DD254 Training - PowerPoint PPT Presentation

Slides: 32
Provided by: ncmsemer

Transcript and Presenter's Notes

1
DD254 Training
Susan Deonarine Information Technology July 2007
2
Federal Regulations
  • Executive Order
  • Executive Order 10865, February 20, 1960
  • Executive Order 10909, January 17, 1961
  • Executive Order 12829, January 6, 1993
  • Executive Order 12958, October 13, 1995
  • Executive Order 13292, March 25, 2003
  • National Industrial Security Program
  • 28 February 2006
  • Federal Acquisition Regulation
  • Volume 1 Parts 1 to 51, March 2005
  • Volume 2 Parts 52, 53 and Index, March 2005

3
GCA Responsibilities
  • Pre-solicitation Phase
  • Determine if access to classified information may
    be required by offerors
  • Solicitation Phase
  • Ensure the classified acquisition is conducted as
    required by the NISP or agency procedures
  • Include an appropriate Security Requirements
    clause
  • Provide requirement for security safeguards
  • Award Phase
  • Inform contractors and subcontractors of the
    security classifications and requirements
  • Prepare and distribute the Contract Security
    Classification Specification, DD Form 254

4
DD254 ITS PURPOSE
  • Federal Acquisition Regulation (FAR) establishes
    relationship between Security and Contracts in
    the Presolicitation Phase
  • DD254 establishes authority to
  • Obtain personnel clearances
  • Hold classified materials
  • Send visit requests
  • Receive incoming visit requests
  • Issue subcontractors classified work
  • Security reviews the DD254 for
  • OPSEC requirements
  • Restrictions on computer processing
  • Cost for additional security support requirements
    (i.e., closed areas, guards, etc.)

5
DSS May Issue a Waiver to MFO Orgs
  • Authorizes wholly owned subsidiaries to function
    as Multiple Facility Organization (MFO).
  • The following applies to the waiver
  • Classified may only be exchanged among identified
    Wholly-owned cleared subsidiaries, and must be in
    support of a U.S. Government purpose.
  • The waiver DOES NOT authorize Top Secret,
    Special Access Program (SAP), Sensitive
    Compartmented Information (SCI), Restricted Data
    or COMSEC.
  • Classification guidance required to the Internal
    Company recipient facility (DD254 not necessary).
  • When required the facility must have the ability
    to identify classified provided under the waiver.

6
Issuing a Subcontract: Subcontractor Worksheet
  • Utilize the Subcontractor Worksheet
  • Work with your Technical Lead and your
    Subcontract Administrator.
  • Subcontract Administrator will determine the top
    part of the worksheet.
  • Technical Lead and Security will determine
  • Access Required
  • In Performance

7
Issuing work to another internal facility - IF an
approved MFO Waiver exists
  • Provide the template cover letter
  • Copy of the government or originally issued DD254
  • Associated Security Guidance

8
  • Facility Clearance (FCL) Requirements
  • Verify the FCL level using ISFD prior to issuing
  • It is not necessary to cite special category
    information (i.e., RD/CNWDI, SCI, etc.)
  • Remember, safeguarding level can be different
    from clearance level; if no storage will be
    required, mark 1b None
  • If 1b is marked None, 11a must be marked Yes

9
Your responsibilities to a Sub
  • If you issue a subcontract, when the contract ends
    you are responsible
  • to notify the subcontractor of contract close-out
  • determine if any material was received or
    generated during performance on the contract
  • and request retention on their behalf (if
    necessary) or assist to ensure appropriate
    disposition

10
Performing Locations
  • If actual performance is at another facility
  • Identify this in item 8
  • If more than one other location will be
    performing then
  • Identified in item 13
  • Send a copy of the DD254 to each of the
    responsible CSOs
  • Performance at customer sites should also be
    listed in item 13

11
Authorizing COMSEC access
  • COMSEC includes accountable or non-accountable
    COMSEC
  • If accountable COMSEC is involved (KYK, KIV,
    DTDs, etc) then mark item 11h yes
  • Prior GCA approval is required for a Prime to
    grant COMSEC access to a sub
  • It is NOT necessary to mark Yes for a
    subcontractor to utilize a STU or STE phone

