A combination of two or more contractors without any actual partnership or corporation designation who perform or act jointly in a specific endeavor, such as the negotiation for or performance of a contract.

DL1.56. Letter of Consent (LOC). The format used by DSS to notify a contractor that a PCL or LAA has been granted to an employee.

DL1.57. Limited Access Authorization (LAA). Security access authorization to Confidential or Secret information granted to non-U.S. citizens requiring such limited access in the course of their regular duties.

DL1.58. Limited Liability Corporation. A business entity and an investment vehicle that provides some of the benefits of both the corporation and the partnership. Ownership is divided on a pro rata basis according to the investment of the members.

DL1.59. Long-Haul Telecommunications. All general purpose and special purpose long-distance facilities and services (including terminal equipment and local circuitry supporting the long-haul service) used to support the electromagnetic and/or optical dissemination, transmission, or reception or information via voice, data, video, integrated telecommunications, wire, or radio to or from the post, camp, base, or station switch and/or main distribution frame (except for trunk lines to the first-serving commercial central office for local communications services). That includes FTS2000, DSN, DDN, the Automatic Digital Network, dedicated point-to-point service, and the primary inter-exchange carrier service associated with business or tie line to the local exchange carrier (e.g., DDD, Foreign Exchange, WATS, 800 service, etc.) and contractor-provided telecommunications including the interconnection of various functional Information Systems.

DL1.60. Memorandum of Agreement (MOA). A formal agreement between or among agencies or activities to delineate specific functions.

DL1.61. Multiple Facility Organization (MFO). A legal entity (single proprietorship, partnership, association, trust, or corporation) that is composed of two or more facilities.

DL1.62. Multiple Sources. Two or more source documents, classification guides or a combination thereof.

DL1.63. National Agency Check (NAC). A personnel security investigation consisting of a records review of certain agencies as described in paragraph 1, Appendix B, of DOD 5200.2-R, Personnel Security Program Regulation (Enclosure 5), including a technical fingerprint search of the files of the FBI.

DL1.64. National Agency Check plus Written Inquiries (NACI). A personnel security investigation conducted by the Office of Personnel Management, combining a NAC and written inquiries to law enforcement agencies, former employers and supervisors, references, and schools.

DL1.65. National Security. The national defense or foreign relations of the U.S.

DL1.66. NATO Classified Information. All classified information, military, political and economic circulated within NATO, whether such information originated in NATO or is received from member nations or from international organizations.

DL1.67. Need-to-know. A determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in an lawful and authorized governmental function.

DL1.68. Network. An Information System network composed of a communications medium and all components attached to that medium whose responsibility is the transference of information.

DL1.69. Operations Security (OPSEC). A process of analyzing friendly actions attendant to military operations and other activities to:

DL1.69.1. Identify those actions that can be observed by adversary intelligence systems.

DL1.69.2. Determine the indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.

DL1.69.3. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

DL1.70. Original Classification. An initial determination that information requires, in the interest of national security protection against unauthorized disclosure.

DL1.71. Original Classification Authority. An individual authorized in writing, either by the President, or by agency heads or other officials designated by the President, to classify information in the first instance.

DL1.72. Ownership of Classified Information. Once information is determined to be classified, it belongs to the United States Government and not the contractor, regardless of proprietary claims.

DL1.73. Parent. A corporation that owns at least a majority of another corporation’s voting securities.

DL1.74. Partnership. An association of two or more individuals or other business entities who have agreed to do business together as owners for profit.

DL1.75. Personnel Security Clearance (PCL). An administrative determination that an individual is eligible, from a security viewpoint, for access to classified information at the same or lower category as the level of the personnel clearance being granted.

DL1.76. Proscribed Information.

DL1.76.1. Top Secret Information;

DL1.76.2. Communications Security (COMSEC) information, except classified keys used to operate secure telephone units (STU IIIs);

DL1.76.3. Restricted Data as defined in the U.S. Atomic Energy Act of 1954, as amended;

DL1.76.4. Special Access Program (SAP) information; or

DL1.76.5. Sensitive Compartmented Information (SCI)

DL1.77. Regrade. To raise or lower the classification assigned to an item of information.

DL1.78. Representative of a Foreign Interest (RFI). A citizen or national of the U.S. who is acting as a representative of a foreign government, an agency of a foreign government, or a representative of a foreign government.

DL1.79. Restricted Data. All data concerning design, manufacture or utilization of atomic weapons; or, the production of special nuclear material; or, the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category under Section 142 of the Atomic Energy Act of 1954, as amended.

DL1.80. Revocation (of FCL). Administrative action that is taken to terminate all classified activity of a contractor because the contractor refuses, is unwilling, or has consistently demonstrated an inability to protect classified information.

DL1.81. Risk Management. The comparison and analysis of the relative threat (intent and capability to collect the information); the vulnerability of the asset; the cost and administrative burden of possible countermeasures; and the value of the asset used to determine the appropriate level of protection to control and reduce the risk of compromise or disclosure to acceptable levels. Risk management allows the acceptance of risk in the security process based upon a cost-benefit analysis.

DL1.82. Safeguarding. Measures and controls that are prescribed to protect classified information.

DL1.83. Secret. The designation applied to classified information the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security.

DL1.84. Security Assurance. The written confirmation, requested by and exchanged between governments, of the security clearance level or eligibility for clearance, of their employees, contractors and citizens. It includes a statement by a responsible official of a foreign government that the original recipient of U.S. classified information possesses the requisite security clearance and is approved by his or her government for access to information of the security classification involved on behalf of the foreign government and that the recipient will comply with any security requirements specified by the U.S. In the case of contractors, the security assurance includes a statement concerning the level of storage capability.

DL1.85. Security Classification Guidance. Any instruction or source that prescribes the classification of specific information.

DL1.86. Security Classification Guide. A documentary form of classification guidance issued by an original classification authority that identifies the elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element.

DL1.87. Security Cognizance. The DSS office assigned the responsibility for the discharge of industrial security responsibilities.

DL1.88. Security-in-Depth. A determination that a contractor’s security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the contractor facility. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an Intrusion Detection System (IDS), random guard patrols throughout the contractor facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms and security storage cabinets during non-working hours.

DL1.89. Sensitive Compartmented Information (SCI). Classified information concerning or derived from intelligence sources, methods, or analytical processes that is required to be handled within compartmented intelligence systems and for which compartmentation is established by the DCI.

DL1.90. Sensitive Information. Any information, the loss, misuse, or unauthorized access to which would or could adversely affect the organizational and/or national interest but which does not meet classification criteria specified in DoD 5200.1-R.

DL1.91. Single Scope Background Investigation (SSBI). A personnel security investigation consisting of both record reviews and interviews with sources of information prescribed in paragraph 3, Appendix B, DOD 5200.2, Personnel Security Program Regulation, plus certain additional investigative requirements as prescribed in paragraph 4, Appendix B, DOD 5200.2-R. The period of investigation for an SSBI is the last 10 years or since the 18th birthday, whichever is shorter, provided the last 2 full years are covered and that no investigation will be conducted prior to an individual's 16th birthday.

DL1.92. Sole Proprietorship. A business owned by one individual who is liable for the debts and other liabilities incurred in the operation of the business.

DL1.93. Source Document. An existing document that contains classified information that is incorporated, paraphrased, restated, or generated in new form into a new document.

DL1.94. Special Access Program (SAP). Any program approved in accordance with DOD 5200.1-R, Chapter VIII, which imposes need-to-know access controls exceeding those normally required for collateral information at the same level of classification.

DL1.95. Subsidiary. A corporation in which another corporation owns at least a majority of its voting securities.

DL1.96. Suspicious Contact. Efforts by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise a cleared employee, all contacts by cleared employees with known or suspected intelligence officers from any country, or any contact which suggests the employee concerned may be the target of an attempted exploitation by the intelligence services of another country.

DL1.97. Technology. The information and know-how (whether in tangible form, such as models, prototypes, drawings, sketches, diagrams, blueprints, or manuals, or in intangible form, such as training or technical services) that can be used to design, produce, manufacture, utilize, or reconstruct goods, including computer software and technical data, but not the goods themselves, or the technical information and know-how that can be used to design, produce, manufacture, use, or reconstruct goods, including technical data and computer software. The term does not include the goods themselves.

