Contract Security Classification Specification

1 Contract Security Classification Specification
DD-254 Guidance

2 DD 254 Roadmap: Justification; Step by Step; Common DSS Findings
First of all, this training is not meant to be all-inclusive, but a guideline to contractors on what to look for when you receive a DD 254 and what to be aware of when you are ‘hiring’ a subcontractor for work under an existing DD 254. We’ll give you some step-by-step direction on what is required in each block of the 254 and finally, we’ll share with you some of the common mistakes and findings that have been noted in the Irving Field Office inspections. We are by no means experts, but as the inspectors of your work, we’re here to assist you in doing your job. Let’s get started.

3 Why a DD-254? The document provides the basis for a contractor to have a facility clearance (FCL) and have access to classified information. DD-254 is the GCA’s direction for how to handle classified at the contractor’s location. The document may be the only classification guidance provided to a contractor for a government contract. The document may be used by a contractor to flow down classified requirements to a cleared sub-contractor or used as a basis to sponsor an uncleared sub-contractor. The DD-254 can be used to have GCA’s concurrence when a contractor needs to flow down certain information to a sub-contractor, i.e. NATO, COMSEC, Top Secret, SAP, SCI, CNWDI. DD-254s can be classified or unclassified as required. Normally they are unclassified.

So, why do we issue DD-254s and how do we use them? It is a requirement that when a company is sponsored for a Facility Clearance, a DD 254 must be submitted to the Facilities Clearance Branch as justification for the FCL. Has anyone bought anything at Ikea lately? You can’t get out of there without a much smaller boxed version of a piece of furniture. You need the instructions to put it together; whether you are using the English or Norwegian version, you are basically out of luck without the directions. Well, that’s what the DD 254 is! It is the government customer’s direction to the Cleared Defense Contractor (CDC) on how to put together their security plan for this work. How are you going to protect the classified material they place in your hands? What materials or equipment (tools) will be needed to accomplish the project? Next, if you have work that you need to sub to another defense contractor, this is the tool you’ll utilize to either assign or sponsor the work with. The 254 also has an abundance of information about additional or special requirements the contractor will need to accomplish the work; we’re talking about NATO, COMSEC, CNWDI and the other areas mentioned on the slide.
Now, most contracts are unclassified, but you should know that there are instances when they are classified and can only be reviewed during the inspection process. This is more likely the exception than the rule.

4 Examples of DD-254s DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the National Industrial Security Program Operating Manual apply to all security aspects of this effort) 1. CLEARANCE AND SAFEGUARDING a. FACILITY CLEARANCE REQUIRED: SECRET b. LEVEL OF SAFEGUARDING REQUIRED: N/A

Block 1b is checked “N/A”. This indicates that there will be no classified work performed at the sub-contractor’s cleared facility. If this block is “N/A”, blocks 11b, c, and d should be checked “NO”. So, let’s take a look at the DD 254, block by block. What do you need to know about Section 1?

5 Examples of DD-254s 2. THIS SPECIFICATION IS FOR: (X and complete as applicable) a. PRIME CONTRACT NUMBER b. SUBCONTRACT NUMBER c. SOLICITATION OR OTHER NUMBER Due Date (YYYYMMDD) Block 2a should show the Prime Contract number but should not be checked for a sub-contract DD-254. Block 2b should be checked and show the sub-contract number. Block 2c is normally not used with a sub-contract. Block 2 deals with the contract numbers.

6 Examples of DD-254s 3. THIS SPECIFICATION IS: (X and complete as applicable) a. ORIGINAL (Complete date in all cases) Date (YYYYMMDD) b. REVISED (Supersedes all previous specs) Revision No. c. FINAL (Complete item 5 in all cases) Block 3a should be checked and show the date the original DD-254 was signed. Block 3b should be checked if it is a revised DD-254, show a revision number and a date that the revision was issued. Block 3a in a revised DD-254 should show the original date of the DD-254 but with no check mark. Block 3 is often overlooked, but concerns the dates. Revisions should be numbered and dated.

Examples of DD-254s 4. IS THIS A FOLLOW-ON CONTRACT? [ X ] YES [ ] NO, If yes, complete the following: Classified material received or generated under N D (Preceding Contract Number) is transferred to this follow-on contract 5. IS THIS A FINAL DD FORM [ ] YES [ X ] NO, If yes, complete the following: In response to the contractor’s request dated , retention of the identified classified material is authorized for a period of:

These two blocks are self-explanatory. No explanation necessary!

8 Examples of DD-254s 6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code) a. NAME, ADDRESS, AND ZIP Your Company 123 Wherever Drive Dallas, TX 75000 b. CAGE CODE 12345 c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code) DEFENSE SECURITY OFFICE (IOFSI) 5800 East Campus Circle Drive, STE 218A Irving, TX 74063 7. SUBCONTRACTOR a. NAME, ADDRESS, AND ZIP N/A 8. ACTUAL PERFORMANCE a. LOCATION SEE BLOCK 13

Blocks 6a, b, & c should show the prime contractor’s name, CAGE code and CSA. Blocks 7a, b, & c should show the sub-contractor’s name, CAGE code and CSA. Blocks 8a, b, & c should show the actual place of performance. If this is a military base, then the CAGE code is left blank and the CSA will be a military security office. The military normally has security cognizance on military installations. Block 8 can have “See attached” or “See Block 13” if there are multiple places of performance.