12
Authorizing RD/FRD or CNWDI
RD (Restricted Data)
FRD (Formerly Restricted Data)
CNWDI (Critical Nuclear Weapon Design Information)
Very loose definition: data concerning the design,
manufacture of atomic and thermonuclear weapons
  • If access to RD is required mark 10b Yes
  • If CNWDI access is required you must mark 10c yes
    and 10 yes
  • Note
  • -CNWDI requires GCA approval prior to granting
    CNWDI access to subcontractors
  • -Prime FSOs are required to be briefed by the
    servicing CSO
  • If access to FRD is required mark Yes in 10d (it
    is not necessary to mark 10b or 10c yes)

13
Authorizing SCI (Sensitive Compartmented
Information) Access
  • If access to SCI is required Mark 10e.(1) Yes
    and Mark 14 and 15 Yes
  • If access to non-SCI (i.e., NOFORN or former
    WNINTEL) is required Mark 10e(2) Yes, Mark 14
    Yes and Mark 15 No
  • If access to both SCI and non-SCI is required
  • Mark 10e(1), 10e(2), and 14 Yes, Mark 15 as
    appropriate
  • Note: Prior GCA approval is required before
    issuing access to a subcontractor

14
Authorizing SAP (Special Access Program) Access
  • If SAP access is required mark 10f, and 14 Yes
  • Complete 15 as appropriate (some SAPs are
    carve-outs, but not all)
  • Note: Prior Program Security Office approval of
    the GCA is required before issuing access to a
    subcontractor

Sometimes referred to as SAR or SAP/SAR.
SAR: Special Access Required. SAP/SAR: redundant.
15
Authorizing NATO, FGI, LIMDIS
NATO (North Atlantic Treaty Organization)
FGI (Foreign Government Information): includes any
foreign government information except NATO
LIMDIS (Limited Distribution)
  • If NATO access is required Mark 10g. Yes
  • If FGI access is required Mark 10h. Yes
  • For both NATO and FGI prior GCA approval is
    required
  • For both NATO and FGI the Prime FSO must be briefed
    by the CSO
  • NATO and FGI must be segregated and disposition
    requirements
  • NATO and FGI must be inventoried annually, combos
    changed annually
  • Annual NATO rebriefs are required
  • Contract should include special handling
    instructions as an attachment or in item 13

LIMDIS is no longer a recognized caveat and
should always be marked No
16
Authorizing FOUO
  • If FOUO access is required Mark 10j. Yes
  • FOUO is information that is not classified under
    an executive order but can be kept from public
    disclosure under the Freedom of Information Act
  • When this item is marked Yes the GCA must provide
    additional guidance and requirements in Item 13.
  • FOUO should not be faxed unless approved prior
  • FOUO must not be sent over the internet unless
    128 byte encryption
  • or within the NGGN

17
Issuing for Subs that will have access elsewhere
  • This should be marked Yes only when the sub
    will have access to classified material at other
    government locations or other contractors'
    facilities
  • "Only" is the key word; mark yes when storage
    of classified material is not required

18
Issuing for Subs receiving classified documents
only
  • "Only" is the key word; mark yes when the
    contractor will receive marked material and will
    not be required to use classification guides
  • If you think this scenario could change, item 13
    can include this statement: "Any classified
    information generated in the performance of this
    contract shall be classified according to the
    markings shown on the source material."

19
Issuing for Subs receiving and generating
classified documents
  • Mark Yes in item 11.c.; provide detailed
    guidance in Item 13, or as an attachment to the
    DD254 or under separate cover or in the contract
    document itself
  • If the contract requires storage of classified
    hardware and it will be more than 2 cubic feet
    verify storage with the sub and/or CSO

20
Issuing for Subs with Service Only
  • Mark Yes in item 11a. If the contractor is
    performing services only you should enter a
    statement in item 13 that explains the service
    provided i.e.,
  • Guard Services
  • Contract is for guard services. Cleared
    personnel are required by the NISPOM to provide
    supplemental protection.
  • Graphic Arts Support (reproductions services),
    Engineering Services, Equipment Maintenance
    Services, Guard Services

21
Subs w/access outside the U.S. (includes U.S.
Puerto Rico, U.S. Possessions and Trust Territories)
  • If Yes is marked
  • Indicate in Item 13, where the overseas
    performance will occur (city and country)
  • Provide a copy of the 254 to DSS
  • See NISPOM 10-202 for additional wording that
    should be added in item 13 protection guidance
    etc.