DL1.98. Technology Control Plan (TCP). The document that identifies and describes sensitive program information; the risks involved in foreign access to the information; the participation in the program or foreign sales of the resulting system; and the development of access controls and protective measures as necessary to protect the U.S. technological or operational advantage represented by the system.

DL1.99. Technology Transfer. Transferring, exporting, or disclosing defense articles, defense service, or defense technical data covered by the U.S. Munitions List to any foreign person or entity in the U.S. or abroad.

DL1.100. TEMPEST. An unclassified short name referring to the investigations and studies of compromising emanations.

DL1.101. Temporary Help Supplier. A subcontractor who dispatches personnel on his or her payroll to perform work on the premises of another contractor of GCA.

DL1.102. Threat. The sum of the potential strengths, capabilities, and strategic objectives of any adversary that can limit or negate U.S. mission accomplishment or reduce force, system, or equipment effectiveness.

DL1.103. Top Secret. The designation applied to information the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security.

DL1.104. Transportation Plan. A comprehensive plan covering the movement of classified material between participants of an international program or project.

DL1.105. Unauthorized Disclosure. A communication or physical transfer of classified information to an unauthorized recipient.

DL1.106. Unified Network. A connected collection of systems or networks that are accredited under a single Information System Security Plan as a single entity by a single CSA.

DL1.107. Upgrade. A determination that certain classified information, in the interest of national security, requires a higher degree of protection against unauthorized disclosure than currently provided, coupled with a changing of the classification designation to reflect such a higher degree.

DL1.108. Violation. Any knowing, willful, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information; or, any knowing, willful, or negligent action to classify or continue the classification of information contrary to the requirements of E.O. 12958 or its implementing directives; or, any knowing, willful, or negligent action to create or continue a special access program contrary to the requirements of E.O. 12958.

DL1.109. Vulnerability. The susceptibility of systems or components to the threat in a given environment.

AL1. ABBREVIATIONS AND/OR ACRONYMS

C1. CHAPTER 1

C1.1. Purpose

The security of the U.S. depends, in part, on the proper safeguarding of classified information released to industry. The National Industrial Security Program (NISP) was established by E.O. 12829 (reference (b)) to assure the safeguarding of classified information in the hands of U.S. industrial organizations, educational institutions, and all organizations and facilities (both prime and sub-contractors), hereinafter referred to as contractors. The purpose of this regulation is to set forth NISP policies, practices and procedures to ensure maximum uniformity and effectiveness in its application to the Department of Defense (DoD) and those federal agencies with whom the DoD has entered into agreements to provide industrial security services. DoD 5220.22-M, "National Industrial Security Program Operating Manual" (NISPOM) (reference (c)), as a companion document to this regulation, is a multi-agency publication which details security requirements for U.S. contractors accessing classified information. A contract’s Federal Acquisition Regulation (FAR) (reference (d)) and Department of Defense Federal Acquisition Regulation Supplement (DFAR) (reference (e)) and execution of the "DoD Security Agreement" (DD Form 441) (See AP7.A1) bind contractors to the requirements of the NISPOM.

C1.2. Authority and Scope

C1.2.1. This regulation, authorized by the Secretary of Defense under the authority of the National Security Act of 1947 (reference (f)), as amended, is established as a DoD regulation published by the Office of the Assistant Security of Defense (Command, Control, Communications and Intelligence)(ASD(C3I)), under the authority of DoD Directive 5220.22, (reference (g)).

C1.2.2. This regulation outlines the industrial security procedures for all industrial security relationships with contractors for the Office of the Secretary of Defense (OSD) (including all of its boards, councils, staffs, and commands), DoD agencies, the Departments of the Army, Navy, and Air Force (including all of their activities), and the 20 non-DoD federal agencies with agreements to use DoD industrial security services.

C1.2.3. Under the NISP there are four executive branch agencies that are authorized to function as cognizant security agencies (CSAs): DoD, the Central Intelligence Agency (CIA), the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC). CSAs are responsible for security administration of contracts and classified activities within their agency. They may delegate responsibility for security administration within their organization. For DoD, responsibility for security administration of the NISP within Defense contractors has been delegated to the Defense Security Service.

C1.2.4. The Secretary of Defense has entered into agreements with the following departments and agencies, hereinafter referred to as Government Contracting Activities (GCAs), for the purpose of rendering industrial security services. This delegation of authority is contained in an exchange of letters between the Secretary of Defense and the Administrator, National Aeronautics and Space Administration; the Secretary of Commerce; the Administrator, General Services Administration; the Secretary of State; the Administrator, Small Business Administration; the Director, National Science Foundation; the Secretary of the Treasury; the Secretary of Transportation; the Secretary of the Interior; the Secretary of Agriculture; the Secretary of Labor; the Administrator, Environmental Protection Agency; the Attorney General, Department of Justice; the Director, Federal Emergency Management Agency; the Chairman, Board of Governors, Federal Reserve System; the Comptroller General of the United States, General Accounting Office; the Director of Administrative Services, United States Trade Representative; the Director of Administration, United States International Trade Commission; the Assistant Administrator for Management, Agency for International Development; the Executive Director for Operations, Nuclear Regulatory Commission.

C1.2.5. This regulation implements the security policies established by the Secretary of Defense and establishes the procedures, requirements, and practices concerned with the effective protection of classified national security information in the hands of contractors. It also pertains to foreign classified information that the U.S. Government is obliged to protect.

C1.2.6. This regulation does not limit in any manner the authority of the Secretary of Defense, the Secretaries of the Army, Navy, and Air Force, or the Heads of GCAs individually to grant access to classified information under the cognizance of their department or agency or to any individual designated by them. The granting of such access is beyond the scope of the NISP.

C1.3. Superseded Regulation

This regulation supersedes the Industrial Security Regulation (ISR) dated December 1985.

C1.4. Amendment of Regulation

Amendment of this regulation requires coordination with all GCAs. Unless otherwise specified in any amendment, compliance with an amendment shall not be mandatory until 30 days after date of publication, although compliance shall be authorized from the date of its publication.

C1.5. Distribution and Use of Regulation

This regulation is intended for the use and guidance of industrial security procurement activities of the GCAs and for DSS as the administrator of the NISP for DoD. It should be distributed through normal channels to staff and operating activities concerned with industrial security and procurement matters. This regulation is not applicable to industrial management, and is not intended for distribution to industry. Parts or all of this regulation may be made available to industrial management, when judged to be in the interest of a GCA

C1.6. Expenditure of Funds for Security

DSS shall not commit the government to reimburse the management of a contractor for funds expended in connection with the facility’s security program. In the case of a cost-reimbursement type contract, the allowability of security costs is determined by the contracting officer in accordance with the terms of the contract and with the cost principles of the Federal Acquisition Regulation (FAR) (reference (d)). Under a fixed price contract, the initial contract price includes all applicable security costs. An equitable adjustment may be made in the initial contract price when, as indicated in the contract security clause, the security classification or security requirements under the contract are changed by the government and the change results in an increase or decrease in the contract price.

C1.7. Waivers and Exceptions

C1.7.1. The ASD (C3I), his or her designee, or higher authority, shall provide overall policy guidance to this program and shall approve waivers to, or deviations from, the security policy promulgated in this regulation. All requests for waivers or deviations, including supporting justification, should be submitted to the OASD (C3I), Attn: Director of Security.

C1.7.2. Report any conflict that develops between instructions in the NISPOM and this regulation to the OASD(C3I). Pending resolution, the provisions of this regulation shall govern.

C1.7.3. Requests for waivers to the NISPOM should be submitted to the Director, DSS, as the administrator for implementation of the NISPOM in industry. A waiver is required when a contractor is unable to comply with the provisions of the NISPOM and proposed compensatory measures do not provide the classified information with a commensurate level of protection. The Director, DSS, is hereby delegated authority to approve such waivers for specific contractors and for specific periods of time (such as, to the completion date of a contract). Blanket waivers of NISPOM requirements and waivers which apply to more than one contractor location require DSS consultation with the Director of Security, OASD (C3I).

