NISPOM Sup Overprint

Department of Defense Overprint

to the

NATIONAL INDUSTRIAL SECURITY PROGRAM

23(5$7,1*�0$18$/�6833/(0(17

FOR OFFICIAL USE ONLY

This document contains informationEXEMPT FROM MANDATORY DISCLOSUREunder the FOIA. Exemption 5 applies. Key lockprotection by authorized personnel required.

This document is issued as guidance to all DoD SAPs.

http://www.fas.org/sgp/index.html

NISPOM Supplement (NISPOMSUP) OverprintA key to understanding the Overprint

There are a number of different fonts and typefaces used within the NISPOMSUP Overprint. This pageprovides a key to understanding the Overprint. If you are not thoroughly familiar with the style andlayout of the Overprint, please study the example provided below prior to proceeding. NOTE: As youread the Overprint remember that since the NISPOMSUP was coordinated and approved as aninteragency document, all language in the original NISPOMSUP remains unchanged. Also, since theNISPOMSUP is a supplement to the Baseline NISP Operating Manual (NISPOM), any section that hasnot been supplemented within the Overprint remains governed by Baseline NISPOM requirements.

5-201. Accountability. Accountability ofclassified SAP material shall be determined andapproved in writing by the CSA or designee at thetime the SAP is approved. A separateaccountability control system may be required foreach SAP.

a. The following types of classifiedinformation requires accountability(personal signature or otheridentifiers). This material will beentered into a documentaccountability system whenever it isreceived, generated, or...

This example is clipped from a page of theNISPOMSUP Overprint. It illustrates theuse of the various fonts and type faces topromote understanding of the requirementsin the Overprint. The example also aids inidentifying the origin of the specificrequirement.

The use of Times New Roman fontindicates that this text came directlyfrom the NISPOMSUP. The bolditalics indicates that all SAPs mustcomply with the requirement in thetext. The standard Times NewRoman text following the bolditalics is also verbatim from theNISPOMSUP.

The use of bold Arial fontindicates that this text was added tothe NISPOM Supplement topromote understanding and furtherexplain the requirement.

This text block indicates to which levelof SAP the NISPOMSUP optionapplies. It is written in bold Arial fontto show it has been added to the originallanguage of the NISPOMSUP. Thisblock appears in the Overprintimmediately after each identifiedNISPOMSUP option.

On the following page is a table listing each NISPOMSUP option, where the option is found in theNISPOMSUP Overprint, and the level of SAP to which the individual option applies.

WAIVED - äUNACKNOWLEDGED - äACKNOWLEDGED - ä

SECURITY REQUIREMENTS MENU OF OPTIONS

SAP material will be marked and

be required; non-act ountsble waste may be destroyed by a single perron

SECURITY REQUIREMENTS MENU OF OPTIONS

OPTION NISPOM- OVERPRINT No. SUP PAGE NO. TITLE REMARKS LEVELS 27. 5-8-l Special Access Program Contractor may be required to establish W,U,A

Facility approved SAPF prior to commencing work

28. 5401.1. 5-8-l SAPF Physical Security Unique physical security requirements W,W may be established on a caseby-case basis

29. 5-802.a. 5-8-2 SAPF Physical Security DCID 1/214lke 8tandardS may be required W&A Standards for a SAPF

30. 5-802.b. 5-8-2 SAPF Physical Security NISPOM closed area standards may be WJJ,A Standards applled with DCID l/21-like STC standards

31. 5-802.c. 5-8-2 SAPF Physical Securtty PSO may approve basellne construction WJJA Standards aa additional option for some areas

32. 5-803 5-8-2 SAP Secure Working PSO may approve any area with options WJJA Areas for providing sound protection

33. 5-804 5-8-2 Temporary SAPF PSO may accredit a temporary SAPF WAJ,A 34. 5-808.c 5-8-3 Technical Surveillance TSCM may be required for a WJJA

Countermeasures survey reinstatement of previously accredited SAPF

i

December 29, 1994FOREWORD

I am pleased to promulgate this inaugural edition of the Supplement to the National IndustrialSecurity Program Operating Manual (NISPOMSUP). It provides the enhanced security requirements,procedures, and options to the National Industrial Security Program Operating Manual (NISPOM)for:

Critical Restricted Data (RD) classified at the Secret and Top Secret levels;

Special Access Programs (SAPs) and SAP-type compartmented efforts established andapproved by the Executive Branch;

Sensitive Compartmented Information (SCI) or other DCI SAP-type compartmentedprograms under the Director of Central Intelligence which protect intelligence sources andmethods; and

Acquisition, Intelligence, and Operations and Support SAPs.

This Supplement is applicable to contractor facilities located within the United States, its TrustTerritories and Possessions. In cases of inconsistencies between the NISPOM (baseline) and thisSupplement as imposed by a Cognizant Security Agency (CSA), as defined herein, theSupplement will take precedence.

The NISPOM Supplement has been written as a menu of options. Throughout this NISPOMSUPit is understood that whenever a security option is specified for a SAP by the GovernmentProgram Security Officer (PSO), his or her authority is strictly based on the security menu ofoptions originally approved in writing by the CSA, or designee. CSAs may delegate suchresponsibility for the implementation of SAP security policies and procedures. Since SAPs havevarying degrees of security based on sensitivity and threat, all programs may not have the samerequirements. When a security option is selected as a contract requirement, it becomes a "shall"or "will" rather than a "may" in this document. Bold and italicized print denotes contractorsecurity requirements, except in chapter titles and paragraphs.

The Director of Central Intelligence Directives (DCIDs), which prescribe procedures for the DCISensitive Compartmented Information (SCI) or other SAP-type DCI programs also set the upperstandard of security measures for programs covered by this Supplement. DCIDs may be used byany SAP program manager with approval from the CSA. Specific security measures that areabove the DCIDs (noted by asterisks) shall be approved by the CSA or designee. NOTE: ForDoD this is specified in this Overprint.

The provisions of this NISPOMSUP apply to all contractors participating in the administration of

iii

TABLE OF CONTENTS

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS

Page

Section 1. Introduction .............................................................................................................1-1-1Section 2. General Requirements .............................................................................................1-2-1Section 3. Reporting Requirements ..........................................................................................1-3-1

CHAPTER 2. SECURITY CLEARANCES

Section 1. Facility Clearances ..................................................................................................2-1-1Section 2. Personnel Clearances and Access.............................................................................2-2-1

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS

Section 1. Security Training and Briefings ..............................................................................3-1-1

CHAPTER 4. CLASSIFICATION AND MARKING

Section 1. Classification ...........................................................................................................4-1-1Section 2. Marking Requirements ............................................................................................4-2-1

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION

Section 1. General Safeguarding Requirements .......................................................................5-1-1Section 2. Control and Accountability .....................................................................................5-2-1Section 3. Storage and Storage Equipment ..............................................................................5-3-1Section 4. Transmission ...........................................................................................................5-4-1Section 5. Disclosure ................................................................................................................5-5-1Section 6. Reproduction ...........................................................................................................5-6-1Section 7. Disposition and Retention .......................................................................................5-7-1Section 8. Construction Requirements .....................................................................................5-8-1

CHAPTER 6. VISITS AND MEETINGS

Section 1. Visits .......................................................................................................................6-1-1Section 2. Meetings ..................................................................................................................6-2-1

iv

TABLE OF CONTENTS

CHAPTER 7. SUBCONTRACTING

Page

Section 1. Prime Contractor Responsibilities ...........................................................................7-1-1

CHAPTER 8. AUTOMATED INFORMATION SYSTEMS

Section 1. Responsibilities .......................................................................................................8-1-1Section 2. Security Modes ........................................................................................................8-2-1Section 3. System Access and Operation ..................................................................................8-3-1Section 4. Networks .................................................................................................................8-4-1Section 5. Software and Data Files ...........................................................................................8-5-1Section 6. AIS Acquisition, Maintenance, and Release ............................................................8-6-1Section 7. Documentation and Training....................................................................................8-7-1

CHAPTER 9. RESTRICTED DATA

Section 1. Introduction .............................................................................................................9-1-1Section 2. Secure Working Areas..............................................................................................9-2-1Section 3. Storage Requirements ..............................................................................................9-3-1

CHAPTER 10. INTERNATIONAL SECURITY REQUIREMENTS

Section 1. International Security …………………………………………………………………………10-1-1

CHAPTER 11. MISCELLANEOUS

Section 1. TEMPEST .............................................................................................................11-1-1Section 2. Government Technical Libraries............................................................................11-2-1Section 3. Independent Research and Development ..............................................................11-3-1Section 4. Operations Security ................................................................................................11-4-1Section 5. Counterintelligence (CI) Support ...........................................................................11-5-1Section 6. Decompartmentation, Disposition, and Technology Transfer ...............................11-6-1Section 7. Other Topics...........................................................................................................11-7-1

APPENDICES

Appendix A. Definitions .............................................................................................................A-1Appendix B. AIS Acronyms ....................................................................................................... B-1Appendix C. AISSP Outline ....................................................................................................... C-1Appendix D. AIS Certification and Accreditation ......................................................................D-1Appendix E. References .............................................................................................................. E-1

v

Appendix F. Special Access Program Formats .......................................................F-1Appendix G Security Documentation Retention.....................................................G-1

FIGURES

Figure 1. SAP Government and Contractor Relationships .......................................................1-1-4

TABLES

Table 1. Training Requirements................................................................................................3-1-2Table 2. Clearing and Sanitization Data Storage ......................................................................8-5-5Table 3. Sanitizing AIS Components........................................................................................8-5-7

FOR OFFICIAL USE ONLY1-1-1

Chapter 1

General Provisions and Requirements

Section 1. Introduction

1-100. Purpose.

a. This Supplement provides special security

measures to ensure the integrity of SAPs, Critical

SECRET Restricted Data (SRD), and TOP

SECRET Restricted Data (TSRD) and imposes

controls supplemental to security measures

prescribed in the NISPOM for classified contracts.

Supplemental measures fall under the cognizance

of the DoD, DCI, DOE, NRC or other Cognizant

Security Agency (CSA) as appropriate. See page

1-1-4 for Figure 1, SAP Government and

Contractor Relationships. Additionally, specific

contract provisions pertaining to these measures

applicable to associated unacknowledged

activities will be separately provided. Any

Department, Agency, or other organizational

structure amplifying instructions will be inserted

immediately following the applicable security

options selected from the NISPOMSUP. This will

facilitate providing a contractor with a supplement

that is overprinted with the options selected.

b. Security Options. This Supplement contains

security options from which specific security

measures may be selected for individual

programs. The options selected shall be

specifically addressed in the Program Security

Guide (PSG) and/or identified in the Contract.

The PSG shall be endorsed by the CSA or his/her

designee, establishing the program, although, as a

rule, the DCIDs sets the upper limits. In some

cases, security or sensitive factors may require

security measures that exceed DCID standards. In

such cases, the higher standards shall be listed

separately and specifically endorsed by the CSA

creating the program and may be reflected as an

overprint to this Supplement.

WAIVED - √UNACKNOWLEDGED - √ACKNOWLEDGED - √

NOTE: Within DoD, the availableoptions for DoD Waived,Unacknowledged, and AcknowledgedDoD SAPs are specified herein asstandards (requirements). Thematerial appearing in bold Arial fontis DoD implementing language forSAPs. It does not apply to sensitivecompartmented information, which isgoverned by the NISPOM Supplementas implemented by the DCIDs. TheDCIDs (e.g., DCID 1-21) will beimposed on the SCI informationwithin a DoD SAP.

1-101. Scope.

a. The policy and guidancecontained herein and imposed bycontract is binding upon allpersons who are granted access toSAP information. Acceptance ofthe contract security measures is aprerequisite to any negotiationsleading to Program participationand accreditation of a SpecialAccess Program Facility (SAPF):

1. This document will beapplicable to the following SAPactivities: all Government officesparticipating in DoD SAPs, SAPsfor which a DoD organization isthe Executive Agent, and all


contractor locations performingwork on DoD SAPs or SAPs forwhich the DoD is the ExecutiveAgent. This document isapplicable to SAP activitieslocated within the United States,its Trust Territories andPossessions, and at overseaslocations.

2. At Government locations, theGovernment Program Manager(GPM), or equivalent SeniorGovernment Manager, may fulfillthe role of the GPM andContractor Program Manager(CPM) (this applies togovernment employeesconducting the work) asspecified in this document. Theterminology “activity securityofficer” and Contractor ProgramSecurity Officer (CPSO) shall beapplied to the responsiblesecurity officer or manager at aGovernment location.

3. Certain Government andcontractor locations supportingmultiple SAPs may be assigned asingle, cognizant PSO orSecurity Representative. Thissingle, cognizant PSO shall beresponsible for theimplementation of policycontained in this document. Thisresponsibility shall include areaapproval, approval of StandardOperation Procedures,Automated Information SystemSecurity Plans (AISSP), approvalof individuals selected asInformation System SecurityRepresentatives (ISSR), andoverseeing ISSR activitiesspecified in Chapter 8 of this

document .

b. The following is restated from the baseline for

clarity. If a contractor determines that

implementation of any provision of this

Supplement is more costly than provisions

imposed under previous U.S. Government

policies, standards, or requirements, the contractor

shall notify the CSA. Contractors shall, however,implement any such provision within three yearsfrom the date of this Supplement, unless awritten exception is granted by the CSA.

c. The DCIDs apply to all SCI and DCI programs

and any other SAP that selects them as the program

security measures.


DCID like standards will be appliedto DoD SAPs only with SAPOCapproval.

1-102. Agency Agreement SAP ProgramAreas. The Government Agency establishing a SAP

will designate a Program Executive Agent for the

administration, security, execution, and control of the

SAP. The Program Security Officer (PSO), rather

than the Facility CSA, will be responsible for security

of the program and all program areas.

1-103. Security Cognizance. Those heads of

Agencies authorized under E.O. 12356 or successor

order to create SAPs may enter into agreements with

the Secretary of Defense that establish the terms of

the Secretary of Defense’s responsibilities for the

SAP. When a Department or Agency of the Executive

Branch retains cognizant security responsibilities for

its SAP, the provisions of this Supplement will apply.


1-104. Supplement Interpretations. Allcontractor requests for interpretation of thisSupplement will be forwarded to the PSO. WithinDoD, the PSO will submit all policyinterpretations to the cognizantCentral Office for review and anyaction deemed appropriate.

1-105. Supplement Changes. Users of this

Supplement are encouraged to submit recommended

changes and comments through their PSO in

concurrence with the baseline. Within DoD, thePSO will forward all changeproposals to the Director, SpecialPrograms, OUSD (P) via thecognizant Central Office.

1-106. Waivers and Exceptions. The purpose

of having a waiver and exception policy is to ensure

that deviations from established SAP criteria are

systematically and uniformly identified to the

Government Program Manager (GPM). Every effort

will be made to avoid waivers to established SAP

policies and procedures unless they are in the best

interest of the Government. In those cases where

waivers are required, a request will be submitted to

the PSO. As appropriate, the PSO, and if necessary

the GPM (if a different individual) will assess the

request for waiver and provide written approval. If

deemed necessary, other security measures which

address the specific vulnerability may be

implemented.

Use SAP Format 12 to submit waiverrequests to these and other securitydirectives in SAPs. Security Officersat all levels maintain a file ofapproved waivers. Attach maps,photos, or drawings when necessary.Subcontractors submit SAP Format

12 through their prime contractor,who will annotate the REVIEWINGOFFICIAL block. The requesterensures adequate compensatorymeasures are taken for each waiver.Submit completed SAP Format 12 tothe PSO, who will process the waiveras provided for in the Foreword tothe NISPOM Overprint.

1-107. Special Access ProgramsCategories and Types.

a. There are four generic categories of SAPs: (1)

Acquisition SAP (AQ-SAP); (2) Intelligence SAP

(IN-SAP); (3) Operations and Support SAP (OS-

SAP); and (4) SCI Programs (SCI - SAP) or other

DCI programs which protect intelligence sources

and methods.

b. There are two types of SAPs, Acknowledged and

Unacknowledged. An Acknowledged SAP is a

program which may be openly recognized or

known; however, specifics are classified within

that SAP. The existence of an Unacknowledged

SAP or an unacknowledged portion of an

Acknowledged program, will not be made known

to any person not authorized for this information.

Within DoD, three levels of SAPprotection apply. The three levelsare:

1. Waived SAP 2. Unacknowledged SAP 3. Acknowledged SAP.

These SAP levels are furtherexplained in DoD Directive 0-5205.7and DoD Instruction 0-5205.11.


SAP

Government/Contractor Relationships

Figure 1

1ISSR may work for the CPSO, or work as a peer to the CPSO for AIS purposes, depending on Program Requirements.

Cognizant Security Agency

Program Executive Agent

Government Program Manager

Program Security Officer

Contractor Program Manager

Contractor Program Security Officer

Information System SecurityRepresentative 1

Gov

ernm

ent

Con

trac

tor

ContractingOfficer


Section 2. General Requirements

1-200. Responsibilities. A SAP ContractorProgram Manager (CPM) and Contractor ProgramSecurity Officer (CPSO) will be designated by thecontractor. These individuals are the primary focalpoints at the contractor facility who execute thecontract. They are responsible for all Programmatters. The initial nomination or appointment ofthe CPSO and any subsequent changes will beprovided to the PSO in writing. The criterianecessary for an individual to be nominated as theCPSO will be provided in the Request for Proposal(RFP). For the purposes of SAPs, the followingresponsibilities are assigned:

Unless circumstances (size andinvolvement) dictate otherwise, eachorganization associated with a SAPmust designate one or moreknowledgeable Security Officers tobe responsible for implementingprogram security policies within itsactivity. Security Officers must havethe position, responsibility, andauthority commensurate with thedegree of security support requiredfor that organization. The PSO mustapprove or reject the appointment ofall CPSOs.

a. The CPM is (sometimes the same as, or in ad

dition to a Contract Project Manager) the con

tractor employee responsible for:

1. Overall Program management.

2. Execution of the statement of work, contract,

task orders and all other contractual

obligations.

b. The CPSO oversees compliance with SAP

security requirements.

The CPSO will:

1. Possess a personnel clearance and Programaccess at least equal to the highest level ofProgram classified information involved.

2. Provide security administration andmanagement for his/her organization.

3. Ensure personnel processed for access to aSAP meet the prerequisite personnelclearance and/or investigative requirementsspecified.

4. Ensure adequate secure storage and workspaces.

5. Ensure strict adherence to the provisions ofthe NISPOM, its Supplement, and thisOverprint .

6. When required, establish and oversee aclassified material control program for eachSAP.

7. When required, conduct an annualinventory of accountable classified material.

8. When required, establish a SAPF.

9. Establish and oversee visitor controlprogram.

10. Monitor reproduction and/or duplicationand destruction capability of SAPinformation.

11. Ensure adherence to specialcommunications capabilities within the SAPF.

12. Provide for initial Program indoctrinationof employees after their access is approved;rebrief and debrief personnel as required.


13. Establish and oversee specializedprocedures for the transmission of SAPmaterial to and from Program elements.

14. When required, ensure contractualspecific security requirements such asTEMPEST (within DoD this isknown as EMSEC), AutomatedInformation System (AIS), and OperationsSecurity (OPSEC) are accomplished.

15. Establish security training and briefingsspecifically tailored to the uniquerequirements of the SAP.

1-201. *Standard Operating Procedures(SOP). The CPSO may be required to prepare acomprehensive SOP to implement the securitypolicies and requirements for each SAP. Whenrequired, SOPs will address and reflect thecontractor’s method of implementing the PSG.Forward proposed SOPs to the PSO for approval.SOPs may be a single plan or series of individualdocuments each addressing a security function.Changes to the SOP will be made in a timely fashion,and reported to the PSO as they occur.


a. SOPs are similar to StandardPractice Procedures (SPPs)formerly required prior to theNational Industrial SecurityProgram (NISP). Prepare SOPsonly if revision of the current SPPis required to implement newguidance contained in this orprogram-specific securitydirectives/guidance.

b. Refrain from includingrepetitious, word-for-wordverbiage from any other securitydirectives. Instead, address the

local and “nuts-and-bolts”implementation of applicablesecurity directives (including theNISPOM, NISPOMSUP, and thisOverprint). Care should be takennot to add to requirements in sucha way that would increase programcosts. The following subjects, asapplicable, should be consideredfor inclusion:

• Secure communicationsdevice instructions.

• Annual self-reviews.

• Handling classified material(marking, storing, access,working papers, distribution,mailing, hand-carrying, etc.).

• Reproduction.

• Destruction.

• Top Secret controlprocedures (if applicable).

• Safe or vault custodian dutiesand end-of-day securitychecks.

• Emergency protection.

• Entry and exit reviews andbriefcase and parcel searches.

• Security incidents.

• Document control (e.g.,accountability of SAPclassified material) and auditprocedures.

• Subcontracting, handling ofvendors and consultants.

• Personnel selection andprogram access procedures.

• Security organization and


management.

• Operations security (OPSEC).

• Security education.

• Unique security procedures.

c. Prepare and forward SOPs forspecific program activities (i.e.,test, transportation, and handling)to the PSO at least 30 days inadvance of the planned activity.When the activity occurs frequentlyor throughout the contract,develop generic or “boiler plate”plans and omit dates and otherspecifics. Submit dates and plansunder separate cover.

d. Automated Information Systems(AISs). Prepare and maintain acomputer SOP to implement thesecurity policies contained inChapter 8. Do not necessarily writea specific SOP for each system.Instead, write a generic SOP andprepare attachments showingunique details for each specificsystem using SAP Format 16.

e. Contractors are not required toprepare an SOP for pre-solicitationactivity (PSA), a Program Researchand Development Announcement(PRDA), Request for Information(RFI), or Request for Proposal(RFP) when there is no contractualrelationship established for thateffort. Classification guidance andspecial security rules reflected onthe DD Form 254 and in the PSGsuffice for a SOP. If a formalcontract is not executed, one ofthe following three actions (or

combination of the three actions)will be taken:

• The material will be returnedto the Government.

• The material will bedestroyed and a copy of thedestruction certificate will beforwarded to the Government.

• Documentation will beretained by the contractor. Ifinformation is retained, writtenprocedures which establishprotective measures, will be inplace.

f. Subcontractors are not requiredto prepare SOPs when all work bythat subcontractor is performed ata prime contractor facility. Storagenormally is not authorized at thesubcontractor location underthese circumstances. Keepprogram access records and otherprogram documentation at theprime contractor facility.

g. Fabrication. Fabrication ofprogram-related classifiedhardware or models may require aspecific security plan. Consult thePSO to determine when securityplans are required.

1-202. Badging. Contractors performing onPrograms where all individuals cannot be personallyidentified, may be required to implement a PSO-approved badging system.


The best form of entry control is


personal introduction andidentification. Use this procedure tothe maximum extent. Use a badgesystem unless the program area issmall enough (normally less than 25people) to permit total personalidentification and access leveldetermination.

When a badging system isconsidered necessary, the securityofficer will document the badgeapproach in the SOP, addressingtopics such as badge accountability,storage, inventory, disposition,destruction, format and use (i.e.magnetic stripes, photographs,biometrics, and so on).

If card readers are used inconjunction with badges and ameans exist to lock out lost, unused,and relinquished badges, the PSOmay negate the requirements statedabove for badge inventory,accountability and destruction.

1-203. Communications Security(COMSEC). Classified SAP information will beelectronically transmitted only by approved securecommunications channels authorized by the PSO.

1-204. *Two-Person Integrity (TPI)Requirement. The TPI rule may be required andexercised only with the Program CSA approval. Thisrequirement does not apply to those situations whereone employee with access is left alone for briefperiods of time, nor dictate that those employees willbe in view of one another.

WAIVED - √UNACKNOWLEDGED -ACKNOWLEDGED -

1-205. Contractors Questioning PerceivedExcessive Security Requirements. Allpersonnel are highly encouraged to identify excessive

security measures that they believe have no addedvalue or are cost excessive and should report thisinformation to their industry contracting officer forsubsequent reporting through contracting channels tothe appropriate GPM/PSO. The GPM/PSO willrespond through appropriate channels to thecontractor questioning the security requirements.

When required, reports of this typewill be routed through a newlycreated organization established toassist in resolution of disputes:Committee for Special AccessProgram Process Improvement, c/oDepartment of the Air Force, ThePentagon, Room 5D972, Washington,D.C. 20330-1720.

1-206. Security Reviews.

a. General. The frequency of Industrial Security

Reviews (e.g., Reviews, evaluations, and security

surveys) is determined by the NISPOM and will

be conducted by personnel designated by the

CSA.

b. Joint Efforts. In certain cases, an individual

Program may be a joint effort of more than one

component of the U.S. Government or more than

one element of the same component. In such a

case, one element will, by memorandum of

agreement, take the lead as the CSA and may

have security review responsibility for the

Program facility. In order to ensure the most

uniform and efficient application of security

criteria, review activities at contractor facilities

will be consolidated to the greatest extent

possible.

Individual SAPs managed by a jointorganization (one or morecomponents of the Government ormore than one element of the samecomponent) will identify oneorganization having security reviewresponsibility for each SAPF.


c. Prime Contractor Representative. A security

representative from the prime contractor may be

present and participate during reviews of

subcontractors, but cannot be the individual

appointed by the CSA to conduct security reviews

specified in paragraph 1-206a.

WAIVED - √UNACKNOWLEDGED - √ACKNOWLEDGED –

Contractor personnel will not serveas review team chiefs, assign ratings,conduct in/out briefings, or beresponsible for completing thesecurity review report.

d. Review Reciprocity. In order to ensure the most

uniform and efficient application of security

reviews, review reciprocity at contractor facilities

will be considered whenever possible.

e. Contractor Reviews. When applicable, the U.S.

