2 DD 254 Roadmap Justification Step by Step Common DSS findings First of all, this training is not meant to be all inclusive, but a guideline to contractors of what to look for when you receive a DD 254 and what to be aware of when you are ‘hiring’ a subcontractor for work under an existing DD 254.We’ll give you some step by step direction on what is required in each block of the 254 and finally, we’ll share with you some of the common mistakes and findings that have been noted in the Irving Field Office inspections.We are by no means experts, but as the inspectors of your work, we’re here to assist you in doing your job.Let’s get started.
3 Why a DD-254?The document provides the basis for a contractor to have a facility clearance (FCL) and have access to classified information.DD-254 is the GCA’s direction for how to handle classified at the contractor’s location.The document may be the only classification guidance provided to a contractor for a government contract.The document may be used by a contractor to flow down classified requirements to a cleared sub-contractor or use as a basis to sponsor an uncleared sub-contractor.The DD-254 can be used to have GCA’s concurrence when a contractor needs to flow down certain information to a sub-contractor, i.e. NATO, COMSEC, Top Secret, SAP, SCI, CNWDI.DD-254s can be classified or unclassified as required. Normally they are unclassified.So, Why do we issue DD-254s and how do we use them?It is a requirement that when a company is sponsored for a Facility Clearance, a DD 254 must be submitted to the Facilities Clearance Branch as justification for the FCL.Has anyone bought anything at Ikea lately? You can’t get out of there without a much smaller boxed version of a piece of furniture. You need the instructions to put it together, whether you are using the English or Norwegian version, you are basically out of luck without the directions. Well, that’s what the DD 254 is! It is the government customers direction to the Cleared Defense Contractor (CDC), on how to put together their security plan for this work. How are you going to protect the classified material they place in your hands, what materials or equipment (tools) will be needed to accomplish the project.Next, if you have work that you need to sub to another defense contractor, this is the tool you’ll utilize to either assign or sponsor the work with.The 254 also has an abundance of information about additional or special requirements the contractor will need to accomplish the work, we’re talking about NATO, COMSEC, CNWDI and the other areas mentioned on the slide.Now, most contracts are unclassified, but you should know that there are instances when they are classified and can only be reviewed during the inspection process. This is more likely the exception than the rule.
4 Examples of DD-254sDEPARTMENT OF DEFENSECONTRACT SECURITY CLASSIFICATION SPECIFICATION(The requirements of the National Industrial Security Program Operating Manual apply to all security aspects of this effort)1. CLEARANCE AND SAFEGUARDINGa. FACILITY CLEARANCE REQUIRED: SECRETb. LEVEL OF SAFEGUARDING REQUIRED: N/ABlock 1b is checked “N/A”. This indicates that there will be no classified work performed at the sub-contractor’s cleared facility.If this block is “N/A” blocks 11b, c, and d should be checked “NO”.So, lets take a look at the DD 254, block by block. What do you need to know about Section 1?
5 Examples of DD-254s2. THIS SPECIFICATION IS FOR: (X and complete as applicable)a. PRIME CONTRACT NUMBERb. SUBCONTRACT NUMBERc. SOLICITATION OR OTHER NUMBERDue Date (YYYYMMDD)Block 2a should show the Prime Contract number but should not be checked for a sub-contract DD-254.Block 2b should be checked and show the sub-contract number.Block 2c is normally not used with a sub-contract.Block 2 deals with the contract numbers.
6 Examples of DD-254s3. THIS SPECIFICATION IS: (X and complete as applicable)a. ORIGINAL (Complete date in all cases)Date (YYYYMMDD)b. REVISED (Supersedes all previous specs)Revision No.c. FINAL (Complete item 5 in all cases)Block 3a should be checked and show the date the original DD-254 was signed.Block 3b should be checked if it is a revised DD-254, show a revision number and a date that the revision was issued.Block 3a in a revised DD-254 should show the original date of the DD-254 but with no check mark.Block 3 is often overlooked, but concerns the dates. Revisions should be numbered and dated.
7 These two blocks are self-explanatory. Examples of DD-254s4. IS THIS A FOLLOW-ON CONTRACT? [ X ] YES [ ] NO, If yes, complete the followingClassified material received or generated under N D (Preceding Contract Number) is transferred to this follow-on contract5. IS THIS A FINAL DD FORM [ ] YES [X ] NO, If yes, complete the following:In response to the contractors request dated ,retention of the identified classified material is authorized for a period of:These two blocks are self-explanatory.No explanation necessary!
