(a) General. Pursuant to this rule, Security Executive Agent Directive (SEAD) 3, (available at: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-Reporting-U.pdf) and CSA-provided guidance to supplement unique CSA mission requirements, contractors and their cleared employees are required to:

(1) Report certain events that may have an effect on the status of the entity's or an employee's eligibility for access to classified information; report events that indicate an insider threat to classified information or to employees with access to classified information; report events that affect proper safeguarding of classified information; and report events that indicate classified information has been, or is suspected to be, lost or compromised.

(2) Establish internal procedures to ensure employees with eligibility for access to classified information are aware of their responsibilities for reporting pertinent information to the FSO. The contractor will:

(i) Provide reports to the FBI, or other Federal authorities as required by this rule, the terms of a classified contract or other agreement, and by U.S. law.

(ii) Provide complete information to enable the CSA to ascertain whether classified information is adequately protected.

(iii) Submit reports to the FBI, the CSA, or the ISOO as specified in paragraphs (b), (c), and (g) of this section.

(3) Appropriately mark reports containing classified information in accordance with § 117.14.

(4) Clearly mark a report containing information submitted in confidence as containing that information. When reports contain information pertaining to an individual, 5 U.S.C. 552a (also known as and referred to in this rule as “The Privacy Act of 1974, as amended,”) permits the withholding of certain information from the individual in accordance with specific exemptions, which include authority to withhold release of information to the extent that the disclosure of the information would reveal the identity of a source who furnished the information to the USG under an express promise that the identity of the source would be held in confidence.

(b) Reports to be submitted to the FBI. The contractor will promptly submit a written report to the nearest field office of the FBI regarding information coming to the contractor's attention concerning actual, probable, or possible espionage, sabotage, terrorism, or subversive activities at any of its locations.

(1) An initial report may be made by phone, but it must be followed up in writing (e.g., email or formal correspondence), regardless of the FBI's disposition of the report.

(2) The contractor will promptly notify the CSA when they make a report to the FBI and provide the CSA a copy of the written report.

(c) Reports to be submitted to the CSA—(1) Adverse information. Contractors are required to report adverse information coming to their attention concerning any of their employees determined to be eligible for access to classified information, in accordance with this rule, SEAD 3, and CSA-provided guidance. Contractors will not make reports based on rumor or innuendo.

(i) The termination of employment of an employee does not negate the requirement to submit this report. If a contractor employee is assigned to a USG location, the contractor will furnish a copy of the report and its final disposition to the USG security point of contact for that location.

(ii) Pursuant to Becker v. Philco, 372 F.2d 771 (4th Cir. 1967), cert. denied 389 U.S. 979 (1967), and subsequent cases, a contractor may not be liable for defamation of an employee because of communications that are required of and made by a contractor to an agency of the United States under the requirements of this rule or under the terms of applicable contracts.

(2) Suspicious contacts. Contractors will report information pertaining to suspicious contacts with employees determined to be eligible for access to classified information, and pertaining to efforts to obtain illegal or unauthorized access to the contractor's cleared facility by any means, including:

(i) Efforts by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information.

(ii) Efforts by any individual, regardless of nationality, to elicit information from an employee determined eligible for access to classified information, and any contact which suggests the employee may be the target of an attempted exploitation by an intelligence service of another country. See SEAD 3 for specific information to be reported.

(3) Change in status of employees determined eligible for access to classified information. Contractors will report by means of the CSA-designated reporting mechanism information pertaining to changes in status of employees determined eligible for access to classified information such as:

(i) Death.

(ii) Change in name.

(iii) Termination of employment.

(iv) Change in citizenship.

(4) Citizenship by naturalization. Contractors will report if a non-U.S. citizen employee granted an LAA becomes a citizen through naturalization. The report will include:

(i) City, county, and state where naturalized.

(ii) Date naturalized.

(iii) Court.

(iv) Certificate number.

(5) Employees desiring not to be processed for a national security eligibility determination or not to perform classified work. Contractors will report instances when an employee no longer wishes to be processed for a determination of eligibility for access to classified information or to continue having access to classified information, and the reason for that request.

(6) Classified information nondisclosure agreement (NDA). Contractors will report the refusal by an employee to sign the SF 312, “Classified Information Nondisclosure Agreement,” (available at: https://www.gsa.gov/cdnstatic/SF312-13.pdf?forceDownload=1) or other approved NDA.

