Revision 2011-03 / 05 09 2011
DoD 5220.22-M OPERATING MANUAL
February 2006
http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf

NISPOM Hyper-Link and Color-Code Guide

All hyper-links that take you to a specific reference have a corresponding link that will return you to the original text.

• Summary of Major NISPOM Changes
The Summary of Major NISPOM Changes table of contents is color-coded aqua in the bookmark section. All aqua hyper-link boxes link to references in the Summary of Major NISPOM Changes document.

• Industrial Security Letters
Current Industrial Security Letters have been added to the NISPOM document. All blue hyper-link boxes link to references in the Industrial Security Letters.

• NISPOM Text
Chapters in the NISPOM table of contents are color-coded rust in the bookmark section. Sections, paragraphs, sub-paragraphs, etc., are further broken down into different colors within each chapter. All rust colored hyper-link boxes located within the NISPOM text (Chapters 1 through 11) will link to other section(s) within the NISPOM text that are being referenced. If you click on a rust colored hyper-link box, you will be taken to that reference within the actual NISPOM text. The rust colored hyper-link button located next to that reference will take you back to the original portion of the NISPOM text.

Dianne Walton, CISSP, ISP
Facility Security Officer
Northrop Grumman Space & Mission Systems
Network Communications Division
2721 Discovery Drive, Suite # 100
Orlando, Florida 32826
Phone: 321-235-3910
dianne.walton@ngc.com
NATIONAL INDUSTRIAL SECURITY PROGRAM
DoD 5220.22-M
February 28, 2006

FOREWORD

As required by Executive Order 12829 and under the authority of DoD Directive 5220.22, “National Industrial Security Program (NISP),” September 27, 2004, this Manual reissues DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM),” January 1995 (hereby canceled). It provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP. This Manual cancels DoD 5220.2-S, “COMSEC Supplement to the Industrial Security Manual for Safeguarding Classified Information,” March 1988.

Users of the NISPOM are encouraged to submit recommended changes through their Cognizant Security Agency to the designated representative of the Secretary of Defense in his capacity as the Executive Agent for the NISP pursuant to Presidential guidance at the following address:

Department of Defense
Under Secretary of Defense for Intelligence
ATTN: OUSD(I)/ODUSD(CI&S), Room 3A666
5000 Defense Pentagon
Washington, D.C. 20301-5000

Summary of Major NISPOM Changes
General

The term “contractor” used throughout the NISPOM means a cleared contractor; i.e., a contractor that has been granted a facility clearance (FCL). The term “company” is used for those contractors that are not cleared or not yet granted an FCL. The term “personnel” is used in place of “employees” to recognize that subcontractors fill many roles traditionally handled by company employees. The use of a CSA-designated database; i.e., JPAS; for maintaining records of eligibility and access to classified information is incorporated throughout.
The Intelligence Reform and Terrorism Prevention Act of 2004 established the Office of the Director of National Intelligence (DNI) and changed the roles and responsibilities of the Director of the Central Intelligence Agency (CIA). The NISPOM has been changed to acknowledge that intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes. The CIA is still designated as the CSA per Executive Order (EO) 12829 and the NISP Implementing Directive.
DoD publication policy requires certain formatting conventions, which have been incorporated into this version. Some minor wording modifications were required. A reference section has been added to this version, as well. This has resulted in a document that is less user-friendly, but meets the DoD publication requirements.

Note: This is a summary list of major changes. There are many other minor changes throughout the NISPOM that have not been listed.

CHAPTER 1 – General Provisions and Requirements

Section 1. Introduction

1-103. Agency Agreements.
The list of agencies with agreements with the Secretary of Defense is updated.

1-105. Composition of Manual.
“COMSEC Supplement to the Industrial Security Manual for Safeguarding Classified Information,” DoD 5220.22-S-1, August 1983, is cancelled.

Section 2. General Requirements

1-204. Cooperation with Federal Agencies and Officially Credentialed Representatives of Those Agencies.
Officially credentialed representatives of government agencies; i.e., contractor investigators; are to be afforded the same level of cooperation as required for federal investigative agents.

Section 3. Reporting Requirements

1-301. Reports to be Submitted to the FBI.
Actual, probable, or possible terrorism is added to the reporting requirement to the FBI.

1-302. Reports to be Submitted to the CSA.
Adverse information and changes in cleared employee status can be reported electronically via JPAS. The requirement to identify representatives of a foreign interest is eliminated. Foreign affiliation is reviewed as part of the adjudication process. The requirement to update the SF 328 every 5 years is eliminated. The form should be updated only when there are material changes to the information previously reported.
CHAPTER 2 – Security Clearances

General: Paragraphs pertaining to concurrent PCLs, conversions, terminations, and reinstatements are eliminated, as processes are now handled through JPAS.

Section 1. Facilities Clearances (FCLs)

2-108. Multiple Facility Organizations (MFOs).
Adds the responsibility for the CSA to determine the necessity for branch offices of multiple facility organizations to be cleared.

Section 2. Personnel Security Clearances

2-200. General.
LOCs are eliminated. Notification of granting of eligibility for access to classified information; i.e., personnel security clearance (PCL); is accomplished by use of the JPAS. The contractor is responsible for maintaining the records of its employees in JPAS. Contractors within a corporate family may centrally manage the eligibility and access records (i.e., PCLs) of their employees in JPAS. Access to SCI and SAP information is a determination made by the government granting authority.

2-201. Investigative Requirements.
Requires the use of the electronic SF 86 (e-QIP). Reinvestigation is added to the investigative requirements.
Financial disclosure is added to investigative requirements when the GCA advises that it is necessary. The employee should be afforded the opportunity to complete and submit the financial disclosure form in private.