Government may prescribe the intervals that the

contractor will review their systems.

WAIVED - √ UNACKNOWLEDGED - √ ACKNOWLEDGED - √

Contractors will conduct self-reviewsannually. Normally, conduct thisreview halfway between Governmentreviews. Unless the contractor’sreview reveals a significant securityweakness or potential compromisecondition, reports of self-reviewsneed not be submitted to the PSO.

f. Team Reviews. Team Reviews may be

conducted by more than one PSO based on mutual

consent and cooperation of both the Government

and the contractor.

WAIVED - √

UNACKNOWLEDGED - √ACKNOWLEDGED - √

1-208. (Baseline). Government andindustry fraud, waste, and abuse(FWA) reporting is encouragedthrough channels designated by thePSO. Do not use other advertisedFWA hotlines when program or SAPinformation (also refers to SARinformation) may be revealed.Therefore, normal FWA reportingchannels (e.g., DoD-advertised FWAhotline) must not be used for SAPsand associated SAR markedinformation.

a. When requested, confidentialitymay be granted. Individuals maybe assured that they can reportFWA instances without fear ofreprisal or unauthorized release oftheir identity.

b. The PSO will provide the nameand telephone number for thecurrent FWA manager or monitorand a poster reflecting thisinformation.

c. Disclosures received by SAPchannels that are deemedinappropriate (e.g., InspectorGeneral (IG) complaints,grievances, suggestions,discrimination complaints), will notbe accepted. Instead, theindividual making the disclosurewill be referred to the appropriateagency or reporting system.Assistance will be provided toensure that adequate programsecurity is maintained for thesereferrals.


Section 3. Reporting Requirements

1-300. General. All reports required by theNISPOM will be made through the PSO. In thoseinstances where the report affects the baseline facilityclearance or the incident is of a personnel securityclearance nature, the report will also be provided tothe Facility CSA. In those rare instances whereclassified program information must be included inthe report, the report will be provided only to thePSO, who will sanitize the report and provide theinformation to the CSA, if appropriate.

a. Adverse Information. Contractors will reportto the PSO any information which may adverselyreflect on the Program-briefed employee’s abilityto properly safeguard classified Programinformation.

b. SAP Non-Disclosure Agreement (NDA). Areport will be submitted to the PSO on anemployee who refuses to sign a SAP NDA.

If an NDA is not signed, access willnot be granted.

c. Change in Employee Status. A written reportof all changes in the personal status of SAPindoctrinated personnel will be provided to thePSO. In addition to those changes identified in

NISPOM subparagraph 1-302c, include censure or

probation arising from an adverse personnel

action, and revocation, or suspension

downgrading of a security clearance or Program

access for reasons other than security

administration purposes.

d. Employees Desiring Not to Perform on SAPClassified Work. A report will be made to thePSO upon notification by an accessed employeeor an employee for whom access has been

requested that they no longer wish to perform onthe SAP. Pending further instructions from thePSO, the report will be destroyed in 30 days.

e. *Foreign Travel. The PSO may require reports

of all travel outside the continental United States,

Hawaii, Alaska and the U.S. possessions (i.e.,

Puerto Rico) except same-day travel to border

areas (i.e., Canada, Mexico) for Program-accessed

personnel. Such travel is to be reported to the

CPSO, and retained for the life of the

Contract/Program [travel]. Travel by Program-

briefed individuals into or through countries

determined by the CSA as high-risk areas, should

not be undertaken without prior notification. A

supplement to the report outlining the type and

extent of contact with foreign nationals, and any

attempts to solicit information or establish a

continuing relationship by a foreign national may

be required upon completion of travel.


Report all foreign travel to the CPSO(preferably within 30 days). (Use SAPFormat 6.) The CPSO will maintain arecord of foreign travel in theindividual’s personnel file. Personnelmust:

• Notify the CPSO before travelto any country identified on theNational Security Threat Listprovided by the PSO. This isrequired so that appropriatedefensive travel briefings canbe provided. Report travel to allother countries to the CPSO.

• CPSOs will ensure that


personnel are given a foreigntravel briefing (required byparagraph 3-107), review theproposed itinerary, and follow-up on security-related issues.

Reporting Foreign Contacts.

Foreign contacts meeting thefollowing criteria must be reported tothe CPSOs. The CPSO provides theinformation to the PSO. Report any ofthe following:

• Contact with personnel fromforeign diplomaticestablishments.

• Recurring contact with a non-US citizen when financial tiesare established or involved.

• A request by anyone forillegal or unauthorized accessto classified or controlledinformation.

• Contact with an individual(regardless of nationality)under circumstances thatsuggest the employeeconcerned may be the target ofan attempted exploitation bythe intelligence services ofanother country.

f. Arms Control Treaty Visits. The GPM andPSO will be notified in advance of any ArmsControl Treaty Visits (see also para 11-704). Such reports permit the GPM and PSO to

assess potential impact on the SAP activity and

effectively provide guidance and assistance.

g. Litigation. Litigation or public proceedingswhich may involve a SAP will be reported. Theseinclude legal proceedings and/or administrativeactions in which the prime contractor,subcontractors, or Government organizations andtheir Program-briefed individuals are a namedparty. The CPSO will report to the PSO any

litigation actions that may pertain to the SAP, toinclude the physical environments, facilities orpersonnel or as otherwise directed by the GPM.

1-301. Security Violations and ImproperHanding of Classified Information.Requirements of the NISPOM baseline pertaining tosecurity violation are applicable, except that allcommunications will be appropriately made throughProgram Security Channels within 24 hours ofdiscovery to the PSO. The PSO must promptlyadvise the Facility CSA in all instances wherenational security concerns would impact on collateralsecurity programs or clearances of individuals underthe cognizant of the Facility CSA.

a. Security Violations and Infractions.

1. Security Violation. A security violation is

any incident that involves the loss,

compromise, or suspected compromise of

classified information. Security violations willbe immediately reported within 24 hours to thePSO. For DoD this applies to component level

SAP Central Office as appropriate.

2. Security Infraction. A security infraction is

any other incident that is not in the best interest

of security that does not involve the loss,

compromise, or suspected compromise of

classified information. Security infractions willbe documented and made available for reviewby the PSO during visits.

b. Inadvertent Disclosure. An inadvertent

disclosure is the involuntary unauthorized access

to classified SAP information by an individual

without SAP access authorization. Personnel

determined to have had unauthorized or

inadvertent access to classified SAP information

(1) should be interviewed to determine the extent

of the exposing, and (2) may be requested to

complete an Inadvertent Disclosure Oath.

1. If during emergency response situations,

guard personnel or local emergency authorities


(e.g., police, medical, fire, etc.) inadvertently

gain access to Program material, they should be

interviewed to determine the extent of the

exposure. If circumstances warrant, a

preliminary inquiry will be conducted. When in

doubt, contact the PSO for advice.

2. Refusal to sign an inadvertent disclosureoath will be reported by the CPSO to the PSO.

3. Contractors shall report all unauthorizeddisclosures involving RD or FormerlyRestricted Data (FRD) to Department ofEnergy (DOE) or Nuclear RegulatoryCommission (NRC) through their CSA.

1-302. (Baseline). Social ContactReporting (foreign or otherwise).Report social contact when:

• The individual is questionedregarding the specifics of hisor her job, organization,mission, etc.

• Questioning is persistentregarding social obligations,family situations, etc.

• Frequent or continuingcontact is anticipated (e.g., penpals, ham operators,INTERNET).

• Any unusual incident with acitizen or other entity of anycountry.



Chapter 2

Security Clearances

Section 1. Facility Clearances

2-100. General. Contractors will possess a

Facility Security Clearance to receive, generate, use,

and store classified information that is protected in

SAPs.

a. If a facility clearance has already been granted,

the SAP Program Executive Agent may carve in

the Facility CSA. The agreement entered into by

the Secretary of Defense (SECDEF) with the

other CSAs will determine the terms of

responsibility for the Facility CSA with regard to

SAP programs. Due to the sensitivity of some

SAPs, the program shall be carved out by the

Executive Agent designated by the CSA.

WAIVED - √UNACKNOWLEDGED - √ACKNOWLEDGED -

b. The CPSO shall notify the PSO of any activity

which affects the Facility Security Clearance,

(FCL).

c. In certain instances, security and the sensitivity

of the project may require the contract and the

association of the contractor with the Program

CSA be restricted and kept at a classified level.

The existence of any unacknowledged effort, to

include its SAPF, will not be released without

prior approval of the PSO.

WAIVED - √UNACKNOWLEDGED - √ACKNOWLEDGED -

2-101. Co-Utilization of SAPF. If multiple

SAPs are located within a SAPF, a Memorandum of

Agreement (MOA) shall be written between

government program offices defining areas of

authorities and responsibilities. The first SAP in an

area shall be considered to be the senior program and

therefore the CSA for the zone unless authority or

responsibility is specifically delegated in the MOA.

The MOA shall be executed prior to the introduction

of the second SAP into the SAPF.

2-102. Access of Senior ManagementOfficials. Only those Senior ManagementOfficials requiring information pertaining to theSAP shall be processed for SAP access.

2-103. Facility Clearances forMultifacility Organizations.

a. When cleared employees are located at uncleared

locations, the CPSO may designate a cleared

management official at the uncleared location

who shall:

1. Process classified visit requests, conduct

initial or recurring briefings for cleared

employees, and provide written confirmation of

the briefing to the CPSO.

2. Implement the reporting requirements of the

NISPOM and this Supplement for all cleared

employees and furnish reports to the CPSO for

further submittal to the CSA.

3. Ensure compliance with all applicable

measures of the NISPOM and this Supplement

by all cleared employees at that location.

b. If a cleared management official is not available

at the uncleared location, the CPSO (or designee)


shall conduct the required briefing during visits to

the uncleared location or during employee visits

to the location or establish an alternative

procedure with CSA approval.

All briefings and indoctrinations mustbe accomplished in a SAPF or otherworking facility (e.g., temporary SAPFas designated by the PSO).



Section 2. Personnel Clearances and Access

2-200. General. This section establishes therequirements for the selection, processing, briefing,and debriefing of contractor personnel for SAPs.

Access to SAP information is neithera right nor an entitlement; it is awholly discretionary securitydetermination granted only to thoseindividuals who meet stringentbackground and security standards.Program Security Guides will listapproved access approvalauthorities. See the limitation inparagraph 2-201d.

When approved by the PSO, atransfer in status may occur,providing the transfer is to a locationwhere the security procedures do notdiffer unless approved by the PSOand there is a valid need to know.Grant special access to no onemerely by reason of federal service,contracting status, as a matter ofright or privilege, or as a result of anyparticular title, rank, position, oraffiliation.

2-201. Program Accessing Requirementsand Procedures.

a. The individual will have a valid need-to-know(NTK) and will materially and directly contributeto the Program.

b. The individual will possess a minimum of a

current, final SECRET security clearance or meet

the investigative criteria required for the level of

access. If a person’s periodic reinvestigation (PR)

is outside the five-year

scope and all other access processing is current and

valid, the PSO may authorize access. However,

the individual will be immediately processed for

either a Single Scope Background Investigation

(SSBI) or National Agency Check with Credit

(NACC) as required by the level of clearance or

as otherwise required by the contract.


PSOs, whenever possible, will acceptthe SSBI or a National Agency Checkwith Local Agencies Check andCredit (NACLC) of another Federalagency if current within five years.When another Federal agencyconducts an individual’s PersonnelSecurity Investigation (PSI), theadjudicative authority must reviewany disqualifying information,including, when available, accessdenial by another agency and thereasons therefore, before grantingspecial access.

c. The contractor will nominate the individual andprovide a description of the NTK justification.The CPM will concur with the nomination andverify Program contribution by signature on theProgram Access Request (PAR). The CPSO willcomplete the PAR and review it for accuracyensuring all required signatures are present. The

CPSO signature verifies that the security

clearance and investigative criteria are accurate,

and that these criteria satisfy the requirements of

the Program. Information regarding the PAR may

be electronically submitted. While basic

information shall remain the same, signatures may

not be required. The receipt of the PAR package

Springer


via a preapproved channel shall be considered

sufficient authentication that the required

approvals have been authenticated by the CPSO

and contractor program manager.

Use SAP Format 1, Program AccessRequest, to request special access.

d. Access Criteria and Evaluation Process. Inorder to eliminate those candidates who clearly

will not meet the scope for access and to complete

the Personnel Security Questionnaire (PSQ),

access evaluation may be required. In the absence

of written instructions from the contracting

activity, the evaluation process will conform to

the following guidelines:

1. Evaluation criteria will not be initiated at the

contractor level unless both the employee and

contractor agree.

2. Contractors will not perform access

evaluation for other contractors.

3. Access evaluation criteria will be specific

and will not require any analysis or

interpretation by the contractor. Access

evaluation criteria will be provided by the

government as required.

4. Those candidates eliminated during this

process will be advised that access processing

has terminated.


As part of the PAR processingprocedure, the CPSO must checklocal record and file repositories,when available and accessible,before submitting a PAR. The querymust reveal the existence of any localadverse information files concerningthe nominee.

e. Submit a Letter of Compelling Need or other

documentation when requested by the PSO.

f. Formats required for the processing of a SAP

access fall into two categories: those required for

the conduct of the investigation and review of the

individual’s eligibility; and those that explain or

validate the individual’s NTK. These constitute

the PAR package. The PAR package used for the

access approval and NTK verification will contain

the following: the PAR; and a recent (within 90

days) PSQ reflecting pen and ink changes, if any,

signed and dated by the nominee.

Unless the employee has exercisedthe privacy option, CPSOs mustreview employee SF 86 for accuracyand completeness unless theemployee seals the information in anenvelope. Forward the sealedenvelope to the PSO.

g. Once the PAR package has been completed, the

CPSO will forward the candidate’s nomination

package to the PSO for review:

1. The PSO will review the PAR package and

determine access eligibility.

2. Access approval or denial will be determined

by the GPM and/or access approval authority.

3. The PSO will notify the contractor of access

approval or denial.

4. Subcontractors may submit the PAR package

to the prime. The prime will review and concur

on the PAR and forward the PAR and the

unopened PSQ package to the PSO.

h. SCI access will follow guidelines established in

DCID 1/14.


SAP access will follow guidelinesestablished by the Security PolicyBoard and published in DoD 5200.2Rwith the following clarifications:

1. The individual’s immediatefamily or cohabitant(s), mustalso be U.S. citizens. Anexception to this requirementmay be granted when acompelling need exists. Submitletters of compelling need to thePSO.

2. Anytime a candidate acquiresimmediate family members (toinclude spouse’s parents) orother persons to whom he or sheis bound by affection orobligation and who are not U.S.citizens, he or she must report itto their security officer. SAPFormat 20, Foreign Relative orAssociate Interview, will be usedto conduct an interview asdetermined by the PSO.

3. For the purpose of SAPaccess eligibility determinations,marijuana or any other form ofcannabis sativa is considered a“drug” (e.g., as described inDCID 1/14).

4. Adjudication Authorities areestablished to uniformly applythe adjudication standards inthis supplement and to ensureequitable and consistent accessdecisions that are neithercapricious nor arbitrary and thatconform to existing statutes andExecutive Orders.

i. Briefings

1. Complete a SAP Format 2,Special Access ProgramIndoctrination Agreement forpersonnel being accessed. If aprogram requires a polygraphagreement, also complete SAPFormat 2a, Special AccessProgram IndoctrinationAgreement (PolygraphSupplement).

2. Have the individual approvedfor access sign thenondisclosure (SAP Format 2)and prebriefing (Format 2a ifpolygraph is authorized for theprogram) acknowledgmentsections before briefing. Then,conduct the program or projectbriefing and have the individualsign the briefingacknowledgment portion of SAPFormat 2. Prepare a new SAPFormat 2 (and Format 2a, ifappropriate) each time anindividual is briefed to a higherlevel or reindoctrinated afterbeing debriefed. A single SAPFormat 2 (and Format 2a, ifappropriate) may be executed forsubcompartments of the sameprogram, to include access tomultiple projects or independentresearch and development(IRAD).

3. If the program or projectrequires a polygraph agreement,as approved by the OSD SAPOC,and the individual has previouslysigned a briefing statementreflecting that he or she was notsubject to a random polygraph,the individual must sign a SAPFormat 2a, or be exempted bythe component SAP Central


Office. This may beaccomplished during annualrefresher training (see paragraph3-103).

j. Periodic Reinvestigations (PRs).A current investigation is definedas an investigation not older thanfive years.

1. For outdated PSIs, request aPR when initial access isinvolved.

2. Do not place SAP points ofcontact (POCs), program names,or other program identifiers onthe DD Form 1879. Insteadannotate these forms inaccordance with PSO guidance.

2-202. Supplementary Measures andPolygraph.

a. Due to the sensitivity of a Program or criticality

of information or emerging technology, a

polygraph may be required. The polygraph

examination will be conducted by a properly

trained, certified U.S. Government Polygraph

Specialist. If a PR is outside the 5-year

investigative scope, a polygraph may be used as

an interim basis to grant access until completion

of the PR.


In all cases where the polygraph isused for SAP screening purposes,the SAPOC will be notified as part ofthe annual review process.

b. There are three categories of polygraph:

Counterintelligence (CI), Full Scope (CI and life

style), and Special Issues Polygraph (SIP). The

type of polygraph conducted will be determined

by the CSA.

2-203. Suspension and Revocation. All PSOdirection to contractors involving the suspension orrevocation of an employee’s access will be providedin writing and if appropriate, through the contractingofficer.

When time is of the essence, theADJUDICATION Authorities and thePSOs are empowered to verballysuspend a person’s special access.Unless unusual conditions prevail,written confirmation of the verbaldirection is provided to thecontractor no later than the close ofbusiness on the next working day.

2-204. Appeal Process. The CSA will establishan appeal process.

Whenever possible, all accessedpersons or candidates for access areguaranteed the opportunity to appealdecisions to deny or limit theirspecial access. They may appeal to ahigher authority. Denial, revocation,or limitation of a candidate’s SAPaccess is an access decision onlyand may not be the basis for furtherunfavorable administrative actions.Such a decision does not reflect onany other aspect of the candidate’sloyalty, trustworthiness, or reliability.

The appropriate AdjudicationAuthority notifies the employer’sCPSO of a decision to deny, revoke,warn, or limit its employee’s specialaccess. The CPSO, in turn, notifiesthe employee, who has 30 days fromthe date of receipt of the letter inwhich to appeal the decision. He or


she must sign the request andprovide a mailing address for thewritten reply.

On appeal, the appropriateAdjudication Authority provides anyadditional information from thecandidate and the rationale behindthe decision to the next higher reviewauthority.

The Appeals Board/Authority makesfinal SAP access determinations. Onoccasion, overriding nationalsecurity interests will not allow fulldisclosure of pertinent information.

2-205. Agent of the Government. TheGovernment may designate a contractor-nominatedemployee as an Agent of the Government on a case-by-case basis. Applicable training and requirementswill be provided by the Government to contractorsdesignated as Agents of the Government.


2-206. Access Roster or List. Current accessrosters of Program briefed individuals are requiredat each contractor location. They should be properlyprotected and maintained in accordance with the PSG.The access roster should be continually reviewed andreconciled for any discrepancies. The data base orlisting may contain the name of the individualorganization, position, billet number (if applicable),level of access, social security number, militaryrank/grade or comparable civilian rating scheme, andsecurity clearance information. Security personnelrequired for adequate security oversight will notcount against the billet structure.

Submit an updated access list to the GovernmentProgram Office semiannually. If there is no change,send a negative report.

2-213. Consultants (Baseline).

a. A consultant is an individual

whose services are retained by acompany to provide specialized,professional services toaccomplish a specific task.Services are retained through aprofessional service agreementand/or statement of work betweenthe individual and the sponsoringcompany.

A consultant to a SAP activity musthave the appropriate personnelsecurity clearance on file with thesponsoring company and beapproved for Program Access by theGPM and PSO. The consultant willperform classified work at anapproved SAPF in accordance withthe DD Form 254. In addition, beforethe consultant can be considered toperform his specialized service, thecompany sponsoring the consultantmust submit to the PSO, a copy ofthe professional service agreementand/or Statement of Work detailingwhat specific tasks he/she will beperforming. Once consultant statusis approved, the consultant’sProgram Access Request package,which will also include an executedConsultant Security Agreement, canbe adjudicated for access to theprogram. A Consultant SecurityAgreement can be obtained from thePSO.

Upon access approval, theconsultant will be escorted into theSAP area and given a thorough andin-depth security and technicalbriefing outlining the policies andprocedures on how the programfacility operates in a Special Accessenvironment.


Any change in the consultant’sstatus, (i.e., he/she is hired by thesponsoring entity to work in theirorganization or any other deviation tothe existing professional servicesagreement which would negatehis/her consultant status), must bereported immediately to the GPM andPSO.

b. Job Shopper/Temporary Help.Contact the PSO for furtherguidance.


Chapter 3

Security Training and Briefings

Section 1. Security Training and Briefings

3-100. General. Every Special Access Program(SAP) will have a Security Training and BriefingProgram. As a minimum, SAP-indoctrinated

personnel will be provided the same or similar

training and briefings as outlined in the baseline

NISPOM. In addition, CPSOs responsible for SAPsat contractor facilities will establish a SecurityEducation Program to meet any specific or uniquerequirements of individual special access programs.Topics which will be addressed, if appropriate to the

facility or the SAP(s), include:

The security education programapplies to all program-accessedindividuals. Tailor specific securityeducation programs to the missionand function of the activity. Gearindividual training to the currentspecific job. Table 1 summarizestraining requirements

a. Security requirements unique to SAPs;

b. Protection of classified relationships;

c. Operations Security (OPSEC);

d. Use of nicknames and code words;

e. Use of special transmission methods;

f. Special test-range security procedures;

g. Procedures for Unacknowledged SAP security.

An Unacknowledged SAP will require additional

security training and briefings, beyond that

required in the baseline. Additional requirements

will be specified in the Contract Security

Classification Specification and will address steps

necessary to protect sensitive relationships,

locations, and activities.

h. Specific procedures to report fraud, waste, and

abuse.

i. Computer security education that is to include

operational procedures, threats, and

vulnerabilities.

Ensure that all persons who areresponsible for and accesscomputers are aware of properoperational and security-relatedprocedures. Conduct computersecurity refresher training at leastannually (along with, or separatelyfrom, other refresher training[paragraph 3-103]).

j. Writing unclassified personnel appraisals and

reviews.

k. Third-Party Introductions. The purpose of the

Third-Party Introduction is to provide a clearance

and/or access verification to other cleared

personnel. The introduction is accomplished by a

briefed third party, who has knowledge of both

individual’s accesses.

The CPSO or other securityeducation manager who providesoverall management and direction forsecurity education programs. ThePSO exercises responsibility for


individual SAP programs. AppointedSecurity Officers at all levelssupervise security education,determine specific trainingrequirements, and provide assistanceand guidance as required.Supervisors ensure completion of

required training. The ProgramDirector and other managementofficials are responsible to implementa security education program andemphasize their support by individualexample.

Table 1. Training Requirements

Type Frequency Documentation Remarks

Indoctrination One Time SAP Format 2/2a Gear Toward JobInvolved

Specialized Ongoing Any Method Use Any Method

Refresher Annual Format 17/DataBase

Mandatory Subjects

ForeignTravel

Event-Driven/Annually

SAP Format 17 Mandatory Subjects

Termination One Time SAP Format 2/2a Mandatory Subjects

(NOTE: other types of training are addressed on a case by case basis.)

3-101. Security Training. The CPSO willensure that the following security trainingmeasures are implemented:

a. Initial Program Security Indoctrination. Everyindividual accessed to a SAP will be given aninitial indoctrination. The briefing will clearlyidentify the information to be protected, thereasons why this information requiresprotection, and the need to execute a NDA. Theindividual will be properly briefed concerningthe security requirements for the Program,understand their particular securityresponsibilities, and will sign a NDA. This

indoctrination is in addition to any other briefing

required for access to collateral classified or

company proprietary information. It will be the

responsibility of the PSO to provide to the

contractor information as to what will be included

in the initial indoctrination to include fraud,

waste, and abuse reporting procedures.

b. Professionalized AIS training may be required of

all contractor Information Systems Security

Representatives (ISSRs) to ensure that these

individuals have the appropriate skills to perform

their job functions in a competent and cost-

effective manner. This training will be made

available by the CSA. The training should consist

of, but not be limited to, the following criteria:



1. Working knowledge of all applicable and

national CSA regulations and policies including

those contained in this supplement;

2. Use of common Information Security

(INFOSEC) practices and technologies;

3. AIS certification testing procedures;

4. Use of a risk management methodology;

5. Use of configuration management

methodology.

Industrial security education andtraining materials are frequentlydeveloped and issued by the DefenseSecurity Service (DSS), defensecontractors, and other Governmentagencies. Such materials areavailable by purchase, on loan, orfree of charge. All Security Officersare encouraged to obtain, tailor, anduse these materials to enhance theirsecurity education program. A wordof caution: Before use, closely reviewthese materials and ensure that theydo not contain guidance thatcontradicts established SAPprocedures. Additionally, use ofthese materials by themselves doesnot fully satisfy SAP securityeducation requirements (SAPsecurity education programs mustinclude program-unique and SAPitems).

The PSO may distribute SAP-specificmaterials through each CPSO.Materials include the Security ActionReport, posters, FWA items, andcounterintelligence items of interest.Retain these materials withinapproved SAPFs.

Ensure that each individual to be

program accessed understands hisor her obligations andresponsibilities for security. Include acombination of written and verbalbriefings. Use excerpts from theespionage laws and explain theagreement and laws to eachindividual. Include actions personsmay take to defeat ForeignIntelligence Service (FIS) efforts.