C1.8. GCA Procedures under This Regulation

GCAs may augment this regulation by prescribing more detailed regulations and operating instructions as may be required and which are not inconsistent with this regulation. The application of these procedures shall be guided by the twofold objective of establishing uniformity and maintaining maximum security consistent with the accomplishment by each GCA of its assigned mission.

C1.9. Security Cognizance

C1.9.1. The Director, DSS, may delegate security cognizance to the DSS Regions (See Appendix 3), designated as the Cognizant Security Offices (CSOs) for all contractor facilities within their jurisdictions. DSS shall advise each contractor as to the office to which they have been assigned for security cognizance.

C1.9.2. In the case of contractor facilities located on a GCA installation within the U.S., Puerto Rico or a U.S. possession or trust territory, the Commander or Head of the installation (hereinafter referred to as the Commander) may elect to maintain security cognizance and perform security actions. The GCA awarding classified contracts to facilities for performance outside of the U.S., Puerto Rico, or a U.S. possession or trust territory shall assume responsibility for all security aspects of contract supervision.

C1.9.3. In the case of contractors with contracts from more than one CSA, overall security cognizance will be provided by only one of the four CSAs. The CSAs shall determine among themselves which one will provide security cognizance based upon the preponderance of contract activity. A Memorandum of Agreement shall be executed among the CSAs for each affected contractor.

C1.9.4. GCAs have the authority and exercise the functions of a contracting activity as prescribed in this regulation and the NISPOM. Certain functions of the Procuring Contracting Officer (PCO) may be delegated to the Administrative Contracting Officer (ACO).

C1.9.5. DSS industrial security cognizance does not relieve any GCA of the responsibility to ensure the protection and safeguarding of its classified material released to contractors, nor does it prohibit them from visiting contractors to review the security aspects of such contracts. However, visits by a representative of a GCA to a facility to review security aspects of a contract should be coordinated with DSS prior to such visits. Any significant deviation from the requirements of the NISPOM or special security requirements under the contract, which may be noted during the visit, should be referred promptly to DSS, along with any suggested corrective action or additional security requirements to be levied on the contractor. DSS shall be responsible for ensuring appropriate action is taken regarding these matters, and shall notify the GCA of the corrective action taken by the contractor.

C1.10. Industrial Security Letters (ISLS)

ISLs are issued as needed to provide guidance to contractors in carrying out their responsibilities under the NISP and to provide other security-related implementation guidelines. The Director, DSS, is responsible for preparing, coordinating and publishing ISLs, with the approval of the Director of Security, OASD(C3I). GCAs may submit proposed articles for publication in ISLs to the Director, DSS.

C1.11. Contractor Activities on GCA Installations within conus

C1.11.1. For installations located within the U.S., Puerto Rico, or a U.S. possession or trust territory, the contractor and his or her employees can either be considered to be visitors who follow the security requirements of the installation, or the Commander of the installation may elect to declare the contractor activity a facility that will follow NISPOM requirements under one of the following criteria:

C1.11.1.1. The contractor’s operation is sufficiently complex to warrant assignment of an area such as a suite of offices, a building or portion thereof, or a segregated work area.

C1.11.1.2. The contractor’s operation is to be of a quasi-permanent nature.

C1.11.1.3. The contractor maintains management control over his or her operations.

C1.11.1.4. The contractor is in a position to maintain separate security procedures.

C1.11.2. Facility Security Clearances (FCLs) shall not be established on the installation solely for the purpose of permitting a contractor entry authorization into a controlled area unless access to classified information is required in the performance of the contract.

C1.11.3. If the Commander decides that the contractor’s on-installation activity requires a FCL, he or she can either maintain security cognizance or request that DSS do so. If DSS accepts security cognizance, DSS is responsible for all aspects of the contractor’s operations. Responsibility cannot be split between the Commander and DSS.

C1.11.4. If an FCL is required, but the Commander opts to maintain cognizance, DSS shall accomplish the following actions:

C1.11.4.1. Grant the FCL to the contractor.

C1.11.4.2. Assign an industrial security representative to accompany the installation security inspector during security reviews, when requested.

C1.11.4.3. Verify FCL and safeguarding capability.

C1.11.4.4. Terminate, revoke, or suspend FCLs, as appropriate.

C1.11.5. The Commander and DSS shall exchange reports pertaining to initial facility clearance processing, reports of security assessments, letters of requirements to the contractor, and reports resulting from investigations conducted in cases of loss, compromise, or suspected compromise of classified information.

C1.11.6. If the Commander does not elect to clear contractors on his or her installation as facilities, he or she shall provide appropriate security oversight and shall be responsible for the following:

C1.11.6.1. Provide written instructions specifying:

C1.10.6.1.1. Those security actions that shall be performed for the contractor by the installation such as providing storage facilities, guard service, mail and freight services, and visit control.

C1.11.6.1.2. Those security actions for which joint action may be required, such as the packaging and addressing of classified transmittals and control of visitors.

C1.11.6.2. Ensure that the contractor observes required security controls by means of security reviews, and inform the contractor of any corrective actions to be taken as a result of such reviews, if appropriate.

C1.11.6.3. Ensure that prompt remedial action is taken when security practices are deficient in the contractor’s operation.

C1.11.6.4. Ensure that contractors implement a security education program and that defensive security briefings are conducted.

C1.11.6.5. Conduct investigations of contractor security violations, including loss, compromise, or suspected compromise of classified information.

C1.11.6.6. Conduct the initial briefing and debriefing of the Facility Security Officer. Also brief and debrief the COMSEC custodian and alternate COMSEC custodian when there is a COMSEC account.

C1.11.6.7. Furnish guidance to the contractor regarding the application of security requirements to the contractor’s operations.

C1.11.6.8. Forward contractor requests for interpretations of the NISPOM to DSS.

C1.11.6.9. Ensure that the contractor promptly reports any incidents that involve espionage, sabotage, subversive activity or the loss, compromise, or suspected compromise of classified information. In addition, the CSA of the visiting contractor shall be advised concerning the incident.

C1.12. CONTRACTOR ACTIVITIES OUTSIDE THE U.S., PUERTO RICO, U.S. POSSESSIONS OR TRUST TERRITORIES

Contractor activities outside of the U.S., Puerto Rico, or a U.S. possession or trust territory shall be under the security responsibility of the GCA. For contractor activities that take place on an installation, the contractor and his or her employees shall be considered to be visitors under the security cognizance of the installation commander.

C1.13. Privileged Information

C1.13.1. DSS shall treat as privileged information those reports that are received from contractors pertaining to:

C1.13.1.1. Espionage, sabotage, or subversive activities,

C1.13.1.2. Loss, compromise, or suspected compromise,

C1.13.1.3. Security violations, or

C1.13.1.4. Adverse information, that are either classified if they so qualify, or offered in confidence and so marked by the contractor.

C1.13.2. When such reports are submitted in confidence, DSS shall invoke the applicable exemptions of the Freedom of Information Act to withhold them from public disclosure.

C1.13.3. Such reports, other than those already classified, shall be marked "FOR OFFICIAL USE ONLY, " following their receipt and the determination that they fall within one of the exemptions.

C1.13.4. The identity of a source that has furnished information to the government under an expressed promise of confidentiality shall be protected. When such reports contain unclassified information pertaining to an individual, that information must be provided to the individual under the provisions of the DoD Privacy Program, except that the identity of a source who furnished information to the government under an expressed promise of confidentiality may be protected by making necessary deletions from that information.

C2.1. General

A facility security clearance (FCL) is an administrative determination that a contractor is eligible for access to classified information or award of a classified contract. Contract award may be made prior to the issuance of the FCL in those cases where classified material shall not be accessed during the pre-contract phases of the procurement. The prime contractor for a classified procurement must have an FCL at the appropriate level even if a subcontractor will perform all classified activity. Contractors are authorized possession of classified material if they have an FCL and storage capability at the appropriate level.