2-202. Procedures for Completing the Electronic Version of the SF 86.
The FSO or a designee is required to review the entire SF 86 completed by the employee for adequacy and completeness; however, the privacy of the individual must be maintained. The information on an employee’s SF 86 must not be used for any other purpose within the company.
The requirement for a contractor employee to witness fingerprinting is eliminated.

2-205. Pre-employment Clearance Action.
The 180-day limitation for pre-employment clearance action is eliminated. Pre-employment clearance action is permitted provided that the commitment for employment indicates that employment will commence within 30 days of the granting of eligibility for a PCL.

2-209. Non-U.S. Citizens.
Clarifies that LAA requests must have the concurrence of the GCA in all instances. The requirement to obtain the concurrence of the CSA in certain circumstances is eliminated.

2-211. Interim PCLs.
Access to SCI or SAP information based on an interim PCL is a determination made by the government activity that is the granting authority.

2-212. Consultants.
Consultants to GCAs must be processed for PCLs by the GCA in accordance with GCA procedures.

Section 3. Foreign Ownership, Control, or Influence (FOCI)

2-300. Policy.
Clarifies that invalidation of the FCL should be taken only if the contractor is not negotiating an acceptable FOCI mitigation/negation measure in good faith.

2-301. Factors.
Expands the factors to be considered to determine FOCI, FCL eligibility, and protective measures.

2-302. Procedures.
Information provided on the SF 328 regarding FOCI should reflect the corporate family of the company vs. the individual company. It is not necessary to break down the information by subsidiary.

2-303. FOCI Action Plans.
Clarifies that preparation of the NID is the responsibility of the GCA and that the CSA will notify the GCA of the need for a NID. Clarifies that DSS will not delay implementation of a FOCI action plan pending completion of a GCA’s NID process as long as there is no indication that the NID would be denied.
CHAPTER 4 – Classification and Marking

General: Updated to reflect guidance in EO 12958, as amended, dated 23 March 2003.

Section 1. Classification

4-101. Original Classification.
Clarifies that originally classified information is owned by, produced by or for, or is under the control of the U.S. Government. Clarifies that only an original classification authority; i.e., a government official who has been designated in writing; may make a determination to originally classify information. The definition of damage to national security, with regard to classification determination, now includes transnational terrorism.

4-102. Derivative Classification Responsibilities.
Eliminates the requirement for manager/supervisor determination of classification, and manager/supervisor signature prior to transmission outside the facility.

4-107. Downgrading or Declassifying Classified Information.
The contractor must seek the guidance of the GCA prior to taking any declassification action on material marked for automatic declassification.

Section 2. Marking Requirements

4-206. Portion Markings.
Guidance on marking FGI and NATO information is in Chapter 10.

4-208. Markings for Derivatively Classified Documents.
The 10-year declassification exemptions are no longer valid. When the duration instruction on the source document is marked “X1 through X8” the “Declassify On” line should indicate that that source material was marked with these instructions and the date of origin of the most recent source document as appropriate to the circumstances. Reference to guidance on the permanent exemption from automatic declassification at 25 years (25X) is eliminated.

4-210. Marking Special Types of Material.
The category of electronic messages now includes email.

4-216. Downgrading or Declassification Actions.
The contractor must seek the guidance of the GCA prior to taking any declassification action on material marked for automatic declassification. Old classification markings shall be cancelled only if the GCA approves the declassification action.

CHAPTER 5 – Safeguarding Classified Information

Section 2. Control and Accountability

5-200. Policy.
The requirement to maintain “External Receipt and Dispatch Records” is eliminated. There is still a requirement to include a receipt in a package.

5-202. Receiving Classified Material.
Classified material must be received by an authorized person regardless of delivery method.
This means that a cleared person has to get the Fed Ex or U.S. Post Office delivery directly from the Fed Ex or U.S. Postal Service employee.

5-203. Generation of Classified Material.
Classified working papers retained for more than 30 days from creation for TS, or 180 days from creation for S and C material, must be marked in the same manner as a finished document.

Section 3. Storage and Storage Equipment

5-303. SECRET Storage.
Clarifies that supplemental controls are required for storage of SECRET material in Closed Areas.

5-306. Closed Areas.
Clarifies that closed areas must be afforded supplemental protection during non-working hours. Clarifies that closed areas must be secured by the approved locking device during working hours when the area is unattended. Supplemental controls are not necessary during working hours when the area is temporarily unattended. Clarifies that procedures are necessary to ensure the structural integrity of closed areas above false ceilings and below raised floors. The CSA may grant self-approval authority to the FSO for closed area approval.

5-311. Repair of Approved Containers.
Procedures for container repair are removed. Repair standards are unchanged.

Section 4. Transmission

5-401. Preparation and Receipting.
Eliminates the requirement to retain package receipts for 2 years.

5-404. CONFIDENTIAL Transmission Outside a Facility.
Clarifies that a commercial carrier is not required to be cleared for CONFIDENTIAL transmissions.

5-410. Use of Couriers, Handcarriers, and Escorts.
Eliminates the requirement to maintain receipt and dispatch records with regard to couriers, handcarriers, and escorts.

5-411. Use of Commercial Passenger Aircraft for Transmitting Classified Material.
Eliminates reference to obsolete procedures regarding the use of commercial passenger aircraft.

5-412. Use of Escorts for Classified Shipments.
The requirements for escorts apply only when an escort is determined to be necessary to ensure the protection of classified information during transport.

Section 7. Disposition and Retention

5-701. Retention of Classified Material.
Clarifies that contractors are authorized to retain classified material received or generated under a contract for 2 years after contract completion unless the GCA advises to the contrary.
If retention is not authorized, the remaining classified material should be destroyed unless the GCA requests its return.