(7) Changed conditions affecting the contractor's eligibility for access to classified information. Contractors are required to report certain events that affect the status of the entity eligibility determination (e.g., FCL), affect the status of an employee's PCL, may indicate an employee poses an insider threat, affect the proper safeguarding of classified information, or indicate classified information has been lost or compromised, including:

(i) Change of ownership or control of the contractor, including stock transfers that affect control of the entity.

(ii) Change of operating name or address of the entity or any of its locations determined eligible for access to classified information.

(iii) Any change to the information previously submitted for KMP including, as appropriate, the names of the individuals the contractor is replacing. A new complete KMP listing need be submitted only at the discretion of the contractor or when requested by the CSA. The contractor will provide a statement indicating:

(A) Whether the new KMP are cleared for access to classified information, and if cleared, to what level they are cleared and when they were cleared, their dates and places of birth, social security numbers, and citizenship.

(B) Whether they have been excluded from access to classified information in accordance with § 117.7(b)(5)(ii).

(C) Whether they have been temporarily excluded from access to classified information pending the determination of eligibility for access to classified information in accordance with § 117.9(g).

(iv) Any action to terminate business or operations for any reason, imminent adjudication or reorganization in bankruptcy, or any change that might affect the validity of the contractor's eligibility for access to classified information.

(v) Any material change concerning the information previously reported concerning foreign ownership, control, or influence (FOCI). This report will be made by the submission of an updated SF 328, “Certificate Pertaining to Foreign Interests,” in accordance with CSA-provided guidance. When submitting this information, it is not necessary to repeat answers that have not changed. When entering into discussion, consultations, or agreements that may reasonably lead to effective ownership or control by a foreign interest, the contractor will report the details to the CSA in writing. If the contractor has received a Schedule 13D from the investor, the contractor will forward a copy with the report.

(8) Changes in storage capability. The contractor will report any changes in their storage requirement or capability to safeguard classified material.

(9) Inability to safeguard classified material. The contractor will report any emergency situation that renders their location incapable of safeguarding classified material as soon as possible.

(10) Unsatisfactory conditions of a prime or subcontractors. (i) Prime contractors, including subcontractors who have in turn subcontracted work, will report any information coming to their attention that may indicate that classified information cannot be adequately protected by a subcontractor, or other circumstances that may impact the validity of the eligibility for access to classified information of any subcontractors.

(ii) Subcontractors will report any information coming to their attention that may indicate that classified information cannot be adequately protected or other circumstances that may impact the validity of the eligibility for access to classified information of their prime contractor.

(11) Dispositioned material previously terminated. The contractor will make a report when the location or disposition of material previously terminated from accountability is subsequently discovered and brought back into accountability.

(12) Foreign classified contracts. Contractors will report any pre-contract negotiation or award not placed through a CSA or U.S. GCA that involves, or may involve:

(i) The release or disclosure of U.S. classified information to a foreign interest.

(ii) Access to classified information furnished by a foreign interest.

(13) Reporting of improper receipt of foreign government material. The contractor will report to the CSA the receipt of classified material from foreign interests that is not received through USG channels.

(14) Reporting by subcontractor. Subcontractors will also notify their prime contractors if they make any reports to their CSA in accordance with the provisions of paragraphs (c)(7) through (c)(10) of this section.

(d) Reports of loss, compromise, or suspected compromise. The contractor will report any loss, compromise, or suspected compromise of classified information, U.S. or foreign, to the CSA in accordance with paragraph (d)(1) through (d)(3) of this section. Each CSA may provide additional guidance concerning the reporting time period. If the contractor is located on a USG facility, the contractor will submit the report to the CSA and to the head of the USG facility.

(1) Preliminary inquiry. Immediately upon receipt of a security violation report involving classified information, the contractor will initiate a preliminary inquiry to ascertain all of the circumstances surrounding the presumed loss, compromise, or suspected compromise, including validation of the classification of the information.

(2) Initial report. If the contractor's preliminary inquiry confirms that a loss, compromise, or suspected compromise of any classified information occurred, the contractor will promptly submit an initial report of the incident unless otherwise notified by the CSA.