C2.2. Reciprocity

An FCL issued by any Cognizant Security Agency (CSA) shall be considered valid and acceptable for use on a fully reciprocal basis by all Federal departments and agencies, provided it meets or exceeds the level of clearance needed.

C2.3. Clearance Request

A Government Contracting Activity (GCA) or cleared contractor initiates the FCL process through DSS as the CSA for DoD and those GCAs with whom the Secretary of Defense has entered into agreements to provide industrial security services. Contractors initiate requests for classified subcontracts. Requests for FCLs must be based on a bona fide procurement requirement for a contractor to have access to, or possession of, classified information in connection with a classified procurement. The request shall be addressed to DSS, Defense Industrial Security Clearance Office (DISCO), Facility Clearance Division (See AP3 Cognizant Security Office Information), and must contain the following information:

C2.3.1. The name, address and telephone number of the requester, including a point of contact.

C2.3.2. The name, address (physical and mailing), and telephone number of the contractor to be cleared, including the name of a company official who shall serve as the point of contact during FCL processing.

C2.3.3. The level of FCL required.

C2.3.4. Justification for the request, including information regarding the nature of the tasks or services to be performed by the contractor (RFP, RFQ, RFI, contract number, or copy of Contract Security Classification Specification (DD Form 254) (See AP7.A4), when possible.

C2.3.5. Safeguarding requirements, if any.

C2.4. Contractor Eligibility Requirements

C2.4.1. Access to classified information shall only be provided to a contractor who holds a valid FCL at the appropriate level, has a need-to-know, and has the capability for safeguarding the information, if access is required at the contractor’s location.

C2.4.2. Prior to processing a company for an FCL, DSS shall determine that:

C2.4.2.1. The company requires access to classified information in connection with a legitimate U.S. or foreign government requirement.

C2.4.2.2. The contractor is organized and operating under the laws of at least one of the fifty states, the District of Columbia, or Puerto Rico and is located in the U.S., its territorial areas or possessions.

C2.4.2.3. The contractor has a reputation for integrity and lawful conduct in its business dealings.

C2.4.2.4. The contractor and its key managers have not been barred from participating in U.S. Government contracts.

C2.4.2.5. The contractor is not under foreign ownership, control, or influence (FOCI) to such a degree that the granting of the FCL would be inconsistent with the national interest. (Refer to Chapter 3, Foreign Ownership, Control or Influence.)

C2.4.2.6. The contractor has not been issued nor is in process for an FCL by another CSA.

C2.5. FCL Processing

C2.5.1. When processing a contractor for an FCL, DSS shall:

C2.5.1.1. Conduct an on-site survey to obtain the information pertaining to clearance eligibility. The visit shall also serve as an opportunity to educate the contractor on aspects of the NISP and contractor responsibilities pertaining to access to classified information.

C2.5.1.2. Obtain information regarding the existence of FOCI from the "Certificate Pertaining to Foreign Interests" (SF 328) (See AP7.A3).

C2.5.1.3. Execute the "The DoD Security Agreement" (DD Form 441) or "Appendage to DoD Security Agreement" (DD Form 441-1) (See AP7.A2), as applicable, on behalf of the government. Ensure that the contractor executes their portion of the DD Form 441 or 441-1.

C2.5.1.4. Review the "Consolidated List of Debarred, Suspended, and Ineligible Contractors" to ensure the contractor is not included.

C2.5.1.5. Ensure personnel security clearance (PCL) processing is initiated for key management personnel (KMP), as appropriate.

C2.5.1.6. Ensure appropriate security procedures are established and implemented, including appropriate storage capability, if required.

C2.5.1.7. Advise the requesting GCA or prime contractor in writing when the FCL or interim FCL has been granted.

C2.5.2. GCA responsibilities:

C2.5.2.1. Allow sufficient lead-time when requesting an FCL in connection with the award of a classified contract to a prospective contractor who does not currently possess a valid FCL.

C2.5.2.2. When processing cannot be accomplished within the time limits to qualify the prospective contractor for participation in the procurement action which gave rise to the request, request that DSS continue the clearance action in order to qualify the prospective contractor for future classified contract negotiations of a similar nature, provided:

C2.5.2.2.1. The delay in processing the FCL was not occasioned by a lack of cooperation on the part of the prospective contractor; and

C2.5.2.2.2. There is reasonable likelihood that the prospective contractor shall participate in future classified contract negotiations and the contractor agrees to such participation.

C2.6. Interim FCL

C2.6.1. DSS shall consider all FCL requests for interim FCLs. An Interim FCL shall be based upon issuance of Interim PCLs for KMP at the appropriate level and satisfaction of the minimum eligibility requirements for an FCL (see paragraph C2.4).

C2.6.2. An Interim Secret or Confidential FCL is valid for access to classified information at the level of the Interim FCL granted, except that it is not valid for access to SCI, COMSEC information, Special Access Program, Restricted Data or NATO information.

C2.6.3. An Interim TS FCL is valid for access to TS information and Restricted Data, NATO, and COMSEC information at the Secret and Confidential levels.

C2.7. Issuance of the FCL

DSS shall issue the FCL when KMPs have been issued PCLs at the appropriate level and any elements of FOCI have been resolved.

C2.8. DoD Technical Information Dissemination Activities

The GCA shall verify the contractor’s need-to-know for DTIC by means of DD Form 1540 (See AP7.A6). Separate 1540s are required for each contract.

C2.9. Business Structures

C2.9.1. There are many types of contractor facilities with differing business structures that DSS shall process for FCLs. These various business structures require different levels of analysis regarding their impact on the FCL process. In addition, they have varying requirements regarding the KMP to be cleared in connection with the FCL.

C2.9.2. Those KMP of the contractor who occupy positions that affect the organization’s policies or practices in the performance of classified contracts must be granted personnel security clearances (PCLs) at the same level of the FCL as a key component of the FCL process. An FCL shall not be granted when any individual in a key management position who is required to be cleared in connection with a FCL is found to be ineligible for access to classified information.

C2.9.3. At a minimum, the senior management official and the facility security officer (FSO) shall always be cleared in connection with the FCL. In addition, DSS shall take the following factors into account when considering business structures:

C2.9.3.1. Sole Proprietorships. The sole proprietorship, the simplest type of business structure, is a business owned by one individual who is liable for the debts and other liabilities incurred in the operation of the business.

C2.9.3.1.1. KMP Considerations. The owner is required to be cleared in connection with the FCL.

C2.9.3.2. Partnerships. A partnership is an association of two or more individuals (or other business entities) who have agreed to do business together as owners for profit. No separate legal entity is created.

C2.9.3.2.1. KMP Considerations. The following additional individuals are required to be cleared in connection with the FCL:

C2.9.3.2.1.1. All general partners; or if the partnership has delegated certain duties and responsibilities to a legally constituted executive committee, all members of this committee shall be cleared in connection with the FCL. Non-executive committee member general partners may be excluded, provided the committee has full executive authority to exercise management control and supervision for the organization, and with respect to these other partners, the organization complies with the exclusion procedures in accordance with paragraph C2.10 below.

C2.9.3.2.1.2. Partners other than general partners who do not require access to classified information and do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of classified contracts are not required to be cleared, provided they are effectively excluded from access.

C2.9.3.2.1.3. Partners other than general partners who require access to classified information, but at a level less than that of the FCL, may be cleared at the lower level provided they do not occupy positions that would enable them to adversely affect the organization’s policies and practices in the performance of the higher level classified contracts, and they are effectively excluded from access to the higher level information.

C2.9.3.3. Corporations. A corporation is a legal entity that is governed by state statute. It can hold property, may sue and be sued in its own name, and generally is solely liable for its obligations. Articles of incorporation are generally filed with the government of the state in which the corporation is established. The corporation is governed by a set of bylaws and is owned by its stockholders who elect a board of directors to manage the company. Stockholders do not normally have any personal liability for the actions of the corporation. A stockholder without corporate authority cannot bind a corporation by contract. However, stockholders have voting rights generally based on the distribution of the shares of stock issued on the basis of the corporate charter. Corporations must act through boards of directors or through their authorized officers and agents. The board of directors possesses power of overall direction and may designate officers and other agents to act for the corporation, or may delegate authority to one or more of its members. Management is usually entrusted to officers who are appointed by a board of directors.