8 Examples of DD-254s6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code)NAME, ADDRESS, AND ZIP Your Company123 Wherever DriveDallas, TX 75000b. CAGE CODE12345c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code)DEFENSE SECURITY OFFICE (IOFSI)5800 East Campus Circle Drive, STE 218AIrving, TX 74063 7. SUBCONTRACTORa. NAME, ADDRESS, AND ZIPN/A8. ACTUAL PERFORMANCEa. LOCATIONSEE BLOCK 13Blocks 6a, b, & c should show the prime contractor’s name, cage code and CSA.Blocks 7a, b, & c should show the sub-contractor’s name, cage code and CSA.Blocks 8a, b, & c should show the actual place of performance. If it this a Military base then the cage code is left blank and the CSA will be a military Security office. The Military normally has security cognizance on military installations.Block 8 can have “See attached” or “See Block 13” if there are multiple places of performance.A few notes about these sections before we go over them. For the last 3 or more years, DSS has been asking contractors for more detailed information about the Government Customer that ultimately owns the information you protect. Why? Well, if there is a security violation or problem we discover during your inspection, WE want to be able to communicate that to the ultimate owner. If you the sub to a prime contractor, we’ve asked that you get the GCA information from them. In some cases, prime contractors do not want to share that information, but in those rare cases, DSS will intervene or communicate with the Rep responsible for the prime CDC and attempt to get the information. So, when you get the notification letter for your security inspection and we ask for the UA POC, we want a name, phone number, address. This goes into our database for our use.Review slide information…
9 Block 9 gives an unclassified description of the work to be performed. Examples of DD-254s9. GENERAL IDENTIFICATION OF THIS PROCUREMENTLETHALITY TESTING AND CRITERIA DEVELOPMENTBlock 9 gives an unclassified description of the work to be performed.This is a key area for DSS use also. We ‘log’ each contract into our database and pull keywords from this area to name each contract.
10 Examples of DD-254s Requires GCA approval – NISPOM 9-304 10.THIS CONTRACT WILL REQUIRE ACCESS TOYESNOa.COMMUNICATIONS SECURITY (COMSEC) INFORMATIONXb. RESTRICTED DATAc. CRITICAL NUCLEAR WEAPON DESIGN INFORMATIONd. FORMERLY RESTRICTED DATAe. INTELLIGENCE INFORMATION(1) Sensitive Compartmented Information (SCI)(2) Non-SCIX f. SPECIAL ACCESS INFORMATIONg. NATO INFORMATIONh. FOREIGN GOVERNMENT INFORMATIONi. LIMITED DISSEMINATION INFORMATIONj. FOR OFFICIAL USE ONLY INFORMATIONk. OTHER (Specify) (CLASSIFIED IS PROCESSING)Requires GCA approval – NISPOM 9-304Block 10 – descriptions of categories of accessed informationBlocks 10a if checked “YES” requires GCA approval for access to classified COMSEC – NISPOM 9-407Blocks c, e (1), and g, if checked “yes” require GSA approval – NISPOM 9-204, 9-304, and respectively.Block e(2) checked “yes” gives the contract authority to access “NOFORN”.Blocks 10f may require PSO approval prior to sub-contracting.
11 Examples of DD-254s11. IN PERFORMING THIS CONTRACT, THE CONTRACTOR WILL:YESNOa. HAVE ACCESS TO CLASSIFIED INFORMATION ONLY AT ANOTHER CONTRACTORS FACILITY OR GOVERNMENT ACTIVITYXb. RECEIVE CLASSIFIED DOCUMENTS ONLYc. RECEIVE AND GENERATE CLASSIFIED MATERIALd. FABRICATE, MODIFY, OR STORE CLASSIFIED HARDWAREe. PERFORM SERVICES ONLYf. HAVE ACCESS TO US CLASSIFIED INFORMATION OUTSIDE THE U.S., PUERTO RICO, U.S. POSSESSIONS AND TRUST TERRITORIESg. BE AUTHORIZED TO USE THE SERVICES OF THE DEFENSE TECHNICAL INFORMATION CENTER (DTIC) OR OTHER SECONDARY DISTRIBUTION CENTERh. REQUIRE A COMSEC ACCOUNT (TRADITIONAL ACCOUNT)i. HAVE TEMPEST REQUIREMENTSj. HAVE OPERATIONS SECURITY (OPSEC) REQUIREMENTSk. BE AUTHORIZED TO USE THE DEFENSE COURIER SERVICEl. OTHER (specify)SEE BLOCK 13 REMARKSThis sub-contract was issued for work to be performed on a military installation. Blocks 11a should be checked “YES”.11c should be checked “NO”. Block 1b of this sub-contract is checked “N/A”.11e is always be checked “YES” if block 11a is checked “YES”.11j is checked yes and OPSEC guidance should be provided the sub-contractor by the prime contractor.This is a more detailed area where specifics are spelled out. Will computers need to be accredited, closed areas set up, GSA approved containers purchased?
12 This is a self-explanatory box. Examples of DD-254s12. PUBLIC RELEASE. Any information (classified or unclassified) pertaining to this contract shall not be released for public dissemination except as provided by the National Industrial Security Program Operating Manual or unless it has been approved for public release by appropriate U.S. Government authority. Proposed public releases shall be submitted for approval prior to release. [ ] DIRECT [ X ] THROUGH (Specify) Commander Naval Air Force, Atlantic to the Directorate for Freedom of Information and Security Review, Office of the Assistant Secretary of Defense (Public Affairs)* for review. *In the case of non-DoD User Agencies, requests for disclosure shall be submitted to that agency.This is a self-explanatory box.Self explanatory, yes, but of utmost importance and should be coordinated with your company’s public information officer. We normally interview them and ask if they’ve been contacted by any news media outlet for comments on products or systems your company operates on. If you were Lockheed Martin, building the JSF, there is a lot of information in the press. Did your PIO release that, and did they have permission from the govt to do so? Valid points worth knowing about and following.