If appropriate, design a separatebriefing for each level of access,compartment, and project. Includelocal procedures as well as itemsfrom the specific PSD document. Ifappropriate, cover the potentialrequirement for a polygraphexamination and state that suchexamination is limited tocounterintelligence andcounterespionage questions. Briefeach individual based on functionand specific to the role and functionthe individual will be accessed. Donot solely use the “read-and-sign”method to satisfy this trainingrequirement.

3-102. Unacknowledged Special AccessPrograms (SAP). Unacknowledged SAPs require

a significantly greater degree of protection than

Acknowledged SAPs. Special emphasis should be

placed on:

a. Why the SAP is Unacknowledged;

b. Classification of the SAP;

c. Approved communications system;

d. Approved transmission systems;

e. Visit procedures;

f. Specific program guidance.

3-103. Refresher Briefings. Every accessedindividual will receive an annual refresher briefing


from the CPSO to include the following, as aminimum:


a. Review of Program-unique security directives or

guidance;

b. Review of those elements contained in the

original NDA.

NOTE. The PSO may require a record to bemaintained of this training.

This refresher training replaces whatused to be called reindoctrinationtraining. The name change was madeto emphasize that the purpose of thistraining is to present new andapplicable training rather than areaccomplishment of theindoctrination briefing. There is noneed to re-sign the initial briefingstatement (SAP Format 2) once it hasbeen initially authenticated. Thistraining should be conducted on aface-to-face basis and must includeall non-full-time employeesregardless of their work location.Refresher training may be conductedthroughout the calendar year oraccomplished at one session.Individuals accessed to multipleSAPs need only attend one briefingor training session. If approved bythe PSO (or higher authority), similartraining conducted by securitypersonnel from other agencies ordepartments may also satisfyrefresher training. Topics to coverinclude:

• Foreign intelligence

techniques and threatreporting (information thatmust be reported to the PSO).

• Discussing programinformation over unsecuredtelephones and use of STU IIIs.Ensure that personnel arebriefed on the use of STU IIIsbefore use and annuallythereafter. As a minimum,discuss the protection ofinformation transmitted,specific STU III securityrequirements, STU III securityincident identification, andreporting requirements. Payparticular attention to, andexpand the training for,personnel who operate faxmachines connected to STUIIIs.

• Information concerningactual or potential terrorism,terrorist groups, espionage, orsabotage of any U.S. facility,activity, person, or resource.

• Adverse affects to nationalsecurity resulting fromunauthorized disclosure.

• Derivative classification andmarking requirements.

• Adverse reporting(Continuing Evaluation ofPersonnel Program).

• Reporting FWA (through SAPchannels).

• Program vulnerabilities,program threat, and OPSEC.

• Computer security(applicable for computer usersonly), to include computeroperating procedures, audittrails, logs, forms, receipts,media protection, use ofsystem, copyright laws, andlicensing agreements.


• Common securitydeficiencies discovered duringrecent security self-reviews;usually, self-reviews or othersecurity reviews identifysecurity weaknesses and arean excellent tool to identifyadditional training needs.

• Other security educationtopics such as documentcontrol, TEMPEST,reproduction, etc., may beincluded in refresher training.

Personal Status Changes. Duringrefresher training, give personnel theopportunity to report any previouslyunreported personal status changes.Optionally, require persons to reviewtheir SF Form 86, update asnecessary, and authenticate itscurrency in block 18 on the originalform.

NOTE: Pursuant to the training matrixon page 3-1-2, document all securityeducation training and file thedocumentation in individual’s folder.Use SAP Formats 2/2A to documentbriefings and debriefings. Use SAPFormat 17 to record refresher orforeign travel training. If multipleSAPs are involved, a centralizedrecord system may be used. Acomputer database to reflect trainingconducted may be substituted forfiling training records in individualfolders.

3-104. Debriefing and/or AccessTermination. Persons briefed to SAPs will bedebriefed by the CPSO or his designee. Thedebriefing will include as a minimum a reminder ofeach individual’s responsibilities according to theNDA which states that the individual has noProgram or Program-related material in his/her

possession, and that he/she understands his/herresponsibilities regarding the disclosure of classifiedProgram information.

Design a formal debriefing programwhich appropriately addresses thefollowing:

• How to obtain a releasebefore publishing.

• What can and cannot bediscussed or placed inresumes and applications forsecurity clearances.

• Turning in all holdings.

• Applicability of, and penaltiesfor, engaging in espionage.

• Who (the POC) to reportsuspected FIS contacts or anyattempt by unauthorizedpersons to solicit programdata. The priority (top tobottom) for reporting thisinformation is as follows:

• Servicing SAP SecurityOfficer.

• CPSO or member ofCPSO’s organization.

• Nearest FBI office.

(NOTE: Contact the PSO/CPSObefore discussing classified orprogram information with theFBI).

• Ensure that appropriateespionage laws and codes areavailable (as an optionalhandout) and provide the sameon request.

a. Debriefings should be conducted in a SAPF,

Sensitive Compartmented Information Facility

(SCIF), or other secure area when possible, or as

authorized by the PSO.


b. Procedures for debriefing will be arranged to

allow each individual the opportunity to ask

questions and receive substantive answers from

the debriefer.

c. Debriefing Acknowledgments will be used andexecuted at the time of the debriefing andinclude the following:

1. Remind the individual of his/her continuingobligations agreed to in the SAP NDA.

2. Remind the individual that the NDA is alegal contract between the individual and theU.S. Government.

3. Advise that all classified information toinclude Program information is now andforever the property of the U.S. Government.

4. Remind the individual of the penalties forespionage and unauthorized disclosure ascontained in Titles 18 and 50 of the U.S.Code. The briefer should have thesedocuments available for handout uponrequest. Require the individual to sign andagree that questions about the NDA have beenanswered and that Titles 18 and 50 (U.S.Codes) were made available and understood.

5. Remind the individual of his/her obligationnot to discuss, publish, or otherwise revealinformation about the Program. Theappearance of Program information in thepublic domain does not constitute a de factorelease from the continuing secrecyagreement.

6. Advise that any future questions orconcerns regarding the Program (e.g.,solicitations for information, approval topublish material based on Program knowledgeand/or experience) will be directed to theCPSO. The individual will be provided atelephone number for the CPSO or PSO.

7. Advise that each provision of the agreementis severable ( i.e., if one provision is declaredunenforceable, all others remain in force).

8. Emphasize that even though an individualsigns a Debriefing AcknowledgmentStatement, he/she is never released from theoriginal NDA/secrecy agreement unlessspecifically notified in writing.

d. Verify the return of any and all SAP classified

material and unclassified Program-sensitive

material and identify all security containers to

which the individual had access.

e. When debriefed for cause, include a brief

statement as to the reason for termination of

access and notify the PSO. In addition the CPSO

will notify all agencies holding interest in that

person’s clearance/accesses.

Because the CPSO may not be awareof all programs an individual isaccessed to, the PSO will notifyservice counterparts known to haveactivity at a particular location. ThePSO will ensure that the adjudicationauthority is notified as well whensuch notification is required.

f. The debriefer will advise persons who refuse to

sign a debriefing acknowledgment that such

refusal could affect future access to special access

programs and/or continued clearance eligibility. It

could be cause for administrative sanctions and it

will be reported to the appropriate Government

Clearance Agency.

If an individual refuses to execute adebriefing form, administer an oraldebriefing in the presence of awitness and annotate the debriefingform: "ORAL DEBRIEFINGCONDUCTED; INDIVIDUAL REFUSEDTO SIGN." The briefer and witness


sign beneath the statement attestingto this action. Immediately report thisfact to the PSO. The PSO will contactother organizations as required.

g. Provide a point of contact for debriefed

employees to report any incident in the future

which might affect the security of the Program.

3-105. Administrative Debriefings. Efforts

to have all Program-briefed personnel sign a

Debriefing Acknowledgment Statement may prove

difficult. If attempts to locate an individual either by

telephone or mail are not successful, the CPSO

should prepare a Debriefing Acknowledgment

Statement reflecting the individual was

administratively debriefed. The DebriefingAcknowledgment Statement will be forwarded to thePSO. The CPSO will check to ensure that noProgram material is charged out to, or in thepossession of these persons.

a. If an individual is not available tocomplete the debriefing form, sendan unclassified debriefing form tothe individual via certified mail(return receipt requested) andrequest that he or she completethe form and return it to theactivity.

b. If the individual does notrespond or return the completeddebriefing form. Follow theprocedures in para C.

c. If the whereabouts of theindividual cannot be determined in6 months, administratively debriefthe individual by completing adebriefing form, annotating theform with, INDIVIDUAL NOTAVAILABLE; ADMINISTRATIVELY

DEBRIEFED. The SO (SecurityOfficer) signs the debriefing formand attaches a narrativeexplanation.

3-106. Recognition and Award Program.Recognition and award programs could be establishedto single out those employees making significantcontributions to Program contractor security. If used,CPSOs will review award write-ups to ensurerecommendations do not contain classifiedinformation.

3-107. Foreign Travel. Training isprovided to all accessed personnelannually or before travel, whicheveris earlier. Include both general andcountry-specific information andthreat advisories, when appropriate.See paragraph 1-300e for additionalinformation on reporting foreigntravel and contacts.

a. Recommended Topics.Depending on destination include:

• Foreign intelligencetechniques, terrorist activities,civil situations, or otherhazards to personal safety forthe region being visited.

• Reporting foreign travel andforeign contacts ofsignificance (information thatmust be reported to the PSO aslisted in paragraph 1-300e).

b. Reciprocity. Individualsaccessed to multiple SAPs needonly attend one foreign travelbriefing.

3-108. Specialized Training. Trainingis given periodically throughout theperiod of time an individual hasprogram access. It is designed for acategory of individual job


assignment, (e.g., security specialist,administrative, document handler,engineer). It also may be designed tocover specific items of interest, e.g.,review result, new test, or change inprogram status.

a. Security Officers must developan aggressive, on-going securityeducation program. Conduct thistraining when special events arescheduled.

b. Provide a defensive briefing onelicitation techniques used by FISto persons attending internationalconferences and symposia,regardless of location. On theirreturn, provide the PSO a reportwhen FIS contact was made orsuspected. Information in thisbriefing is normally provided bythe Government.

c. Brief couriers as specified inparagraph 5-402b.


Chapter 4Classification and Markings

Section 1. Classification

Challenges to Classification. All challenges toSAP classified information and/or material shall beforwarded through the CPSO to the PSO to theappropriate Government contracting activity. Allsuch challenges shall remain in Program channels.

4-100. Program Directors (PDs) andContractor Program managers(CPMs) share responsibility foraccuracy, currency, and necessity ofclassifications applied to documentsand material.

4-101. Program Classification. Seeeach Program or Project SecurityClassification Guide (PSCG) forprogram specific, operational andtechnical security classificationguidance.

4-102. Nicknames, Codewords, andother Identifiers (See Appendix A fordefinitions).

a. Coordinate and requestnicknames and project namesthrough the PSO.

b. Request a change of nicknames,codewords, and other programidentifiers immediately whencompromised or suspected ofcompromise.

c. There is no establishedtimeframe to change program

identifiers. After continuous use,however, they becomesynonymous with the program.This defeats their purpose andthey become ineffective from anOPSEC viewpoint. The PD or PSOmakes this determination andrequests a nickname or codewordchange through the SecurityDirector.

d. Codewords will be used withinprogram channels by properlyindoctrinated personnel. The useof a codeword, its meaning, andclassification guidance must beplaced in the program securityclassification guide.

4-103. DD Form 254 Requirements.

a. Prepare DD Form 254, DoDContract Security ClassificationSpecification, for each contractor,subcontractor, or consultant. UseDD Form 254 to transmit thePSCG, Program Security Guide(PSG), and other documentscontaining security classificationguidance.

b. The contractor will maintain acurrent listing of the location ofcontainers, rooms, and completelydedicated buildings that containSAP materials and are carved out


from DSS cognizance. Provide thislist to the PSO, who will includethis information in the programdata base.

c. Do not attach lengthyattachments to DD Forms 254 thatmerely repeat information, policy,and procedures contained in anyother security directive (e.g.,TEMPEST policy).

d. The PSO will prepare andforward to the Contracting Officeran approved DD Form 254 for eachprime contract. For subcontracts,the prime CPSO will prepare aproposed DD Form 254 andforward it to the PSO for approvalbefore release to subcontractors.

e. The PSO provides detailedguidance pertaining to DD Forms254 on classification, release tothe DSS, carve-out status, etc. Thisguidance is based on the specificPSCG.



Section 2. Marking Requirements

4-200. General. Classified material that isdeveloped under a SAP will be marked andcontrolled in accordance with the NISPOM, thisSupplement, the Program Security ClassificationGuide, and other Program guidance as directed bythe PSO.


4-201. Additional Provisions andControls. The PSO may specify additionalmarkings to be applied to SAP working papers basedon the sensitivity and criticality of the Program, whenapproved by the CSA.

a. All program-classifieddocuments, media, and materialswill contain the following markingson the top and bottom of eachpage:

SECRET/CODEWORD orNICKNAME or SPECIAL ACCESSREQUIRED

b. Government OriginalClassification: The OriginalClassification Authority has fourchoices for determining thedeclassification date. That datedepends on the sensitivity of theinformation involved. A date orevent that does not exceed 10years; example: completion of atest.

Ten years from the date of theoriginal decision (not the date thedocument was originated); thisdate does not change; example:budget information.

Extension of a 10 yearclassification; example:technology remains unknown toother nations, X(1-8).

Information is exempt fromautomatic declassification;example: Top Secret RCS DataNormally 25X(1-9) (not a date)would appear on thedeclassification line.

Classified By: (Name of the person{a designated OriginalClassification Authority} signingthe guide or document).

Reason: E.O. 12958 Section1.5a,c,e,g,d.

Declassify On: Specific Date orEvent, 10-Year Date, X-3 (see EO12958, Section 1.6(a)), or 25X-4(see EO 12958, Section 3.4 (b)).

c. Government/ContractorDerivative Classification.

1. For derived classification(single source):

Derived From: SRPSCG, 1 Oct 95

2. Declassify On: (Varies-Seeexamples in paragraph b). Ifmultiple sources are used, show“Multiple Sources” on theclassification line and show thelongest duration of any of thesources on the declassificationline.

Derived From: Multiple Sources(list each source on originator’sfile copy).


Declassify On: (longest period ofany source).

d. Unless the classification isbased on a compilation ofinformation, portion markings arerequired for each document.Identify classified as well asunclassified paragraphs. Mark SAPclassified paragraphs with theclassification abbreviations.

e. When marking documentscontaining a specific SAP’sinformation, the followingparagraph or portion markings arerequired: (a) The classification ofthe paragraph, (i.e.CONFIDENTIAL, SECRET or TOPSECRET), and (b) an appropriateprogram identifier. For example:S/ABC or C/SE. For informationinvolving multiple programs,include all applicable di/trigraphs.

4-202. Engineer’s Notebook. An engineer’snotebook is a working record of continually changingProgram technical data. It should NOT include draftsof correspondence, reports, or other materials. Theouter cover and first page will be marked with thehighest classification level contained in thenotebook. Portion marking or numbering is notrequired. Other requirements pertaining to thesenotebooks may be imposed by the PSO.


4-203. Cover Sheets. Cover sheets will beapplied to SAP documents when the documents arecreated or distributed. NOTE: CODE WORDSWILL NOT BE PRINTED ON THE COVERSHEETS. The unclassified nickname, digraph, ortrigraph may be used.

4-204. Warning Notices. Generally, Programclassified marking and transmission requirementswill follow this Supplement. Transmission ofProgram or Program-related material will bedetermined by the PSO. Besides the classificationmarkings, inner containers will be marked:

"TO BE OPENED ONLY BY:"

followed by the name of the individual to whom thematerial is sent. A receipt may be required. Apply thefollowing markings on the bottom center of the frontof the inner container:

WARNING

THIS PACKAGE CONTAINS CLASSIFIED U.S.GOVERNMENT INFORMATION.TRANSMISSION OR REVELATION OF THISINFORMATION IN ANY MANNER TO ANUNAUTHORIZED PERSON IS PROHIBITED BYTITLE 18, U.S. CODE, SECTION 798 (OR TITLE42, SECTION XX FOR RD OR FRD MATERIAL).IF FOUND, PLEASE DO NOT OPEN. "CALLCOLLECT" THE FOLLOWING NUMBERS, (areacode) (number) (PSO/CPSO work number) DURINGWORKING HOURS OR (area code) (number)(PSO/CPSO) AFTER WORKING HOURS.

The protective marking Handle ViaSpecial Access Channels Only(HVSACO) may be imposed by thePSO to identify information whichmust remain in SAP controlledprotective channels. See Appendix Afor a detailed definition. Whenapplicable, a separate proceduraldocument is issued by the serviceswhich explains control,dissemination, transmission, etc., ofHVSACO.


Chapter 5

Safeguarding Classified Information

Section 1. General Safeguarding Requirements

5-100. General. Classified and unclassified

sensitive SAP material must be stored in SAP CSA

approved facilities only. Any deviations must have

prior approval of the SAP CSA or designee. DoDwill strive for consistent applicationsof physical security safeguards.



Section 2. Control and Accountability

5-200. General. Contractors shall develop andmaintain a system that enables control of SAPclassified information and unclassified Programsensitive information for which the contractor isresponsible.

5-201. Accountability. Accountability ofclassified SAP material shall be determined andapproved in writing by the CSA or designee at thetime the SAP is approved. A separate accountabilitycontrol system may be required for each SAP.


a. The following types of classifiedinformation requires accountability(personal signature or otheridentifiers). This material will beentered into a documentaccountability system whenever itis received, generated, ordispatched, either internal orexternal to the command orcontractor.

1. All TOP SECRET informationrequires accountability. Assign adocument control number andspecific copy number to eachTop Secret document generatedin, received by or dispatchedfrom the SAPF.

2. Maintain a disclosure (access)record for each Top Secretdocument maintained in theSAPF. Use a cover sheet andattach it to each TOP SECRETdocument. Record the identity ofpersons given access to theinformation and the date of

disclosure on the cover sheet.Record the name only onceregardless of the number oftimes subsequent accessoccurs.

3. All COMSEC material will beaccounted for in accordancewith published COMSECguidelines.

4. Vendor software shall beaccounted for in accordancewith paragraph 8-500.

5. At the direction of the CSA, fullaccountability may be requiredfor SECRET/SAR material.

b. (NOTE: refers to NISPOMBaseline.) Unless otherwisestipulated by the CSA, only receiptand dispatch records are requiredfor Confidential and Secret SAPmaterial (individual receipting isnot required). The SO will establisha dedicated document log,classified at the appropriate level,for record dispatch and receipttransactions involving SAPclassified documents. Althoughdocument titles may beunclassified, the compilation ofinformation may require thedocument log to be classified.Consult the program classificationguide and the PSO for guidance.Refer to paragraph 5-202 of theNISPOM baseline for furtherinformation on the receipt anddispatch log.


c. To minimize proliferation ofmultiple document logs andaccountability systems in theSAPF, the SO may elect to log allConfidential and Secret SARreceipt and dispatch transitions inthe Top Secret documentaccountability system rather thencreate separate documents logs.

d. The accountability system willrequire individual responsibility forall TOP SECRET information,COMSEC material, and vendorsoftware in the SAPF. It will beapproved by the PSO prior toimplementation. The documentaccountability system will be ableto produce a Master DocumentListing that reflects alltransactions within 30 day ofgeneration, receipt, or dispatch. Ifan automated system is used, abackup duplicate record (manualor automated) will be retained topermit recall in even of loss(system crash).

e. Specific format, retentionrequirements, and dispositioninstructions for custodial logs willbe incorporated in the agency andcontractor’s SOP. After PSOapproval, the control log will bemaintained in accordance with theSOP.

f. AIS Media Control System. Asystem of procedures, approvedby the PSO, which providescontrols over use, possession, andmovement of magnetic media inSAPFs. These procedures mustinsure all magnetic media

(classified and unclassified) isadequately protected to avert theunauthorized use, duplication orremoval of the media. The mediamust be secured in limited accesscontainers or labeled with theidentity of the individualresponsible for maintaining thematerial.

5-202. Annual Inventory. An annual inventoryof accountable SAP classified material may berequired. The results of the inventory and anydiscrepancies, may be required to be reported inwriting to the PSO.


If specifically instructed by the PSO,a 100-percent annual inventory willbe conducted for Top Secret material.If the CSA approves accountabilityrequirements for other levels ofclassified material, the PSO mayspecify the frequency of inventories.

5-203. Collateral classified material required tosupport a SAP contract may be transferred withinSAP controls. Transfer will be accomplished in amanner that will not compromise the SAP or anyclassified information. The PSO will provideoversight for collateral classified materialmaintained in the SAP. Collateral classified materialgenerated during the performance of a SAP contractmay be transferred from the SAP to the contractor’scollateral classified system. The precautions requiredto prevent compromise will be approved by the PSO.


5-204. TOP SECRET/SAR WORKINGPAPERS ACCOUNTABILITY, MARK-ING AND DESTRUCTION.


a. TOP SECRET/SAR workingpapers may be created for short-term material development withinthe SAPF.

b. TOP SECRET/SAR workingpapers shall be properly classified,program marked and protected inan approved SAPF. Attach a coversheet and plainly mark the date oforigin and annotate “WORKINGPAPER” on the cover sheet.

c. TOP SECRET/SAR workingpapers shall either be entered intothe accountability system ordestroyed within 30 calendar daysfrom the date of origin or asstipulated in other Defensedirectives. Thereafter, thedocument must be assigned adocument accountability numberand copy designation. It will beformally entered into theaccountability system.

d. A TOP SECRET/SAR workingpaper will be reconfigured todisplay the appropriate documentaccountability and copydesignation and all applicablecover, page, paragraph, portionmarkings, and declassificationinstructions prior to removal fromthe SAPF.

5-205. Secret Working Papers.

a. If the CSA establishedaccountability requirement forprogram SECRET/SAP material,then the instructions in 5-204 shallapply to all SECRET/SAP working

papers and 5-206 WorkingNotebooks.

5-206. Top Secret WorkingNotebooks. Working notebooks areauthorized only as a special categoryof working papers for which theretention limitation does not apply.

a. Consider only materials thatundergo frequent change andrevision in this category. Do notinclude in these notebooksverbatim drafts of finalcorrespondence or other materialsthat transition from notes to draftto formal documentation.

b. Working notebooks (loose-leaf)are exempt from normal documentaccountability for each page ordocument within the notebook.Instead, assign and control thenotebook as one document. Atable of contents is required toensure completeness.

c. Before using bound notebooks,prenumber each pageconsecutively and place thenotebook document controlnumber on each page. Do notremove pages from thesenotebooks. As an optional methodto a bound notebook, three ring orloose-leaf binders can be used.

d. Mark the outer cover or first pagewith the highest anticipatedclassification. Date entries whenthey are created. Mark each pagewith the highest classificationcontained therein, but portionmarking is not required.


e. Do not reproduce workingnotebooks or transfer materialfrom a notebook to any locationunless the material is entered intoformal document accountability.


Section 3. Storage and Storage Equipment

(not further supplemented)



Section 4. Transmission

5-400. General. SAP classified material shall betransmitted outside the contractor’s facility in amanner that prevents loss or unauthorized access.

Establish a focal point to overseetransmission of program material.Use the following order ofprecedence:

• Cryptographiccommunications systems(secure fax/AIS).

• Courier (PSO approvalrequired for commercialcourier).

• United States Postal Service(USPS) registered mail (returnreceipt requested); limit toS/SAP and below materials.

(Baseline) Hardware. Before anyhardware movement of programassets, develop a transportation planand obtain the PSO’s approval.Develop the plan early in the programdevelopment to facilitate requiredcoordination between variousentities. Appoint a program-accessedindividual, knowledgeable aboutprogram security requirements, toserve as the focal point fortransportation issues. Ensure thatthe planning includes priority oftransportation modes (Governmentsurface/air, commercial surface/air)and inventory of classified hardwareto ensure program integrity. Also,make sure that transportationmethods maintain a continuous chainof custody between the originationand destination, and comply with all

Department of Transportation lawsand PSGs.

5-401. Preparation. All classified SAP materialwill be prepared, reproduced, and packaged byProgram-briefed personnel in approved Programfacilities.

Do not include or require a receipt(other than the receipt and dispatchrecords) for Secret/Confidential/SAPor Unclassified HVSACO material.Include a listing of materialscontained in the package which therecipient will acknowledge. Do notnormally classify receipts. Show anunclassified address on the TO andFROM blocks. Classify material onlywhen the compilation of subjectsrequires classification. SecurityOfficers make these determinationsbased on their judgment.

When a receipt or acknowledgment isnot returned within 30 days,immediately initiate tracer action.Reproduce a copy of the receipt heldin suspense control files; mark itTRACER – ORIGINAL RECEIPT NOTRECEIVED – PLEASE RESPONDWITHIN 7 DAYS. Send the receipt tothe intended recipient of the initialtransmission. If the recipient doesnot respond within 15 days or did notreceive the material, initiate apreliminary inquiry.

5-402. Couriers. The PSO through the CPSOwill provide detailed courier instructions to courierswhen hand-carrying SAP material. The CPSO willprovide the courier with an authorization letter.Report any travel anomalies to the CPSO as soon aspractical. The CPSO will notify the PSO.


The PSO must approve transmissionof TOP SECRET/SAP informationaboard commercial aircraft.

a. Prepare a courier authorizationletter in accordance with Section5-411.c of the NISPOM and brief inaccordance with Appendix F. Briefcouriers and then obtain thecouriers’ signaturesacknowledging the briefing. Brieffrequent couriers initially andannually thereafter. Debriefcouriers on their return whenproblems are encountered orreported.

b. Unless a single courier isapproved by the PSO, a two-person courier team is required forTop Secret/SAP. A single-personcourier can be used for Secret/SAPand below materials. Provisionsshall be made for additionalcouriers and/or access toapproved security containers forovernight storage when it appearscontinuous vigilance over thematerial cannot be sustained.

