Subpart 4.4 - Safeguarding Classified Information Within Industry
(a) Executive Order12829, January 6, 1993 (58 FR3479, January 8, 1993), entitled "National Industrial Security Program" (NISP), establishes a program to safeguard Federal Government classified information that is released to contractors, licensees, and grantees of the United States Government. Executive Order 12829 amends Executive Order 10865, February 20, 1960 (25 FR1583, February 25, 1960), entitled "Safeguarding Classified Information Within Industry," as amended by Executive Order 10909, January 17, 1961 (26 FR508, January 20, 1961).
(b) The National Industrial Security Program Operating Manual (NISPOM) incorporates the requirements of these Executive orders. The Secretary of Defense, in consultation with all affected agencies and with the concurrence of the Secretary of Energy, the Chairman of the Nuclear Regulatory Commission, the Director of National Intelligence, and the Secretary of Homeland Security, is responsible for issuance and maintenance of this Manual. The following publications implement the program:
(1) National Industrial Security Program Operating Manual (NISPOM) (32 CFR part 117).
(2) DoD Manual 5220.22, Volume 2, National Industrial Security Program: Industrial Security Procedures for Government Activities.
(c) Procedures for the protection of information relating to foreign classified contracts awarded to U.S. industry, and instructions for the protection of U.S. information relating to classified contracts awarded to foreign firms, are prescribed in 32 CFR 117.19.
(d) Nondefense agencies that have industrial security services agreements with DoD, and DoD components, shall use the DD Form 254, Contract Security Classification Specification, to provide security classification guidance to U.S. contractors, and subcontractors as applicable, requiring access to information classified as "Confidential", "Secret", or "Top Secret".
(1) Provided that the data submittal is unclassified, the DD Form 254 shall be completed electronically in the NISP Contract Classification System (NCCS), which is accessible at https://www.dcsa.mil/is/nccs/ . Nondefense agencies with an existing DD Form 254 information system may use that system.
(i) A contractor, or subcontractor (if applicable), requiring access to classified information under a contract shall be identified with a Commercial and Government Entity (CAGE) code on the DD Form 254 (see subpart 4.18 for information on obtaining and validating CAGE codes).
(ii) Each location of contractor or subcontractor performance listed on the DD Form 254 is required to reflect a corresponding unique CAGE code for each listed location unless the work is being performed at a Government facility, in which case the agency location code shall be used. Each subcontractor location requiring access to classified information must be listed on the DD Form 254.
(iii) Contractor and subcontractor performance locations listed on the DD Form 254 are not required to be separately registered in the System for Award Management (SAM) solely for the purposes of a DD Form 254 (see subpart 4.11 for information on registering in SAM).
(e) Part 27, Patents, Data, and Copyrights, contains policy and procedures for safeguarding classified information in patent applications and patents.
4.403 Responsibilities of contracting officers.
(a) Presolicitation phase. Contracting officers shall review all proposed solicitations to determine whether access to classified information may be required by offerors, or by a contractor during contract performance.
(1) If access to classified information of another agency may be required, the contracting officer shall-
(i) Determine if the agency is covered by the NISP; and
(ii) Follow that agency’s procedures for determining the security clearances of firms to be solicited.
(2) If the classified information required is from the contracting officer’s agency, the contracting officer shall follow agency procedures.
(b) Solicitation phase. Contracting officers shall-
(1) Ensure that the classified acquisition is conducted as required by the NISP or agency procedures, as appropriate; and
(i) An appropriate Security Requirements clause in the solicitation (see 4.404); and
(ii) As appropriate, in solicitations and contracts when the contract may require access to classified information, a requirement for security safeguards in addition to those provided in the clause (52.204-2, Security Requirements).
(c) Award phase. Contracting officers shall inform contractors and subcontractors of the security classifications and requirements assigned to the various documents, materials, tasks, subcontracts, and components of the classified contract as identified in the requirement documentation as follows:
(1) Nondefense agencies that have industrial security services agreements with DoD, and DoD components, shall use the Contract Security Classification Specification, DD Form 254. The contracting officer, or authorized agency representative, is the approving official for the DD Form 254 associated with the prime contract and shall ensure the DD Form 254 is properly prepared, distributed by and coordinated with requirements and security personnel in accordance with agency procedures, see 4.402(d)(1).
(2) Contracting officers in agencies not covered by the NISP shall follow agency procedures.
4.404 Contract clause.
(a) The contracting officer shall insert the clause at 52.204-2, Security Requirements, in solicitations and contracts when the contract may require access to classified information, unless the conditions specified in paragraph (d) of this section apply.
(b) If a cost contract (see 16.302) for research and development with an educational institution is contemplated, the contracting officer shall use the clause with its Alternate I.
(c) If a construction or architect-engineer contract where employee identification is required for security reasons is contemplated, the contracting officer shall use the clause with its Alternate II.
(d) If the contracting agency is not covered by the NISP and has prescribed a clause and alternates that are substantially the same as those at 52.204-2, the contracting officer shall use the agency-prescribed clause as required by agency procedures.