5-703. Disposition of Classified Material Not Received Under a Specific Contract.
Clarifies the retention period for material other than that received or generated under a specific contract.

5-705. Methods of Destruction.
New crosscut shredders authorized for destruction of classified material must be from the NSA Evaluated Products List of High Security Crosscut Shredders.

5-706. Witness to Destruction.
Witnesses to destruction are not limited to company employees, but may be subcontractors, as well.

Section 8. Construction Requirements

5-801. Construction Requirements for Closed Areas.
Closed Area construction is not limited to wood or metal. Walls and doors may be constructed of any material offering resistance to and detection of unauthorized entry. A barrier is not required over miscellaneous openings if an approved IDS provides protection of the opening. Adds an equivalent gauge commercial metal duct barrier to the options for covering miscellaneous openings in closed areas.

5-802. Construction Required for Vaults.
Crossbars on rigid metal bars covering miscellaneous openings in vaults are only required on bars exceeding 18 inches in length.

Section 9. Intrusion Detection Systems

5-902. Central Monitoring Station.
Clarifies that a sufficient number of SECRET cleared central station employees must be in attendance at the alarm monitoring station to monitor alarms.

5-903. Investigative Response to Alarms.
A GCMS may be manned by cleared subcontractor security force personnel under a classified contract.

5-904. Installation.
Clarifies alarm installation standards as described in the U.L. 2050 installation guide. Clarifies the conditions requiring CSA authorization on the Alarm System Description Form.

CHAPTER 6 – Visits and Meetings

Section 1. Visits

6-102. Need-to-know Determination.
Eliminates the requirement to obtain GCA approval for non-contract related classified visits.

6-104. Visit Authorization.
Eliminates the requirement for a visit authorization letter (VAL) for classified visits within DoD when a CSA-designated database is available. Basically this means that within DoD, you do not need a VAL if you use JPAS.

6-105. Long-Term Visitors.
Clarifies that host contractor security procedures apply to government employees temporarily stationed at a contractor facility, but that contractors may not require government personnel to relinquish control of their work products to the contractor. Clarifies that contractor employees at government installations follow the security requirements of the government host.

6-107. Visitor Record.
Paragraph has been deleted which eliminates the requirement to maintain visitor records.

CHAPTER 7 – Subcontracting

Section 1. Prime Contractor Responsibilities

7-101. Responsibilities.
Verification of subcontractor FCL and safeguarding capability may be accomplished by use of a CSA-designated database. (The database is currently identified as ISFD on the DSS website.)

CHAPTER 9 – Special Requirements

Section 1. Restricted Data and Formerly Restricted Data
Section provided by DOE, included for information purposes. Requirements for access to RD outlined in this section will be contractually imposed if applicable.

Section 2. DoD Critical Nuclear Weapon Design Information (CNWDI)
CNWDI access must be annotated in JPAS.

Section 3. Intelligence Information
Section provided by CIA and included for information purposes. Requirements for access to intelligence information will be contractually imposed, if applicable.

Section 4. Communications Security (COMSEC)
Section provided by NSA and contains general requirements for any contractor accessing COMSEC information. Any requirements beyond the NISPOM baseline must be contractually imposed.

CHAPTER 10 – International Security Requirements

General: Many changes to eliminate information that was not relevant to the protection of classified information in industry. “Government-to-government” terminology changed to “through government channels.” Eliminates the requirement for a separate briefing and written acknowledgement prior to contractor employees being granted access to FGI. Standard Request for Visit Format (RFV) moved to Appendix B. Email addresses and fax numbers added to visit format. Lead time chart updated.

Section 2. Disclosure of U.S. Information to Foreign Interests

10-200. Authorization for Disclosure.
Clarifies disclosure authorization formats.

10-201. Direct Commercial Arrangements.
Clarifies disclosure of classified information pursuant to a direct commercial sale.

10-202. Contract Security Provisions.
Reference to contract “provisions” versus “clauses.”

Section 3. Foreign Government Information (FGI)

10-301. Contract Security Requirements.
Clarifies that the foreign entity is responsible for providing appropriate security classification guidance.

10-303. Foreign Government RESTRICTED Information and “In Confidence” Information.
Protection and marking requirements for Foreign Government RESTRICTED or “In Confidence” information are to be incorporated into the contract by the foreign government. Foreign government RESTRICTED is to be protected as U.S. CONFIDENTIAL only if the contract requires that protection level.

10-306. Storage and Control.
Eliminates the requirement for annual inventory of classified foreign government material.

10-308. Transfer.
Clarifies that non-cleared express overnight carriers cannot be used for transfers of FGI.

Section 4. International Transfers

10-401. International Transfer of Classified Material.
Eliminates the requirement for the DGR to be a U.S. Government employee.

10-402. Transfers of Freight.
The transportation plan (TP) must address the need for escorts.

10-405. Handcarrying Classified Material.
The CSA may authorize contractor employees to handcarry classified material outside of the United States in order to meet contractual requirements.

10-408. Transfers of Technical Data Pursuant to an ITAR Exemption.
Clarifies signatory of written authorization for export of classified technical data.

Section 5. International Visits and Control of Foreign Nationals

10-507. Visits by Foreign Nationals to U.S. Contractor Facilities.
A visit authorization for a foreign national to a U.S. contractor is valid throughout the corporate family.
Section 6. Contractor Operations Abroad

10-605. Report of Assignment.
Eliminates the requirement to report overseas assignments.

Section 7. NATO Information Security Requirements

10-702. NATO RESTRICTED.
Updates the guidance regarding NATO RESTRICTED, clarifying that no FCL is required for the company, PCLs are not required for personnel, and certification and accreditation are not required for IS.

10-706. NATO Briefings.
The record of NATO briefings and debriefings is maintained in JPAS.