C2.9.3.3.1. Multiple Facility Organization (MFO)

C2.9.3.3.1.1. The Home Office Facility (HOF) is the legal entity, while a division of an MFO is not. When clearing a company that is part of an MFO, the home office facility (HOF) must be processed for an FCL at the same or higher level than the division facility. A division may or may not be cleared depending upon whether it is performing on a classified contract. The HOF executes DD Form 441 and SF 328. The HOF executes a DD Form 441-1 for the cleared division.

C2.9.3.3.1.2. The HOF may designate a cleared division of the MFO as a Principal Management Facility (PMF) to administer the contractor’s industrial security program within a defined geographical or functional area. The HOF or PMF shall be responsible for personnel security administration pertaining to cleared employees who may be employed by or physically located at uncleared divisions of the MFO or divisions with an FCL at a lower level than the employee’s PCL.

C2.9.3.3.2. Parent/Subsidiary. Both the parent and the subsidiary are legal entities. When a parent/subsidiary relationship exists, a parent may or may not be cleared depending upon whether it is performing on a classified contract. If access to classified information is not required, the parent may be excluded. Additionally, the parent may be cleared at a lower level than the subsidiary if the parent does not have an independent contractual requirement for the higher level clearance. In either event, the parent must complete the SF 328 and any FOCI factors must be mitigated before either the parent or subsidiary can be cleared.

C2.9.3.3.3. KMP Considerations. The following additional individuals are required to be cleared in connection with and at the level of the FCL:

C2.9.3.3.3.1. The chairman of the board.

C2.9.3.3.3.2. Other officers who do not require access to classified information and who do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of classified contracts are not required to be cleared, provided they are effectively excluded from access.

C2.9.3.3.3.3. Other officers who require access to classified information, but at a lower level than that of the FCL, may be cleared at the lower level, provided they do not occupy positions that would enable them to adversely affect the organization’s policies and practices in the performance of the higher level classified contracts, and the organization assures that they are effectively excluded from access to the higher level information.

C2.9.3.3.3.4. All board members who are eligible for or could sit as pro tem board chairmen, if chairmanship revolves among members.

C2.9.3.3.3.5. Directors who do not require access to classified information and who do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of classified contracts are not required to be cleared provided that they are effectively excluded from access.

C2.9.3.4. Limited Liability Corporation (LLC)

C2.9.3.4.1. An LLC is both a business entity and an investment vehicle that seeks to provide some of the benefits of both the corporation and the partnership. Ownership of the LLC is divided pro rata according to the members’ investments. Regardless of the degree of ownership, a member of the LLC has the legal power to bind the LLC in the making of contracts and many other undertakings. The same authority to bind the entire enterprise applies to LLC managers. This legal authority exists whether or not the manager is also a member, and whether the manager has been authorized by the LLC to enter into the transaction.

C2.9.3.4.2. In most cases, the LLC is run by a management board selected by the members; however, it may be run by the members themselves. The management board may be made up of members, hired (non-member) management personnel, or a combination of both.

C2.9.3.4.3. Because the laws under which LLCs are organized differ from state to state, DSS shall consider the following guidelines when processing an LLC for an FCL:

C2.9.3.4.3.1. Consult the appropriate state statute to ensure that the business is an LLC versus some other similar-sounding form of business.

C2.9.3.4.3.2. Determine the duration of the LLC.

C2.9.3.4.3.3. Locate documentation that identifies LLC members.

C2.9.3.4.3.4. Determine the extent that members can transfer, sell, pledge, etc., their ownership interests, and the rights that transferees obtain.

C2.9.3.4.3.5. Obtain copies of the LLC’s "Certificate of Formation" or "Articles of Organization" on file with the state government.

C2.9.3.4.3.6. Determine if the LLC is qualified to do business in other states.

C2.9.3.4.3.7. Obtain copies of any written agreements between LLC members that describe the entity and the members’ understandings about its operation.

C2.7.3.4.3.8. Find out the name and address of the LLC’s registered agent and registered office in the state of formation.

C2.9.3.4.4. KMP Considerations. The following additional individuals are required to be cleared in connection with the FCL:

C2.9.3.4.4.1. All managers and members who are empowered to enter into contracts on behalf of the LLC.

C2.9.3.4.4.2. LLC Members who do not require access to classified information and whose duties and degree of ownership or control and influence would not enable them to adversely affect the organization’s policies or practices in the performance of classified contracts are not required to be cleared, provided they are effectively excluded from access.

C2.9.3.5. Joint Ventures

C2.9.3.5.1. A joint venture consists of a combination of two or more contractors without any actual partnership or corporation designation, who perform or act jointly in a specific endeavor, such as the negotiation for or performance of a contract.

C2.9.3.5.2. If access to classified information is required, each of the contractors that make up the joint venture shall be processed for a FCL. When it is necessary for only some, but not all, of the participating contractors to have access to classified information, a formal agreement must be executed by all participating contractors which states that the uncleared contractor(s) can be effectively excluded from access to classified information as a member of the joint venture. If any of the participating contractors are determined to be under foreign ownership, control or influence (FOCI), the FOCI factors must be mitigated. (See Chapter 3, Foreign Ownership, Control or Influence.) When the joint venture entity itself shall have possession of classified information, an FCL is required for the joint venture entity.

C2.9.3.5.3. For purposes of exchange of classified information and visits among the participating contractors, the general rules applicable to the exchange of classified information and visits between prime and subcontractors shall apply. Each cleared contractor who is a participant in the joint venture shall have the prerogative of a prime contractor.

C2.9.3.6. Colleges and Universities. Colleges and universities are owned and directed in much the same way that corporations are, except that there are no stockholders. Some colleges and universities are owned and controlled by a state or city while others are partially supported by state or city funds. Private institutions are supported by student tuition, contributions from alumni, and grants from foundations and endowments.

C2.9.3.6.1. KMP Considerations. The following additional individuals are required to be cleared in connection with the FCL:

C2.9.3.6.1.1. Chairman of the board. Regents, trustees, or directors who do not require access to classified information and do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of classified contracts, are not required to be cleared.

C2.9.3.6.1.2. All board members who are eligible for or could sit as pro tem board chairman shall be cleared. All uncleared regents, trustees, or directors must be effectively excluded from access.

C2.9.3.6.1.3. If the board has delegated certain of its duties and responsibilities to a legally constituted executive committee, all members of this committee must be cleared.

C2.9.3.7. Temporary Help Suppliers. A temporary help supplier is a subcontractor who dispatches personnel on his or her payroll to perform work on the premises of another contractor or GCA. A detailed analysis must be made of the business structure of the temporary help supplier, the employer-employee relationships, and the classified contract information to determine the entity to be granted the FCL. Many temporary help suppliers are franchise or licensee businesses where ownership and employer-employee relationships may not be clearly defined.

C2.9.3.8. Commercial Carriers. Commercial Carriers are subject to Interstate Commerce Commission (ICC) and Civil Aeronautics Board (CAB) regulations or similar regulations of the state in which they operate. In order to qualify for the shipment of Secret material, a Commercial Carrier must be approved by the Military Traffic Management Command (MTMC) and be granted a Secret FCL. FCL processing shall be in accordance with the business structure of the commercial carrier entity.

C2.9.3.9. Freight Forwarders

C2.9.3.9.1. A freight forwarder is an agent or contractor designated to receive, process, and transship U.S. or foreign material for U.S. or foreign recipients. An FCL is granted to a freight forwarder specifically for the purpose of transferring U.S. or foreign classified material to U.S. or foreign recipients.

C2.9.3.9.2. Freight forwarders may fall into the following categories:

C2.9.3.9.2.1. U.S.-owned: authorized to handle U.S. classified materials or foreign government classified material, provided that the U.S. material is authorized for release to the applicable foreign government and the foreign government designates the freight forwarder to move its classified materials.

C2.9.3.9.2.2. Foreign-owned: requires mitigation of the FOCI through a Limited Facility Clearance. The freight forwarder can receive, process and transship classified material to any country provided that:

C2.9.3.9.2.2.1. Appropriate export authorizations or ITAR exemptions have been obtained.