A few notes about these sections before we go over them. For the last 3 or more years, DSS has been asking contractors for more detailed information about the Government Customer that ultimately owns the information you protect. Why? Well, if there is a security violation or problem we discover during your inspection, WE want to be able to communicate that to the ultimate owner. If you are the sub to a prime contractor, we’ve asked that you get the GCA information from them. In some cases, prime contractors do not want to share that information, but in those rare cases, DSS will intervene or communicate with the Rep responsible for the prime CDC and attempt to get the information. So, when you get the notification letter for your security inspection and we ask for the UA POC, we want a name, phone number, address. This goes into our database for our use. Review slide information…

Examples of DD-254s 9. GENERAL IDENTIFICATION OF THIS PROCUREMENT LETHALITY TESTING AND CRITERIA DEVELOPMENT Block 9 gives an unclassified description of the work to be performed. This is a key area for DSS use also. We ‘log’ each contract into our database and pull keywords from this area to name each contract.

10 Examples of DD-254s Requires GCA approval – NISPOM 9-304
10. THIS CONTRACT WILL REQUIRE ACCESS TO: YES NO a. COMMUNICATIONS SECURITY (COMSEC) INFORMATION X b. RESTRICTED DATA c. CRITICAL NUCLEAR WEAPON DESIGN INFORMATION d. FORMERLY RESTRICTED DATA e. INTELLIGENCE INFORMATION (1) Sensitive Compartmented Information (SCI) (2) Non-SCI f. SPECIAL ACCESS INFORMATION g. NATO INFORMATION h. FOREIGN GOVERNMENT INFORMATION i. LIMITED DISSEMINATION INFORMATION j. FOR OFFICIAL USE ONLY INFORMATION k. OTHER (Specify) (CLASSIFIED IS PROCESSING)

Block 10 – descriptions of categories of accessed information. Block 10a, if checked “YES”, requires GCA approval for access to classified COMSEC – NISPOM 9-407. Blocks c, e (1), and g, if checked “yes”, require GCA approval – NISPOM 9-204, 9-304, and respectively. Block e(2) checked “yes” gives the contract authority to access “NOFORN”. Block 10f may require PSO approval prior to sub-contracting.

11 Examples of DD-254s 11. IN PERFORMING THIS CONTRACT, THE CONTRACTOR WILL: YES NO a. HAVE ACCESS TO CLASSIFIED INFORMATION ONLY AT ANOTHER CONTRACTOR’S FACILITY OR GOVERNMENT ACTIVITY X b. RECEIVE CLASSIFIED DOCUMENTS ONLY c. RECEIVE AND GENERATE CLASSIFIED MATERIAL d. FABRICATE, MODIFY, OR STORE CLASSIFIED HARDWARE e. PERFORM SERVICES ONLY f. HAVE ACCESS TO US CLASSIFIED INFORMATION OUTSIDE THE U.S., PUERTO RICO, U.S. POSSESSIONS AND TRUST TERRITORIES g. BE AUTHORIZED TO USE THE SERVICES OF THE DEFENSE TECHNICAL INFORMATION CENTER (DTIC) OR OTHER SECONDARY DISTRIBUTION CENTER h. REQUIRE A COMSEC ACCOUNT (TRADITIONAL ACCOUNT) i. HAVE TEMPEST REQUIREMENTS j. HAVE OPERATIONS SECURITY (OPSEC) REQUIREMENTS k. BE AUTHORIZED TO USE THE DEFENSE COURIER SERVICE l. OTHER (specify) SEE BLOCK 13 REMARKS

This sub-contract was issued for work to be performed on a military installation. Block 11a should be checked “YES”. 11c should be checked “NO”. Block 1b of this sub-contract is checked “N/A”. 11e is always checked “YES” if block 11a is checked “YES”. 11j is checked “YES” and OPSEC guidance should be provided to the sub-contractor by the prime contractor. This is a more detailed area where specifics are spelled out. Will computers need to be accredited, closed areas set up, GSA approved containers purchased?

Examples of DD-254s 12. PUBLIC RELEASE. Any information (classified or unclassified) pertaining to this contract shall not be released for public dissemination except as provided by the National Industrial Security Program Operating Manual or unless it has been approved for public release by appropriate U.S. Government authority. Proposed public releases shall be submitted for approval prior to release.   [ ] DIRECT [ X ] THROUGH (Specify) Commander Naval Air Force, Atlantic   to the Directorate for Freedom of Information and Security Review, Office of the Assistant Secretary of Defense (Public Affairs)* for review. *In the case of non-DoD User Agencies, requests for disclosure shall be submitted to that agency. This is a self-explanatory box. Self explanatory, yes, but of utmost importance and should be coordinated with your company’s public information officer. We normally interview them and ask if they’ve been contacted by any news media outlet for comments on products or systems your company operates on. If you were Lockheed Martin, building the JSF, there is a lot of information in the press. Did your PIO release that, and did they have permission from the govt to do so? Valid points worth knowing about and following.