10-713. International Transmission.
Eliminates reference to NATO sub-control points.

10-716. Disposition.
Clarifies that destruction certificates are not required for NATO CONFIDENTIAL.

APPENDIX A – Cognizant Security Office Information
Refers to the DSS website.

APPENDIX B – International Visits Standard Request for Visit Format (RFV)
Contains the “Standard Request for Visit” format to be used for foreign visits.

NISPOM INDEX

Access Control Systems or Devices (Supplanting): 5-312
  Automated: 5-313
  Electronic, Mechanical or Electro-mechanical: 5-314
Accountability (See “Control and Accountability”)
Acronyms (AL. Acronyms): page 14
Administrative Inquiry
  Reports of Loss, Compromise or Suspected Compromise
  Final Report: 1-303c
  Initial Report: 1-303b
  Individual Culpability Report: 1-304
  Loss, Compromise, or Suspected Compromise: 1-303
  Preliminary Inquiry: 1-303a
Agency Agreements: 1-103
Alarm Systems (See “Intrusion Detection Systems”)
Authority: 1-101
Briefings and Security Training
  CNWDI: 9-202
  COMSEC: 9-404
  Contractor Operations Abroad: 10-604
  Courier, Handcarriers, and Escorts: 5-410a
  Debriefings: 3-108
  Derivative Classification: 4-102
  FSO Training: 3-102
  General: 3-100
  Government Provided Briefings: 3-103
  Initial Security Briefings: 3-106
  NATO: 10-706
  Refresher Briefings: 3-107
  SF 312: 3-105
  Security Training and Briefings: 1-205
  Temporary Help Suppliers: 3-104
  Training Materials: 3-101
Page 1 July 2006
Classification
  Challenges to Classification: 4-104
  Classified Information Appearing in Public Media: 4-106
  Contractor Developed Information: 4-105
  Derivative Classification Responsibilities: 4-102
  Downgrading or Declassifying: 4-107
  General: 4-100
  IR&D: 11-301
  NATO: 10-710
  Original Classification: 4-101
  Security Classification Guidance: 4-103
Classified Information Procedures Act (CIPA): 1-208
Closed Areas: 5-306
  Construction Requirements: 5-801
Cognizant Security Agency: 1-104a
Cognizant Security Office Information: APP A.
Combinations
  Changing: 5-309
  Electric or Mechanical Devices: 5-314c
  NATO Combinations: 10-712b
  Protection of Combinations: 5-308
  Supervision of Keys and Padlocks: 5-310
Composition of Manual: 1-105
Consultants: 2-212
Containers (See “Storage and Storage Equipment”)
Contractors Operations Abroad (Overseas Assignment)
  Access by Contractor Employees Assigned Outside the United States: 10-601
  General: 10-600
  Reports of Assignments: 10-605
  Security Briefings: 10-604
  Storage, Custody, and Control of Classified Information Abroad by Employees of a U.S. Contractor: 10-602
  Transmission of Classified Material To Employees Abroad: 10-603
Control and Accountability
  Accountability for TOP SECRET: 5-201
  Generation of Classified Material: 5-203
  Information Management System: 5-200
  NATO Accountability Records: 10-717
  Receiving Classified Material: 5-202
Cooperation with Federal Agencies: 1-204
Critical Nuclear Weapon Design Information (CNWDI)
  Background: 9-201
  Briefings: 9-202
  General: 9-200
  Marking: 9-203
  Records: 9-206
  Subcontractors: 9-204
  Transmission Outside the Facility: 9-205
  Weapon Data: 9-207
Defense Technical Information Center
  Downgrading or Declassification Notices: 11-204
  General: 11-200
  Questions Concerning Reference Material: 11-205
  Registration Process: 11-202
    DD Form 1540: 11-202a
    DD Form 2345: 11-202b
  Safeguarding Requirements: 11-203
  Subcontractors: 11-206
  User Community: 11-201
Definitions: App. C
Destruction
  Classified Waste: 5-708
  COMSEC: 9-406
  General (Destruction): 5-704
  Methods: 5-705
  Records: 5-707
  Witness: 5-706
Disclosure
  Classified Information in Connection with Litigation: 5-510
  Contractors: 5-509
  DoD Activities: 5-505
  Employees: 5-501
  Export Controlled Info. To Foreign Persons: 5-508
  Federal Agencies: 5-506
  Foreign Persons: 5-507
  Foreign Government Information: 10-307
  Intelligence Information: 9-304
  Multiple Facility Organization (MFO): 5-504
  NATO, Access by Foreign Nationals: 10-707
  NATO, Further Distribution: 10-711
  Parent/Subsidiaries: 5-503
  Public: 5-511
  RD/FRD, Unauthorized Disclosures: 9-102
  Subcontractors: 5-502
  U.S. Information to Foreign Interests: 10-200
Disposition
  Disposition of Classified Material Not Received Under a Specific Contract: 5-703
  of COMSEC Material: 9-406
  of Foreign Government Information: 10-310
  of NATO Information: 10-716
  General: 5-700
Emergency Procedures: 5-104
End of Day Security Checks: 5-102
Facility Clearance
  Advertising FCL: 2-100c
  Eligibility Requirements: 2-102
  Exclusion Procedures: 2-106
  General: 2-100
  Interim: 2-107
  Multiple Facility Organization (MFO): 2-108
  NATO Facility Security Clearance Certificate: 10-704
  PCLs Concurrent with the FCL: 2-105
  PCLs Required in Connection with the FCL: 2-104
  Parent-Subsidiary Relationship: 2-109
  Processing the FCL: 2-103
  Reciprocity: 2-101
  Records Maintenance: 2-111
  Termination of the FCL: 2-110
  Verification: 7-101
Facility Security Officer (FSO): 1-201
  Processing the FCL: 2-103c
  Training: 3-102
Foreign Government Information
  Contract Security Requirements: 10-301
  Disclosure and Use Limitations: 10-307
  Disposition: 10-310
  Exports of Foreign Government Information: 10-308
  General: 10-300
  Marking Foreign Government Classified Material: 10-302
  Marking U.S. Documents Containing FGI: 10-304
  Marking Documents Prepared for Foreign Governments: 10-305
  Policy: 10-301