5-403. Secure Facsimile and/or ElectronicTransmission. Secure facsimile and/or electronictransmission encrypted communications equipmentmay be used for the transmission of Programclassified information. When secure facsimile and/orelectronic transmission is permitted, the PSO orother Government cognizant security reviewingactivity will approve the system in writing.Transmission of classified Program material by thismeans may be receipted for by an automated systemgenerated message that transmission and receipt havebeen accomplished. For TOP SECRET documents areceipt on the secure facsimile may be required by thePSO.

WAIVED - √

UNACKNOWLEDGED - √ACKNOWLEDGED - √

The following additional rules applyto secure facsimile transmission:

a. Do not use facsimile terminalsequipped with an automatic pollingfunction.

b. Establish voice contact with therecipient before sending Top Se-cret messages (sent via securefax). Ensure that the Secure Tele-phone Unit (STU) III indicates TopSecret. Obtain a receipt at the timeof transmission and include a date,copy number, subject, and signa-ture of the recipient (communica-tions operator). Thecommunications operator will inturn obtain a written receipt on de-livery to the intended office shownin the address element. The faxcover page (transmittal sheet) canbe used for this purpose.

5-404. U.S. Postal Mailing. A U.S. Postalmailing channel, when approved by the PSO may beestablished to ensure mail is received only byappropriately cleared and accessed personnel.


Use U.S. Postal Service certified mailfor CONFIDENTIAL/SAR. “For OfficialUse Only” and unclassified HVSACOmaterial may go by First Class mail.P.O. Boxes should be used only withprior approval of the PSO.

a. Except for TS, USPS ExpressMail can be used for overnight


transmission.

b. Use only currently approved U.S.Government contract commercialcarrier.

c. These means of transmittingselected special access materialsis in addition to, not a replacementfor, other transmission meanspreviously approved for suchmaterial. Secure facsimile remainsthe preferred method oftransmission.

d. Use overnight delivery onlywhen:

• Approved by the PSO.

• It is necessary to meetprogram requirements.

• It is essential to missionaccomplishment.

• Time is of the essence,negating other approvedmethods of transmission.

• Government programmanagement considers thismethod to be cost-effective.

e. Packages must meet the carrier’ssize and weight limitations or othersimilar restrictions.

f. Use the wrapping, addressing,and receipting procedurespreviously prescribed in paragraph5-401 and approved contractsecurity annexes. The commercialexpress carrier envelope is notconsidered the second envelope

for double-wrapping; hence, thecarrier envelope becomes the thirdwrap. Check with the PSO toobtain the proper address andspecific shipping instructions priorto use.

g. To ensure direct delivery toaddress provided by the PSO:

1. Do not execute the Waiver ofSignature and Indemnity onU.S.P.S. Label.

2. Do not execute the releaseportion on commercial carrierforms.

3. Ensure an appropriaterecipient s designated andavailable to receive material.

4. Do not disclose to the expressservice carrier that the packagecontains classified material.

h. When using an U.S. Government-approved contract carrier, shippackages only on Monday throughThursday to ensure that the carrierdoes not retain a classifiedpackage over a weekend.

i. Immediately report any problem,misdelivery, loss, or other securityincident encountered with thistransmission means to the PSO.

5-405. TOP SECRET Transmission. TOPSECRET (TS) SAP will be transmitted via securedata transmission or via Defense Courier Serviceunless other means have been authorized by thePSO.


5-407. (Baseline). Do not removeprogram materials (classified orunclassified) from a SAPF withoutthe PSO’s/CPSO’s approval. Within afacility or installation, transportprogram materials in envelopescontained within an outer container(briefcase, pouch, etc.). Place onlythe identity of the unclassifiedprogram or project office and the“national defense” label on the innercontainer. When transporting TopSecret materials, call ahead to therecipient’s office, providing the nameof the courier and estimated arrivaltime. On arrival, call the departureoffice to confirm the material’s safearrival.



Section 5. Disclosure

5-500. Release of Information. Public releaseof SAP information is not authorized without writtenauthority from the Government as provided for inU.S. Code, Titles 10 and 42. Any attempt byunauthorized personnel to obtain Programinformation and sensitive data will be reportedimmediately to the Government Program Manager(GPM) through the PSO using approved securecommunication channels.

Do not release informationconcerning programs or technologyto any non-program-accessedindividual, firm, agency, orGovernment activity without theSecurity Director’s or PSO’sapproval. Do not include informationconcerning SAPs in general orunclassified publications, technicalreview documents, or marketingliterature. Submit all materialproposed for release to the GPM orPSO 60 days before the proposedrelease date. After an approval isreceived for public release, additionalcase-by-case requests to releaseidentical data are not required.

NOTE: Public release of informationincludes any form of, or anythingrelated to, program information,items, or technology-classified orunclassified.

Submit any program informationintended for discussion at symposia,seminars, conferences, or other formof non-program meeting to the GPMor PSO for review and approval 60days before intended attendance andrelease.

Program history, systemtechnological advances, operational

concepts, special managementfunctions and techniques, andrelationships with non-DoD activitiesremain classified, requiring specialaccess authorization. The PSOcontrols disposition and access tohistorical material.



Section 6. Reproduction

5-600. General. Program material will bereproduced on equipment specifically designated bythe CPSO and may require approval by the PSO. TheCPMs and CPSOs may be required to prepare writtenreproduction procedures.

WAIVED - √UNACKNOWLEDGED - √ACKNOWLEDGED -√

Post a notice indicating if equipmentcan or cannot be used forreproduction of classified material.

Reproduction of SAP material is to berestricted to authorized machineslocated within a SAPF.

Locate reproduction equipment(classified and unclassified) inprogram areas. Machines should beunder routine surveillance by thepersonnel who are responsible forenforcing rules. Ideally, positionreproduction equipment withindocument control workstations toassure immediate and positiveaccountability.

5-601. The PSO will approvereproduction of TS material in DoD.



Section 7. Disposition and Retention

5-700. Disposition. CPSOs may be required toinventory, dispose of, request retention, or return fordisposition all classified SAP-related material(including AIS media) at contract completion and/orclose-out. Request for proposal (RFP), solicitation,or bid and proposal collateral classified andunclassified material contained in Program files willbe reviewed and screened to determine appropriatedisposition (i.e., destruction, request for retention).Disposition recommendations by categories ofinformation or by document control number, whenrequired, will be submitted to the PSO forconcurrence. Requests for retention of classifiedinformation (SAP and non-SAP) will be submittedto the Contracting Officer, through the PSO forreview and approval. Requirements for storage andcontrol of materials approved for retention will beapproved by the PSO.


5-701. Retention of SAP Material. Thecontractor may be required to submit a request to theContracting Officer (CO), via the PSO, for authorityto retain classified material beyond the end of thecontract performance period. The request will alsoinclude any retention of Program-related material.The contractor will not retain any Programinformation unless specifically authorized in writingby the Contracting Officer. Storage and controlrequirements of SAP materials will be approved bythe PSO.


See Appendix G for guidance onretaining security documentation.

5-702. Destruction. Appropriately indoctrinatedpersonnel shall ensure the destruction of classifiedSAP data. The CSA or designee may determine thattwo persons are required for destruction.Nonaccountable waste and unclassified SAP material

may be destroyed by a single Program-briefedemployee.


The destruction of accountableclassified material must beconducted by at least two program-accessed individuals. See Chapter 8for special destruction proceduresinvolving computer media.

Classified Materials, ManufacturingWaste, and By Products. Whereapplicable, security provisions will beestablished to securely dispose ofmaterials (e.g. Radar AbsorbingMaterials (RAM) and Radar AbsorbingStructures (RAS)), waste, andmanufacturing by products whichprovide a material signature ofclassified elements of a SAP.Procedures will be coordinated withthe PSO.

5-703. The PSO must review andapprove all destruction procedures. Ifmaterials are removed from a SAPFfor destruction at a central activity,ensure that materials are destroyedthe same day they are removed.

5-704. (Baseline). Destroy allclassified waste as soon as possible,but do not allow materials toaccumulate beyond 30 days. Applythis concept to all waste materialcontaining classified information,such as preliminary drafts, carbonsheets, carbon ribbons, plates,stencils, and masters. Safeguardtypewriter and computer equipment


ribbons used in transcribingclassified material in the mannerappropriate for the classificationcategory involved. Mark this materialPROTECT AS (enter appropriateclassification). Consider all material,including unclassified, generated inprogram areas as classified wasteand destroy accordingly. Contact thePSO for instructions and approval fordisposal of waste productsgenerated by laser and color outputdevices (e.g., laser printers,cartridges, film ribbons, andmagnetic storage units).

5-707. (Baseline). Prepare certificatesof destruction itemizing eachaccountable document (includingcomputer media) or materialdestroyed and cite the appropriatedocument control or copy number.Destruction certificates must becompleted and signed by both of theindividuals completing thedestruction immediately afterdestruction is completed. Show thedate of destruction on documentcontrol logs.



Section 8. Construction Requirements

5-800. General. Establishing a Special AccessProgram Facility (SAPF). Prior to commencing workon a SAP, the contractor may be required to establishan approved SAPF to afford protection for Programclassified information and material. Memoranda ofAgreement (MOA) are required prior to allowingSAPs with different CSAs to share a SAPF.


All organizations must store SAPmaterial in approved SAPFs. Updatethe accreditation checklist oncompletion of construction or whenchanges to physical securitysafeguards are planned. Beforeconstructing a SAPF, prepare anaccreditation checklist according toDCID 1/21, forward it to the PSO, andobtain the PSO’s approval. Do notmodify facilities (change physicalsecurity safeguards) without firstobtaining the PSO’s approval.

5-801. Special Access Program Facility.

a. A SAPF is a program area, room, group of

rooms, building, or an enclosed facility accredited

by the PSO where classified SAP Program

business is conducted. SAPFs will be affordedpersonnel access control to preclude entry byunauthorized personnel. Non-accessed personsentering a SAPF will be escorted by anindoctrinated person.

b. A Sensitive Compartmented Information Facility

(SCIF) is an area, room, building, or installation

that is accredited to store, use, discuss, or

electronically process SCI. The standard and

procedures for a SCIF are stated in DCIDs 1/19

and 1/21.

c. SAPFs accredited prior to implementation ofthis Supplement will retain accreditation until nolonger required or recertification is required dueto major modification of the external perimeter,or changes to the Intrusion Detection System(IDS), which affect the physical safeguardingcapability of the facility.

d. Physical security standards will be stated in theGovernment’s RFP, RFQ, contract, or other pre-contract or contractual document.

e. The need-to-know (NTK) of the SAP effort may

warrant establishment of multi-compartments

within the same SAPF.

When multicompartments within thesame facility are present, ensure thatsound-attenuation requirements, ifappropriate, are met.

f. *There may be other extraordinary or unique

circumstances where existing physical security

standards are inconsistent with facility operating

requirements, for example, but not limited to,

research and test facilities or production lines.

Physical security requirements under thesecircumstances will be established on a case-by-case basis and approved by the PSO/ContractingOfficer, as appropriate. (NOTE: as approved bythe CSA at establishment of the SAP.)


g. The PSO will determine the appropriatesecurity countermeasures for discussion areas.


5-802. Physical Security CriteriaStandards.

a. DCID 1/21 standards may apply to a SAPF when

one or more of the following criteria are

applicable:


1. State-of-the-art technology as determined by

CSAs to warrant enhanced protection.

2. Contractor facility is known to be working

on specific critical technology.

3. Contractor facility is one of a few (3 or less)

known facilities to have the capability to work

on specific critical technology.

4. TOP SECRET or SECRET material is

maintained in open storage.

5. A SAPF is located within a commercial

building, and the contractor does not control all

adjacent spaces.

6. SCI or Intelligence Sources and methods are

involved.

7. Contractors or technologies known to be a

target of foreign intelligence services (FIS).

b. The NISPOM baseline closed area construction

requirements with Sound Transmission Class

(STC) in accordance with DCID 1/21, Annex E

and intrusion alarms in accordance with Annex B,

DCID 1/21 may apply to a SAPF when one of the

following criteria is applicable.

1. Not state-of-the-art technology and the

technology is known to exist outside U.S.

Government control.

2. The SAP is a large-scale weapon system

production program.

3. No open storage of Confidential SAP

material in a secure working area unless

permitted by the PSO on a case-by-case basis.

4. A SAPF located within a controlled access

area.

5. Intelligence related activities.


c. The PSO may approve baseline closed area

construction requirements as an additional option

for some SAP program areas.


5-803. SAP Secure Working Area. The PSOmay approve any facility as a SAP Secure WorkingArea. Visual and sound protection may be providedby a mix of physical construction, perimeter control,guards, and/or indoctrinated workers.


5-804. Temporary SAPF. The PSO mayaccredit a temporary SAPF.


5-805. Guard Response.

a. Response to alarms will be in accordance with

DCID 1/21, or

b. the NISPOM

c. Response personnel will remain at the scene

until released by the CPSO or designated


representative.

NOTE: The CPSO will immediately providenotification to the PSO if there is evidence of forcedentry, with a written report to follow within 72hours.

5-806. Facility Accreditation.

a. Once a facility has been accredited to a stated

level by a Government Agency, that accreditation

should be accepted by any subsequent agency.

Provide verification of the previousaccreditation and obtain the PSO’sapproval before introducing SAPmaterial into an area.

b. For purposes of co-utilization, costs associated

with any security enhancements in a SCIF or

SAPF above preexisting measures may be

negotiated for reimbursement by the contractor’s

contracting officer or designated representative.

Agreements will be negotiated between affected

organizations.

c. If a previously accredited SAPF becomesinactive for a period not to exceed one year, theSAP accreditation will be reinstated by thegaining accrediting agency provided thefollowing is true:

1. The threat in the environment surrounding

the SAPF has not changed.

2. No modifications have been made to the

SAPF which affect the level of safeguarding.

3. The level of safeguarding for the new

Program is comparable to the previous

Program.

4. The SAPF has not lost its SAP accreditation

integrity and the contractor has maintained

continuous control of the facility.

5. A technical surveillance countermeasure

survey (TSCM) may be required.


NOTE: Previously granted waivers are subject tonegotiation.

5-807. Prohibited Items. Items that constitute athreat to the security integrity of the SAPF (e.g.,cameras or recording devices) are prohibited unlessauthorized by the PSO. All categories of storagemedia entering and leaving the SAPFs may requirethe PSO or his/her designated representativeapproval.


a. The following items do not posea threat to a SAPF and can betaken into and out of a SAPFwithout approval:

• Hearing aids, heartpacemakers, and motorizedwheelchairs.

• Amplified telephone handsetand teletypewriters (when usedby the hearing impaired).

• Audio and video equipmentwith no record capability.

• Compact disk players.

• Televisions and AM/FMradios.

• Receive-only (tone-only)beepers.

• Receive-only (voice) pagers.


b. The following items may not beintroduced into a SAPF:

• Personally-owned computersand associated media.

• Personally-ownedphotographic, video and audiorecording equipment.

• Two-way audio RF (e.g. two-way radios and cellularphones) transmitting devicesthat are government orcompany owned for programuse can be authorized by thePSO (see NOTE below).

• Cameras and film, unlessspecifically approved by thePSO for a program missionrequirement, (e.g., badgeissuance or documenting testresults).

• Other emanating andreproducing devices identifiedby the PSO.

NOTE: Two-way audio RFtransmitting devices can beauthorized by the PSO when requiredfor operational necessity.

c. See Chapter 8 for additionalcomputer type items that are notpermitted in SAPFs.

d. In exceptional circumstances,when necessary for a specificactivity or threat, programmanager or SO may apply morestringent requirements. Suchrequirements must be reported tothe SAP Central Office.

e. Personally-owned equipment

brought into a SAPF is subject toinspection at any time. Any deviceremoved from a SAPF also may besubjected to an inspection.

f. Allow emergency responseforces such as guard forces andfire department personnel, as wellas their two-way communicationsequipment, immediate access toSAPFs. Debrief these personnelwhen appropriate and execute aSAP Format 5, InadvertentDisclosure Statement.


Chapter 6

Visits and Meetings

Section 1. Visits

6-100. General. A visit certification request forall Program visits will be made prior to a visit to aProgram facility. When telephone requests are made,a secure telephone should be used whenever possible.Visit requests will be handled exclusively by thecognizant CPSO or designated representative. TheGPM or PSO or his/her designated representative willapprove all visits between Program activities.However, visits between a prime contractor and theprime’s subcontractors and approved associates willbe approved by the CPSO. Twelve-month visitrequests are not authorized unless approved by thePSO.

Continuously escort and closelycontrol movement of non-program-accessed visitors who require accessto a program area for any purpose.Use only program-accessedpersonnel as escorts.

a. Establish and maintain adequatecontrols to ensure that programvisitors are kept within theframework of the “need to know”requirement and that informationdiscussed or furnished is withinthe visitor’s level of access.

b. Consider installing an internalwarning system to warn accessedoccupants of the presence ofuncleared personnel. Employ otheror additional methods (e.g., verbalwarnings) to warn or remindpersonnel of the presence ofuncleared personnel.

6-101. Visit Request Procedures. All visit

requests will be sent only via approved channels. Inaddition to the NISPOM, the following additionalinformation for visits to a SAPF will include:

a. Name and telephone number of individual (notorganization) to be visited;

b. Designation of person as a Program courierwhen applicable; and

c. Verification (e.g., signature) of the CPSO ordesignated representative that the visit requestinformation is correct.

d. The PSO and personnelapproved by the PSO may visit allprogram facilities, withoutfurnishing advanced notification.Deny access and notify the CPSOor PSO whenever any visitorarrives at a Government orcontractor facility unannounced.

6-102. Termination and/or Cancellation ofa Visit Request. If a person is debriefed from theProgram prior to expiration of a visit certification,or if cancellation of a current visit certification isotherwise appropriate, the CPSO/FSO or his/herdesignated representative will immediately notify allrecipients of the cancellation or termination of thevisit request.

6-103. Visit Procedures.


a. Identification of Visitors. An officialphotograph if identification such as a validdriver’s license is required.

b. Extension. When a visit extends past the date on

the visit certification, a new visit request is not

required if the purpose remains the same as that

stated on the current visit request to a specific

SAPF.

c. Rescheduling. When a rescheduled visit occurs

after a visit request has been received, the visit

certification will automatically apply if the visit is

rescheduled within thirty days and the purpose

remains the same.

d. Hand-carrying. It is the responsibility of the

host CPSO to contact the visitor’s CPSO should

the visitor plan to hand-carry classified material.

CPSOs will use secure means for notification. In

emergency situations where secure

communications are not available, contact the

PSO for instructions. When persons return totheir facility with SAP material, they willrelinquish custody of the material to the CPSOor designated representative. Arrangement willbe made to ensure appropriate overnight storageand protection for material returned after closeof business.

6-104. Collateral Clearances and SpecialAccess Program Visit Requests. Collateral

clearances and SAP accesses may be required in

conjunction with the SAP visit. If access to collateral

classified information is required outside the SAPF,

then the CPSO can certify clearances and accesses as

required within the facility. Certification will be

based on the SAP visit request received by the CPSO.

The CPSO will maintain the record copy of the visit

certification. SCI visit certification will be forwarded

through appropriate SCI channels.

6-105. Non-Program-Briefed Visitors.Instances where entry to a SAPF by non-Program-briefed personnel is required (e.g., maintenance,repair), they will complete and sign a visitor’s recordand will be escorted by a Program-briefed person atall times. Sanitization procedures will beimplemented in advance to ensure that personnelterminate classified discussions and other actionsand protect SAP information whenever a non-briefed visitor is in the area. If maintenance isrequired of a classified device, the unclearedmaintenance person shall be escorted by a Program-briefed, technically knowledgeable individual. Everyeffort should be made to have a technicallyknowledgeable Program-briefed person as an escort.

6-106. Visitor Record. *The PSO may requirethe CPSO to establish a Program visitor’s record. Thisrecord will be maintained inside the SAPF, andretention may be required.


Maintain a visitor sign-in and sign-out record for all accessed programvisitors. Show the visitor’s name,SSN, organization or firm, date, timein and out, and sponsor on the log.When necessary to protect a SAP,maintain a separate record foruncleared visitors that shows theescort official instead of the sponsor.


Section 2. Meetings

6-200. Conduct meetings andconferences where programinformation is discussed only inapproved SAPFs. PSOs mayauthorize additional locations.

6-201. Appoint a person to ensurethat adequate security is provided.

6-202. Establish entry control andperimeter area surveillance whenneeded. When authorized, request aTechnical SurveillanceCountermeasures (TSCM) survey forunsecure conference rooms whenSAP information is to be discussed.

NOTE: Use SAP Format 8 to requestthe TSCM.



Chapter 7Subcontracting

Section 1. Prime Contracting Responsibilities

7-100. General. This section addresses theresponsibilities and authorities of primecontractors concerning the release of classifiedSAP information to subcontractors. Prior to anyrelease of classified information to a prospectivesubcontractor, the prime contractor willdetermine the scope of the bid and procurementeffort. Prime contractors will use extremecaution when conducting business with non-Program-briefed subcontractors to preclude therelease of information that would divulgeProgram-related (classified or unclassifiedProgram sensitive) information.

7-101. Determining Clearance Status ofProspective Subcontractors. All prospectivesubcontractor personnel will have theappropriate security clearance and meet theinvestigative criteria as specified in thisSupplement prior to being briefed into a SAP.The eligibility criteria will be determined inaccordance with the NISPOM and thisSupplement. For Acknowledged Programs, inthe event a prospective subcontractor does nothave the appropriate security clearances, theprime contractor will request that the cognizantPSO initiate the appropriate security clearanceaction. A determination will be made incoordination with the PSO as to the levels offacility clearance a prospective subcontractorfacility has for access to classified informationand the storage capability level.

When a subcontractor is identifiedwho does not have a facilityclearance, the PSO will initiate thenecessary paperwork throughprogram channels and coordinate

with DSS to initiate action to providethe subcontractor a facility clearance.

7-102. Security Agreements and Briefings.In the pre-contract phase, the prime contractorwill fully advise the prospective subcontractor(prior to any release of SAP information) of theprocurement's enhanced special securityrequirements. Arrangements for subcontractorProgram access will be pre-coordinated with thePSO. When approved by the PSO, the primecontractor CPSO will provide Programindoctrinations and obtain NDAs from thesubcontractors. A security requirementsagreement will be prepared that specificallyaddresses those enhanced security requirementsthat apply to the subcontractor. The securityrequirements agreement may include thefollowing elements, when applicable:

a. General Security Requirements.

b. Reporting Requirements.

c. Physical and/or Technical Security

Requirements.

d. Release of Information.

e. Program Classified Control or

Accountability.

f. Personnel Access Controls.

g. Security Classification Guidance.


h. Automated Information System.

i. Security Audits and Reviews.

j. Program Access Criteria.

k. Subcontracting.

l. Transmittal of Program Material.

m. Storage.

n. Testing and/or Manufacturing.

o. Program Travel.

p. Finances.

q. Sanitization of Classified Material.

r. Security Costs and Charging Policy.

s. Fraud, Waste, and Abuse Reporting.

t. Test Planning.

u. OPSEC.

v. TEMPEST.

WAIVED - √√UNACKNOWLEDGED - √√ACKNOWLEDGED - √√

Prior to initiating contact with aprospective vendor or subcontractor,the CPSO will complete a SAPFormat 13, Subcontractor/SupplierData Sheet, for submission to thePSO. The CPSO will include thereason for considering a vendor andattach a proposed DD Form 254 tothe SAP Format 13. The DD Form 254

shall be tailored to be consistent withthe proposed support being sought.The DD Form 254 may be classifiedbased on the information containedtherein.

7-103. Transmitting SecurityRequirements. Contract SecurityClassifications Specifications (DD254)prepared by the prime contractor willcoordinate with the GPM/PSO andcontracting officer prior to transmitting tothe subcontractor. The DD254 prepared bythe prime contractor will be forwarded tothe GPM/PSO and contracting officer forcoordination and signature.


Chapter 8Automated Information Systems (AIS)

Section 1. Responsibilities

8-100. Introduction.

a. Purpose and Scope. This chapteraddresses the protection and control ofinformation processed on AIS. This entirechapter is contractor required and is not anoption. The type is not bold or italicized,because it would include the completechapter. AISs typically consist of computerhardware, software, and/or firmwareconfigured to collect, create, communicate,compute, disseminate, process, store, orcontrol data or information. This chapterspecifies requirements and assurances forthe implementation, operation, maintenance,and management of secure AIS used insupport of SAP activities. Prior to using anAIS or AIS network for processing U.S.Government, Customer, or Programinformation, the Contractor/ Provider willdevelop an AIS Security Plan (AISSP) asdescribed herein and receive writtenCustomer authorization to process Customerinformation. Such authorization to processrequires approval by the Customer. TheProvider will also assign an InformationSystem Security Representative (ISSR) tosupport the preparation of these documentsand to subsequently manage AIS securityon-site for the Customer's program. Afterthe AISSP is approved by the Customer, theProvider will thereafter conform to the planfor all actions related to the Customer'sprogram information. This informationincludes the selection, installation, test,operation, maintenance, and modification ofAIS facilities, hardware, software, media,and output.