13 Examples of DD-254s 13. SECURITY GUIDANCE. The security classification guidance needed for this classified effort is identified below. If any difficulty is encountered in applying this guidance or if any other contributing factor indicates a need for changes in this guidance, the contractor is authorized and encouraged to provide recommended changes; to challenge the guidance or the classification assigned to any information or material furnished or generated under this contract; and to submit any questions for interpretation of this guidance to the official identified below. Pending final decision, the information involved shall be handled and protected at the highest level of classification assigned or recommended. (Fill in as appropriate for the classified effort. Attach, or forward under separate correspondence, any documents/guides/extracts referenced herein. Add additional pages as needed to provide complete guidance.)

Block 13 is used to provide security guidance to the sub-contractor. It can also be used to show additional locations of performance and any security relevant information. This is the catch-all section. Any information that has not been spelled out throughout the rest of the document can be added here.

Examples of DD-254s 14. ADDITIONAL SECURITY REQUIREMENTS. Requirements, in addition to NISPOM requirements, are established for this contract. [ ] YES [ X ] NO (If Yes, identify the pertinent contractual clauses in the contract document itself, or provide an appropriate statement which identifies additional requirements. Provide a copy of the requirements to the cognizant security office. Use Item 13 if additional space is required.)

Block 14 is used to provide additional security guidance. Second catch-all box! Additional security guidance is set forth here.

15 Examples of DD-254s 15. INSPECTIONS. ELEMENTS OF THIS CONTRACT ARE OUTSIDE THE INSPECTION RESPONSIBILITY OF THE COGNIZANT SECURITY OFFICE. [ ] YES [ X ] NO (If yes, explain and identify specific areas or elements carved out and the activity responsible for inspections. Use Item 13 if more space is needed.)

This block provides guidance on who has security oversight of the contract or sub-contract. This block may be checked “yes” when there is SAP or SCI. Additional information about security inspections and their frequency is sometimes included here.

16. CLASSIFICATION AND SIGNATURE. Security requirements stated herein are complete and adequate for safeguarding the classified information to be released or generated under this classified effort. All questions shall be referred to the official named below. a. TYPED NAME OF CERTIFYING OFFICIAL b. TITLE c. TELEPHONE (Include Area Code) d. ADDRESS (Include Zip Code) e. SIGNATURE 17. REQUIRED DISTRIBUTION [ ] a. CONTRACTOR [ ] b. SUBCONTRACTOR [ ] c. COGNIZANT SECURITY OFFICE FOR PRIME & SUBCONTRACTOR [ ] d. U.S. ACTIVITY RESPONSIBLE FOR OVERSEAS SECURITY ADMINISTRATION [ ] e. ADMINISTRATIVE CONTRACTING OFFICER [ ] f. OTHERS AS NECESSARY

Unless otherwise specified, we will sometimes contact these signatory individuals to determine contractor performance. These blocks are self-explanatory.

17 Conclusion A prime contractor can never flow to a sub-contractor greater responsibility than what is listed on the prime contract DD-254. A prime contractor can flow down lesser responsibilities. All classified work performed at an “other contractor’s facility or government activity” is “services only” unless the contractor or sub-contractor has a cleared facility at the other site. Do not flow down requirements to your sub-contractor if that sub-contractor has no reason to have the information at that facility. The wrap up – more points to remember.

18 DSS Noted DD-254 Errors
Contracting Officers and Contractors writing DD-254s showing that work will be on a government location or other contractor’s facility but showing that possessing of classified will not be required at the contractor or sub-contractor facility.
Conflicting information within the DD-254s.
No indication where the actual performance will be conducted.
No actual guidance is provided by the DD-254 to the contractor.
Contractors using incorrect DD-254s received from the GCA’s Contracting Officer to flow down incorrect information to the sub-contractor.
Sub-contract DD-254s giving the sub-contractor more than is shown on the prime contract DD-254.
Flowing down requirements to the sub-contractor that are not required or necessary.
Generating prime and sub-contract DD-254s that are for unclassified work.
GCA’s approval to flow down to sub-contractors not granted for COMSEC, CNWDI, SCI, SAP, NATO, & LIMDIS.
Requirements for DTIC, COMSEC Account, Tempest and OPSEC at the contractor’s facility but really required at the remote location, i.e. government activity or other contractor’s facility.

This is really what you came for! What have we cited as findings or observations at your companies? Here is a sampling, by no means all-inclusive, but we’ve probably been over most of them in what we’ve already reviewed in the what-to-do sections of this training. These are examples of the ‘not to do’s’ that we’ve found.

19 Questions? Now it’s your turn, are there any questions?

20 Brought to you by: ISR Tom Morgan ISR Kathi Varner Ronald Dimicco