22
Subs authorized to use DTIC (Defense Technical
Services)
This service is used to order technical documents
and sometimes is used for verification to attend
meetings.
A DD Form 1540 and 2345 (Military Critical
Technical Data Agreement; this form is also
required to be certified by your government
sponsor) are required to register for DTIC.
See NISPOM Chapter 11, Section 2 for more
information.
To learn more about DTIC: http://www.dtic.mil/
23
Subs requiring a COMSEC account
  • Mark Yes in item 11.h. if accountable COMSEC
    (KYK, KIV, DTDs, etc) information must be
    accessed. If non-accountable COMSEC is involved
    mark No
  • Prior GCA approval is required for a Prime to
    grant COMSEC access to a sub
  • It is NOT necessary to mark Yes for a
    subcontractor to utilize a STU or STE phone

24
Subs having TEMPEST Requirements
TEMPEST is a U.S. government code word that
identifies a classified set of standards for
limiting electric or electromagnetic radiation
emanations from electronic equipment.
  • TEMPEST requirements should not be imposed prior
    to a vulnerability assessment
  • TEMPEST requirements are additional and require
    GCA approval before they can be imposed on a
    subcontractor
  • For more information
  • http://www.eskimo.com/~joelm/tempestintro.html#What%20is

25
Subs having OPSEC Requirements
Operations Security (OPSEC) is an analytic
process used to deny an adversary information -
generally unclassified - concerning our
intentions and capabilities by identifying,
controlling, and protecting indicators associated
with our planning processes or operations. OPSEC
does not replace other security disciplines - it
supplements them. OPSEC plan template
  • Marking Yes in item 11j. requires that you have
    a written, GCA approved plan that describes how
    the information, equipment etc. will be handled
    and describes in detail appropriate
    countermeasures
  • If 11j is marked Yes, Item 14 must also be
    marked Yes
  • For more information
  • http://www.ioss.gov/

26
Subs authorized to use DCS (Defense Courier
Service)
  • Yes in this block authorizes the use of DCS.
  • The GCA must obtain written approval to authorize
    use of DCS.
  • Prior approval from the GCA is required before
    authorizing DCS use by a subcontractor

27
PUBLIC RELEASE
  • Each contractor is responsible for obtaining
    approval PRIOR to releasing any information
    generated under the contract
  • Prime contractor should refer subs to the GCA
    office for approval

28
ADDITIONAL SECURITY GUIDANCE AND REQUIREMENTS
  • Item 13. should include SCGs (Security
    Classification Guides) or other classification
    guidance
  • Item 14 should list additional security
    requirements; remember, additional requirements =
    extra costs and should be negotiated between the
    contractor and the GCA

29
  • Item 15. should be filled out if an organization
    other than the CSO will be responsible for
    inspection
  • It is still necessary to provide a copy of the
    DD254 to the CSO as well as any other
    notifications that would normally go to the CSO
    (unless exemptions are in writing by the GCA)

30
CLOSING OUT A SUBCONTRACT
  • NISPOM 7-103 covers these requirements
  • Issue a Subcontract Close-Out Letter
  • Issue Final DD254

31
REFERENCE MATERIALS
  • Posting on the Emerald Coast Website
  • This briefing
  • DD254 Preparation Pamphlet
  • Template Closeout Letter to Subcontractor
  • DSS Waiver Letter
  • Template NG Performing Facility Under the
    Waiver
  • Template OPSEC Plan
  • Special Acknowledgement: materials used in
    preparation of this briefing included NCMS
    publication
  • Preparation of a DD Form 254, National
    Classification Management Society and Defense
    Security Service