Requirements specified in thischapter apply to all AISs in SAPareas regardless of the classificationlevel being processed on individualsystems.

b. Requirements. The AISSP selected menuupgrades to the NISPOM baseline will be tailoredto the Provider's individual AIS configuration andprocessing operations. Alternatives to theprotective measures in this Supplement may beapproved by the Customer after the Providerdemonstrates that the alternatives are reasonableand necessary to accommodate the Customer'sneeds. Prior to implementation, the Provider willcoordinate any envisioned changes orenhancements with the Customer. Approvedchanges will be included in the AISSP. Anyverbal approvals will subsequently bedocumented in writing. The information andguidance needed to prepare and obtain approvalfor the AISSP is described herein.

c. Restrictions. No personally owned AISs will beused to process classified information.

Personally owned computers will notbe introduced into SAP areas.

8-101. Responsibilities. The Customer isthe Government organization responsible forsponsoring and approving the classifiedand/or unclassified processing. The Provideris the Contractor who is responsible foraccomplishing the processing for theCustomer. The Information System SecurityRepresentative (ISSR) is the Provider-


assigned individual responsible for on-siteAIS processing for the Customer in a securemanner.

a. Provider Responsibilities. The Provider willtake those actions necessary to meet with thepolicies and requirements outlined in thisdocument. The provider will:

1. Publish and promulgate a corporate AISSecurity Policy that addresses the classifiedprocessing environment.

2. Designate an individual to act as the ISSR.

3. Incorporate AISs processing Customerinformation as part of a configurationmanagement program.

4. Enforce the AIS Security Policy.

b. ISSR Responsibilities. The Provider-designatedISSR has the following responsibilities:

1. AIS Security Policy. Implement the AISSecurity Policy.

2. AIS Security Program. Coordinateestablishing and maintaining a formal AISSecurity Program to ensure compliance withthis document:

(a) AIS Security Plan (AISSP). Coordinatethe preparation of an AISSP in accordancewith the outline and instructions providedin this document. After Customerapproval, the AISSP becomes thecontrolling security document for AISprocessing Customer information.Changes affecting the security of the AISmust be approved by the Customer prior toimplementation and documented in theAISSP.

(b) AIS Technical Evaluation TestPlans. For systems operating in thecompartmented or multi-levelmodes, prepare an AIS TechnicalEvaluation Test Plan incoordination with the Customer andapplicable security documents.

(c) Certification. Conduct a certification testin accordance with 8-102, c. and provide acertification report.

(d) Continuity of Operations Plan (COOP).When contractually required, coordinatethe development and maintenance of anAIS COOP to ensure the continuation ofinformation processing capability in theevent of an AIS-related disaster resultingfrom fire, flood, malicious act, humanerror, or any other occurrence that mightadversely impact or threaten to impact thecapability of the AIS to process informa-tion. This plan will be referenced in theAISSP.

(e) Documentation. Ensure that all AISsecurity-related documentation as requiredby this chapter is current and is accessibleto properly authorized individuals.

(f) Customer Coordination. Coordinate allreviews, tests, and AIS security actions.

(g) Auditing. Ensure that the required audittrails are being collected and reviewed asstated in 8-303.

(h) Memorandum of Agreement. Asapplicable, ensure that Memoranda ofAgreement are in place for AISssupporting multiple Customers.


(i) Compliance Monitoring. Ensure that thesystem is operating in compliance with theAISSP.

(j) AIS Security Education and Awareness.Develop an on-going AIS SecurityEducation and Awareness Program.

(k) Abnormal Occurrence. Advise Customerin a timely manner of any abnormal eventthat affects the security of an approvedAIS.

This notification of abnormaloccurrences will be made within 72hours. When a network is involved,the notification must be made within12 hours.

l. Virus and malicious code. Advise Customerin a timely manner of any virus and maliciouscode on an approved AIS.

2. Configuration Management. Participate inthe configuration management process.

3. Designation of Alternates. The ISSR maydesignate alternates to assist in meeting therequirements outlined in the chapter.

c. Special Approval Authority. In addition to theabove responsibilities, the Customer mayauthorize in writing an ISSR to approve specificAIS security actions including:

1. Equipment Movement. Approve anddocument the movement of AIS equipment.

2. Component Release. Approve the release ofsanitized components and equipment inaccordance with Table 2 in 8-501.

3. Stand-alone Workstation and Portable AISApproval. Approve and document newworkstations in accordance with an approved

AIS security plan and the procedures defined inthis document for workstations with identicalfunctionality. Approve and document portableAIS.

4. Dedicated and System High NetworkWorkstation Approval. Approve and documentadditional workstations identical infunctionality to existing workstations on anapproved Local Area Network (LAN) providedthe workstations are not located outside of thepreviously defined boundary of the LAN.

5. Other AIS Component Approval. Approveand document other AIS components identicalin functionality to existing components on anapproved LAN provided the components arenot located outside of the previously definedboundary of the LAN.

6. With the approval of the PSO,the ISSR may delegate specialapproval authority to analternate(s).

8-102. Approval To Process. Prior to usingany AIS to process Customer information,approval will be obtained from theCustomer. The following requirements willbe met prior to approval.

a. AIS Security Program. The Provider will havean AIS security program that includes:

1. An AIS security policy and a formal AISsecurity structure to ensure compliance withthe guidelines specified in this document;

2. An individual whose reportingfunctionalities are within the Provider'ssecurity organization formally named to act asthe ISSR;

3. The incorporation of AISs processingCustomer information into the Provider's


configuration management program. TheProvider's configuration management programshall manage changes to an AIS throughout itslife cycle. As a minimum the program willmanage changes in an AIS's:

Existing corporate configurationmanagement programs may be used,provided control and documentationare adequate to meet therequirements of this chapter. UseSAP format 16 to aid indocumentation and registration ofword processing or personalcomputer data.

(a) Hardware components (data retentive

only).

(b) Connectivity. (external and internal).

(c) Firmware. Firmware will be tracked only

when related to a demonstrated security

deficiency or control feature.

(d) Software.

(e) Security features and assurances.

(f) AISSP.

(g) Test Plan.

4. Control. Each AIS will be assigned to adesignated custodian (and alternate custodian)who is responsible for monitoring the AIS on acontinuing basis. The custodian will ensure thatthe hardware, installation, and maintenance asapplicable conform to appropriaterequirements. The custodian will also monitoraccess to each AIS. Before giving users accessto any such AIS, the custodian will have themsign a statement indicating their awareness ofthe restrictions for using the AIS. These

statements will be maintained on file andavailable for review by the ISSR.

User statements will beaccomplished and maintained inaccordance with paragraph 8-700c.

b. AIS Security Plan (AISSP). The Provider willprepare and submit an AISSP covering AISsprocessing information in a Customer's SpecialAccess Program Facility (SAPF), following theformat in Appendix C. For RD, the Customermay modify the AISSP format.

c. AIS Certification and Accreditation.

1. Certification. Certification is thecomprehensive evaluation of technical andnon-technical security features to establish theextent to which an AIS has met the securityrequirements necessary for it to process theCustomer information. Certification precedesthe accreditation. The certification is basedupon an inspection and test to verify that theAISSP accurately describes the AISconfiguration and operation (See Appendix Cand D). A Certification Report summarizingthe following will be provided to theCustomer:

One Certification Report may beapplicable to multiple AISs providedall variations of configuration andoperation are reviewed and verified.

(a) For the dedicated mode of operation, theprovider must verify that access controls,configuration management, and otherAISSP procedures are functional.

(b) In addition, for System High AIS theISSR will verify that discretionary controlsare implemented.


(c) For compartmented and multilevel AIS,certification also involves testing to verifythat technical security features required forthe mode of operation are functional.Compartmented and multi-level AIS musthave a Technical Evaluation Test Plan thatincludes a detailed description of how theimplementation of the operating systemsoftware, data management systemsoftware, firmware, and related securitysoftware packages will enable the AIS tomeet the Compartmented or MultilevelMode requirements. The plan outlines theinspection and test procedures to be usedto demonstrate this compliance.

2. Accreditation. Accreditation is the formaldeclaration by the Customer that a classifiedAIS or network is approved to operate in aparticular security mode; with a prescribed setof technical and non-technical securityfeatures; against a defined threat; in a givenoperational environment; under a statedoperational concept; with statedinterconnections to other AIS, and at anacceptable level of risk. The accreditationdecision is subject to the certification process.Any changes to the accreditation criteriadescribed above may require a newaccreditation.

An accreditation may apply tomultiple stand-alone AISs, providedall variations of configuration andoperation are reviewed and verified.

d. Interim Approval. The Customer may grant aninterim approval to operate.

Interim approval will be granted forTS/SAR processing only when acritical mission requirement can bedemonstrated.

e. Withdrawal of Accreditation. The Customermay withdraw accreditation if:

1. The security measures and controlsestablished and approved for the AIS do notremain effective.

2. The AIS is no longer required to processCustomer information.

f. Memorandum of Agreement. A Memorandumof Agreement (MOA) is required whenever anaccredited AIS is co-utilized, interfaced, ornetworked between two or more Customers. Thisdocument will be included, as required, by theCustomer.

An MOA is recommended wheneveran AIS is interfaced or networkedbetween two or more providers(contractors).

g. Procedures for Delegated Approvals. ForAISs operating in the dedicated or system highmodes, the Customer may delegate specialapproval authority to the ISSR for additional AISsthat are identical in design and operation. That is:two or more AIS are identical in design andoperate in the same security environment (samemode of operation, process information with thesame sensitivities, and require the same accessesand clearances, etc.). Under these conditions theAISSP in addition to containing the informationrequired by Appendix C shall also include thecertification requirements (inspection and tests)and procedures that will be used to accredit allAISs. The CSA will validate that the certificationrequirements are functional by accrediting thefirst AIS using these certification requirementsand procedures. The ISSR may allow identicalAIS to operate under that accreditation if thecertification procedures are followed and the AISmeets all the certification requirements outline inthe AISSP. The AISSP will be updated with theidentification of the newly accredited AIS and acopy of each certification report will be kept onfile.

Such delegations of approval


authority are based on the PSO’sassessment that an individual ISSR isqualified to make approval decisionson behalf of the PSO in the provider’sfacility.

8-103. Security Reviews.

a. Purpose. Customer AIS Security Reviews areconducted to verify that the Provider's AIS isoperated in accordance with the approved AISSP.

b. Scheduling. Customer AIS Reviews arenormally scheduled at least once every 24 monthsfor Provider systems processing Customerprogram information. The Customer will establishspecific review schedules.

AIS security reviews will bescheduled as part of the generalsecurity review for the entire SAP.

c. Review Responsibilities. During thescheduled Customer AIS Security Review,the Provider will furnish the Customerrepresentative conducting the Review withall requested AIS or networkdocumentation. Appropriate Providersecurity, operations, and managementrepresentatives will be made available toanswer questions that arise during theCustomer AIS Review process.

d. Review Reporting. At the conclusion of theCustomer AIS Review visit, the Customer willbrief the Provider's appropriate security,operations, and management representatives onthe results of the Review and of any discrepanciesdiscovered and the recommend measures forcorrecting the security deficiencies. A formalreport of the Customer AIS Review is provided tothe Provider's security organization no later than30 days after the Review.

e. Corrective Measures. The Provider willrespond to the Customer in writing within 30 daysof receipt of the formal report of deficienciesfound in the Customer AIS Review process. Theresponse will describe the actions taken to correctthe deficiencies outlined in the formal report ofCustomer AIS Review findings. If proposedactions will require an expenditure in funds,approval will be obtained from the ContractingOfficer prior to implementation.


Section 2. Security Modes

8-200. Security Modes-General.

a. AISs that process classified information mustoperate in the dedicated, system high,compartmented, or multilevel mode. Securitymodes are authorized variations in securityenvironments, requirements, and methods ofoperating. In all modes, the integration ofautomated and conventional security measuresshall, with reasonable dependability, preventunauthorized access to classified informationduring, or resulting from, the processing, storage,or transmission of such information, and preventunauthorized manipulation of the AIS that couldresult in the compromise or loss of classifiedinformation.

b. In determining the mode of operation of an AIS,three elements must be addressed: the boundaryand perimeter of the AIS, the nature of the data tobe processed, and the level and diversity of accessprivileges of intended users. Specifically:

1. The boundary of an AIS includes all usersthat are directly or indirectly connected andwho can receive data from the AIS without areliable human review by an appropriatelycleared authority. The perimeter is the extent ofthe AIS that is to be accredited as a singleentity.

2. The nature of data is defined in terms of itsclassification levels, compartments,subcompartments, and sensitivity levels.

3. The level and diversity of access privilegesof its users are defined as their clearance levels,need- to-know, and formal access approvals.

Compartmented and multi-levelmodes of operation are not normallyapproved for SAPs unless a unique

mission requirement justifies theadditional risk inherent in suchconfigurations.

8-201. Dedicated Security Mode.

a. An AIS is operating in the dedicated mode(processing either full time or for a specifiedperiod) when each user with direct or indirectaccess to the AIS, its peripherals, remoteterminals, or remote hosts has all of thefollowing:

1. A valid personnel clearance for allinformation stored or processed on the AIS.

2. Formal access approvals and has executedall appropriate non-disclosure agreements forall the information stored and/or processed(including all compartments, subcompartments,and/or SAPs).

3. A valid need to know for all informationstored on or processed within the AIS.

b. The following security requirements areestablished for AISs operating in the dedicatedmode:

1. Be located in a SAPF.

2. Implement and enforce access procedures tothe AIS.

3. All hard copy output will be handled at thelevel for which the system is accredited untilreviewed by a knowledgeable individual.

4. All media removed from the system will beprotected at the highest classification level ofinformation stored or processed on the systemuntil reviewed and properly marked accordingto procedures in the AIS security plan.


c. Security Features for Dedicated SecurityMode.

1. Since the system is not required to providetechnical security features, it is up to the userto protect the information on the system. Fornetworks operating in the dedicated mode,automated identification and authenticationcontrols are required.

2. For DoD, the Customer may require auditrecords of user access to the system. Suchrecords will include: user ID, start date andtime, and stop date and time. Logs will bemaintained IAW 8-303.

Audit records as specified by thePSO will be maintained for dedicatedmode systems.

d. Security Assurances for Dedicated SecurityMode.

1. AIS security assurances must include anapproach for specifying, documenting,controlling, and maintaining the integrity of allappropriate AIS hardware, firmware, software,communications interfaces, operatingprocedures, installation structures, securitydocumentation, and changes thereto.

2. Examination of Hardware and Software.Classified AIS hardware and software shall beexamined when received from the vendor andbefore being placed into use.

(a) Classified AIS Hardware. Anexamination shall result in assurance thatthe equipment appears to be in goodworking order and have no parts thatmight be detrimental to the secureoperation of the resource. Subsequentchanges and developments which affectsecurity may require additionalexamination.

(b) Classified AIS Software.

(1) Commercially procured software shallbe examined to assure that the softwarecontains no features which might bedetrimental to the security of the classifiedAIS.

(2) Security-related software shall beexamined to assure that the securityfeatures function as specified.

(c) Custom Software or Hardware Systems.New or significantly changed securityrelevant software and hardware developedspecifically for the system shall be subjectto testing and review at appropriate stagesof development.

Automated audit trails will be used tothe maximum extent possible. Wherenot available or where cost-prohibitive, the PSO may approve theuse of manual logs.

8-202. System High Security Mode.

a. An AIS is operating in the system high mode(processing either full time or for a specifiedperiod) when each user with direct or indirectaccess to the AIS, its peripherals, remoteterminals, or remote hosts has all of thefollowing:

1. A valid personnel clearance for allinformation on the AIS.

2. Formal access approval and has signed non-disclosure agreements for all the informationstored and/or processed (including allcompartments and subcompartments).

3. A valid need-to-know for some of theinformation contained within the system.


b. AISs operating in the system high mode, inaddition to meeting all of the securityrequirements, features, and assurances establishedfor the dedicated mode, will meet the following:

1. Security Features for System High Mode

(a) Define and control access betweensystem users and named objects (e.g., filesand programs) in the AIS. Theenforcement mechanism must allowsystem users to specify and control thesharing of those objects by namedindividuals and/or explicitly definedgroups of individuals. The access controlmechanism must, either by explicit useraction or by default, provide that allobjects are protected from unauthorizedaccess (discretionary access control).Access permission to an object by usersnot already possessing access permissionmust only be assigned by authorized usersof the object.

(b) Time Lockout. Where technicallyfeasible, the AIS shall time lockout aninteractive session after an interval of userinactivity. The time interval and restartrequirements shall be specified in the AISSecurity Plan.

Time lockout must be activated aftera maximum of 30 minutes of userinactivity and must automatically logthe user out of the system. Softwaresuch as screen locks or “pause”functions must create audit entries toshow initiation and termination.

(c) Audit Trail. Provide an audit trailcapability that records time, date user ID,terminal ID (if applicable), and file namefor the following events:

(1) Introduction of objects into a user'saddress space (e.g., file open and programinitiation as determined by the Customerand ISSR).

(2) Deletion of objects (e.g., as determinedby the Customer and ISSR).

(3) System log-on and log-off.

(4) Unsuccessful access attempts.

NOTE: Certain categories of system-initiated events create this type ofactivity independent of any useractions. Such events need not belogged. Because such actions can beunique to specific systems, the PSOand ISSR will agree on items to betracked and the AISSP will reflect therequired audits.

(d) Require that memory and storage containno residual data from the previouslycontained object before being assigned,allocated, or reallocated to another subject.

(e) Identification Controls. Each personhaving access to a classified AIS shallhave the proper security clearances andauthorizations and be uniquely identifiedand authenticated before access to theclassified AIS is permitted. Theidentification and authentication methodsused shall be specified and approved in theAIS Security Plan. User access controls inclassified AISs shall include authorization,user identification, and authenticationadministrative controls for assigning theseshall be covered in the AISSP.

(1) User Authorizations. The manager or


supervisor of each user of a classified AISshall determine the requiredauthorizations, such as need-to-know, forthat user.

(2) User Identification. Each system usershall have a unique user identifier andauthenticator.

a) User ID Removal. The ISSRshall ensure the developmentand implementation ofprocedures for the promptremoval of access from theclassified AIS when the needfor access no longer exists.

b) User ID Revalidation. TheAIS ISSR shall ensure that alluser IDs are revalidated atleast annually, andinformation such as sponsorand means of off-line contact(e.g., phone number, mailingaddress) are updated asnecessary.

(f) Authentication. Each user of a classifiedAIS shall be authenticated before access ispermitted. This authentication can bebased on any one of three types ofinformation: something the person knows(e.g., a password); something the personpossesses (e.g., a card or key); somethingabout the person (e.g., fingerprints orvoiceprints); or some combination of thesethree. Authenticators that are passwordsshall be changed at least every six months.

(1) Requirements.

a) Log-on. Users shall berequired to authenticate theiridentities at "log- on" time by

supplying their authenticator(e.g., password, smart card,or fingerprints) inconjunction with their userID.

b) Protection of Authenticator.An Authenticator that is inthe form of knowledge orpossession (password, smartcard, keys) shall not beshared with anyone.Authenticators shall beprotected at a levelcommensurate with theaccreditation level of theClassified AIS.

(2) Additional AuthenticationCountermeasures. Where the operatingsystem provides the capability, thefollowing features shall be implemented:

a) Log-on Attempt Rate.Successive log-on attemptsshall be controlled bydenying access after multiple(maximum of five)unsuccessful attempts on thesame user ID; by limiting thenumber of access attempts ina specified time period; bythe use of a time delaycontrol system; or other suchmethods, subject to approvalby the Customer.

b) Notification to the User.The user shall be notifiedupon successful log-on of:the date and time of the user'slast log-on; the ID of theterminal used at last log-on;and the number ofunsuccessful log-on attemptsusing this user ID since thelast successful log-on. Thisnotice shall require positiveaction by the user to removethe notice from the screen.


(g) The audit, identification, andauthentication mechanisms must beprotected from unauthorizedaccess, modification, or deletion.

c) Security Assurances forSystem High Mode. Thesystem security features forneed-to-know controls willbe tested and verified.Identified flaws will becorrected.

8-203. Compartmented Security Mode.

NOTE: Compartmented securitymode is not normally authorized forSAP activities. Exceptions may bemade by the PSO.

a. An AIS is operating in the compartmented modewhen users with direct or indirect access to theAIS, its peripherals, or remote terminals have allof the following:

1. A valid personnel clearance for access to themost restricted information processed in theAIS.

2. Formal access approval and have signednondisclosure agreements for that informationto which he/she is to have access (some usersdo not have formal access approval for allcompartments or subcompartments processedby the AIS).

3. A valid need-to-know for that informationfor which he/she is to have access.

b. Security Features for Compartmented Mode.In addition to all Security Features and SecurityAssurances required for the System High Mode ofOperation, Classified AIS operating in theCompartmented Mode of Operation shall alsoinclude:

1. Resource Access Controls.

(a) Security Labels. The Classified AIS shallplace security labels on all entities (e.g.,files) reflecting the sensitivity(classification level, classificationcategory, and handling caveats) of theinformation for resources and theauthorizations (security clearances, need-to-know, formal access approvals) forusers. These labels shall be an integral partof the electronic data or media. Thesesecurity labels shall be compared andvalidated before a user is granted access toa resource.

(b) Export of Security Labels. Securitylabels exported from the Classified AISshall be accurate representations of thecorresponding security labels on theinformation in the originating ClassifiedAIS.

2. Mandatory Access Controls. Mandatoryaccess controls shall be provided. Thesecontrols shall provide a means of restrictingaccess to files based on the sensitivity (asrepresented by the label) of the informationcontained in the files and the formalauthorization (i.e., security clearance) of usersto access information of such sensitivity.

3. No information shall be accessed whosecompartment is inconsistent with the sessionlog-on.

4. Support a trusted communications pathbetween itself and each user for initial log-onand verification.

5. Enforce, under system control, a system-generated, printed, and human-readablesecurity classification level banner at the topand bottom of each physical page of systemhard-copy output.


6. Audit these additional events: the routing ofall system jobs and output, and changes tosecurity labels.

7. Security Level Changes. The system shallimmediately notify a terminal user of eachchange in the security level associated with thatuser during an interactive session. A user shallbe able to query the system as desired for adisplay of the user's complete sensitivity label.

c. Security Assurances for CompartmentedMode.

1. Confidence in Software Source. In acquiringresources to be used as part of a ClassifiedAIS, consideration shall be given to the level ofconfidence placed in the vendor to provide aquality product, to support the security featuresof the product, and to assist in the correction ofany flaws.

2. Flaw Discovery. The Provider shall ensurethe vendor has implemented a method for thediscovery of flaws in the system (hardware,firmware, or software) that may have an effecton the security of the AIS.

3. No Read Up, No Write Down. Enforce anupgrade or downgrade principle where all usersprocessing have a system-maintainedclassification; no data is read that is classifiedhigher than the processing session authorized;and no data is written unless its securityclassification level is equal to or lower than theuser's authorized processing securityclassification and all non-hierarchicalcategories are the same.

4. Description of the Security SupportStructure (often referred to as the TrustedComputing Base). The protections andprovisions of the security support structureshall be documented in such a manner to showthe underlying planning for the security of aClassified AIS. The security enforcement

mechanisms shall be isolated and protectedfrom any user or unauthorized processinterference or modification. Hardware andsoftware features shall be provided that can beused to periodically validate the correctoperation of the elements of the securityenforcement mechanisms.

5. Independent Validation and Verification. AnIndependent Validation and Verification teamshall assist in the technical evaluation testing ofa classified AIS and shall perform validationand verification testing of the system asrequired by the Customer.

6. Security Label Integrity. The methodologyshall ensure the following:

(a) Integrity of the security labels;

(b) The association of a security label withthe transmitted data; and

(c) Enforcement of the control features ofthe security labels.

7. Detailed Design of security enforcementmechanisms. An informal description of thesecurity policy model enforced by the systemshall be available.

8-204. Multilevel Security Mode. NOTE:Multilevel Security Mode is not routinelyauthorized for SCI or SAP applications.Exceptions for SCI may be made by theheads of CIA, DIA, or NSA on a case-by-case basis. Exceptions for SAP may be madeby the Customer.

a. An AIS is operating in the multilevel modewhen all of the following statements are satisfiedconcerning the users with direct or indirect accessto the AIS, its peripherals, remote terminals, orremote hosts:


1. Some users do not have a valid personnelclearance for all of the information processedin the AIS. (Users must possess a validCONFIDENTIAL, SECRET, or TOP SECRETclearance.)

2. All users have the proper clearance and havethe appropriate access approval (i.e., signednondisclosure agreements) for that informationto which they are intended to have access.

3. All have a valid need-to-know for thatinformation to which they are intended to haveaccess.

b. Security Features for Multilevel Mode. Inaddition to all security features and securityassurances required for the compartmented modeof operation, classified AIS operating in themultilevel mode of operation shall also include:

1. Audit. Contain a mechanism that is able tomonitor the occurrence or accumulation ofsecurity audible events that may indicate animminent violation of security policy. Thismechanism shall be able to immediately notifythe security administrator when thresholds areexceeded and, if the occurrence oraccumulation of these security relevant eventscontinues, the system shall take the leastdisruptive action to terminate the event.

2. Trusted Path. Support a trustedcommunication path between the AIS andusers for use when a positive AIS-to-userconnection is required (i.e., log-on, changesubject security level). Communications viathis trusted path shall be activated exclusivelyby a user or the AIS and shall be logicallyisolated and unmistakably distinguishable fromother paths. For Restricted Data, thisrequirement is only applicable to multilevelAIS that have at least one uncleared user on theAIS.

3. Support separate operator and administrator

functions. The functions performed in the roleof a security administrator shall be identified.The AIS system administrative personnel shallonly be able to perform security administratorfunctions after taking a distinct auditable actionto assume the security administrative role onthe AIS system. Non-security functions thatcan be performed in the security administrativerole shall be limited strictly to those essentialto performing the security role effectively.