(3) Final report. When the investigation has been completed, the contractor will submit a final report to the CSA which, in turn, will follow CSA procedures to notify the applicable GCA. The report will include:

(i) Material and relevant information that was not included in the initial report.

(ii) The full name and social security number of the individual or individuals primarily responsible for the incident, including a record of prior loss, compromise, or suspected compromise for which the individual had been determined responsible.

(iii) A statement of the corrective action taken to preclude a recurrence.

(iv) Disciplinary action taken against the responsible individual or individuals, if any.

(v) Specific reasons for reaching the conclusion that loss, compromise, or suspected compromise occurred or did not occur.

(4) Employee information in compromise cases. When requested by the CSA, the contractor will report information concerning an employee or other individual, determined to be responsible for the incident, when the information is needed by the CSA for the loss, compromise, or suspected compromise of classified information.

(e) Individual culpability reports. Contractors will establish and enforce policies that provide for appropriate administrative or disciplinary actions taken against employees who violate the requirements of this rule.

(1) Contractors will establish a system to manage and track information regarding employees with eligibility for access to classified information who violate the requirements of this rule in order to be able to identify patterns of negligence or carelessness, or to identify a potential insider threat.

(2) Contractors will establish and apply a graduated scale of administrative and disciplinary actions in the event of employee security violations or negligence in the handling of classified information. CSAs may provide guidance to contractors with examples of administrative or disciplinary actions that the contractor may consider implementing in the event of employee violations or negligence. Contractors are required to submit a final report to the CSA with the findings of an employee's culpability and what corrective actions were taken.

(3) Contractors will include a statement of the administrative or disciplinary actions taken against an employee in a final report to the CSA. A statement must be included when the individual responsible for a security violation can be determined. Contractors' final reports will indicate whether one or more of the following factors are evident:

(i) Involved a deliberate disregard of security requirements.

(ii) Involved negligence in the handling of classified material.

(iii) Was not deliberate in nature but reflects a recent or recurring pattern of questionable judgment, irresponsibility, negligence, or carelessness.

(f) CDC cyber incident reports. This paragraph applies only to CDCs and sets forth reporting requirements pursuant to 10 U.S.C. 391 and 393 and Defense Federal Acquisition Regulation Supplement Clause 252.204-7012. The reporting requirements of paragraph (f) of this section are in addition to the requirements in paragraphs (b) and (d) of this section, which can include certain activities occurring on unclassified information systems. DoD will provide detailed reporting instructions for contractors affected by these references via industrial security letter in accordance with DoDI 5220.22.

(1) Reports to be submitted to the designated DoD CSO. CDCs will immediately report to the DoD CSO, any cyber incident on a classified covered information system that has been approved by that CSO to process classified information.

(i) At a minimum, the report will include:

(A) A description of the technique or method used in the cyber incident.

(B) A sample of the malicious software involved in the cyber incident, if discovered and isolated by the CDC,

(C) A summary of information in connection with any DoD program that has been potentially compromised due to the cyber incident.

(ii) Information that is reported by the CDC (or derived from information reported by the CDC) will be safeguarded, used, and disseminated in a manner consistent with DoD procedures governing the handling of such information pursuant to Public Law 112-239 and 10 U.S.C. 391.

(iii) Reports involving classified foreign government information will be reported to the Director, Defense Technology Security Administration (DoD).

(2) Reports on non-Federal information systems not authorized to process classified information. CDCs will report cyber incidents on non-Federal, unclassified information systems in accordance with contract requirements.

(3) Access to equipment and information by DoD personnel. (i) The CDC will allow, upon request by DoD personnel, access by DoD personnel to additional equipment or information of the CDC that is necessary to conduct forensic analysis of reportable cyber incidents in addition to any analysis conducted by the CDC.

(ii) The CDC is only required to provide DoD access to equipment or information to determine whether information created by or for DoD in connection with any DoD program was successfully exfiltrated from a CDC's network or information system, and what information was exfiltrated from the CDC's network or information system.

(g) Reports to ISOO. (1) Contractors will report instances of redundant or duplicative security review and audit activity by the CSAs to the Director, ISOO, for resolution.

(2) Contractors will report instances of CSAs duplicating processing to determine an entity's eligibility for access to classified information when there is an existing determination of an entity's eligibility for access to classified information by another CSA.