13 Block 13 is used to provide security guidance to the sub-contractor. Examples of DD-254s13. SECURITY GUIDANCE. The security classification guidance needed for this classified effort is identified below. If any difficulty is encountered in applying this guidance or if any other contributing factor indicates a need for changes in this guidance, the contractor is authorized and encouraged to provide recommended changes; to challenge the guidance or the classification assigned to any information or material furnished or generated under this contract; and to submit any questions for interpretation of this guidance to the official identified below. Pending final decision, the information involved shall be handled and protected at the highest level of classification assigned or recommended. (Fill in as appropriate for the classified effort. Attach, or forward under separate correspondence, any documents/guides/extracts referenced herein. Add additional pages as needed to provide complete guidance.)Block 13 is used to provide security guidance to the sub-contractor.It can also be used to show additional locations of performance and any security relevant information.This is the catch all section. Any information that has not been spelled out throughout the rest of the document can be added here.
14 Block 14 is used to provide additional security guidance. Examples of DD-254s14. ADDITIONAL SECURITY REQUIREMENTS. Requirements, in addition to NISPOM requirements, are established for this contract. [ ] YES [ x ] NO(If Yes, identify the pertinent contractual clauses in the contract document itself, or provide an appropriate statement which identifies additional requirements. Provide a copy of the requirements to the cognizant security office. Use Item 13 if additional space is required.)Block 14 is used to provide additional security guidance.Second catch all box! Additional security guidances are set forth here.
15 Examples of DD-254s15. INSPECTIONS. ELEMENTS OF THIS CONTRACT ARE OUTSIDE THE INSPECTION RESPONSIBILITY OF THE COGNIZANT SECURITY OFFICE. (If yes, explain and [ ] YES [X ] NOidentify specific areas or elements carved out and the activity responsible for inspections. Use Item 13 if more space is needed.)This block provides guidance on who has security oversite of the contract or sub-contract.This block may be checked “yes” when there is SAP or SCI.Additional information about security inspections and their frequency is sometimes included here.
16 Examples of DD-254s These blocks are self-explanatory. 16. CLASSIFICATION AND SIGNATURE. Security requirements stated herein are complete and adequate for safeguarding the classified information to be released or generated under this classified effort. All questions shall be referred to the official named below.a. TYPED NAME OF CERTIFYING OFFICIALb. TITLEc. TELEPHONE (Include Area Code)d. ADDRESS (Include Zip Code)17. REQUIRED DISTRIBUTION[ ] a. CONTRACTOR[ ] b. SUBCONTRACTOR[ ] c. COGNIZANT SECURITY OFFICE FOR PRIME & SUBCONTRACTOR[ ] d. U.S. ACTIVITY RESPONSIBLE FOR OVERSEAS SECURITY ADMINISTRATION[ ] e. ADMINISTRATIVE CONTRACTING OFFICER[ ] f. OTHERS AS NECESSARYe. SIGNATUREUnless otherwise specified, we will sometimes contact these signatory individuals to determine contractor performance.These blocks are self-explanatory.
17 ConclusionA prime contractor can never flow to a sub-contractor greater responsibility than what is listed on the prime contract DD-254.A prime contractor can flow down lesser responsibilities.All classified work performed at a “other contractor’s facility or government activity” is “services only” unless the contractor or sub-contractor has a cleared facility at the other site.Do not flow down requirements to your sub-contractor if that sub-contractor has no reason to have the information at that facility.The wrap up – more points to remember.
18 DSS Noted DD-254 ErrorsContracting Officers and Contractors writing DD-254s showing that work will be on a government location or other contractor’s facility but show that possessing of classified will not be required at the contractor or sub-contractor facility.Conflicting information within the DD-254s.No indication where the actual performance will conducted.No actual guidance is provided by the DD-254 to the contractor.Contractors using incorrect DD-254s received from the GCA’s Contracting Officer to flow down incorrect information to the sub-contractor.Sub-contract DD-254s giving the sub-contractor more that is shown on the prime contract DD-254.Flowing down requirements to the sub-contractor that is not required or necessary.Generating prime and sub-contract DD-254s that are for unclassified work.GCA’s approval to flow down to sub-contractors not granted for COMSEC, CNWDI, SCI, SAP, NATO, & LIMDIS.Requirements for DTIC, COMSEC Account, Tempest and OPSEC at the contractor’s facility but really required at the remote location, i.e. government activity or other contractor’s facility.This is really what you came for! What have we cited as findings or observations at your companies? Here is a sampling, b no means all inclusive, but we’ve probably been over most of them by what we’ve already reviewed in the what to do sections of this training. These are examples of what ‘not’ to do’s that we’ve found.
19 Questions?Now it’s your turn, are there any questions?
20 Brought to you by: ISR Tom Morgan ISR Kathi Varner Ronald Dimicco Now it’s your turn, are there any questions?