DD 254 Roadmap Justification Step by Step Common DSS findings
Why a DD-254? The document provides the basis for a contractor to have a facility clearance (FCL) and have access to classified information. DD-254 is the GCA’s direction for how to handle classified at the contractor’s location. The document may be the only classification guidance provided to a contractor for a government contract. The document may be used by a contractor to flow down classified requirements to a cleared sub-contractor or use as a basis to sponsor an uncleared sub-contractor. The DD-254 can be used to have GCA’s concurrence when a contractor needs to flow down certain information to a sub-contractor, i.e. NATO, COMSEC, Top Secret, SAP, SCI, CNWDI. DD-254s can be classified or unclassified as required. Normally they are unclassified.
Examples of DD-254s Block 1b is checked “N/A”. This indicates that there will be no classified work performed at the sub-contractor’s cleared facility. If this block is “N/A” blocks 11b, c, and d should be checked “NO”. DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the National Industrial Security Program Operating Manual apply to all security aspects of this effort) 1. CLEARANCE AND SAFEGUARDING a. FACILITY CLEARANCE REQUIRED: SECRET b. LEVEL OF SAFEGUARDING REQUIRED: N/A
Examples of DD-254s Block 2a should show the Prime Contract number but should not be checked for a sub-contract DD-254. Block 2b should be checked and show the sub- contract number. Block 2c is normally not used with a sub-contract. 2. THIS SPECIFICATION IS FOR: (X and complete as applicable) a. PRIME CONTRACT NUMBER b. SUBCONTRACT NUMBER c. SOLICITATION OR OTHER NUMBER Due Date (YYYYMMDD)
Examples of DD-254s Block 3a should be checked and show the date the original DD-254 was signed. Block 3b should be checked if it is a revised DD-254, show a revision number and a date that the revision was issued. Block 3a in a revised DD-254 should show the original date of the DD-254 but with no check mark. 3. THIS SPECIFICATION IS: (X and complete as applicable) a. ORIGINAL (Complete date in all cases) Date (YYYYMMDD) b. REVISED (Supersedes all previous specs) Revision No. Date (YYYYMMDD) c. FINAL (Complete item 5 in all cases)Date (YYYYMMDD)
Examples of DD-254s 4. IS THIS A FOLLOW-ON CONTRACT? [ X ] YES [ ] NO, If yes, complete the following Classified material received or generated under N D-0037 (Preceding Contract Number) is transferred to this follow-on contract 5. IS THIS A FINAL DD FORM 254 [ ] YES [X ] NO, If yes, complete the following: In response to the contractors request dated,retention of the identified classified material is authorized for a period of: These two blocks are self-explanatory.
Examples of DD-254s Blocks 6a, b, & c should show the prime contractor’s name, cage code and CSA. Blocks 7a, b, & c should show the sub-contractor’s name, cage code and CSA. Blocks 8a, b, & c should show the actual place of performance. If it this a Military base then the cage code is left blank and the CSA will be a military Security office. The Military normally has security cognizance on military installations. Block 8 can have “See attached” or “See Block 13” if there are multiple places of performance. 6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code) a.NAME, ADDRESS, AND ZIP Your Company 123 Wherever Drive Dallas, TX b. CAGE CODE c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code) DEFENSE SECURITY OFFICE (IOFSI) 5800 East Campus Circle Drive, STE 218A Irving, TX SUBCONTRACTOR a. NAME, ADDRESS, AND ZIP N/A b. CAGE CODE c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code) 8. ACTUAL PERFORMANCE a. LOCATION SEE BLOCK 13 b. CAGE CODE c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code)
Examples of DD-254s Block 9 gives an unclassified description of the work to be performed. 9. GENERAL IDENTIFICATION OF THIS PROCUREMENT LETHALITY TESTING AND CRITERIA DEVELOPMENT
Blocks 10a if checked “YES” requires GCA approval for access to classified COMSEC – NISPOM Blocks c, e (1), and g, if checked “yes” require GSA approval – NISPOM 9-204, 9-304, and respectively. Block e(2) checked “yes” gives the contract authority to access “NOFORN”. Blocks 10f may require PSO approval prior to sub-contracting. Requires GCA approval – NISPOM Examples of DD-254s 10. THIS CONTRACT WILL REQUIRE ACCESS TO YESNO a.COMMUNICATIONS SECURITY (COMSEC) INFORMATION X b. RESTRICTED DATA X c. CRITICAL NUCLEAR WEAPON DESIGN INFORMATION X d. FORMERLY RESTRICTED DATA X e. INTELLIGENCE INFORMATION (1) Sensitive Compartmented Information (SCI) X (2) Non-SCI X f. SPECIAL ACCESS INFORMATION X g. NATO INFORMATION X h. FOREIGN GOVERNMENT INFORMATION X i. LIMITED DISSEMINATION INFORMATION X j. FOR OFFICIAL USE ONLY INFORMATION X k. OTHER (Specify) (CLASSIFIED IS PROCESSING) X
This sub-contract was issued for work to be performed on a military installation. Blocks 11a should be checked “YES”. 11c should be checked “NO”. Block 1b of this sub-contract is checked “N/A”. 11e is always be checked “YES” if block 11a is checked “YES”. 11j is checked yes and OPSEC guidance should be provided the sub-contractor by the prime contractor. Examples of DD-254s 11. IN PERFORMING THIS CONTRACT, THE CONTRACTOR WILL: YESNO a. HAVE ACCESS TO CLASSIFIED INFORMATION ONLY AT ANOTHER CONTRACTORS FACILITY OR GOVERNMENT ACTIVITY X b. RECEIVE CLASSIFIED DOCUMENTS ONLY X c. RECEIVE AND GENERATE CLASSIFIED MATERIAL X d. FABRICATE, MODIFY, OR STORE CLASSIFIED HARDWARE X e. PERFORM SERVICES ONLY X f. HAVE ACCESS TO US CLASSIFIED INFORMATION OUTSIDE THE U.S., PUERTO RICO, U.S. POSSESSIONS AND TRUST TERRITORIES X g. BE AUTHORIZED TO USE THE SERVICES OF THE DEFENSE TECHNICAL INFORMATION CENTER (DTIC) OR OTHER SECONDARY DISTRIBUTION CENTER X h. REQUIRE A COMSEC ACCOUNT (TRADITIONAL ACCOUNT) X i. HAVE TEMPEST REQUIREMENTS X j. HAVE OPERATIONS SECURITY (OPSEC) REQUIREMENTS X k. BE AUTHORIZED TO USE THE DEFENSE COURIER SERVICE X l. OTHER (specify) X SEE BLOCK 13 REMARKS
Examples of DD-254s This is a self-explanatory box. 12. PUBLIC RELEASE. Any information (classified or unclassified) pertaining to this contract shall not be released for public dissemination except as provided by the National Industrial Security Program Operating Manual or unless it has been approved for public release by appropriate U.S. Government authority. Proposed public releases shall be submitted for approval prior to release. [ ] DIRECT [ X ] THROUGH (Specify) Commander Naval Air Force, Atlantic to the Directorate for Freedom of Information and Security Review, Office of the Assistant Secretary of Defense (Public Affairs)* for review. *In the case of non-DoD User Agencies, requests for disclosure shall be submitted to that agency.
