Skip to main content


Change Number: Change 183 GSAR Case 2022-G517
Effective Date: 07/08/2024

Subpart 504.4 - Safeguarding Classified Information Within Industry

Subpart 504.4 - Safeguarding Classified Information Within Industry

504.402 General.

(a)  This subpart prescribes procedures for safeguarding classified information required to be disclosed to contractors in connection with the solicitation of offers, and the award, performance, and termination of contracts.

(b)  As used in this subpart, the term “Contractor(s)” means prospective contractors, subcontractors, vendors, and suppliers.

504.470 Acquisitions involving classified information.

HCA’s must consider how adequate security will be established, maintained, and monitored before accepting a reimbursable agreement for a requirement involving classified information. Further, HCAs are responsible for ensuring that the contracting officers, other procurement personnel, and contracting officer representatives (CORs) assigned to the acquisition have the appropriate security clearances, prior to accepting a reimbursable agreement involving access to, or generation of, classified information.

504.470-1 [Reserved].

504.470-2 [Reserved].

504.471 Processing security requirements checklist (DD Form 254).

(a) The contracting officer must prepare DD Form 254, Contract Security Classification Specification (illustrated in FAR 53.303-DD-254), for contracts involving contractor access to classified information. This form identifies for contractors the areas of classified information involved. The contracting officer may use written notice of classification for research or service contracts.

(b)  Obtain instructions or guidance on completing DD Form 254 from the Security and Emergency Management Division, Office of Mission Assurance (OMA).

504.472 Periodic review.

(a)  The contracting officer in coordination with the appropriate program security officer must review DD Form 254 at least once a year, or whenever a change in the phase of performance occurs, to determine if the classified information can be downgraded or declassified.

(b)  The contracting officer must inform the contractor of the results of the review by one of the following means:

(1)  Issuance of a revised specification.

(2)  Written instructions instead of DD Form 254, if authorized.

(3)  Written notification if the review results in no change in the classification specifications.

(c) The contracting officer must prepare a final checklist upon termination or completion of the contract in accordance with FAR 4.805-5.

504.473 Recurring procurement.

The contracting officer must prepare a new DD Form 254 only if a change occurs in either of the following:

(a)  End item.

(b)  Previous security classification.

504.474 Control of classified information.

(a)  The contracting officer must record, mark, handle, and transmit classified information in accordance with the requirements of the Security Branch Chief, Security and Emergency Management Division, Office of Mission Assurance (OMA).

(b)  The contracting officer must obtain the consent of the originating agency before releasing classified information to a contractor.

504.475 Return of classified information.

(a)  Contracting officers must recover classified information, unless it has been destroyed as provided in Section 7 of Chapter 5 of the National Industrial Security Program Operating Manual (NISPOM). Information on NISPOM can be found at

(b)  Contracting officers must ensure that classified information provided by the government is returned immediately after any of the following events:

(1)  Bid opening or closing date for receipt of proposals by non-responding offerors.

(2)  Contract award by unsuccessful offerors.

(3)  Termination or completion of the contract.

(4)  Notification that authorization to release classified information has been withdrawn.

(5)  Notification that a facility:

(i)  Does not have adequate means to safeguard classified information; or

(ii)  Has had its security clearance revoked or inactivated.

(6)  Whenever otherwise instructed by the authority responsible for the security classification.

(c)  The Government agency that provided classified information to a GSA contractor is responsible for the return of the information.

504.476 Breaches of security.

GSA employees responsible for the protection of classified information must refer the facts of an unauthorized disclosure promptly to Security Branch Chief, Security and Emergency Management Division, Office of Mission Assurance (OMA).