(a) Original classification. Only a USG official designated or delegated the authority in writing can make an original classification decision.

(1) An OCA classifies information pursuant to E.O. 13526 and 32 CFR part 2001, designates and marks it as TOP SECRET, SECRET, or CONFIDENTIAL, and, except as provided by statute, may use no other terms to identify classified information.

(2) The designation UNCLASSIFIED is used to identify information that does not meet the criteria for classification in accordance with E.O. 13526. In accordance with 32 CFR 2002, CUI implementing guidance (including the Marking Handbook) and any GCA-provided guidance, CUI commingled with classified information must be marked as CUI to alert users to its presence and sensitivity. The CUI regulation, guidance, and handbook are available at: https://www.archives.gov/cui.

(b) Derivative classification. (1) Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified. They must mark the newly developed material consistently with the classification markings that apply to the source information.

(2) Derivative classification is the classification of information based on guidance from an OCA, which may be either a properly marked source document or a current security classification guide provided by a GCA in accordance with E.O. 13526. The duplication or reproduction of existing classified information is not derivative classification.

(3) A source document that does not contain portion markings, due to an ISOO-approved waiver, must contain a warning statement that it may not be used as a source for derivative classification in accordance with 32 CFR 2001.24(k)(4).

(4) Classified information in email messages is marked pursuant to E.O. 13526 and 32 CFR part 2001. If an email is transmitted on a classified system, includes a classified attachment, and contains no classified information within the body of the email itself, the email serves as a transmittal document and is not a derivatively classified document. The email's overall classification must reflect the highest classification level present in the attachment.

(c) Derivative classification responsibilities. Contractors will provide employees with pertinent classification guidance to fulfill their derivative classification responsibilities. All contractor employees authorized to make derivative classification decisions will:

(1) Mark the face of each derivatively classified document with a classification authority block that includes the employee's name and position or personal identifier, the entity name, and when applicable, the division or the branch.

(2) Observe and respect original classification decisions.

(3) Carry forward the pertinent classification markings to any newly created documents. For information derivatively classified based on multiple sources, the derivative classifier will carry forward:

(i) The date or event for declassification that corresponds to the longest period of classification among the sources.

(ii) A listing of the source materials.

(4) Be trained, in accordance with § 117.12(h), in the proper application of the derivative classification principles at least once every two years.

(5) Whenever possible, use a classified addendum if classified information constitutes a small portion of an otherwise unclassified document.

(d) Security classification guidance. (1) Contractors should be aware the GCA will:

(i) Incorporate appropriate security requirement clauses in a classified contract, IFB, RFP, RFQ, or all solicitations leading to a classified contract.

(ii) Provide the contractor with the security classification guidance needed during performance of the contract.

(iii) Provide this guidance to the contractor in the contract security classification specification, or equivalent.

(2) The contract security classification specification, or equivalent, must identify the specific elements of classified information involved in the contract that require security protection.

(3) At the discretion of the CSA, contractors may, to the extent possible, advise and assist in the development and any updates to or any revisions to the contract security classification specification, or equivalent.

(4) The contractor will comply with all aspects of the classification guidance.

(i) Users of classification guides are encouraged to notify the originator of the guide when they acquire information that suggests the need for change in the instructions contained in the guide.

(ii) Classification guidance is the exclusive responsibility of the GCA, and the final determination of the appropriate classification for the information rests with that activity. The contract security classification specification, or equivalent, is a contractual specification necessary for the performance of a classified contract. Challenges to classification status are in paragraph (e) in this section.

(iii) If the contractor receives a classified contract without a contract security classification specification, or equivalent, the contractor will notify the GCA. If the GCA does not respond with the appropriate contract security classification specification, or equivalent, the contractor will notify the CSA.

(5) Upon completion of a classified contract, the contractor must return all USG provided or deliverable information to the custody of the USG.

(i) If the GCA does not advise to the contrary, the contractor may retain copies of the USG material for a period of two years following the completion of the contract. The contract security classification specification, or equivalent, will continue in effect for this two-year period.

(ii) If the GCA determines the contractor has a continuing need for the copies of the USG material beyond the two-year period, the GCA will issue a final contract security classification specification, or equivalent, for the classified contract and will include disposition instructions for the copies.