C2.9.3.9.2.2.2. The freight forwarder has been designated by the foreign country as its representative to receive, process and transship classified material.

C2.9.3.9.2.2.3. The foreign country is made aware of the foreign ownership.

C2.9.3.9.3. Freight forwarders may be sponsored for an FCL by a U.S. government activity or a foreign government, directly or through its embassy. Prior to processing a freight forwarder for an FCL, a bilateral security agreement must be in place between the U.S. and the applicable foreign government. The foreign government must issue a classified contract directly to the freight forwarder.

C2.9.3.9.4. KMP Considerations

C2.9.3.9.4.1. Supervisors who directly oversee the handling of classified freight shall be U.S. citizens cleared in connection with the FCL. Uncleared personnel may move classified freight under the direct supervision of a cleared supervisor.

C2.9.3.9.4.2. For foreign-owned freight forwarders, the KMPs can be non-U.S. citizens, with the exception of the FSO and the senior management official, who must be a U.S. citizen.

C2.9.3.10. Legal Services

C2.9.3.10.1. The procedures for processing the contractor or individual for a clearance depend upon the nature of the legal services to be provided.

C2.9.3.10.2. Criminal proceedings. Access to classified information during criminal proceedings is determined by a Court of competent jurisdiction and comes under the purview of the Classified Information Procedures Act (CIPA) (reference (h)).

C2.9.3.10.3. Civil litigation. The GCA shall determine the requirement for access to classified information or need-to-know. If the GCA determines that the attorney should be cleared, DSS shall process the law firm for an FCL.

C2.9.3.10.4. Non-criminal legal services. If legal services are not provided by in-house counsel for such non-criminal legal services as review of contracts, etc., the law firm providing such services shall be cleared as a subcontractor.

C2.9.3.10.5. U.S. and foreign patent applications. The law firm shall be processed for an FCL for work on a specific contract only.

C2.9.3.11. Off-site Location. When activities of a contractor are located within the same given geographical area, DSS may determine that the various contractor locations qualify for a single FCL. DSS shall base its determination on the following factors:

C2.9.3.11.1. Maintenance of a centrally directed security program.

C2.9.3.11.2. Whether separation of the activities allows feasible supervision of their security operations.

C2.9.3.12. Other Key Management Personnel. Other individuals who exercise control or exert influence over the management of the contractor through stock ownership, proxy voting rights, majority ownership of securities, or some other method, and affect the appointment and tenure of KMP of the contractor, shall be processed for a determination of clearance eligibility. An FCL shall not be issued until a favorable determination is made or until the matter is otherwise resolved.

C2.9.3.13. Foreign Nationals Serving as Officers, Partners, or Members of Boards of Directors. Corporations, associations, colleges, universities, partnerships, or other entities which have foreign nationals serving as partners, officers (other than principal officers of corporations and associations), or members of the board of directors may be issued an FCL if they are otherwise eligible and are found not to be under FOCI, provided that the following conditions are met:

C2.9.3.13.1. The partner, officer, or director who is a foreign national does not occupy a position that would enable him or her to adversely affect the contractor’s policies or practices in the performance of its classified contracts.

C2.9.3.13.2. The partner, officer or director who is a foreign national is effectively denied access to all classified information.

C2.10. Exclusion Procedures

C2.10.1. DSS shall ensure that officials who do not require a PCL or who require a PCL for access to classified information at a lower level than the FCL are officially excluded from unauthorized access.

C2.10.2. DSS shall maintain a copy of the formal exclusion action taken by the contractor organization’s board of directors or similar executive body in accordance with one of the following resolutions:

C2.10.2.1. "Such officers, directors, partners, regents, or trustees (designated by name) shall not require, shall not have and can be effectively excluded from access to all classified information disclosed to the organization. They also do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of classified contracts."

C2.10.2.2. "Such officers or partners (designated by name) shall not require, shall not have, and can be effectively denied access to higher-level classified information (specify which higher level(s)) and do not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of higher-level classified contracts (specify higher level(s))."

C2.11. PCLs Concurrent with the FCL

DSS may process PCLs concurrent with the FCL processing for employees of the contractor who require access to classified information during the preaward phase of a procurement or at the start of a time-sensitive contract. The PCLs will not be issued until the FCL has been issued. The granting of an FCL is not dependent on the clearance of such employees. DSS shall obtain information pertaining to those individuals who should be processed for PCLs concurrent with FCL processing during their initial visit to the contractor.

C2.12. Administrative Termination and Downgrading of an FCL

C2.12.1. As part of the security review process (see Chapter 13, Security Assessments), DSS shall determine those facilities for which an FCL is no longer required. When a cleared contractor has not participated in a classified procurement effort for a 12-month period, has not been afforded authorized access during the preceding 12 months, and has no immediate prospects for obtaining a classified contract, DSS shall administratively terminate the FCL after giving the contractor 30 days written notice. When a contractor has not had a classified contract or project for the preceding 12 months, but has classified material in its custody, request that the GCA who approved the retention determine whether or not there is a continuing requirement for the contractor to retain custody of the classified material.

C2.12.2. Where a Top Secret FCL has been granted, DSS shall review the contractor on an annual basis to determine the need for continuation of the clearance at the Top Secret level. If there has been no possession of or access to Top Secret information, and no bid, quote, or proposal submitted by the contractor in response to a government procurement invitation during the preceding 3-year period which would have required contract performance at the Top Secret level, the FCL shall be administratively downgraded to Secret.

C2.12.3. DSS shall notify any activity that has requested verification of safeguarding capability within the preceding 12 months.

C2.12.4. GCA Responsibility:

2.12.4.1. Determine if there is a continuing requirement for the contractor to retain custody of classified material if there is no active classified contract. Justification for retention of a FCL may be:

2.12.4.1.1. An impending request for a bid or quotation on a classified contract from a GCA or a prime contractor.

2.12.4.1.2. Planned attendance at a forthcoming classified meeting that is supported by a contracting officer.

2.12.4.1.3. Current preparation of an unsolicited proposal containing classified information.

2.12.4.1.4. Imminent award of a classified contract.

2.12.4.1.5. Continuing requirement for use of the contractor as a bid source.

2.12.4.1.6. A contractor’s unique capabilities.

2.12.4.2. Revalidate justification for retention of an inactive FCL annually in writing.

C2.13. Invalidation of an FCL

C2.13.1. Invalidation is an administrative action that renders a contractor ineligible to receive additional classified material except that information necessary for completion of essential contracts as determined by appropriate GCAs. DSS shall invalidate an FCL as a last resort if a changed condition has occurred affecting the ability of a cleared contractor to adequately protect classified information. The occasions when it is necessary to invalidate an FCL should be kept to a minimum.

C2.13.2. When changed conditions occur pertaining to a cleared contractor, the first consideration shall be the safeguarding of classified information to which the contractor has current or impending access. DSS shall take action to ensure the safeguarding of the classified information immediately upon an initial determination that conditions have changed. FCLs shall not be invalidated immediately because of changed conditions if:

C2.13.2.1. The contractor is not performing on classified contracts or is not in possession of classified information, in which case the FCL will be administratively terminated.

C2.13.2.2. DSS determines that classified information in the contractor’s possession can be adequately safeguarded.

C2.13.2.3. In the case of a change of ownership or management, the new KMP can and will be effectively denied access to classified information pending completion of their PCL actions.

C2.13.2.4. The required PCL or FCL forms are promptly submitted for processing. (If new KMP are not expected to be cleared within 15 days, DSS shall obtain an exclusion certificate in accordance with paragraph C2.10 as an assurance of the contractor’s intent to deny access to uncleared KMP.)

C2.13.2.5. In the case of changed conditions regarding FOCI, an acceptable FOCI mitigation plan has been received and the contractor is negotiating FOCI mitigation in good faith.

C2.13.3. If it is necessary to invalidate the FCL, DSS shall provide the contractor with immediate written notice that includes the reasons, ramifications and required actions to bring the FCL back into a valid status, along with a specific time frame for corrective actions. All activities that have classified contracts with the contractor and all activities that have verified the contractor clearance and safeguarding capability within the last year shall be advised.