  Reporting of Improper Receipt of Foreign Government Information: 10-311
  Reproduction: 10-309
  Restricted and “In Confidence” Information: 10-303
  Storage and Control: 10-306
  Subcontracting: 10-312
  Transfer: 10-308
Foreign Ownership, Control and Influence (FOCI)
  Annual Review and Certification: 2-308
  Citizenship of Persons Requiring PCLs: 2-304
  Factors: 2-301
  FOCI Action Plans: 2-303
  Foreign Mergers, Acquisitions, Takeovers And the CFIUS: 2-310
  General: 2-300
  GSC (Government Security Committee): 2-306
  Limited FCL: 2-309
  Policy: 2-300
  Procedures: 2-302
  Qualifications of Trustees, Proxy Holders and Outside Directors: 2-305
  TCP (Technology Control Plan): 2-307
Hotlines: 1-207
Independent Research & Development (IR&D)
  Classification Guidance: 11-302
  General: 11-300
  Information Generated Under and IR&D Efforts that Incorporates Classified Information: 11-301
  Preparation of Classification Guidance: 11-303
  Retention of Classified Documents General Under IR&D Efforts: 11-304
Information System Security
  Access Controls (Access): 8-606
  Accreditation: 8-202
    Interim Approval to Operate: 8-202a
    Reaccreditation: 8-202b
    Review of Security-Relevant Changes: 8-202c
    Re-evaluation of an Accreditation: 8-202d
    Withdrawal of Accreditation: 8-202e
    Invalidation of an Accreditation: 8-202f
    Certification and Accreditation of Similar Systems: 8-202g
    Systems under Multiple CSAs: 8-202h
  Alternate Power Source (Power): 8-600
  Assurances for CIs: 8-703
  Audit Capability: 8-602
  Backup and Restoration of Data (Backup): 8-603
  Certification and Accreditation Overview: 8-200
  Certification Process: 8-201
  Changes to Data (Integrity): 8-604
  Clearing and Sanitization: 8-301
  Common Requirements Introduction: 8-300
  Configuration Management: 8-311
  Controlled Interface Function: 8-701
  Controlled Interface Requirements: 8-702
  Data Transmission (Trans): 8-605
  Designated Accrediting/Approving Authority: 8-102
  Disaster Recovery Planning: 8-615
  Examination of Hardware and Software: 8-302
  Identification and Authentication (I&A): 8-607
  Identification and Authentication Management: 8-303
  Information System Security Officer (ISSO): 8-104
  Interconnected Systems Management: 8-700
  IS Security Manager (ISSM): 8-103
  Level of Concern: 8-401
  Maintenance: 8-304
    Cleared Maintenance Personnel: 8-304a
    Uncleared (or Lower Cleared) Maintenance Personnel: 8-304b
  Malicious Code: 8-305
  Marking Hardware, Output and Media: 8-306
    Hardware Components: 8-306a
    Hard copy Output and Removable Media: 8-306b
    Unclassified Media: 8-306c
  Periods Processing: 8-502
  Personnel Security: 8-307
  Physical Security: 8-308
  Protection Level: 8-402
  Protection of Media: 8-309
  Protection Profiles: 8-403
  Protection Requirements Introduction: 8-600
  Pure Servers: 8-503
  Resource Control (ResrcCtrl): 8-608
  Responsibilities: 8-101
  Responsibilities and Duties General: 8-100
  Review of Output and Media: 8-310
    Human-Readable Output Review: 8-310a
    Media Review: 8-310b
  Security Documentation (Doc): 8-610
  Security Testing (Test): 8-614
  Separation of Function Requirements (Separation): 8-611
  Session Controls (SessCtrl): 8-609
  Single-user, Stand-alone Systems: 8-501
  Special Categories: 8-500
  System Assurance (SysAssur): 8-613
  System Recovery (SR): 8-612
  Systems with Group Authenticators: 8-505
  Tactical, Embedded, Data-Acquisition, and Special-Purpose Systems: 8-504
  Users of IS: 8-105
Intelligence Information
  Access Limitations
    Contractor-Granted Confidential: 2-206
    LAA: 2-210
    Interim: 2-211
  Background: 9-300
  Control Markings
    ORCON: 9-303a
    FOUO: 9-303b
    PROPIN: 9-303c
    NOFORN: 9-303d
    REL TO: 9-303e
  Definitions
    Foreign Intelligence: 9-301a
    Counterintelligence: 9-301b
    Intelligence Information: 9-301c
    Intelligence Community: 9-301d
    Senior Officials: 9-301e
    Senior Intelligence Officer (SIO): 9-301f
    Sensitive Compartmented Information (SCI): 9-301g
    SCI Facility (SCIF): 9-301h
  Inquiries: 9-306
  Limitations on Dissemination: 9-304
  Safeguarding: 9-305
Interim Clearances
  Facility: 2-107
  Personnel: 2-211
International
  Applicable Federal Laws: 10-101
  Authorization for Disclosure: 10-200
    Government-to-Government International Agreements: 10-200a
    Symposia, Seminars, Exhibitions and Conferences: 10-200b
    Foreign Visits: 10-200c
    Temporary Exports: 10-200d
  Direct Commercial Sales: 10-201
  Bilateral Security Agreements: 10-102
  Contract Security Provisions: 10-202
  International Security Requirements General: 10-100
International Transfers
  Classified Material Receipts: 10-406
  Contractor Preparations for International Transfers Pursuant to Commercial and User Agency Sales: 10-407
  General: 10-400
  Handcarrying Classified Material: 10-405
  Return of Material for Repair, Modification or Maintenance: 10-403
  Transfers of Classified Material .... 10-401
  Transfers of Freight .... 10-402
    Transportation Plan (TP) .... 10-402a
    Government Agency Agreements .... 10-402b
    Commercial Arrangements .... 10-402c
    International Carriers .... 10-402d
  Transfer of Technical Data Pursuant to an ITAR Exemption .... 10-408
  Use of Freight Forwarders .... 10-404
International Visits and Control of Foreign Nationals
  Amendments .... 10-505
  Control of Access by On-Site Foreign Nationals .... 10-508
  Emergency Visits .... 10-503
  General .... 10-500
  International Visits .... 10-501
