As we continue the series of articles on the
self-inspection, we should understand that FSOs or designated inspecting officers may find themselves
addressing “Elements of Inspection” that are common to ALL cleared companies
participating in the NISP. Still, there are other topics that do not apply, but
the opportunity to learn something new applies. There are a few more elements
that might be applied at unique cleared facilities, but FSOs in those situations can adapt these articles
to those specific needs. As a recap, according to DSS’ The Self-Inspection Handbook for NISP
Contractors, the five elements that pertain to ALL cleared defense contractors
are:
(A)
Facility Security Clearance (FCL)
(B)
Access Authorizations
(D)
FOCI
(E)
Classification
Though not applicable to all cleared contractors, subcontracting
is covered in NISPOM. This article will address the requirements of the
subcontracting and how to set up both the prime and sub for success. The following are questions from the
self-inspection handbook and how to address them.
Are all required actions completed prior to release or disclosure
of classified information to sub-contractors?
An FSO might get direction by referring directly to the DD Form
254. Since it’s called the Contract Security Classification Specification, it
should be used for the prime to direct classified work requirements and the sub
to prepare their cleared employee and facility to perform. Items 10 and 11
provide performance and access information required of the subcontractor. These
yes or no questions will outline expectations. Will the sub-contractor be
expected to use COMSEC equipment, operate a SCIF, or create classified
documents? If so, there are some subtasks required during preparation. For
example, if the prime expects the sub to perform classified work on site,
appropriate storage space, designated or dedicated work areas, information
systems, and etc. should be approved, certified and accredited in time to meet
performance requirements.
Are the clearance status and safeguarding capability of all
subcontractors determined as required?
The cleared contractor should identify work requirements in the DD
Form 254 to include storage level, where classified work will be performed,
access requirements, and security guidance expected to be flowed down to the
subcontractor. The DD Form 254 should be provided with the statement of work,
contract, request for quote and etc. Iis the nexus of work, preparation, and
expectations required of the sub and it allows the sub to cost the work performance.
This documented performance requirement ranges from simply requiring a facility
clearance with no storage capability to provide cleared employees to perform
off site to classified storage capability to receive and generate classified
information on site.
The DD Form 254 should trigger some actions by the prime
contractor. For example, in block 11, the prime informs the subcontractor
whether or not they will need to access classified information on-site. Prior to the subcontracting effort, the prime
contractor should make that determination and flow requirements to the
sub-contractor. The prime contractor should show due diligence that they vetted
and awarded the classified contract to a subcontractor who is able or will be
able to protect classified information or otherwise perform on classified
contracts per NISPOM when the performance requirements begin.
Do requests for facility clearance or safeguarding include the
required information?
If the winning subcontractor is not currently cleared, the prime
will have to jump into action to sponsor them (see how this is done) for a facility security clearance (FCL). This
requires the prime to be proactive as they must solicit the cognizant security
agency (usually Defense Security Services (DSS) for the Department of Defense)
on behalf of the sub-contractor and provide rationale for the FCL. This rationale should include any safeguarding requirements
and description of classified work required in the contract. The rationale
should also include all factors to help DSS determine whether or not the
subcontractor meets NISPOM requirements.
Though the sub can prepare administrative actions such as compiling and
completing required documents and certificates, the sub-contractor cannot
request their own clearance.
If your company is a prime contractor, have you incorporated
adequate security classification guidance into each classified subcontract?
This is where blocks 13 and 14 really count. According to the
DSS’s Guide For Preparing a DD Form 254,
block 13 should not just be a list of requirements documentation. Prime
contractors should not just write, “protect all classified information
according to NISPOM” or similar vague instruction. This area should be used to
provide explicit information to help the subcontractor understand the nuances
of protecting classified information according to the contract. To be specific,
exact protection language should be incorporated here. If reference documents
are used, such as security classification guides, statements of work, or other
requirements items, the prime should list the document name, page number and
exact language. This also includes any source documents as attachments to the
DD Form 254 or delivered separately. The point is that blocks 13 should include
specific security language to protect contract specific classified information.
If there are any security requirements that go above and beyond
the NISPOM, these should be listed in Block 14. These also require prior
approval from the government contracting activity.
Are original Contract Security Classification Specifications (DD
254) included with each classified solicitation?
This is a fair and accurate way to get the message across that any
contractor that bids on the classified contract understands the requirements to
protect the classified information. The DD Form 254 is a legally binding
contractual document and the subcontractor will be required to perform to the
contract specification. This requires the prime contractor to present the
expected work outright in the statement of work and the DD Form 254.
If your company is a prime contractor, have you obtained approval
from the GCA for subcontractor retention of classified information associated
with a completed contract?
If the prime contractor expects to deliver 2000 classified
documents or expects the sub-contractor to generate and or store classified
information on site, the prime will need to secure approval from the Government
Contracting Activity. Then the prime will flow approval and protection
requirements down to the sub-contractor. Among other uses, this approval
provides the GCA with assurance that the classified information is offered the
same level of protection as required at the prime contractor cleared facility.
The sub in return will receive the protection specifications and prepare the
storage and work performance compliance and prepare to receive them.
The FSO or self-inspecting official should look at all DD Form 254s generated by the cleared facility. They should validate that each is issued properly while seeking a demonstration of answers to each question.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing
Red Bike Publishing .
He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures.
He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".