C2.13.4. DSS shall request advice from the GCA as to whether or not the contractor may continue to perform on their existing contracts, pending resolution of the security issues caused by the changed condition.

C2.13.4.1. DSS shall inform the GCA as to the specific reasons for the invalidation in sufficient detail to enable the GCA to make the risk management decision as to whether or not the contractor should be permitted to continue performing on their classified contracts.

C2.13.4.2. If no response is received from the GCA, DSS shall permit the contractor to continue performing on classified contracts.

C2.13.5. GCA Responsibility:

C2.13.5.1. Make a decision as to whether or not the contractor should be permitted to continue performing on their classified contracts.

C2.13.5.2. Notify DSS of the decision.

C2.13.5.3. Coordinate with DSS regarding the recovery of classified material, if necessary.

C2.13.6. Changed Conditions Affecting the Facility Clearance. DSS is responsible for taking the following actions when notified of any change occurring concerning the contractor that would affect the FCL and the contractor has a current procurement requirement for access to classified information or has classified information in its possession.

C2.13.6.1. Change of Operating Name. If ownership and management remain the same:

C2.13.6.1.1 Execute a new Security Agreement.

C2.13.6.1.2. Issue a new FCL notification.

C2.13.6.2. Change in Management

C2.13.6.2.1. Initiate clearance action for the new KMPs.

C2.13.6.2.2. Coordinate with the GCA regarding the continued retention of classified material unless assured that it can be appropriately safeguarded and that the new management is effectively excluded from access to the classified information while PCLs are being processed.

C2.13.6.3. Change in Partners

C2.13.6.3.1. Initiate clearance action for the new partners who are required to be cleared in connection with the FCL.

C2.13.6.3.2. Coordinate with the GCA regarding the continued retention of classified material unless assured that it can be appropriately safeguarded and that the new partners are effectively excluded from access to classified information while their personnel security clearances are being processed.

C2.13.6.4. Change in Ownership

C2.13.6.4.1. When classified material or contracts are involved in the proposed sale of all or part of the physical assets of a cleared contractor, process the buyer for an FCL.

C2.13.6.4.2. If classified information cannot be protected from unauthorized access prior to consummation of the sale and transfer, invalidate the FCL and coordinate with the GCA to recover all classified information from the contractor.

C2.13.6.4.3. When a merger or consolidation occurs and one of the corporations involved is either cleared or excluded, either formally exclude the surviving corporation or process the surviving corporation for an FCL.

C2.13.6.5. Change of Address

C2.13.6.5.1. When a contractor has relocated:

C2.13.6.5.1.1. If the contractor possesses classified material, conduct an on-site security review of the contractor to assess the contractor’s security procedures and safeguarding capabilities at the new location.

C2.13.6.5.1.2. Amend the existing DD Form 441, or DD Form 441-1 as appropriate, to reflect the change in address of the contractor or execute a DD Form 441 or DD Form 441-1.

C2.13.6.5.1.3. Issue a new FCL notification.

C2.13.6.5.1.4. Notify activities that have verified safeguarding capability within the last year.

C2.13.6.5.2. When the change involves only a change of address, with no relocation of any elements of the contractor (such as post office change, change of zip code, etc.):

C2.13.6.5.2.1. Amend the existing DD Form 441, or DD Form 441-1 as appropriate, to reflect the change in address of the contractor or execute a new DD Form 441 or 441-1.

C2.13.6.5.2.2. Issue a new FCL notification.

C2.13.6.5.2.3. Notify activities that have verified safeguarding capability within the last year.

C2.13.6.6. Business Closing. Administratively terminate the FCL in all instances in which a contractor previously granted a FCL has closed its doors, gone out of business, or has ceased to operate the business under any circumstances.

C2.13.6.7. Placement of Contractor on Debarred Bidders’ List.

C2.13.6.7.1. Review each issuance of the "Consolidated List of Debarred, Suspended, and Ineligible Contractors" to identify any cleared facilities that have been listed. If a contractor is listed under Code A, Code A(1) or Code B, take the following action:

C2.13.6.7.1.1. Invalidate the FCL.

C2.13.6.7.1.2. If the contractor has current access to classified information, notify the GCAs of the invalidation.

C2.13.6.7.1.3. Notify the contractor that their FCL is invalid, that performance on existing contracts may be continued pending final determination by the GCA, and that access to additional information or contracts shall not be permitted until the debarment or suspension is terminated.

C2.13.6.7.1.4. Administratively terminate the FCL if the contractor is not performing on a classified contract and is no longer in possession of, or having access to, classified information.

C2.13.6.7.2. GCA Responsibility: Determine whether the contractor may continue to perform on existing classified contracts.

C2.13.6.8. Changes Involving a Parent Organization. When the FCL of a parent organization is terminated, terminate the FCLs of the subsidiaries unless exclusion procedures have been taken.

C2.13.6.9. Changes Involving a Multiple Facility Organization. If the clearance of the HOF of a MFO is terminated, terminate the FCL of all operating facilities.

C2.13.6.10. Upgrading of a Facility Security Clearance

C2.13.6.10.1. Process the KMPs for PCLs and upgrade the FCL when all PCLs have been issued.

C2.13.6.10.2. Provide an updated letter of notification of facility security clearance reflecting the new FCL level.

C2.13.6.11. Changes Involving FOCI

C2.13.6.11.1. Obtain a new SF 328.

C2.13.6.11.2. Determine if the contractor is under FOCI.

C2.13.6.11.3. Assist the contractor in formulating a plan to mitigate the FOCI.

C2.13.6.11.4. Ensure that security procedures are in place to preclude unauthorized access to classified information.

C2.13.6.11.5. If the FOCI cannot be mitigated, revoke the FCL. (See paragraph C2.15.)

C2.13.6.12. Personnel Actions Affecting a Facility Security Clearance

C2.13.6.12.1. When a PCL for an individual who is required to be cleared in connection with a FCL is denied, revoked, suspended, or withdrawn, deny, invalidate or revoke the FCL accordingly, unless assured that one of the following conditions is met:

C2.13.6.12.1.1. The individual whose PCL is suspended is effectively excluded from access and is not in a position to adversely affect the organization’s policies or practices in the performance of classified contracts.

C2.13.6.12.1.2. The contractor has taken immediate action to remove the individual from his/her official position and that he/she is effectively excluded from access to all classified information.

C2.13.6.12.1.3. Consider the following guidelines when making a determination of the contractor’s assurances of exclusion from access:

C2.13.6.12.1.3.1. The position of the individual.

C2.13.6.12.1.3.2. The seriousness of allegations which led to the PCL suspension.

C2.13.6.12.1.3.3. The actions that the contractor has taken to relieve the official of the authority.

C2.13.6.12.1.3.4. The degree to which they have been removed from access to classified information.

C2.13.6.12.2. If the contractor does not take appropriate action to remove or exclude the individual from access:

C2.13.6.12.2.1. Suspend or revoke the FCL and recover all classified information in the contractor’s possession, if the contractor is not performing on a current classified contract.

C2.13.6.12.2.2. If the contractor is performing on a classified contract, notify the GCA and ensure that all classified information in the contractor’s possession is being effectively safeguarded.

C2.13.6.12.2.3. If contract is continued, ensure that the contractor is permitted access only to that classified information necessary in the performance of the contract concerned. Coordinate with the GCA to ensure appropriate disposition of all other classified information in the contractor’s possession.

C2.13.6.12.2.4. If contract is terminated, terminate the FCL, as appropriate, and coordinate with the GCA to ensure appropriate disposition of all classified information in the contractor’s possession.

C2.13.6.12.3. GCA Responsibility:

C2.13.6.12.3.1. Determine whether to terminate or continue the contract.

C2.13.6.12.3.2. Coordinate with DSS to ensure appropriate disposition of all classified information in the contractor’s possession.

C2.14. Revalidation of an FCL

Once the situation that caused an invalidation of the FCL has been corrected, the FCL shall be revalidated and all customers who were advised of the invalidation action shall be advised that the invalidation action has been lifted.