  Policy .... 10-501
  Requests for Recurring Visits .... 10-504
  Security and Export Control Violations Involving Foreign Nationals .... 10-510
  TCP .... 10-509
  Types and Purpose of International Visits .... 10-502
    One-time Visits .... 10-502a
    Recurring Visits .... 10-502b
    Extended Visits .... 10-502c
  Visits Abroad by U.S. Contractors .... 10-506
    Requests Format .... 10-506a
    Government Agency Programs .... 10-506b
  Visits by Foreign Nationals to U.S. Contractor Facilities .... 10-507
    Government-Approved Visits .... 10-507a
    Visit Request Denials .... 10-507b
    Non-Sponsorship .... 10-507c
    Access by Foreign Visitors to Classified Information .... 10-507d
    Visitor Records .... 10-507e
    Visits to Subsidiaries .... 10-507f
Intrusion Detection Systems
  Central Monitoring Station .... 5-902
  Certification of Compliance .... 5-905
  CSA Approval .... 5-901
  Exceptional Cases .... 5-906
  General .... 5-900
  Installation .... 5-904
  Investigative Response to Alarms .... 5-903
Key Management Personnel
  Exclusion Procedures .... 2-106
  PCLs Required in Connection with the FCL .... 2-104
  Reporting Requirement .... 1-302g(3)
Limited Access Authorization (LAA)
  Access Limitations of an LAA .... 2-210
  Non-U.S. Citizens .... 2-209
Manual Interpretations .... 1-106
Markings
  CNWDI .... 9-203
  Compilations .... 4-213
  Component Markings .... 4-205
  Documents Generated Under Previous E.O. .... 4-209
  Documents Prepared for Foreign Governments .... 10-304
  Downgrading or Declassification Actions .... 4-216
  Foreign Government Classified Material .... 10-302
  General .... 4-200
  Hardware, Output, and Media .... 8-306
  Inadvertent Release .... 4-218
  Identification Markings .... 4-202
  Intelligence Information .... 9-303
  Marking Requirements for Information and Material .... 4-201
  Markings for Derivatively Classified Documents .... 4-208
    “Derived From” .... 4-208a
    “Declassify On” Line .... 4-208b
    “Downgrade to” Line .... 4-208c
    “Classified by” Line and “Reason Classified” Line .... 4-208d
  Miscellaneous Material .... 4-214
  NATO Information .... 10-709
  Overall Markings .... 4-203
  Page Markings .... 4-204
  Portion Markings .... 4-206
  Reproductions .... 5-602
  RD/FRD .... 9-108
  Special Types of Material .... 4-210
    Files, Folders or Groups of Documents .... 4-210a
    E-mail and other Electronic Messages .... 4-210b
    Microforms .... 4-210c
    Translations .... 4-210d
  Subject and Title Marking .... 4-207
  Training Material .... 4-215
  Transmittal Documents .... 4-211
  Upgrading Actions .... 4-217
  U.S. Documents that Contain FGI .... 10-304
  Wholly Unclassified Material .... 4-212
  Working Papers .... 5-203b
Meetings
  Disclosure Authority .... 6-202
  General .... 6-200
  Government Sponsorship of Meetings .... 6-201
    Requests for Authorizations .... 6-201a
    Location of Meetings .... 6-201b
    Security Arrangements for Meetings .... 6-201c
  Requests to Attend Classified Meetings .... 6-203
Multiple Facility Organization
  Facility Clearance .... 2-108
  Disclosure in an MFO .... 5-504
  Personnel Clearances .... 2-200c
  Records Maintenance .... 2-111
NATO Information Security Requirements
  Access to NATO Classified Information By Foreign Nationals .... 10-707
  Accountability Records .... 10-717
  Classification Guidance .... 10-710
  Classification Levels .... 10-701
  Disposition .... 10-716
  Extracting from NATO Documents .... 10-719
  Further Distribution .... 10-711
  General .... 10-700
  Handcarrying .... 10-714
  International Transmission .... 10-713
  NATO Briefings .... 10-706
  NATO Contracts .... 10-703
  NATO Facility Clearance Certificate .... 10-704
  NATO Restricted .... 10-702
  PCL Requirements .... 10-705
  Preparing and Marking NATO Documents .... 10-709
  Release of U.S. Information to NATO .... 10-720
  Reproduction .... 10-715
  Security Violations and Loss, Compromise and Suspected Compromise .... 10-718
  Storage of NATO Documents .... 10-712
  Subcontracting for NATO Contracts .... 10-708
  Visits .... 10-721
    NPLO and NIAG Recurring Visits .... 10-720a
    Visitor Records .... 10-720b
NISP Authority .... 1-101
One-Person Facilities .... 1-203
Parent-Subsidiary Relationships
  Facility Clearance .... 2-109
  Disclosure .... 5-503
Perimeter Controls .... 5-103
Personnel Clearances
  Acceptable Proof of Citizenship .... 2-208
  Access Limitations of an LAA .... 2-210
  Common Adjudicative Standards .... 2-203
  Consultants .... 2-212
  Contractor-Granted Clearances .... 2-206
  General .... 2-200
  Interim PCLs .... 2-211
  Investigative Requirements .... 2-201
    SSBI .... 2-201a
    NACLC .... 2-201b
    Polygraph .... 2-201c
    Reinvestigation .... 2-201d
    Financial Disclosure .... 2-201e
  Limiting PCL Requests to Minimum .... 2-200d
  Multiple Facility Organization (MFO) .... 2-200c
  NATO .... 10-705
  Non-U.S. Citizens .... 2-209
  Pre-employment Clearance Action .... 2-205
  Procedures for Completing the Electronic Version of the SF 86 .... 2-202
  RD and FRD .... 9-104
  Reciprocity .... 2-204
  Verification of U.S. Citizenship .... 2-207
Purpose of Manual .... 1-100
Reporting Requirements
  Adverse Information .... 1-302a
  Change in Cleared Employee’s Status .... 1-302c
  Change in Storage Capability .... 1-302h
  Changed Conditions Affecting the FCL .... 1-302g
  Citizenship by Naturalization .... 1-302d
  Disposition of Classified Material Terminated from Accountability .... 1-302m