4. Security Isolation. The AIS securityenforcement mechanisms shall maintain adomain for its own execution that protects itfrom external interference and tampering (e.g.,by reading or modification of its code and datastructures). The protection of the securityenforcement mechanisms shall provideisolation and nonconcur circumvention ofisolation functions. For Restricted Data, thisrequirement is only applicable to multilevelAIS that have at least one uncleared user on theAIS.

5. Protection of Authenticator. Authenticatorsshall be protected at the same level as theinformation they access.

c. Security Assurances for Multilevel Mode.

1. Flaw Tracking and Remediation. TheProvider shall ensure the vendor providesevidence that all discovered flaws have beentracked and remedied.

2. Life-Cycle Assurance. The development ofthe Classified AIS hardware, firmware, andsoftware shall be under life-cycle control andmanagement (i.e., control of the Classified AISfrom the earliest design stage throughdecommissioning).

3. Separation of Functions. The functions ofthe AIS ISSR and the Classified AIS managershall not be performed by the same person.


4. Device Labels. The methodology shallensure that the originating and destinationdevice labels are a part of each message headerand enforce the control features of the dataflow between originator and destination.

5. Security Penetration Testing. In addition totesting the performance of the classified AISfor certification and for ongoing testing, thereshall be testing to attempt to penetrate thesecurity countermeasures of the system. Thetest procedures shall be documented in the testplan for certification and for ongoing testing.

6. Trusted Recovery. Provide proceduresand/or mechanisms to assure that, after an AISsystem failure or other discontinuity, recoverywithout a protection compromise is obtained.

7. Covert Channels. A covert channel analysisshall be performed.


Section 3. System Access and Operation

8-300. System Access. Access to the systemwill be limited to authorized personnel.Assignment of AIS access and privilegeswill be coordinated with the ISSR.Authentication techniques must be used toprovide control for information on thesystem. Examples of authenticationtechniques include, but are not limited to:passwords, tokens, biometrics, and smartcards. User authentication techniques andprocedures will be described in the AISSP.

a. User IDs. User IDs identify users in the systemand are used in conjunction with otherauthentication techniques to gain access to thesystem. User IDs will be disabled whenever auser no longer has a need-to-know. The user IDwill be deleted from the system only after reviewof programs and data associated with the ID.Disabled accounts will be removed from thesystem as soon as practical. Whenever possible,access attempts will be limited to five tries. Userswho fail to access the system within theestablished limits will be denied access until theuser ID is reactivated.

b. Access Authentication.

1. Password. When used, system log-onpasswords will be randomly selected and willbe at least six characters in length. The systemlog-on password generation routine must beapproved by the Customer.

Random password generationtechniques will be used whereavailable. When user-generatedpasswords are used, passwordsmust be constructed to resist“dictionary”-based attacks. Thespecific structure will be defined inthe AISSP.

2. Validation. Authenticators must be validatedby the system each time the user accesses theAIS.

3. Display. System log-on passwords must notbe displayed on any terminal or contained inthe audit trail. When the AIS cannot prevent apassword from being displayed (e.g., in a half-duplex connection), an overprint mask shall beprinted before the password is entered toconceal the typed password.

4. Sharing. Individual user authenticators (e.g.,passwords) will not be shared by any user.

5. Password Life. Passwords must be changedat least every six months.

6. Compromise. Immediately following asuspected or known compromise of a passwordor Personal Identification Number (PIN) theISSR will be notified and a new password orPIN issued.

7. Group Log-on Passwords. Use of group log-on passwords must be justified and approvedby the Customer. After log-on, grouppasswords may be used for file access.

Group log-on passwords will not beused as the primary method ofauthentication.

c. Protection of Authenticators. Master data filescontaining the user population system log-onauthenticators will be encrypted when practical.Access to the files will be limited to the ISSR anddesignated alternate(s), who will be identified inwriting.

d. Modems. Modems require Customer approval

Springer


prior to connection to an AIS located in aCustomer SAPF.

Unencrypted modems are notnormally authorized for use in a PSOSAPF. Exceptions may be approvedby the PSO.

e. User Warning Notice. The Customer mayrequire log-on warning banners be installed.When technically feasible, the official DoDwarning banner will be used on all AISprocessing special access information.

8-301. System Operation.

a. Processing initialization is the act of changingthe AIS form unclassified to classified, from oneclassified processing level to another, or from onecompartment to another or from one Customer toanother. To begin processing classifiedinformation on an approved AIS the followingprocedures must be implemented:

1. Verify that prior mode termination wasproperly performed.

The ISSR must develop, implement,and monitor procedures that verifyprior mode termination is properlyperformed in accordance with thePSO approved AISSP and that noother previously processed dataremain active on the AIS.

2. Adjust the area security controls to the levelof information to be processed.

3. Configure the AIS as described in theapproved AISSP. The use of logicaldisconnects requires Customer approval.

Logical disconnects may beapproved by the PSO for TS/SARwhen justified. Requests for use

must describe the equipment to beused and the procedures for use, andmust describe the maximum possibleextent of a contamination in the eventof a failure. Logical disconnects forS/SAR and below may be employed,provided the procedures for use areclearly described in the AISSP.

4. Initialize the system for processing at theapproved level of operation with a dedicatedcopy of the operating system. This copy of theoperating system must be labeled andcontrolled commensurate with the securityclassification and access levels of theinformation to be processed during the period.

b. Unattended Processing. Unattended processingwill have open storage approval and concurrencefrom the customer. Prior to unattendedprocessing, all remote input and/or output (I/O)not in approved open storage areas will bephysically or electrically disconnected from thehost CPU. The disconnect will be made in an areaapproved for the open storage. Exceptions are ona case-by-case basis and will require Customerapproval.

c. Processing Termination. Processingtermination of any AIS will be accomplishedaccording to the following requirements.

1. Peripheral Device Clearing. Power down allconnected peripheral devices to sanitize allvolatile buffer memories. Overwriting of thesebuffer areas will be considered by theCustomer on a case-by-case basis.

2. Removable Storage Media. Remove andproperly store removable storage media.

3. Non-removable (Fixed) Storage Media.Disconnect (physically or electrically) allstorage devices with nonremovable storagemedia not designated for use during the nextprocessing period.


4. CPU Memory. Clear or sanitize asappropriate all internal memory includingbuffer storage and other reusable storagedevices (which are not disabled, disconnected,or removed) in accordance with Table 3.

5. Laser Printers. Unless laser printersoperating in SAPFs will operate at the sameclassification level with the same accessapproval levels during the subsequentprocessing period, they will be cleared byrunning three pages of unclassified randomlygenerated text. For SCI, five pages ofunclassified pages will be run to clear theprinter. These pages will not include any blankspaces or solid black areas. Otherwise, nopages need be run through the printer at modetermination.

6. Thermal printers. Thermal printers have athermal film on a spool and take-up reel. Areasin which these types of laser printers arelocated will be either approved for openstorage, or the spools and take-up reels will beremoved and placed in secure storage. Theprinter must be sanitized prior to use at adifferent classification level.

7. Impact-type Printers. Impact-type printers(e.g., dot-matrix) in areas not approved foropen storage will be secured as follows:Remove and secure all printer ribbons ordispose of them as classified trash. Inspect allprinter platens. If any indication of printing isdetected on the platen, then the platen will beeither cleaned to remove such printing orremoved and secured in an approved classifiedcontainer.

8. Adjust area security controls.

8-302. Collocation of Classified andUnclassified AIS.

a. Customer permission is requiredbefore a Provider may collocate

unclassified AIS and classified AIS. Thisapplies when:

1. The unclassified information is to beprocessed on an AIS located in a SAPF, or

2. The unclassified information is resident in adatabase located outside of a SAPF butaccessed from terminals located within theSAPF.

b. AIS approved for processing unclassifiedinformation will be clearly marked forUNCLASSIFIED USE ONLY when locatedwithin a SAPF. In addition the followingrequirements apply:

Unclassified AIS must be approvedby the PSO. Procedures for usingunclassified AISs will be identical tothose specified in the AISSP forclassified processing unless they arespecifically exempted by the PSO.

1. Must be physically separated from anyclassified AIS.

2. Cannot be connected to the classified AIS.

3. Users shall be provided a special awarenessbriefing.

4. ISSR must document the procedures toensure the protection of classified information.

5. All unmarked media is assumed to beclassified until reviewed and verified.

c. Unclassified portable AIS devices are prohibitedin a SAPF unless Customer policy specificallypermits their use. If permitted, the followingprocedures must be understood and followed bythe owner and user:

Unclassified portable AIS pose anextreme risk and will not be


introduced into an SAPF unless aspecific mission requirement existsand prior approval is granted by thePSO.

1. Connection of unclassified portable AIS toclassified AIS is prohibited.

2. Connection to other unclassified AISs maybe allowed provided Customer approval isobtained.

3. Use of an internal or external modem withthe AIS device is prohibited within the SAPF.

4. The Provider will incorporate theseprocedures in the owner's initial and annualsecurity briefing.

5. Procedures for monitoring portable AISdevices within the SAPF shall be outlined ineither the AISSP or the Facility Security Plan.These devices and the data contained thereinare subject to security inspection by the ISSRand the Customer. Procedures will includeprovisions for random reviews of such devicesto ensure that no classified program-specific orprogram-sensitive data is allowed to leave thesecure area. Use of such a device to store orprocess classified information may, at thediscretion of the Customer, result inconfiscation of the device. All persons usingsuch devices within the secure area will beadvised of this policy during securityawareness briefings.

6. Additionally, where Customer policypermits, personally owned portable AISdevices may be used for unclassifiedprocessing only and must follow the previousguidelines.

Personally owned portable AISdevices are prohibited in SAPFs. TheISSR will develop a plan for themanagement and control ofpersonally owned calculators.

8-303. System Auditing.

a. Audit Trails. Audit trails provide achronological record of AIS usage and systemsupport activities related to classified or sensitiveprocessing. In addition to the audit trails normallyrequired for the operation of a stand-alone AIS,audit trails of network activities will also bemaintained. Audit trails will provide records ofsignificant events occurring in the AIS insufficient detail to facilitate reconstruction,review, and examination of events involvingpossible compromise. Audit trails will beprotected from unauthorized access, modification,and deletion. Audit trail requirements aredescribed under mode of operation. Examplesof audit logs and records will beattached to the AISSP asappendices for approval by thePSO.

b. Additional Records and Logs. The followingadditional records or logs will be maintained bythe Provider regardless of the mode of operation.These will include:

1. Maintenance and repair of AIS hardware,including installation or removal of equipment,devices, or components.

2. Transaction receipts, such as equipmentsanitization, release records, etc.

3. Significant AIS changes (e.g., disconnectingor connecting remote terminals or devices, AISupgrading or downgrading actions, andapplying seals to or removing them fromequipment or device covers).

c. Audit Reviews. The audit trails, records, andlogs created during the above activities will bereviewed and annotated by the ISSR (or designee)to be sure that all pertinent activity is properlyrecorded and appropriate action has been taken to


correct anomalies. The Customer will be notifiedof all anomalies that have a direct impact on thesecurity posture of the system. The review will beconducted at least weekly.

d. Record Retention. The Provider will retain themost current 6 to 12 months (Customer Option)of records derived from audits at all times. TheCustomer may approve the periodic use of datareduction techniques to record security exceptionconditions as a means of reducing the volume ofaudit data retained. Such reduction will not resultin the loss of any significant audit trail data.

Audit records will be maintained for12 months. Printed copies need notbe maintained when other storageoptions are available.



Section 4. Networks

8-400. Networks. This section addressesnetwork-specific requirements that are inaddition to the previously stated AISrequirements. Network operations mustpreserve the security requirementsassociated with the AIS's mode of operation.

a. Types of Networks.

1. A unified network is a collection of AISs ornetwork systems that are accredited as a singleentity by a single CSA. A unified network maybe as simple as a small LAN operating indedicated mode, following a single securitypolicy, accredited as a single entity, andadministered by a single ISSR. The perimeterof such a network encompasses all itshardware, software, and attached devices. Itsboundary extends to all its users. A unifiednetwork has a single mode of operation. Thismode of operation will be mapped to the levelof trust required and will address the risk of theleast trusted user obtaining the most sensitiveinformation processed or stored on thenetwork.

2. An interconnected network is comprised ofseparately accredited AISs and/or unifiednetworks. Each self-contained AIS maintainsits own intra-AIS services and controls,protects its own resources, and retains itsindividual accreditation. Each participatingAIS or unified network has its own ISSR. Theinterconnected network must have a securitysupport structure capable of adjudicating thedifferent security policy (implementations) ofthe participating AISs or unified networks. Aninterconnected network requires accreditation,which may be as simple as an addendum to aMemorandum of Agreement (MOA) betweenthe accrediting authorities.

b. Methods of Interconnection.

1. Security Support Structure (SSS) is thehardware, software, and firmware required toadjudicate security policy and implementationdifferences between and among connectingunified networks and/or AISs. The SSS mustbe accredited. The following requirementsmust be satisfied as part of the SSSaccreditation:

(a) Document the security policy enforcedby the SSS.

(b) Identify a single mode of operation.

(c) Document the network securityarchitecture and design.

(d) Document minimum contents of MOAsrequired for connection to the SSS.

2. The interconnection of previously accreditedsystems into an accredited network mayrequire a reexamination of the security featuresand assurances of the contributing systems toensure their accreditations remain valid.

The interconnection of previously-accredited systems into anaccredited network will require areexamination of the AIS securityfeatures, and an update to the AISSPand submission to the PSO forapproval.

(a) Once an interconnected network isdefined and accredited, additionalnetworks or separate AISs (separately


accredited) may only be connectedthrough the accredited SSS.

(b) The addition of components tocontributing unified networks which aremembers of an accredited interconnectednetwork are allowed provided theseadditions do not change the accreditationof the contributing system.

c. Network Security Management. The Providerwill designate an ISSR for each Provider network.The ISSR may designate a Network SecurityManager (NSM) to oversee the security of theProvider's network(s), or may assume thatresponsibility. The ISSR is responsible forcoordinating the establishment and maintenanceof a formal network security program based on anunderstanding of the overall security-relevantpolicies, objectives, and requirements of theCustomer. The NSM is responsible for ensuringday-to-day compliance with the network securityrequirements as described in the AISSP (ascovered below) and this Supplement.

d. Network Security Coordination. Whendifferent accrediting authorities are involved, aMemorandum of Agreement is required to definethe cognizant authority and the securityarrangements that will govern the operation of theoverall network. When two or more ISSRs aredesignated for a network, a lead ISSR will benamed by the Provider(s) to ensure acomprehensive approach to enforce theCustomer's overall security policy.

e. Network Security.

The AISSP must address:1. A description of the network services andmechanisms that implement the networksecurity policy.

2. Consistent implementation of securityfeatures across the network components.

(a) Identification and AuthenticationForwarding. Reliable forwarding of theidentification shall be used between AISswhen users are connecting through anetwork. When identification forwardingcannot be verified, a request for accessfrom a remote AIS shall requireauthentication before permitting access tothe system.

(b) Protection of Authenticator Data. Inforwarding the authenticator informationand any tables (e.g., password tables)associated with it, the data shall beprotected from access by unauthorizedusers (e.g., encryption), and its integrityshall be ensured.

(c) Description of the network and anyexternal connections.

(d) The network security policy includingmode of operation, informationsensitivities, and user clearances.

(e) Must address the internode transfer ofinformation (e.g., sensitivity level,compartmentation, and any special accessrequirements) and how the information isprotected.

(f) Communications protocols and theirsecurity features.

(g) Audit Trails and Monitoring.

(1) If required by the mode of operation,


the network shall be able to create,maintain, and protect from modification orunauthorized access or destruction an audittrail of successful and unsuccessfulaccesses to the AIS network componentswithin the perimeter of the accreditednetwork. The audit data shall be protectedso that access is limited to the ISSR orhis/her designee.

(2) For Restricted Data, methods ofcontinuous on-line monitoring of networkactivities may be included in each networkoperating in the Compartmented SecurityMode or higher. This monitoring may alsoinclude real-time notification to the ISSRof any system anomalies.

(3) For Restricted Data networks operatingin the Compartmented Mode or higher, theCustomer may require the audit trail toinclude the changing of the configurationof the network (e.g., a component leavingthe network or rejoining).

(4) The audit trail records will allowassociation of the network activities withcorresponding user audit trails and records.

(5) Provisions shall be made and theprocedures documented to control the lossof audit data due to unavailability ofresources.

(6) For Restricted Data, the Customer mayrequire alarm features that automaticallyterminate the data flow in case of amalfunction and then promptly notify theISSR of the anomalous conditions.

(h) Secure Message Traffic. Thecommunications methodology for the

network shall ensure the detection oferrors in traffic across the network links.

f. Transmission Security. Protected DistributionSystems or National Security Agency approvedencryption methodologies shall be used to protectclassified information on communication linesthat leave the SAPF. Protected distributionsystems shall be either constructed in accordancewith the national standards or utilize NationalSecurity Agency approved protected distributionsystems.

g. Records. The Customer may require records bemaintained of electronic transfers of data betweenautomated information systems when thosesystems are not components of the same unifiednetwork. Such records may include the identity ofthe sender, identity and location of the receiver,date/time of the transfer, and description of thedata sent. Records are retained according to 8-303.d.

Transaction records will bemaintained for informationelectronically-transferred betweendifferent provider facilities orbetween a provider and the PSOwhen the transaction occurs betweenAISs that are not part of the sameunified network (e.g., stand-alonecomputers with STU III data transfercapability). Logs and procedures foruse will be described in the AISSP.Transfer records for C/SAP orunclassified information are notrequired.



Section 5. Software and Data Files

8-500. Software and Data Files.

a. Acquisition and Evaluation. ISSR approvalwill be obtained before software or data files maybe brought into the SAPF. All software must beacquired from reputable and/or authorized sourcesas determined by the ISSR. The Provider willcheck all newly acquired software or data files,using the most current version and/or available ofvirus checking software and procedures identifiedin the AISSP to improve assurance that thesoftware or data files are free from maliciouscode.

The PSO will be notified of additionsor changes to the software listed inthe AISSP. Updated versions of theAISSP will reflect these changes. TheISSR will implement a procedure toensure that all software introducedinto the SAPF will be controlled andreviewed before use.

b. Protection. Media that may be written to (e.g.,magnetic media) must be safeguardedcommensurate with the level of accreditation ofthe dedicated or system high AIS. Media oncompartmented or multi-level AISs will beprotected commensurate with the level of theoperating session. If a physical write-protectmechanism is utilized, media may be introducedto the AIS and subsequently removed withoutchanging the original classification. The integrityof the write-protection mechanism must beverified at a minimum of once per day byattempting to write to the media. Media whichcannot be changed (e.g., CD read-only media)may be loaded onto the classified system withoutlabeling or classifying it provided it isimmediately removed from the secure area. If thismedia is to be retained in the secure area, it mustbe labeled, controlled, and stored as

unclassified media as required by the Customer.

The ISSR will develop and implementspecialized procedures forcontrolling magnetic media such asvendor software. The procedures willaddress storage, marking,classification, unauthorized copying,creation of working disks, etc., andbe included in the AISSP.

1. System Software. Provider personnel whoare responsible for implementing modificationsto system or security-related software or datafiles on classified AISs inside the SAPF will beappropriately cleared. Software that containssecurity related functions (e.g., sanitization,access control, auditing) will be validated toconfirm that security-related features are fullyfunctional, protected from modification, andeffective.

2. Application Software. Application softwareor data files (e.g., general business software),that will be used by a Provider duringclassified processing, may bedeveloped/modified by personnel outside thesecurity area without the requisite securityclearance with the concurrence of theCustomer.

3. Releasing Software. Software that has notbeen used on an AIS processing classifiedinformation may be returned to a vendor. Ifmedia containing software (e.g., applications)are used on a classified system and found to bedefective, such media may not be removedfrom a SAPF for return to a vendor. Whenpossible, software will be tested prior to itsintroduction into the secure facility.

Vendor software acquired before


implementation of a control programas described in paragraph 8-500b willnot be released until a 100-percentreview of the media is accomplished.

c. Targetability. For SCI and SAP the software,whether obtained from sources outside the facilityor developed by Provider personnel, must besafeguarded to protect its integrity from the timeof acquisition or development through its lifecycle at the Provider's facility (i.e., design,development, operational, and maintenancephases). Uncleared personnel will not have anyknowledge that the software or data files will beused in a classified area, although this may not bepossible in all cases. Before software or data filesthat are developed or modified by unclearedpersonnel can be used in a classified processingperiod, it must be reviewed by appropriatelycleared and knowledgeable personnel to ensurethat no security vulnerabilities or malicious codeexists. Configuration management must be inplace to ensure that the integrity of the softwareor data files is maintained.

d. Maintenance Software. Software used formaintenance or diagnostics will be maintainedwithin the secure computing facility and, eventhough unclassified, will be separately controlled.The AISSP will detail the procedures to be used.

Vendor-supplied maintenancesoftware is a special category ofsoftware that requires additionalprotections. After it is introduced intoa SAPF, this type of software will notbe released. Handling procedures,such as use of classified workingcopies and write-protection features,will be developed by the ISSR andapproved by PSO.

e. Remote Diagnostics. Customer approval will beobtained prior to using vendor-supplied remotediagnostic links for on-line use of diagnosticsoftware. The AISSP will detail the procedures tobe used.

8-501. Data Storage Media. Data storagemedia will be controlled and labeled at theappropriate classification level and accesscontrols of the AIS unless write-protected inaccordance with 8-500.b. Open storageapproval will be required for non-removablemedia.The ISSR must develop andimplement procedures for the controlof data storage media thatdemonstrate a reasonable capabilityto protect the PSO’s data from loss,alteration, or unauthorizeddisclosure. Given the ease and speedwith which classified information canbe copied to unclassified orunmarked media, these proceduresmust encompass all magnetic mediain the SAPF. The procedures will bedescribed in the AISSP.

a. Labeling Media. All data storage media will belabeled in human-readable form to indicate itsclassification level, access controls (if applicable),and other identifying information. Data storagemedia that is to be used solely for unclassifiedprocessing and collocated with classified mediawill be marked as UNCLASSIFIED. Colorcoding (i.e., media, labels) is recommended. Ifrequired by the Customer, all removable mediawill be labeled with a classification labelimmediately after removing it from its factory-sealed container.

Identifying information will includedata that can identify the individualresponsible for the media.Removable media will be labeled onremoval from the factory-sealedcontainer.

b. Reclassification. When the classification of themedia increases to a higher level, replace theclassification label with a higher classification-level label. The label will reflect the highestclassification level, and access controls (ifapplicable) of any information ever stored orprocessed on the AIS unless the media is write-


protected by a Customer-approved mechanism.Media may never be downgraded in classificationwithout the Customer's written approval.

Flexible magnetic media will normallybe destroyed instead of beingdowngraded or declassified. The PSOwill evaluate requests on a case-by-case basis.

c. Copying Unclassified Information from aClassified AIS.

1. The unclassified data will be written tofactory fresh or verified unclassified mediausing approved copying routines and/orutilities and/or procedures as stated in theAISSP. For SCI and SAP, media to be releasedwill be verified by reviewing all data on themedia including embedded text (e.g., headersand footers). Data on media that is not inhuman readable form (e.g., imbedded graphs,sound, video) will be examined for contentwith the appropriate software applications.Data that cannot be reasonably observed in itsentirety will be inspected by reviewing randomsamples of the data on the media.

2. Moving Classified Data Storage MediaBetween Approved Areas. The ISSR willestablish procedures to ensure that data will bewritten to factory-fresh or sanitized media. Themedia will be reviewed to ensure that only thedata intended was actually written and that it isappropriately classified and labeled.Alternatives for special circumstances may beapproved by the Customer. All procedures willbe documented in the AISSP.

d. Overwriting, Degaussing, Sanitizing, andDestroying Media. Cleared and sanitized mediamay be reused within the same classification level(i.e., TS-TS) or to a higher level (i.e., SECRET-TS). Sanitized media may be downgraded ordeclassified with the Customer's approval. Onlyapproved equipment and software may be used tooverwrite and degauss magnetic media containing

classified information. Each action or proceduretaken to overwrite or degauss such media will beverified. Magnetic storage media thatmalfunctions or contains features that inhibitoverwriting or degaussing will be reported to theISSR, who will coordinate repair or destructionwith the Customer. (See Table 2.)

Caution: Overwriting, degaussing, andsanitizing are not synonymous withdeclassification. Declassification is aseparate administrative function.Procedures for declassifying mediarequire Customer approval.

The sanitization, declassification, andrelease of media used to processprogram information may only beauthorized on a case-by-case basisby the PSO and GPM. Various riskfactors, such as the sensitivity andvolume of the data, will be evaluated.If the PSO and GPM determine theinformation contained on the mediais, or was, too sensitive to risk anypossibility of exposure tounauthorized personnel, the media inquestion will be retained under SAPclassification control or destroyed.Only customer-approved equipmentand software may be used tooverwrite and degauss magneticmedia. These products will be testedto assure correct operation beforeeach use, either by inspection or bybuilt-in test devices. These productswill be operated in accordance withthe operating manual supplied by themanufacturer.

1. Overwriting Media. Overwriting is asoftware procedure that replaces the datapreviously stored on magnetic storage mediawith a predefined set of meaningless data.Overwriting is an acceptable method forclearing. Only approved overwriting softwarethat is compatible with the specific hardware


intended for overwriting will be used. Use ofsuch software will be coordinated in advancewith the Customer. The success of theoverwrite procedure will be verified throughrandom sampling of the overwritten media.The effectiveness of the overwrite proceduremay be reduced by several factors:ineffectiveness of the overwrite procedures,equipment failure (e.g., misalignment ofread/write heads), or inability to overwrite badsectors or tracks or information in inter-recordgaps. To clear magnetic disks, overwrite alllocations three (3) times (first time with acharacter, second time with its complement,and the third time with a random character).Items which have been cleared must remain atthe previous level of classification and remainin a secure, controlled environment.