Examples of DD-254s Block 13 is used to provide security guidance to the sub-contractor. It can also be used to show additional locations of performance and any security relevant information. 13. SECURITY GUIDANCE. The security classification guidance needed for this classified effort is identified below. If any difficulty is encountered in applying this guidance or if any other contributing factor indicates a need for changes in this guidance, the contractor is authorized and encouraged to provide recommended changes; to challenge the guidance or the classification assigned to any information or material furnished or generated under this contract; and to submit any questions for interpretation of this guidance to the official identified below. Pending final decision, the information involved shall be handled and protected at the highest level of classification assigned or recommended. (Fill in as appropriate for the classified effort. Attach, or forward under separate correspondence, any documents/guides/extracts referenced herein. Add additional pages as needed to provide complete guidance.)
Examples of DD-254s 14. ADDITIONAL SECURITY REQUIREMENTS. Requirements, in addition to NISPOM requirements, are established for this contract. [ ] YES [ x ] NO (If Yes, identify the pertinent contractual clauses in the contract document itself, or provide an appropriate statement which identifies additional requirements. Provide a copy of the requirements to the cognizant security office. Use Item 13 if additional space is required.) Block 14 is used to provide additional security guidance.
Examples of DD-254s 15. INSPECTIONS. ELEMENTS OF THIS CONTRACT ARE OUTSIDE THE INSPECTION RESPONSIBILITY OF THE COGNIZANT SECURITY OFFICE. (If yes, explain and [ ] YES [X ] NO identify specific areas or elements carved out and the activity responsible for inspections. Use Item 13 if more space is needed.) This block provides guidance on who has security oversite of the contract or sub-contract. This block may be checked “yes” when there is SAP or SCI.
Examples of DD-254s 16. CLASSIFICATION AND SIGNATURE. Security requirements stated herein are complete and adequate for safeguarding the classified information to be released or generated under this classified effort. All questions shall be referred to the official named below. a. TYPED NAME OF CERTIFYING OFFICIALb. TITLE c. TELEPHONE (Include Area Code) d. ADDRESS (Include Zip Code) 17. REQUIRED DISTRIBUTION [ ] a. CONTRACTOR [ ] b. SUBCONTRACTOR [ ] c. COGNIZANT SECURITY OFFICE FOR PRIME & SUBCONTRACTOR [ ] d. U.S. ACTIVITY RESPONSIBLE FOR OVERSEAS SECURITY ADMINISTRATION [ ] e. ADMINISTRATIVE CONTRACTING OFFICER [ ] f. OTHERS AS NECESSARY e. SIGNATURE These blocks are self-explanatory.
Conclusion A prime contractor can never flow to a sub-contractor greater responsibility than what is listed on the prime contract DD-254. A prime contractor can flow down lesser responsibilities. All classified work performed at a “other contractor’s facility or government activity” is “services only” unless the contractor or sub- contractor has a cleared facility at the other site. Do not flow down requirements to your sub-contractor if that sub- contractor has no reason to have the information at that facility.
DSS Noted DD-254 Errors Contracting Officers and Contractors writing DD-254s showing that work will be on a government location or other contractor’s facility but show that possessing of classified will not be required at the contractor or sub-contractor facility. Conflicting information within the DD-254s. No indication where the actual performance will conducted. No actual guidance is provided by the DD-254 to the contractor. Contractors using incorrect DD-254s received from the GCA’s Contracting Officer to flow down incorrect information to the sub-contractor. Sub-contract DD-254s giving the sub-contractor more that is shown on the prime contract DD-254. Flowing down requirements to the sub-contractor that is not required or necessary. Generating prime and sub-contract DD-254s that are for unclassified work. GCA’s approval to flow down to sub-contractors not granted for COMSEC, CNWDI, SCI, SAP, NATO, & LIMDIS. Requirements for DTIC, COMSEC Account, Tempest and OPSEC at the contractor’s facility but really required at the remote location, i.e. government activity or other contractor’s facility.
Brought to you by: ISR Tom Morgan ISR Kathi Varner Ronald Dimicco