  Employee Information in Compromise Cases .... 1-302l
  Employees Desiring Not to Perform on Classified Work .... 1-302e
  Foreign Classified Contracts .... 1-302n
  General .... 1-300
    Reports Offered In Confidence .... 1-300a
    Privacy Act .... 1-300b
  Improper Receipt of Foreign Government Material .... 10-311
  Inability to Safeguard Classified Material .... 1-302i
  Improper Receipt of Foreign Government Information .... 10-311
  Individual Culpability Reports .... 1-304
  Reports of Loss, Compromise or Suspected Compromise .... 1-303
    Preliminary Inquiry .... 1-303a
    Initial Report .... 1-303b
    Final Report .... 1-303c
  Reports to be Submitted to the FBI .... 1-301
  Security Equipment Vulnerabilities .... 1-302j
  Standard Form (SF) 312 .... 1-302f
  Suspicious Contacts .... 1-302b
  Unauthorized Receipt of Classified Material .... 1-302k
Reproduction
  General .... 5-600
  Foreign Government Information .... 10-309
  Limitations .... 5-601
  Marking Reproductions .... 5-602
  NATO .... 10-715
  Records .... 5-603
Restricted Areas .... 5-305
Restricted Data and Formerly Restricted Data
  Access Limitations .... 2-211a
  Authority and Responsibilities .... 9-101
  Challenges to RD/FRD Classification .... 9-107
  Classification .... 9-105
  Declassification .... 9-106
  General .... 9-100
  International Requirements .... 9-103
  Marking .... 9-108
    Front of the Document .... 9-108a
    Interior Page .... 9-108b
    Other Caveats .... 9-108c
  Personnel Security Clearances .... 9-104
  Unauthorized Disclosure .... 9-102
Retention
  General .... 5-700
  Responsibilities (Completion of the Subcontract) .... 7-103
  Retention of Classified Documents Generated Under IR Efforts .... 11-304
  Retention of Classified Material .... 5-701
  Termination of Security Agreement .... 5-702
Safeguarding Oral Discussions .... 5-101
Safeguarding Classified Intelligence Information .... 9-304
Scope of Manual .... 1-102
Security Cognizance .... 1-104
Security Reviews .... 1-206
  Contractor Review .... 1-206b
  Government Reviews .... 1-206a
Security Training and Briefings .... 1-205
Standard Practice Procedures .... 1-202
Storage and Storage Equipment
  Automated Access Control Systems .... 5-313
  Changing Combinations .... 5-309
  Closed Areas .... 5-305
  CONFIDENTIAL Storage .... 5-304
  Electronic, Mechanical, or Electro-mechanical Devices .... 5-314
  General .... 5-300
  GSA Storage Equipment .... 5-301
  Protection of Combinations to Security Containers, Cabinets, Vaults and Closed Areas .... 5-308
  Repair of Approved Containers .... 5-311
  Restricted Areas .... 5-305
  SECRET Storage .... 5-303
  Storage and Control Foreign Government Information .... 10-306
  Storage of NATO Documents .... 10-712
  Supervision of Keys and Padlocks .... 5-310
  Supplanting Access Control Systems or Devices .... 5-312
  Supplement Protection .... 5-307
  TOP SECRET Storage .... 5-302
Subcontracting
  COMSEC Work .... 9-407
  Defense Technical Information Center (DTIC) Subcontracts .... 11-206
  Foreign Government Information .... 10-312
  General .... 7-100
  Notification of Unsatisfactory Conditions .... 7-104
  Responsibilities .... 7-101
    Determine the Security Requirements of the Subcontract .... 7-101a
    Determine Clearance Status of Prospective Subcontractors .... 7-101b
  Responsibilities (Completion of the Subcontract) .... 7-703
  Security Classification Guidance .... 7-102
Technology Control Plan (TCP)
  Foreign Nationals .... 10-509
  FOCI .... 2-307
Tempest
  Cost .... 11-102
  General .... 11-100
  TEMPEST Requirements .... 11-101
Transmission
  Addressing Classified Material .... 5-406
  Classified Material to Employees Abroad .... 10-603
  CNWDI .... 9-205
  CONFIDENTIAL Transmission by Commercial Carrier .... 5-409
  CONFIDENTIAL Transmission Outside a Facility .... 5-404
  Foreign Government Information Transfers .... 10-308
  Functions of an Escort .... 5-413
  General .... 5-400
  International Transfers .... 10-401
  NATO International Transmissions .... 10-713
  Preparation and Receipting .... 5-401
  SECRET Transmission Outside a Facility .... 5-403
  SECRET Transmission by Commercial Carrier .... 5-408
  Technical Data Pursuant to an ITAR Exemption Transfers .... 10-402
  TOP SECRET Transmission Outside a Facility .... 5-402
  Transmission of Classified Material to Employees Abroad .... 10-603
  Transmission Outside the U.S. and its Territorial Areas .... 5-405
  Transmission Within a Facility .... 5-407
  Use of Commercial Passenger Aircraft for Transmitting Classified Material .... 5-411
    Routine Processing .... 5-411a
    Special Processing .... 5-411b
    Authorization Letter .... 5-411c
  Use of Couriers, Handcarriers, and Escorts .... 5-410
  Use of Escorts for Classified Shipments .... 5-412
Vaults
  Construction Requirements .... 5-802
  General .... 5-800
  Supplemental protection .... 5-307
Violations
  Individual Culpability Reports .... 1-304
  NATO Information .... 10-718
  Reports of Loss, Compromise, or Suspected Compromise .... 1-303
Visits
  Classified Visits .... 6-101
  Foreign Visits .... 10-200c
  Foreign Visitor Records .... 10-507c
  General .... 6-100
  International Visits to Subsidiaries .... 10-507f
  Long-Term Visitors .... 6-105
  NATO Visits .... 10-721
  Need-To-Know Determination .... 6-102
  Visit Authorization .... 6-104
  Visits Abroad by U.S. Contractors .... 10-506
  Visits by Government Representatives .... 6-103
Waivers and Exceptions to this Manual .... 1-107