2. Degaussing Media. Degaussing (i.e.,demagnetizing) is a procedure that reduces themagnetic flux to virtual zero by applying areverse magnetizing field. Properly applied,degaussing renders any previously stored dataon magnetic media unreadable and may beused in the sanitization process. Degaussing ismore reliable than overwriting magnetic media.Magnetic media are divided into three types.Type I degaussers are used to degauss Type Imagnetic media (i.e., media whose coercivity isno greater than 350 Oersteds (Oe)). Type IIdegaussers are used to degauss Type IImagnetic media (i.e., media whose coercivity isno greater than 750 Oe). Currently there are nodegaussers that can effectively degauss allType III magnetic media (i.e., media whosecoercivity is over 750 Oe). Some degaussersare rated above 750 Oersteds and their specificapproved rating will be determined prior touse. Coercivity of magnetic media defines themagnetic field necessary to reduce amagnetically saturated material's magnetizationto zero. The correct use of degaussing productsimproves assurance that classified data is nolonger retrievable and that inadvertentdisclosure will not occur. Refer to the currentissue of NSA's Information Systems Security

Products and Services Catalogue (DegausserProducts List Section) for the identification ofdegaussers acceptable for the proceduresspecified herein. These products will beperiodically tested to ensure continuedcompliance with the specification NSA CSSMedia Declassification and DestructionManual NSA 130-2 .

3. Sanitizing Media. Sanitization removesinformation from media such that datarecovery using any known technique oranalysis is prevented. Sanitizing is a two-stepprocess that includes removing data from themedia in accordance with Table 3 andremoving all classified labels, markings, andactivity logs.

4. Destroying Media. Data storage media willbe destroyed in accordance with Customer-approved methods.

5. Releasing Media. Releasing sensitive orclassified Customer data storage media is athree-step process. First, the Provider willsanitize the media and verify the sanitization inaccordance with procedures in this chapter.Second, the media will be administrativelydowngraded or declassified either by the CSAor the ISSR, if such authority has been grantedto the ISSR. Third, the sanitization process,downgrading or declassification, and theapproval to release the media will bedocumented.



Table 2Clearing and Sanitization Data Storage

Type Media Clear Sanitize(a) Magnetic TapeType I a or b a, b, or destroyType II a or b b or destroyType III a or b Destroy

(b) Magnetic Disk PacksType I a, b,or cType II b or cType III Destroy

(c) Magnetic Disk PacksFloppies a, b, or c DestroyBernoulli's a, b, or c DestroyRemovable Hard Disks a, b, or c a, b, c, or destroyNon-Removable Hard Disks c a, b, c, or destroy

(d) Optical DiskRead Only DestroyWrite Once, Read Many (Worm) DestroyRead Many, Write Many c Destroy

These procedures will be performed by or as directed by the ISSR.

a. Degauss with a Type I degausser

b. Degauss with a Type II degausser

c. Overwrite all locations with a character, its complement, then with a random character. Verifythat all sectors have been overwritten and that no new bad sectors have occurred. If new badsectors have occurred during classified processing, this disk must be sanitized by method a or bdescribed above. Use of the overwrite for sanitization must be approved by the Customer.

NOTE: For hand-held devices (e.g., calculators or personal directories), sanitization is dependentupon the type and model of the device. If there is any question about the correct sanitizationprocedure, contact the manufacturer or the Customer. In general, sanitization is accomplished asfollows: Depress the "CLEAR ENTRY" and the "CLEAR MEMORY" buttons, remove thebattery for several hours, and remove all associated magnetic media and retain it in the SAPF ordestroy. In some models there are special-purpose memories and key-numbered memories, aswell as "register stacks." Caution will be taken to clear all such memories and registers. This maytake several key-strokes and may require the use of the operator's manual. Test the hand helddevice to ensure that all data has been removed. If there is any question, the device will remain inthe SAPF or be destroyed.



Table 3Sanitizing AIS Components

TYPE PROCEDURE

Magnetic Bubble Memory a, b, or cMagnetic Core Memory a, b,or dMagnetic Plated Wire d or eMagnetic-Resistive Memory Destroy

Solid State Memory Components

Random Access Memory (RAM) (Volatile) f, then jNonvolatile RAM (NOVRAM) lRead Only Memory (ROM) Destroy (see k)Programmable ROM (PROM) Destroy (see k)Erasable Programmable ROM (EPROM) g, then d and jElectronically Alterable PROM (EAPROM) h, then d and jElectronically Erasable PROM (EEPROM) i, then d and jFlash EPROM (FEPROM) i, then d and jThese procedures will be performed by or as directed by the ISSR.

a. Degauss with a Type I degausser.b. Degauss with a Type II degausser.c. Overwrite all locations with any character.d. Overwrite all locations with a character, its complement, then with a random character.e. Each overwrite will reside in memory for a period longer than the classified data resided.f.Remove all power, including batteries and capacitor power supplies, from RAM circuit board.g. Perform an ultraviolet erase according to manufacturer's recommendation, but increase time

requirements by a factor of 3.h. Pulse all gates.i.Perform a full chip erase. (See Manufacturer's data sheet.)j.Check with Customer to see if additional procedures are required.k. Destruction required only if ROM contained a classified algorithm or classified data.l. Some NOVRAM are backed up by a battery or capacitor power source; removal of this source is

sufficient for release following item f procedures. Other NOVRAM are backed up by EEPROMwhich requires application of the procedures for EEPROM (i.e., i, then d and j).

Springer



Section 6. AIS Acquisition, Maintenance, and Release

8-600. AIS Acquisition, Maintenance, andRelease.

a. Acquisition. AISs and AIS components that willprocess classified information will be protectedduring the procurement process from directassociation with the Customer's program. Whenrequired by the Customer, protective packagingmethods and procedures will be used while suchequipment is in transit to protect againstdisclosure of classified relationships that mayexist between the Customer and the Provider.

b. Maintenance Policy. The Provider will discussmaintenance requirements with the vendor beforesigning a maintenance contract. The Customermay require that AISs and AIS components usedfor processing Customer information will beprotected during maintenance from directassociation with the Customer's program.

1. Cleared maintenance personnel are thosewho have a valid security clearance and accessapprovals commensurate with the informationbeing processed. Complete sanitization of theAIS is not required during maintenance bycleared personnel, but need-to-know will beenforced. However, an appropriately clearedProvider individual will be present within theSAPF while a vendor performs maintenance toensure that proper security procedures arebeing followed. Maintenance personnelwithout the proper access authorization andsecurity clearance will always be accompaniedby an individual with proper security clearanceand access authorization and never left alone ina SAPF. The escort shall be approved by theISSR and be technically knowledgeable of theAIS to be

repaired.

2. Prior to maintenance by a person requiringescort, either the device under maintenanceshall be physically disconnected from theclassified AIS (and sanitized before and aftermaintenance) or the entire AIS shall besanitized before and after maintenance. When asystem failure prevents clearing of the systemprior to maintenance by escorted maintenancepersonnel, Customer-approved procedures willbe enforced to deny the escorted maintenancepersonnel visual and electronic access to anyclassified data that may be contained on thesystem.

3. All maintenance and diagnostics should beperformed in the Provider's secure facility. AnyAIS component or equipment released fromsecure control for any reason may not bereturned to the SAPF without the approval ofthe ISSR. The Customer may require that apermanent set of procedures be in place for therelease and return of components. Theseprocedures will be incorporated into theAISSP.

The AISSP will include proceduresfor the release and return of AIScomponents.

c. Maintenance Materials and Methods.

1. Unclassified Copy of Operating System. Aseparate, unclassified, dedicated formaintenance copy of the operating system (i.e.,a specific copy other than the copy(s) used inprocessing Customer information), includingany micro-coded floppy disks or cassettes thatare integral to the operating system, will beused whenever maintenance is done byuncleared personnel. This copy will be labeled"UNCLASSIFIED-FOR MAINTENANCE


USE ONLY." Procedures for an AIS using anonremovable storage device on which theoperating system is resident will be consideredby the Customer on a case-by-case basis.

Maintenance software for systemswith fixed disks or other devices thatmake sanitizing unfeasible will beclassified at the level of the systemand brought into control.

2. Vendor-supplied Software and/or Firmware.Vendor-supplied software and/or firmwareused for maintenance or diagnostics will bemaintained within the secure computingfacility and stored and controlled as thoughclassified. If permitted by the Customer, theISSR may allow, on a case-by-case basis, therelease of certain types of costly magneticmedia for maintenance such as disk head-alignment packs.

3. Maintenance Equipment and Components.All tools, diagnostic equipment, and otherdevices carried by the vendor to the Provider'sfacility will be controlled as follows:

(a) Tool boxes and materials belonging to avendor representative will be inspected bythe assigned escort before the vendorrepresentative is permitted to enter thesecure area.

(b) The ISSR will inspect any maintenancehardware (such as a data scope) and makea best technical assessment that thehardware cannot access classified data.The equipment will not be allowed in thesecure area without the approval of theISSR.

(c) Maintenance personnel may bring kitscontaining component boards into thesecure facility for the purpose of swapping

out component boards that may be faulty.Any component board placed into anunsanitized AIS will remain in the securityfacility until proper release procedures arecompleted. Any component board thatremains in the kit and is not placed in theAIS may be released from the securefacility.

(d) Any communication devices withtransmit capability belonging to the vendorrepresentative or any data storage medianot required for the maintenance visit willbe retained outside the SAPF for return tothe vendor representative upon departurefrom the secure area.

4. Remote Diagnostic Links. Remotediagnostic links require Customer approval.Permission for the installation and use ofremote diagnostic links will be requested inadvance and in writing. The detailedprocedures for controlling the use of such alink or links will have the written approval ofthe Customer prior to implementation.

d. Release of Memory Components and Boards.Prior to the release of any component from anarea used to process or store Customerinformation, the following requirements will bemet in respect to coordination, documentation,and written approval. This section applies only tocomponents identified by the vendor or othertechnically knowledgeable individual as havingthe capability of retaining user addressable dataand does not apply to other items (e.g., cabinets,covers, electrical components not associated withdata), which may be released without reservation.For the purposes of this document, a memorycomponent is considered to be the LowestReplaceable Unit (LRU) in a hardware device.Memory components reside on boards, modules,and sub-assemblies. A board can be a module ormay consist of several modules andsubassemblies. Unlike media sanitization,


clearing may be an acceptable method ofsanitizing components for release (see 8-501,Table 3). Memory components are specificallyhandled as either volatile or nonvolatile asdescribed below.

1. Volatile Memory Components. Memorycomponents that do not retain data afterremoval of all electrical power sources, andwhen reinserted into a similarly configuredAIS do not contain residual data, areconsidered volatile memory components.Volatile components may be released onlyafter accomplishing the following steps:

(a) Maintain a record of the equipmentrelease indicating that all componentmemory is volatile and that no dataremains in/on the component when poweris removed.

(b) Equipment release procedures must bedeveloped by the ISSR and stated in theAISSP.

2. Nonvolatile Memory Components. Memorycomponents that do retain data when all powersources are disconnected are nonvolatilememory components. Nonvolatile memorycomponents defined as read only memory(ROM), programmable ROM (PROM), orerasable PROM (EPROM) that have beenprogrammed at the vendor's commercialmanufacturing facility are considered to beunalterable in the field and may be released.Customized components of this nature thathave been programmed with a classifiedalgorithm or classified data will be destroyed.All other nonvolatile components may bereleased after successful completion of theprocedures outlined in 8-501, Table 3. Failureto accomplish these procedures will require theISSR to coordinate with the Customer for adetermination of releasability. Nonvolatilecomponents shall be released only after

accomplishing the following steps:

(a) Maintain a record of the equipmentrelease indicating the procedure used forsanitizing the component, who performedthe sanitization, and who it was releasedto.

(b) Equipment release procedures must bedeveloped by the ISSR and stated in theAISSP. The record will be retained for 12months.

All nonvolatile memory componentswill require the ISSR to coordinatewith the PSO in advance to determinethe releasability.

3. Inspecting AIS Equipment. All AISequipment designated for release will beinspected by the ISSR. This review will ensurethat all media including internal disks havebeen removed.

8-601. Test Equipment. The Provider willdetermine the capability of individual testinstruments to collect and processinformation. If necessary, the manufacturerwill be asked to provide this information. Adescription of the capabilities of individualtest equipment will be provided to theCustomer. Security requirements are basedon concerns about the capability of theequipment to retain sensitive or classifieddata. Test equipment with nonvolatile fixedor removable storage media will complywith the requirements of this Supplementand be approved by the Customer forintroduction and use in the SAPF. Testequipment with no data retention and nosecondary storage does not requireCustomer approval.



Section 7. Documentation and Training

8-700. Documentation and Training.

a. Provider Documentation. The Provider willdevelop, publish, and promulgate a corporate AISsecurity policy, which will be maintained on fileby the ISSR.

b. Security Documentation. The Provider willdevelop and maintain security-relateddocumentation which are subject to review by theCustomer as follows:

1. AISSP. Prepare and submit to the Customerfor approval an AISSP in accordance withCustomer guidance that covers each AIS whichwill process information for the Customer.This plan will appropriately reference all otherapplicable Provider security documentation. Inmany cases, an AISSP will include informationthat should not be provided to the general userpopulation. In these cases, a separate usersecurity guide will be prepared to include onlythe security procedures required by the users.

2. Physical Security Accreditation. Maintain onfile the physical security accreditationdocumentation that identifies the date(s) ofaccreditation, and classification level(s) for thesystem device locations identified in theAISSP, and any open storage approvals.

3. Processing Approval. Maintain on file theCustomer's processing approval (i.e., interimapproval or accreditation) that specifies thedate of approval, system, system location,mode of operation, and classification level forwhich the AIS is approved.

4. Memorandum of Agreement. Maintain on

file a formal memorandum of agreementsigned by all Customers having dataconcurrently processed by an AIS or attachedto the network.

5. AIS Technical Evaluation Test Plan. As aprerequisite to processing in thecompartmented or multilevel mode, developand submit a technical evaluation test plan tothe Customer for approval. The technicalevaluation test plan will provide a detaileddescription of how the implementation of theoperating system software, data managementsystem software, and related security softwarepackages will enable the AIS to meet thecompartmented or multilevel moderequirements stated herein. The test plan willalso outline the test procedures proposed todemonstrate this compliance. The results of thetest will be maintained for the life of thesystem.

6. Certification Report. The CertificationReport will be maintained for the life of thesystem.

c. System User Training and Awareness. AllAIS users, custodians, maintenance personnel,and others whose work is associated with theCustomer will be briefed on their securityresponsibilities. These briefings will be conductedby the Provider. Each individual receiving thebriefing will sign an agreement to abide by thesecurity requirements specified in the AISSP andany additional requirements initiated by theCustomer. This security awareness training willbe provided prior to the individual being grantedaccess to the classified AIS and at least annuallythereafter. The awareness training will cover thefollowing items and others as applicable:


1. The security classifications andcompartments accessible to the user and theprotection responsibilities for each. If the useris a privileged user, discuss additionalresponsibilities commensurate with thoseprivileges;

2. Requirements for controlling access to AISs(e.g., user IDs, passwords and passwordsecurity, the need-to-know principle, andprotecting terminal screens and printer outputfrom unauthorized access) ;

3. Methods of securing unattended AISs suchas checking print routes, logging off the hostsystem or network, and turning the AIS off;

4. Techniques for securing printers such asremoving latent images from laser drums,cleaning platens, and locking up ribbons;

5. Caution against the use of government-sponsored computer resources for unauthorizedapplications;

6. The method of reporting security-relatedincidents such as misuse, violations of systemsecurity, unprotected media, improper labeling,network data spillage, etc.;

7. Media labeling, including classificationlabels, data-descriptor labels, placement oflabels on media, and maintenance of labelintegrity;

8. Secure methods of copying and verifyingmedia;

9. Methods of safeguarding media, includingwrite protection, removal from unattendedAISs, and storage;

10. Methods of safeguarding hard-copy output,including marking, protection during printing,and storage;

11. Policy on the removal of media;

12. Methods of clearing and sanitizing media;

13. Procedures for destroying and disposing ofmedia, printer ribbons, and AIS circuit boardsand security aspects of disposing of AISs;

14. Methods of avoiding viruses and othermalicious code including authorized methodsof acquiring software, examining systemsregularly, controlling software and media, andplanning for emergencies. Discuss the use ofrecommended software to protect againstviruses and steps to be taken when a virus issuspected;

15. AIS maintenance procedures including thesteps to be taken prior to AIS maintenance andthe user's point-of-contact for AIS maintenancematters;

16. Any special security requirements withrespect to the user's AIS environment includingconnections to other AIS equipment ornetworks;

17. The use of personally owned electronicdevices within the SAPF;

18. Any other items needed to be covered forthe specific Customer's program.

The ISSR will maintain a record oftopics presented and names ofpersonnel receiving the training.


Chapter 9Restricted Data

Section 1. Introduction

9-100. General. This chapter of theNISPOMSUP addresses those supplementalsecurity requirements for SECRETRestricted Data (SRD) and TOP SECRETRestricted Data (TSRD) information whichhave been identified as being sufficientlysensitive to necessitate security standardsabove and beyond those mandated by theNISPOM baseline document. Hereafterthese are referred to as Critical SRD orTSRD. CONFIDENTIAL RD and allclassification levels of Formerly RestrictedData shall be protected in accordance withthe requirements in the NISPOM baselinedocument. In addition to those requirementsin Chapter 9 of the NISPOM, this chapterprescribes the supplemental requirements forthe protection of Critical SRD and TSRDinformation. Neither the NISPOM nor theNISPOMSUP are to be construed to apply tothe safeguarding requirements for SpecialNuclear Material, Nuclear Explosive LikeAssemblies, or Nuclear Weapons.SAPs that use Critical Secret/RD/FRDand Top Secret/RD/FRD material willprotect those data in accordance withthis chapter and any MOA or MOUestablished with the RD/FRD-cognizant security agency.

9-101. Requirements. Under the authorityof the Atomic Energy Act of 1954, theSecretary of Energy, using his/her authorityover Restricted Data, may issue orders,guides, and manuals concerning protectionof Restricted Data. These issuances serve asthe basis for government-wideimplementation procedures. However, theseprocedures of other agencies have not been

endorsed by DOE. As a result of changes inthe world situation, these policy issuancesare currently under review by the JointDOE/DOD Nuclear Weapons InformationAccess Authorization Review Group. Untilthe Review Group's recommendations areapproved as policy by the Secretary ofEnergy, DOD contractors will continue toprotect Critical SRD and TSRD inaccordance with established contractualprovisions. A revision of this chapter will bedeveloped and promulgated following theresults of the Joint DOE/DOD NuclearWeapons Information Access AuthorizationReview Group. Nothing in this paragraphalters or abridges the authority of theSecretary of Energy under the AtomicEnergy Act of 1954, as amended. DODcontracts awarded in the interim perioddealing with the physics of nuclear weaponsdesign, as specified in 9-101.a through 9-101.i, will be reviewed by technicallyqualified representatives to determine if thecontract involves the above specifiedCritical SRD or TSRD information. If so,this chapter's requirements will be includedin the contractual document. DOEtechnical experts will be available to provideadvice and assistance upon request bycontracting agency representative. Shouldthe results of the Joint DOE/DOD NuclearWeapons Information Access AuthorizationReview Group modify the informationspecified in 9-101.a through 9-101.i, theaffected contracts may be amended. ForDOE contractors, Restricted Data willcontinue to be protected in accordance withthe Department of Energy's 5600 seriesSafeguards and Security orders until the

Springer


Review Group's recommendations areapproved as policy by the Secretary ofEnergy and this chapter is revised toconform to the new policy.

a. Theory of operation (hydrodynamic and nuclear)or completed design of thermonuclear weapons ortheir unique components. This definition includesspecific information about the relative placementof components and their functions with regard toinitiating and sustaining the thermonuclearreaction.

b. Theory of operation or complete design offission weapons or their unique components. Thisdefinition includes the high explosive system withits detonators and firing unit, pit system, andnuclear initiating system as they pertain toweapon design and theory.

c. Manufacturing and utilization information whichreveals the theory of operation or design of thephysics package.

d. Information concerning inertial confinementfusion which reveals or is indicative of weapondata.

e. Complete theory of operation, complete orpartial design information revealing sensitivedesign features or information on energyconversion of a nuclear directed energy weapon.Sensitive information includes but is not limitedto the nuclear energy converter, energy director,or other nuclear directed energy system orcomponents outside the envelope of the nuclearsource but within the envelope of the nucleardirected energy weapon.

f. Manufacturing and utilization information andoutput characteristics for nuclear energyconverters, directors, or other nuclear directed

energy weapon systems or components outsidethe envelope of the nuclear source and which donot comprehensively reveal the theory ofoperation, sensitive design features of the nucleardirected energy weapon or how the energyconversion takes place.

g. Nuclear weapon vulnerability assessmentinformation concerning use control systems thatreveals an exploitable design feature, or anexploitable system weakness or deficiency, whichcould be expected to permit the unauthorized useor detonation of a nuclear weapon.

h. Detailed design and functioning information ofnuclear weapon use control systems and theircomponents. Includes actual hardware anddrawings that reveal design or theory ofoperation. This also includes use controlinformation for passive and active systems as wellas for disablement systems.

i. Access to specific categories of noise andquieting information, fuel manufacturingtechnology and broad policy or program directionassociated with Naval Nuclear Propulsion Plantsas approved by the Naval Nuclear PropulsionProgram CSA.

9-102.

a. Contractors shall establish protective measuresfor the safeguarding of Critical SRD and TSRDin accordance with the requirements of thischapter. Where these requirements are notappropriate for protecting specific types or formsof material, compensatory provisions shall bedeveloped and approved by the CSA, with theconcurrence of DOE, as appropriate. Nothing inthis NISPOMSUP shall be construed tocontradict or inhibit compliance with the law orbuilding codes.


b. Access to Restricted Data shall be limited topersons who possess appropriate accessauthorization, or PCL, and who require suchaccess (need-to-know) in the performance ofofficial duties (i.e., have a verifiable need-to-know). For access to TOP SECRET RestrictedData, an individual must possess an active Qaccess authorization, or a final TOP SECRETPCL, based on a SSBI. For access to CriticalSECRET Restricted Data, as defined in 9-101.athrough 9-101.i, an individual must possess anactive Q access authorization, or final TOPSECRET or SECRET PCL, based on a SSBI.Controls shall be established to detect and deterunauthorized access to Restricted Data.



Section 2. Secure Working Areas

9-200. Secure Working Areas.

a. General. When not placed in approved storage,Critical SRD and TSRD must be maintained inapproved Secured Working Areas, and beconstantly attended to by, or under the control of,a person or persons having the proper accessauthorization, or PCL, and a need- to-know, whoare responsible for its protection.

b. Requirements. Secure Working Areaboundaries shall be defined by physical barriers(e.g., fences, walls, doors). Protective personnelor other measures shall be used to controlauthorized access through designated entryportals and to deter unauthorized access to thearea. A personnel identification system (e.g.,security badge) shall be used as a control measurewhen there are more than 30 persons per shift.Entrance/Exit inspections for prohibited articlesand/or Government property may be conductedby protective personnel. When access to a SecureWorking Area is authorized for a person withoutappropriate access authorization or need-to-know,measures shall be taken to prevent compromise ofclassified matter. Access to safeguards andsecurity interests within a Secure Working Area,when not in approved storage, is controlled by thecustodian(s) or authorized user(s). Means shall beused to detect unauthorized intrusion appropriateto the classified matter under protection.

9-201. Barriers.

Physical barriers shall be used todemarcate the boundaries of a SecureWorking Area. Permanent barriers shall beused to enclose the area, except duringconstruction or transient activities, when

temporary barriers may be erected.Temporary barriers may be of any heightand material that effectively impede accessto the area.

a. Walls. Building materials shall offerpenetration resistance to, and evidence of,unauthorized entry into the area. Constructionshall meet local building codes. Walls thatconstitute exterior barriers of Security Areasshall extend from the floor to the structuralceiling, unless equivalent means are used.

1. When transparent glazing material is used,visual access to the classified material shallbe prevented by the use of drapes, blinds, orother means.

2. Insert-type panels (if used) shall be such thatthey cannot be removed from outside the areabeing protected without showing visualevidence of tampering.

b. Ceilings and Floors. Ceilings and floors shallbe constructed of building materials that offerpenetration resistance to, and evidence of,unauthorized entry into the area. Constructionshall meet local building codes.

c. Doors. Doors and door jambs shall provide thenecessary barrier delay rating required by theapplicable procedure. As a minimum,requirements shall include the following:

1. Doors with transparent glazing materialmay be used if visual access is not a securityconcern; however, they shall offer penetrationresistance to, and evidence of, unauthorizedentry into the area.


2. A sight baffle shall be used if visual accessis a factor.

3. An astragal shall be used where doors usedin pairs meet.

4. Door louvers, baffle plates, or astragals,when used, shall be reinforced and immov-able from outside the area being protected.

d. Windows. The following requirements shall beapplicable to windows:

1. When primary reliance is placed onwindows as physical barriers, they shall offerpenetration resistance to, and evidence of,unauthorized entry into the area.

2. Frames shall be securely anchored in thewalls, and windows shall be locked from theinside or installed in fixed (nonoperable)frames so the panes are not removable fromoutside the area being protected.

3. Visual barriers shall be used if visualaccess is a factor.

e. Unattended Openings.

1. Physical protection features shall beimplemented at all locations where stormsewers, drainage swells, and site utilitiesintersect the fence perimeter.