(e) Challenges to classification status. (1) The contractor will address challenges to classification status with the GCA and request remedy when:

(i) Information is classified improperly or unnecessarily.

(ii) Current security considerations justify downgrading to a lower classification level or upgrading to a higher classification level.

(iii) Security classification guidance is not provided, improper or inadequate.

(2) If the GCA does not provide a remedy, and the contractor still believes that corrective action is required, the contractor will make a formal written challenge to the GCA. The challenge will include:

(i) A description sufficient to identify the issue.

(ii) The reasons why the contractor thinks that corrective action is required.

(iii) Recommendations for appropriate corrective action.

(3) The contractor will safeguard the information as required for its assigned or proposed level of classification, whichever is higher, until action is completed.

(4) If the contractor does not receive a written answer from the GCA within 60 days, the contractor will request assistance from the CSA. If the contractor does not receive a response from the GCA within 120 days, the contractor may appeal the challenge to the Interagency Security Classification Appeals Panel through ISOO.

(5) The fact that a contractor has initiated such a challenge will not, in any way, serve as a basis for adverse action against the contractor by the USG. If a contractor believes that adverse action did result from a classification challenge, the contractor will promptly furnish full details to ISOO for resolution.

(f) Contractor developed information. Whenever a contractor develops an unsolicited proposal or originates information not in the performance of a classified contract, the provisions of this paragraph apply.

(1) If the information was previously identified as classified, it will be classified according to an appropriate classification guide, or source document, and appropriately marked.

(2) If the information was not previously classified, but the contractor believes the information may or should be classified, the contractor will:

(i) Protect the information as though classified at the appropriate level.

(ii) Submit the information to the agency that has an interest for a classification determination. In such cases, clearly mark the material “CLASSIFICATION DETERMINATION PENDING; Protect as either TOP SECRET, SECRET, or CONFIDENTIAL.” This marking will appear conspicuously at least once on the material but no further markings are necessary until a classification determination is received.

(iii) Not be precluded from marking such material as entity-private or entity-proprietary information, unless the material was based upon information obtained from prior deliverables to the USG or was developed from USG material.

(iv) Protect the information pending a final classification determination. The information may be CUI, if it is not classified. Only information that is owned by, produced by, produced for, or is under the control of the USG can be classified in accordance with E.O. 13526.

(3) To be eligible for classification:

(i) The information must incorporate classified information to which the contractor was given prior access.

(ii) The information must be partially or wholly owned by, produced by or for, or under the control of the USG.

(4) 10 CFR 1045.21 includes provisions for the DOE with regard to privately generated RD, whereby the DOE may classify such information in accordance with the AEA.

(g) Improperly released classified information appearing in public media. Improperly released classified information is not automatically declassified. When classified information has been improperly released, and even when that classified information has become publicly available, contractors will:

(1) Continue to protect the information at the appropriate classification level until formally advised to the contrary by the GCA.

(2) Bring any questions about the propriety of continued classification in these cases to the immediate attention of the GCA.

(3) Notify the applicable CSA if an employee downloads the improperly released classified information to determine how to resolve a data spill.

(h) Downgrading or declassifying classified information. Information is downgraded or declassified based on the loss of sensitivity of the information due to the passage of time or on occurrence of a specific event. Downgrading or declassifying actions constitute implementation of a directed action based on a review by either the OCA or the USG-designated classification authority. Declassification is not an approval for public disclosure.

(1) Downgrading. Contractors will refer information for classification or downgrade to the GCA based on the guidance provided in a contract security classification specification, or equivalent, or upon formal notification.

(2) Declassification. Contractors are not authorized to implement downgrading or declassification instructions even when the material is marked for automatic downgrading or declassification. If the material is marked for automatic declassification and the contractor notes that the date or event for the automatic declassification has occurred, the contractor will seek guidance from the GCA.

(i) RD, FRD, and TFNI. Protection requirements for RD, FRD, and TFNI are pursuant to § 117.23(e). Information about classification and declassification of RD, FRD, or TFNI documents is in § 117.23(e)(5).