TABLE OF CONTENTS

Foreword
Table of Contents
References
AL1. Acronyms

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS
Section 1. Introduction
  1-100. Purpose
  1-101. Authority
  1-102. Scope
  1-103. Agency Agreements
  1-104. Security Cognizance
  1-105. Composition of Manual
  1-106. Manual Interpretations
  1-107. Waivers and Exceptions to this Manual
Section 2. General Requirements
  1-200. General
  1-201. Facility Security Officer (FSO)
  1-202. Standard Practice Procedures
  1-203. One-Person Facilities
  1-204. Cooperation with Federal Agencies and Officially Credentialed Representatives of Those Agencies
  1-205. Security Training and Briefings
  1-206. Security Reviews
  1-207. Hotlines
  1-208. Classified Information Procedures Act (CIPA)
Section 3. Reporting Requirements
  1-300. General
  1-301. Reports to be Submitted to the FBI
  1-302. Reports to be Submitted to the CSA
  1-303. Reports of Loss, Compromise, or Suspected Compromise
  1-304. Individual Culpability Reports

CHAPTER 2. SECURITY CLEARANCES
Section 1. Facility Clearances
  2-100. General
  2-101. Reciprocity
  2-102. Eligibility Requirements
  2-103. Processing the FCL
  2-104. PCLs Required in Connection with the FCL
  2-105. PCLs Concurrent with the FCL
  2-106. Exclusion Procedures
  2-107. Interim FCLs
  2-108. Multiple Facility Organizations (MFOs)
  2-109. Parent-Subsidiary Relationships
  2-110. Termination of the FCL
  2-111. Records Maintenance
Section 2. Personnel Security Clearances
  2-200. General
  2-201. Investigative Requirements
  2-202. Procedures for Completing the Electronic Version of the SF 86
  2-203. Common Adjudicative Standards
  2-204. Reciprocity
  2-205. Pre-employment Clearance Action
  2-206. Contractor-Granted Clearances
  2-207. Verification of U.S. Citizenship
  2-208. Acceptable Proof of Citizenship
  2-209. Non-U.S. Citizens
  2-210. Access Limitations of an LAA
  2-211. Interim PCLs
  2-212. Consultants
Section 3. Foreign Ownership, Control, or Influence (FOCI)
  2-300. Policy
  2-301. Factors
  2-302. Procedures
  2-303. FOCI Action Plans
  2-304. Citizenship of Persons Requiring PCLs
  2-305. Qualifications of Trustees, Proxy Holders, and Outside Directors
  2-306. GSC
  2-307. TCP
  2-308. Annual Review and Certification
  2-309. Limited FCL
  2-310. Foreign Mergers, Acquisitions and Takeovers and the Committee on Foreign Investment in the United States (CFIUS)

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS
Section 1. Security Training and Briefings
  3-100. General
  3-101. Training Materials
  3-102. FSO Training
  3-103. Government-Provided Briefings
  3-104. Temporary Help Suppliers
  3-105. Classified Information Nondisclosure Agreement (SF 312)
  3-106. Initial Security Briefings
  3-107. Refresher Training
  3-108. Debriefings

CHAPTER 4. CLASSIFICATION AND MARKING
Section 1. Classification
  4-100. General
  4-101. Original Classification
  4-102. Derivative Classification Responsibilities
  4-103. Security Classification Guidance
  4-104. Challenges to Classification
  4-105. Contractor Developed Information
  4-106. Classified Information Appearing in Public Media
  4-107. Downgrading or Declassifying Classified Information
Section 2. Marking Requirements
  4-200. General
  4-201. Marking Requirements for Information and Material
  4-202. Identification Markings
  4-203. Overall Markings
  4-204. Page Markings
  4-205. Component Markings
  4-206. Portion Markings
  4-207. Subject and Title Markings
  4-208. Markings for Derivatively Classified Documents
  4-209. Documents Generated Unde