(a) General. Contractors will protect all classified information that they are provided access to or that they possess. This responsibility applies at both contractor and USG locations.

(b) Contractor Security Officials. Contractors will appoint security officials who are U.S. citizens, except in exceptional circumstances (see § 117.9(m) and § 117.11(e)).

(1) Appointed security officials listed in paragraphs (b)(2), (b)(3), and (b)(4) of this section must:

(i) Oversee the implementation of the requirements of this rule. Depending upon the size and complexity of the contractor's security operations, a single contractor employee may serve in more than one position.

(ii) Undergo the same security training that is required for all other contractor employees pursuant to § 117.12, in addition to their position specific training.

(iii) Be designated in writing with their designation documented in accordance with CSA guidance.

(iv) Undergo a personnel security investigation and national security eligibility determination for access to classified information at the level of the entity's eligibility determination for access to classified information (e.g., FCL level) and be on the KMP list for the cleared entity.

(2) SMO. The SMO will:

(i) Ensure the contractor maintains a system of security controls in accordance with the requirements of this rule.

(ii) Appoint a contractor employee or employees, in writing, as the FSO and appoint the same employee or a different employee as the ITPSO. The SMO may appoint a single employee for both roles or may appoint one employee as the FSO and a different employee as the ITPSO.

(iii) Remain fully informed of the facility's classified operations.

(iv) Make decisions based on classified threat reporting and their thorough knowledge, understanding, and appreciation of the threat information and the potential impacts caused by a loss of classified information.

(v) Retain accountability for the management and operations of the facility without delegating that accountability to a subordinate manager.

(3) FSO. The FSO will:

(i) Supervise and direct security measures necessary for implementing the applicable requirements of this rule and the related USG security requirements to ensure the protection of classified information.

(ii) Complete security training pursuant to § 117.12 and as deemed appropriate by the CSA.

(4) ITPSO. The ITPSO will establish and execute an insider threat program.

(i) If the appointed ITPSO is not also the FSO, the ITPSO will ensure that the FSO is an integral member of the contractor's insider threat program.

(ii) The ITPSO will complete training pursuant to § 117.12.

(iii) An entity family may choose to establish an entity family-wide insider threat program with one senior official appointed, in writing, to establish, and execute the program as the ITPSO. Each cleared entity using the entity-wide ITPSO must separately appoint that person as its ITPSO for that facility. The ITPSO will provide an implementation plan to the CSA for executing the insider threat program across the entity family.

(5) ISSM. Contractors who are, or will be, processing classified information on an information system located at the contractor facility will appoint an employee to serve as the ISSM. The ISSM must be eligible for access to classified information to the highest level of the information processed on the system(s) under their responsibility. The contractor will ensure that the ISSM is adequately trained and possesses technical competence commensurate with the complexity of the contractor's classified information system. The contractor will notify the applicable CSA if there is a change in the ISSM. The ISSM will oversee development, implementation, and evaluation of the contractor's classified information system program. ISSM responsibilities are in § 117.18.

(6) Employees performing security duties. Those employees whose official duties include performance of NISP-related security functions will complete security training tailored to the security functions performed. This training requirement also applies to consultants whose official duties include security functions.

(c) Other KMP. In addition to the SMO, the FSO, and the ITPSO, the contractor will include on the KMP list, subject to CSA concurrence, any other officials who either hold majority interest or stock in the entity, or who have direct or indirect authority to influence or decide issues affecting the management or operations of the contractor or issues affecting classified contract performance. The CSA may either:

(1) Require these KMP to be determined to be eligible for access to classified information as a requirement for the entity's eligibility determination or;

(2) Allow the entity to formally exclude these KMP from access to classified information. The entity's governing board will affirm the exclusion by issuing a formal action (see table), and provide a copy of the exclusion action to the CSA. The entity's governing board will document this exclusion action.

(d) Insider Threat Program. Pursuant to this rule and CSA provided guidance to supplement unique CSA mission requirements, the contractor will establish and maintain an insider threat program to gather, integrate, and report relevant and available information indicative of a potential or actual insider threat, consistent with E.O. 13587 and Presidential Memorandum “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.”

(e) Standard practice procedures. The contractor will implement all applicable provisions of this rule at each of its cleared facility locations. The contractor will prepare written procedures when the CSA determines them to be necessary to reasonably exclude the possibility of loss or compromise of classified information, and in accordance with additional CSA-provided guidance, as applicable.

(f) Cooperation with Federal agencies. Contractors will cooperate with Federal agencies and their officially credentialed USG or contractor representatives during official reviews, investigations concerning the protection of classified information, or personnel security investigations of present or former employees and others (e.g., consultants or visitors). At a minimum, cooperation includes:

(1) Providing suitable arrangements within the facility for conducting private interviews with employees during normal working hours;

(2) Providing, when requested, relevant employment or personnel files, security records, supervisory files, records pertinent to insider threat (e.g., security, cybersecurity, and human resources) and any other records pertaining to an individual under investigation that are, in the possession or control of the contractor or the contractor's representatives or located in the contractor's offices;

(3) Providing access to employment and security records that are located at an offsite location; and

(4) Rendering other necessary assistance.