C2.15. Revocation of an FCL

C2.15.1. Revocation of an FCL is action that is taken to terminate all classified activity of a contractor because the contractor refuses, is unwilling, or has consistently demonstrated an inability to protect classified information.

C2.15.2. If the contractor refuses or is unable to take action to correct the situation that caused an invalidation, DSS shall revoke the FCL, terminate all PCLs, and coordinate with all GCAs to ensure that classified information in the possession of the contractor is properly safeguarded until it is removed.

C2.15.3. If a GCA determines that it is in the best interest of the government to permit contract completion in spite of a revocation action, DSS shall coordinate with the GCA to determine the procedures to be followed to protect any remaining classified information in the possession of the contractor until contract completion. In addition, DSS shall take the following actions:

C2.15.3.1. Notify each contractor having a classified subcontract with the contractor that the subcontractor’s FCL is being revoked and advise the subcontractor of the GCA’s determination regarding continued subcontract performance.

C2.15.3.2. Ensure appropriate disposition of all other classified material prior to the revocation action.

C2.15.3.3. Notify all activities that have verified the FCL of the contractor within the past three years of the revocation action.

C2.15.3.4. Terminate the contractor’s DD Form 441 or 441-1 in accordance with Section IV of the agreement.

C2.15.3.5. Withdraw the letter of notification of FCL.

C2.15.3.6. Advise DTIC of the revocation action, if appropriate.

C2.15.3.7. If the contractor subsequently takes corrective action, and the GCA submits a new FCL request, a new FCL may be granted.

C2.15.4. GCA Responsibility:

C2.15.4.1. Determine whether it is in the best interest of the government to permit contract completion in spite of revocation action.

C2.15.4.2. Determine if any subcontractors should continue contract performance upon revocation of a prime contractor’s FCL.

C2.15.4.3. If contract performance will continue in spite of revocation, coordinate with DSS to determine the procedures to be followed to protect any remaining classified information until contract completion.

C2.15.4.4. Coordinate with DSS to ensure the appropriate disposition of classified material prior to revocation action.

C2.16. Maintenance of Contractor Information

C2.16.1. DSS is the office of record for the maintenance of all information pertaining to contractor clearance records and information about all cleared contractors under its cognizance. This information is used to respond to all inquiries regarding the clearance status and storage capability of cleared contractors. It is also used to provide continuing assurance to GCAs regarding the contractor’s ability to protect classified information. (AP4 contains a listing of contractor information to be maintained.)

C2.16.2. DSS shall retain information pertaining to the FCL and safeguarding capability for a period of two years after termination of the FCL. Information pertaining to industrial security actions shall be retained for a period of two years after completion of the action.

C3. CHAPTER 3

C3.1. General

C3.1.1. This section establishes the policy concerning the initial or continued clearance eligibility of U.S. companies with foreign involvement; provides criteria for determining whether U.S. companies are under foreign ownership, control or influence (FOCI); prescribes responsibilities in FOCI matters; and outlines security measures that may be considered to negate or reduce FOCI-based security risks to an acceptable level.

C3.1.2. For the purposes of this regulation, DSS shall make the determination of the foreign involvement of U.S. companies cleared or under consideration for a facility security clearance (FCL). FOCI determinations shall be made on a case-by-case basis. In this regard, DSS shall:

C3.1.2.1. Examine the extent of a contractor’s foreign involvement to ensure appropriate resolution of matters determined to be of national security significance;

C3.1.2.2. Develop security measures to negate FOCI determined to be unacceptable based on the concept of risk management; and

C3.1.2.3. Make the determination of whether a U.S. company is under FOCI, determine its eligibility for an FCL, and recommend the security measures deemed necessary to negate or mitigate FOCI.

C3.2. Policy

C3.2.1. Foreign investment can play an important role in maintaining the vitality of the U.S. industrial base. Therefore, it is U.S. policy to allow foreign investment consistent with the national security interests of the United States. The following FOCI policy for U.S. companies subject to an FCL is intended to facilitate foreign investment by ensuring that foreign firms cannot undermine U.S. security and export controls to gain unauthorized access to critical technology and classified information.

C3.2.2. A U.S. company is considered under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the U.S. company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts.

C3.2.3. A U.S. company determined to be under FOCI is ineligible for an FCL, or an existing FCL shall be invalidated or revoked unless security measures are taken as necessary to remove the possibility of unauthorized access or the adverse affect on classified contracts.

C3.2.4. It may be presumed that minimum additional security measures will be necessary when the sources of FOCI emanate from a country with which the U.S. has effective bilateral law enforcement, national security, and customs arrangements governing control of classified and export controlled information.

C3.2.5. The U.S. reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that unauthorized access to classified information is effectively precluded and that performance of classified contracts is not adversely affected.

C3.2.6. Changed conditions, such as a change in ownership, indebtedness, or the foreign intelligence threat, may justify certain adjustments to the security terms under which a company is operating or, alternatively, that a different FOCI mitigation method be employed. If a changed condition is of sufficient significance, it might also result in a determination that a company is no longer considered to be under FOCI or, conversely, that a company is no longer eligible for an FCL. (See C2. Facility Security Clearances.)

C3.2.7. Nothing contained in this Section shall affect the authority of a GCA to limit, deny or revoke access to classified information under its statutory, regulatory or contract jurisdiction.

C3.3. Factors

C3.3.1. The following factors with regard to the source of FOCI and the country from which it emanates will be considered in the aggregate with regard to both the foreign interest and the country from which it is derived to determine whether an applicant company is under FOCI, its eligibility for an FCL, and the protective measures required:

C3.3.1.1. Record of economic and government espionage against U.S. targets.

C3.3.1.2. Record of enforcement and/or engagement in unauthorized technology transfer.

C3.3.1.3. Type and sensitivity of the information requiring protection.

C3.3.1.4. Nature and extent of FOCI, to include whether a foreign person occupies a controlling or dominant minority position; and source of FOCI, to include identification of immediate, intermediate and ultimate parent organizations.

C3.3.1.5. Record of compliance with pertinent U.S. laws, regulations and contracts.

C3.3.1.6. Nature of bilateral and multilateral security and information exchange agreements that may pertain, to include agreements with third parties.

C3.3.1.7. Intelligence sharing and cooperation with U.S. on economic espionage, industrial security, export violations.

C3.3.1.8. Information security controls for government and industry.

C3.3.1.9. Law enforcement cooperation with U.S. on economic espionage, industrial security, export violations.

C3.3.1.10. Export policies and controls for both weapons and technologies.

C3.3.1.11. Political and defense relationship with the United States defense industry and potential for U.S. industrial relationships.

C3.3.1.12. Ownership or control, in whole or in part, by a foreign government.

C3.3.2. In addition to the factors above, DSS shall consider the following information, which is required to be furnished by the contractor on the Certificate Pertaining to Foreign Interests (SF 328) (See AP7.A3). The information shall be considered in the aggregate and the fact that some of the below listed conditions may apply does not necessarily render the applicant company ineligible for an FCL.

C3.3.2.1. Ownership or beneficial ownership, direct or indirect, of 5 percent or more of the applicant company's equity securities by a foreign person; or direct or indirect subscription of 5 percent or more of the company’s total capital commitment.

C3.3.2.2. Ownership by the company of 10 percent or more of a foreign interest.

C3.3.2.3. Management positions, such as directors, officers, or executive personnel of the applicant company held by non-U.S. citizens.

C3.3.2.4. Foreign person power, direct or indirect, to control the election, appointment, or tenure of directors, officers, or executive personnel of the applicant company and the power to control other decisions or activities of the applicant company.

C3.3.2.5. Contracts, agreements, understandings, or arrangements between the applicant company and a foreign person.

C3.3.2.6. Indebtedness, liabilities, or obligations between the applicant company and a foreign person.

C3.3.2.7. Total revenues or net income in excess of 5 percent from a single foreign person or in excess of 30 percent from foreign persons in the aggregate.

C3.3.2.8. Ten percent or more of any class of the applicant's voting securities held in "nominee shares," in "street names," or in some other method that does not disclose the beneficial owner of