(g) Security training and briefings. Contractors will advise all cleared employees, including those assigned to USG locations or operations outside the United States, of their individual responsibility for classification management and for safeguarding classified information. Contractors will provide security training to cleared employees consisting of initial briefings, refresher briefings, and debriefings in accordance with § 117.12.

(h) Security reviews—(1) USG reviews. The applicable CSA will conduct recurring oversight reviews of contractors' NISP security programs to verify that the contractor is protecting classified information and implementing the provisions of this rule. The contractor's participation in the security review is required for maintaining the entity's eligibility for access to classified information.

(i) Review cycle. The CSA will determine the scope and frequency of security reviews, which may be increased or decreased consistent with risk management principles.

(ii) Procedures. (A) The CSA will generally provide notice to the contractor of a forthcoming review, but may also conduct unannounced reviews at its discretion. The CSA security review may subject contractor employees and all areas and receptacles under the control of the contractor to examination.

(B) The CSA will make every effort to avoid unnecessary intrusion into the personal effects of contractor personnel.

(C) The CSA may conduct physical examinations of the interior space of containers not authorized to secure classified material. Such examinations will always be accomplished in the presence of a representative of the contractor.

(iii) Controlled unclassified information (CUI). 32 CFR part 2002 requires agencies to implement CUI requirements, but compliance with CUI requirements is outside the scope of the NISP and this rule. However, CSAs may conduct CUI assessments in conjunction with NISP USG reviews when:

(A) The contractor is a participant in the NISP based on a requirement to access classified information;

(B) A classified contract under the CSA's cognizance includes provisions for access to, or protection or handling of, CUI; and

(C) The CSA has provided the contractor with specific guidance regarding the assessment criteria and methodology it will use for overseeing protection of the CUI being accessed, stored or transmitted by the contractor as part of the classified contract.

(2) Contractor reviews. Contractors will review their security programs on a continuing basis and conduct a formal self-inspection at least annually and at intervals consistent with risk management principles.

(i) Self-inspections will include the review of the classified activity, classified information, classified information systems, conditions of the overall security program, and the insider threat program. They will have sufficient scope, depth, and frequency, and will have management support during the self-inspection and during remedial actions taken as a result of the self-inspection. Self-inspections will include the review of samples representing the contractor's derivative classification actions, as applicable.

(ii) The contractor will prepare a formal report describing the self-inspection, its findings, and its resolution of issues discovered during the self-inspection. The contractor will retain the formal report for CSA review until after the next CSA security review is completed.

(iii) The SMO at the cleared facility will annually certify to the CSA, in writing, that a self-inspection has been conducted, that other KMP have been briefed on the results of the self-inspection, that appropriate corrective actions have been taken, and that management fully supports the security program at the cleared facility in the manner as described in the certification.

(i) Contractors working at USG locations. Contractor employees performing work within the confines of a USG facility will safeguard classified information according to the procedures of the host installation or agency.

(j) Hotlines. Federal agencies maintain hotlines to provide an unconstrained avenue for USG and contractor employees to report, without fear of reprisal, known or suspected instances of security irregularities and infractions concerning contracts, programs, or projects. These hotlines do not supplant the contractor's responsibility to facilitate reporting and timely investigations of security issues concerning its operations or personnel. Contractor personnel are encouraged to report information through established contractor channels. The hotline may be used as an alternate means to report this type of information. Contractors will inform all personnel that hotlines may be used for reporting issues of national security significance. Each CSA will post hotline information and telephone numbers on their websites for contractor access.

(k) Agency agreements. 32 CFR part 2004 and E.O. 12829 require non-CSA agency heads to enter into agreements with the Secretary of Defense as the Executive Agent for the NISP to provide industrial security services. The Secretary of Defense may also enter into agreements to provide services for other CSA's in accordance with 32 CFR part 2004 and E.O. 12829. Agency agreements establish the terms of the Secretary of Defense's (or the Secretary of Defense's designee's) responsibilities when acting as the CSA on behalf of these agency heads. The list of agencies for which the Secretary of Defense has agreed to render industrial security services is on the DCSA website at https://www.dcsa.mil.

(l) Security cognizance. The CSA will inform contractors if oversight has been delegated to a CSO.

(m) Rule interpretations. Contractors will forward requests for interpretations of this rule to their CSA in accordance with their CSA-provided guidance to supplement unique CSA mission requirements.

(n) Waivers to this rule. Contractors will submit any requests to waive provisions of this rule in accordance with CSA procedures, which may include periodic review of approved waivers. When submitting a request for a waiver, the contractor will, in writing, explain why it is impractical or unreasonable for the contractor to comply with the requirement it is asking to waive, identify alternative measures as prescribed by this rule, and include a proposed duration for the waiver. The contractor cannot implement a waiver unless the waiver is approved by the applicable CSA.

(o) Complaints and suggestions. Contractors may forward NISP administration complaints and suggestions to the Director of ISOO. However, contractors are encouraged to forward NISP administration complaints and suggestions to their respective CSA prior to forwarding to the ISOO.