2. Unattended openings in security barriers,which meet the following criteria, mustincorporate compensatory measures such assecurity bars: greater than 96 inches square(619.20 square centimeters) in area andgreater than 6 inches (15.24 centimeters) inthe smallest dimension; and located within 18feet (5.48 meters) of the ground, roof, or ledgeof a lower Security Area; or located 14 feet(4.26 m) diagonally or directly oppositewindows, fire escapes, roofs, or other open-

ings in uncontrolled adjacent buildings; orlocated 6 feet (1.83 m) from uncontrolledopenings in the same barrier.



Section 3. Storage Requirements

9-300. General.

Custodians and authorized users of CriticalSRD and TSRD are responsible for theprotection and control of such matter.

9-301. TSRD Storage.

TOP SECRET Restricted Data thatis not under the personal controlof an authorized person shall bestored within a security repositorylocated within a Secure WorkingArea with CSA approvedsupplementary protectionconsistent with Chapter 5-307.aand 5-307.b of the NISPOMbaseline. Authorized repositoriesare as follows:

a. In a locked, General Services Administration-approved security container.

b. In a vault or vault-type room.

9-302. Critical SRD Storage.

Critical SRD shall be stored in a mannerauthorized for Top Secret Restricted Datamatter or in one of the following ways:

a. In a locked General Services Administration-approved security container located within aSecure Working Area.

b. In a General Services Administration-approvedsecurity container, not located within a SecureWorking Area, under supplemental protection(i.e., intrusion detection system protection orprotective patrol).

c. In a steel filing cabinet, not meeting GeneralServices Administration requirements, butapproved for use prior to the date of this

NISPOMSUP, which may continue to be useduntil there is a need for replacement. It shall beequipped with a minimum of either anUnderwriter Laboratories Group 1, built-in,changeable combination lock or a lock thatmeets Federal Specification FF-P-110"Padlock, Changeable Combination." Steelfiling cabinets located within a Secure WorkingArea shall be under approved supplementalprotection (i.e., intrusion detection systemprotection or protective patrol). If the steel filingcabinet is not located within a Secure WorkingArea, it shall be under intrusion detectionsystem protection.



Chapter 10International Security Requirements

Section 1. International Security

10-100. International Security.

International security information that isrequired by a SAP or is SAP-related willconform to the NISPOM as directed by thePSO.

International Security Considerations

a. Normally, programs start foreigndisclosure and security planning atthe beginning of the acquisitionprocess and systematically applydecisions throughout the life cycle.When a program is identified forinternational cooperation orforeign sale, consider andincorporate, as appropriate, allapplicable National DisclosurePolicy and technology transferpolicy guidelines.

b. For policy guidance and thedevelopment of a TechnologyAssessment/Control Plan (TA/CP),Memorandum of Agreement,Security Manual, and SOP for allinternational programs(research/development, FMS, jointcooperation, and acquisition),contact the PSO.



Chapter 11Miscellaneous

Section 1. TEMPEST

11-100. TEMPEST Requirements. Whencompliance with TEMPEST standardsis required for a contract, theGPM/PSO will issue specific guidancein accordance with current nationaldirectives that afford consideration torealistic, validated, local threats, costeffectiveness, and zoning.

NOTE: For DoD purposes, EMSECmeans TEMPEST.

a. Each department or agency hasappointed Certified TEMPESTTechnical Authorities (CTTAs) whomust conduct and validate allTEMPEST countermeasure reviewsby the National Policy.

b. The program security officer,with guidance from a CTTA, shalldetermine if a review is requiredand direct the completion of aTEMPEST RequirementsQuestionnaire.

c. If a review is required, a CTTAwill determine if the equipment,system, or facility has a TEMPESTrequirement, and if so, willrecommend the most cost effectivecountermeasure which will containcompromising emanations withinthe inspectable space. Theinspectable space is defined as thethree dimensional space

surrounding equipment that

processes National SecurityInformation (NSI) within whichTEMPEST exploitation is notconsidered practical or wherelegal authority to identify and/orremove a potential TEMPESTexploitation exists.

d. Only those TEMPESTcountermeasures recommendedby CTTA and authorized by theprogram manager or contractingauthority should be implemented.The processing of SpecialCategory NSI or the submission ofinformation for a TEMPESTcountermeasure review does notimply a requirement to implementTEMPEST countermeasures.TEMPEST countermeasures whichmay be recommended by CTTAinclude, but are not limited to:

1. The use of shieldedenclosures or architecturalshielding;

2. The use of equipment whichhave TEMPEST profiles orTEMPEST zones which matchthe inspectable space, distance,or zone respectively; and

3. The use of RED/BLACKinstallation guidance as providedby reference (c).


e. Telephone line filters, powerfilters, and non-conductivedisconnects are not required forTEMPEST purposes unlessrecommended by a CTTA as partof a TEMPEST countermeasurerequirement. Telephone linedisconnects, not to be confusedwith telephone line filters, may berequired for non-TEMPESTpurposes.



Section 2. Government Technical Libraries

11-200. SAP information will not be sent tothe National Defense TechnicalInformation Center or the U.S. Departmentof Energy Office of Scientific andTechnical Information.



Section 3. Independent Research and Development

11-300. General. The use of SAPinformation for a contractor IndependentResearch and Development (IR&D) effortwill occur only with the specific writtenpermission of the Contracting Officer.Procedures and requirements necessary forsafeguarding SAP classified informationwhen it is incorporated in a contractor'sIR&D effort will be coordinated with thePSO.

Only authorized GovernmentContracting Officers may approvecontractors to conduct SAPindependent research anddevelopment (IR&D). A letter definingthe authority to conduct IR&D, a DDForm 254, and an appropriateNISPOMSUP selector andclassification guide will be providedto each contractor. Contractors whoare conducting, or who desire toconduct SAP IR&D under thissection, but who have not obtainedproper authority, must contact theappropriate contracting authority.

11-301. Retention of SAP ClassifiedDocuments Generated Under IR&DEfforts. With the permission of theContracting Officer, the contractor may beallowed to retain the classified materialgenerated in connection with a classifiedIR&D effort. The classified documents maybe required to be sanitized. If necessary, theGovernment agency will provide thecontractor assistance in sanitizing thematerial to a collateral or unclassified level(i.e., by reviewing and approving thematerial for release).


The Program Offices for determiningsanitization and releasibility of SAPIR&D documents are identified in thecontracts letter and DD Form 254.

11-302. Review of Classified IR&DEfforts. IR&D operations anddocumentation that contain SAP classifiedinformation will be subject to review in thesame manner as other SAP classifiedinformation in the possession of thecontractor.

These reviews normally will beconducted at the same time asreviews of other SAPs at that activity.

The Program Office/PSO will approvesubcontracts before they are issuedfor IR&D efforts.



Section 4. Operations Security

11-400. Special Access Programs mayrequire unique Operations Security(OPSEC) plans, surveys, and activities to beconducted as a method to identify, define,and provide countermeasures tovulnerabilities. These requirements may bemade part of the contractual provisions.


Provide an OPSEC orientation tonewly assigned personnel. Cover theactivity OPSEC program, designatedessential elements of friendlyinformation (EEFI), OPSEC lessonslearned, and the OPSEC role. IncludeOPSEC in annual refresher training.Include common OPSECvulnerabilities, significance ofunclassified data, tactical deception,new lessons learned, and otherOPSEC subjects that are deemedappropriate.



Section 5. Counterintelligence (CI) Support

11-500. Counterintelligence (CI) Support.Analysis of foreign intelligence threats andrisks to Program information, material,personnel, and activities may be undertakenby the Government Agency. Resultinginformation that may have a bearing on thesecurity of a SAP will be provided by theGovernment to the contractor whencircumstances permit. Contractors may useCI support to enhance or assist securityplanning and safeguarding in pursuit ofsatisfying contractual obligations. Requestsshould be made to the PSO.


11-501. Countermeasures. Securitycountermeasures may be required for SAPsto protect critical information, assets, andactivities. When OPSEC countermeasuresare necessary, they will be made a part ofthe contract provisions and costimplementation may be subject tonegotiation. Countermeasures may be activeor passive techniques, measures, systems, orprocedures implemented to prevent orreduce the timely effective collection and/oranalysis of information which would revealintentions or capabilities (e.g., traditionalsecurity program measures, electroniccountermeasures, signature modification,operational and/or procedural changes,direct attack against and neutralization ofthreat agents and/or platforms, etc.).


When conditions warrant, the PSOmay require a TSCM survey of aSAPF for approval or reaccreditationof a previously used facility.


Section 6. Decompartmentation, Disposition, andTechnology Transfer

11-600. Every scientific paper, journalarticle, book, briefing, etc., pertaining to aSAP and prepared by personnel currentlyor previously briefed on the SAP that isproposed for publication or presentationoutside of the SAP will be reviewed by thePSO and a Program-briefed Public AffairsOfficer (PAO) if available. Any release willbe by the GPM. Often SAP-unique "tools"such as models, software, technology, andfacilities may be valuable to other SAPs.Some information, material, technology, orcomponents may not be individuallysensitive. If information or materials can besegregated and disassociated from the SAPaspects of the Program, decompartmentationand release of the information and/ormaterials may be approved to support U.S.Government activities. The information andmaterials proposed for release will remainwithin the Program Security Channelsuntil authorized for release.

11-601. Procedures. The followingprocedures apply to the partial or fulldecompartmentation, transfer (either toanother SAP or collateral Program), anddisposition of any classified information,data, material(s), and hardware or softwaredeveloped under a SAP contract orsubcontract (SCI information will behandled within SCI channels).

a. Decompartmentation. Prior todecompartmenting any classified SAPinformation or other material(s) developedwithin the Program, the CPSO will obtain thewritten approval of the GPM.Decompartmentation initiatives at a Programactivity will include completion of aDecompartmentation or Transfer ReviewFormat Include supporting documentation thatwill be submitted through the PSO to the GPM.

Changes, conditions and stipulations directed bythe GPM will be adhered to. Approval ofProgram decompartmentation and allsubsequent transfers will be in writing.

b. Technology Transfer. Technologies may betransferred through established and approvedchannels in cases where there would be a netbenefit to the U.S. Government and Programinformation is not exposed or compromised. TheContracting Officer is the approval authority fortechnology transfers.

1. Contractor Responsibilities. CPSOs willensure that technologies proposed for transferreceive a thorough security review. Thereview will include a written certification thatall classified items and unclassified Program-sensitive information have been redactedfrom the material in accordance withsanitization procedures authorized by theGPM. A description of the sanitizationmethod used and identification of the officialwho accomplished the redaction willaccompany the information or material(s)forwarded to the GPM for review andapproval.

2. Government Responsibilities. Thecontracting officer's representative (COR),PSO, and GPM will make every attempt toreview requests expeditiously. Requests will besubmitted at least thirty (30) working daysprior to the requested release date. This isparticularly important when requestingapproval for Program-briefed personnel tomake non-Program related presentations atconferences, symposia, etc.



Section 7. Other Topics

11-700. Close-out of a SAP. At theinitiation of a contract close-out,termination or completion of the contracteffort, the CPSO will consider actions fordisposition of residual hardware, software,documentation, facilities, and personnelaccesses. Security actions to close-outProgram activities will prevent compromiseof classified Program elements or otherSAP security objectives. The contractor maybe required to submit a termination plan tothe Government. The master classifiedmaterial accountability record (log orregister) normally will be transferred to thePSO at Program close-out.


11-701. Special Access Program SecureCommunications Network. SAPs may usea SAP secure communications and/or datanetwork linking the GPM and/or contractorswith associated technical, operational, andlogistic support activities for securecommunications.


11-702. Patents. Patents involving SAPinformation will be forwarded to theGPM/PSO for submission to the PatentsOffice. The PSO will coordinate withGovernment attorneys and the PatentOffice for submission of the patent.

11-703. Telephone Security. The PSO willdetermine the controls, active or inactive, tobe placed on telecommunication lines.SAPFs accredited for discussion orelectronic processing will comply withDCID 1/21 and Telephone Security Group(TSG) standards as determined by the PSO.

See 11-701 for overall requirements.

11-704. Treaty Guidance.

Treaty Guidance. DoD SAPs will besubject to an increasing number ofvarious international arms controltreaty verification or confidence andsecurity building measures, many ofwhich will impose a significantburden on program securityconcerns. SAPs will not be exemptedfrom on-site inspections, overflights,or other intrusive activities involvingmultinational inspection teams.Therefore, SAPs must ensure thatthey are in compliance with treatyprovisions, and they must participatein the preparation of ComponentCompliance and ImplementationPlans so that the methodology ofthose plans adequately complementsSAP program protection interests.SAP facility personnel should workwith their SAP component treatyassistance team to ensure theirequities will be protected during aninspection or other verificationactivity.

Each service entity must also ensureSAPs are included in thatcomponent’s treaty inspectionnotification systems. Individual SAPfacilities must establish an internalnotification system to ensure that keypersonnel are advised of impendinginspections.

a. Arms Control TreatyImplementation. DoD Directive


2060.1 provides that theimplementation and complianceresponsibilities for SAPs must beaccomplished under thecognizance of the DoD SAPOversight Committee in a mannerconsistent with the SAP PolicyDirective, DoD Directive O-5205.7.The SAP Policy Directive providesthat program access to DoD SAPsis controlled by the sponsoringDoD Component, unless theSecretary or Deputy Secretary ofDefense has directed otherwise.Implementation of arms controltreaties may require physicalaccess to special access programfacilities. Access to programinformation by internationalinspectors or U.S. personnelsupporting inspection activitiesshould not be necessary and maynot be permitted without thespecific approval of the affectedcomponent. Any inspection orverification issue directly related toSAPs must be decided within theSAP chain of command andadministered by the appropriateComponent-level SAP centraloffice. Denial of access to theinspection team will only beconsidered if a SAP facility cannotbe adequately prepared to protectprogram material, and access tothat SAP space would compromisethe program. In this case, aprepositioned access denialjustification, approved by theComponent-level SAP centraloffice, is required.

b. Arms Control Treaty InspectionBackground. SAPs, because oftheir enhanced security posture,

normally are handled separatelyfrom traditional securityrequirements. As noted above,DoD SAP facilities will not beexempted from arms controlverification activities by foreigninspection teams. Thus, SAPsmust be prepared to protectclassified information and equitieswhile inspections are beingconducted at or near theirfacilities. Programs conductingsensitive work outdoors, eventemporarily, also must be preparedfor the possibility of “open skies”overflights or other verificationactivities to which they might beexposed.

c. General Guidance. EachComponent-level SAP centraloffice should develop anInspection Readiness Plan (IRP)that provides general backgroundinformation on treaty verificationactivities affecting SAPs andprocedures for safeguarding SAPinformation while demonstratingtreaty compliance. The IRP is atool that should be used to helpfacilities prepare for an on-siteinspection, overflight, or any otherarms control verification activity.This general plan should provideadequate guidance for the majorityof SAPs that do not have hardwareconcerns. Facilities that requireadditional program-specificpreparation should develop anannex to the IRP specifyingdetailed procedures. If assistanceis required, the SAP securitymanager should contact theComponent-level SAP centraloffice. Preparation for an on-site


inspection should be based onprocedures for non-clearedvisitors. The objective ofpreparation for an on-siteinspection of any SAP facility is toblend SAP security infrastructureinto the local facility’s profile to theextent possible. Most importantly,all procedures should beestablished using low-cost,common-sense measures,consistent with program securityrequirements. The Component-level SAP central office isresponsible for ensuring that plansare in place and have appropriatemanagement concurrence orapproval.

d. Inspection Preparation Plans.The Chemical WeaponsConvention (CWC) allows for on-site inspections by an internationalinspection team (IIT) on a recurringbasis at declared facilities. Inaddition, intrusive challengeinspections can be conductedanytime, anywhere at anundeclared facility (government orindustrial, worldwide). The CWCintentionally limits the timebetween notification and arrival ofthe IIT. Therefore, preparation timewill be short. Plans must be inplace in advance that detail how toprotect classified information whilean inspection is being conductedthroughout the facility. The SAPsecurity manager must beprepared to execute these plansimmediately upon notification ofan inspection. The SAP securitymanager should be familiar withthe overall facility’s complianceand implementation plans to

ensure that those efforts do notundermine established SAP armscontrol procedures andpreparation activities. Plansprepared for CWC also could beused as a model for other types ofon-site inspections or otherverification activities. Plans shouldaddress, inter alia, the following:

1. Notification chains (who willreceive notification, who elsemust be notified?).

2. Treaty points-of-contact andalternates (including 24-hourtelephone numbers).

3. Up-to-date facility floor plansand facility layouts.

4. Specific steps and measuresto be taken to protect securityand proprietary interests.

e. Managed Access. “Managedaccess” is an OPSEC methodologyused to restrict inspection teamexposure to facility sensitivitieswhile demonstrating compliance.Managed access procedures mustbe examined for each treaty oragreement, but generallyencompass standard sanitizationprocedures: shrouding of displays,shapes, and equipment; de-energizing of computer systems;clean-desk policy; removal ofproject specific photographs;route and time control; proposingalternate means of verificationsuitable to your program/facilitysuch as sampling on the perimeterof the facility; recommendingchanges to the inspectionschedule; random selective


access; etc. Moving classifiedhardware to another storagelocation also may be an alternativefor some programs. Component-level SAP central offices shall beprepared upon notification toaddress within the SAP chain ofcommand any potential issueswhere managed access may beinsufficient to protect programinterests or demonstratecompliance with treatyrequirements.

f. On-Site Inspection Assistance. Inmost cases, a treaty-knowledgeable representative fromthe OSD-level SAP central office orthe cognizant Component-levelSAP central office should be on-site within the first 24 hours afternotification of an impendinginspection. The SAP treatyrepresentative will be a member ofthe on-site inspection team (i.e.,Base Assistance Team or TigerTeam). When more than one SAPcentral office representative ispresent, early coordination amongthem will establish which one isaccountable for each program.Each component is accountablefor SAPs that it sponsors, unlessrelieved of that responsibility bythe Secretary or Deputy Secretaryof Defense. The responsible SAPcomponent representative willconduct liaison between the SAPsecurity manager and the U.S.Host Team to support theinspection. That individual will alsoprovide treaty guidance andinspection preparation assistancefor the facility, based on thepreparation plan previously

developed by the facility orProgram Office. The SAP securitymanager should meet with thisindividual as soon as possibleafter the arrival of therepresentative at the facility.

g. Counterintelligence. The SAPsecurity manager may request theComponent-level SAP centraloffice to assist with obtainingvulnerability assessments,security counter-measuressupport, and other counter-intelligence or program protectionsupport.



FOR OFFICIAL USE ONLYA-1

Appendix ADefinitions

Access Approval Authority. Individualresponsible for final access approval and/ordenial determination.

Access Evaluation. The process ofreviewing the security qualificationsof employees.

Access Roster. A database or listing ofindividuals briefed to a special accessprogram.

Access Termination. The removal of anindividual from access to SAP or otherProgram information.

Accountability. Assigning of a documentcontrol number (including copy #) which isused to establish individual responsibilityfor the document and permits traceabilityand disposition of the document.

Accrediting Authority. A Customer officialwho has the authority to decide on acceptingthe security safeguards prescribed or who isresponsible for issuing an accreditationstatement that records the decision to acceptthose safeguards.

Acknowledged Special Access Program. ASAP whose existence is publiclyAcknowledged.

Acquisition Special Access Program (AQ-SAP). A special access program establishedprimarily to protect sensitive research,development, testing, and evaluation

(RDT&E) or procurement activities insupport of sensitive military and intelligencerequirements.

Adjudication Authority. Entity whichprovides adjudication for eligibility oraccess.

Agent of the Government. A contractoremployee designated in writing by theGovernment Contracting Officer who isauthorized to act on behalf of theGovernment.

AIS Media Control System. A systemof procedures, approved by the PSO,which provide controls over use,possession, and movement ofmagnetic media in SAPFs. Theprocedures must insure all magneticmedia (classified and unclassified)are adequately protected to avert theunauthorized use, duplication, orremoval of the media. The mediamust be secured in limited accesscontainers or labeled with the identifyof the individual responsible formaintaining the material.

Authentication. a. To establish the validityof a claimed identity. b. To provideprotection against fraudulent transactions byestablishing the validity of message, station,individual, or originator.

Automated Information System (AIS). Ageneric term applied to all electroniccomputing systems. AISs are composed ofcomputer hardware (i.e., automated dataprocessing (ADP) equipment and associateddevices that may include communicationequipment), firmware, operating systems,


and other applicable software. AISs collect,store, process, create, disseminate,communicate, or control data orinformation.

Billets. A determination that in order tomeet need-to-know criteria, certain SAPsmay elect to limit access to a predeterminednumber of properly cleared employees.Security personnel do not count against thebillet system.

Boundary. The boundary of an AIS ornetwork includes all users that are directlyor indirectly connected and who can receivedata from the system without a reliablehuman review by an appropriately clearedauthority.

Certification. A statement to an accreditingauthority of the extent to which an AIS ornetwork meets its security criteria. Thisstatement is made as part of and in supportof the accreditation process.

Clearing. The removal of information fromthe media to facilitate continued use and toprevent the AIS system from recoveringpreviously stored data. However, the datamay be recovered using laboratorytechniques. Overwriting and degaussing areacceptable methods of clearing media.

Codeword. A single classified wordassigned to represent a specific SAP orportions thereof.

Collateral Information. Collateralinformation is National Security Informationcreated in parallel with Special AccessInformation under the Provisions of E.O.12356 (et al) but which is not subject to the

added formal security protection requiredfor Special Access Information (stricteraccess controls, need-to-know,compartmentation, stricter physical securitystandards, etc).

Compelling Need. A requirement forimmediate access to special programinformation to prevent failure of the missionor operation or other cogent reasons.

Control. A process which allows anorganization to regulate materialwithout providing full documentaccountability.

Contractor/Command Program SecurityOfficer (CPSO). An individual appointedby the contractor who performs the securityduties and functions for Special AccessPrograms.

Contractor/Command Program Manager(CPM). A contractor-designated individualwho has overall responsibility for all aspectsof a Program.

Counterintelligence Awareness. A state ofbeing aware of the sensitivity of classifiedinformation one possesses, collaterallyaware of the many modes of operation ofhostile intelligence persons and otherswhose interests are inimical to the UnitedStates while being able to recognizeattempts to compromise one's information,and the actions one should take, when onesuspects he has been approached, to impartthe necessary facts to trainedcounterintelligence personnel.

Customer. The Government organizationthat sponsors the processing.


Data Integrity. a. The state that exists whencomputerized data is the same as that in thesource documents and has not been exposedto accidental or malicious alteration ordestruction. b. The property that data has notbeen exposed to accidental or maliciousalteration or destruction.

Debriefing. The process of informing aperson his need-to-know for access isterminated.

Declassification (Media). An administrativestep that the owner of the media takes whenthe classification is lowered toUNCLASSIFIED. The media must beproperly sanitized before it can bedowngraded to UNCLASSIFIED.

Degauss. a. To reduce the magnetization tozero by applying a reverse (coercive)magnetizing force, commonly referred to asdemagnetizing, or b. To reduce thecorrelation between previous and presentdata to a point that there is no knowntechnique for recovery of the previous data.

Degausser. An electrical device or hand-held permanent magnet assembly thatgenerates a coercive magnetic force fordegaussing magnetic storage media or othermagnetic material.

Degaussing (Demagnetizing). Procedureusing an approved device to reduce themagnetization of a magnetic storage mediato zero by applying a reverse (coercive)magnetizing force rendering any previouslystored data unreadable and unintelligible.

Digraph and/or Trigraph. A two and/orthree-letter acronym for the assignedCodeword or nickname.

Disclosure Record. A record of names anddates of initial access to any Programinformation.

e.g. For example (exempli gratia).

Eligibility. A determination that a personmeets personnel security standards foraccess to Program material.

EPROM. A field-programmable read-onlymemory that can have the data content ofeach memory cell altered more than once.An EPROM is bulk-erased by exposure to ahigh-intensity ultraviolet light. Sometimesreferred to as a reprogrammable read-onlymemory.

EEPROM. Abbreviation for electricallyerasable programmable read-only memory.These devices are fabricated in much thesame way as EPROMs and, therefore,benefit from the industry's accumulatedquality and reliability experience. As thename implies, erasure is accomplished byintroducing electrical signals in the form ofpulses to the device, rather than by exposingthe device to ultraviolet light. Similarproducts using a nitride NMOS process aretermed EAROMS (for electrically alterableread-only memory).

EMSEC. For DoD purposes, EMSECmeans TEMPEST.

Government Program Manager (GPM).The senior Government Program official


who has ultimate responsibility for allaspects of the Program.

Handle Via Special Access ControlChannels Only (HVSACO). HVSACOis a protective marking, (similar toFor Official Use Only), used withinSAP control channels. It is used toidentify CLASSIFIED orUNCLASSIFIED information whichrequires protection in Special Accesschannels. When HVSACO is used tohelp identify classified SAPinformation, the material will beprotected in accordance with thesecurity requirements of theindividual SAP or the higheststandard where more than one SAPis included.

i.e. That is (id est).

Inadvertent Disclosure. A set ofcircumstances or a security incident inwhich a person has had involuntary accessto classified information to which theindividual was or is not normally authorized.

Indoctrination. An initial indoctrinationand/or instruction provided each individualapproved to a SAP prior to his exposureconcerning the unique nature of Programinformation and the policies, procedures,and practices for its handling.

Information Systems SecurityRepresentative (ISSR). The Provider-assigned individual responsible for the on-site security of the AIS(s) processing infor-mation for the Customer.

Joint Use Agreement. A written agreementsigned by two or more accreditingauthorities whose responsibility includesinformation processed on a common AIS ornetwork. Such an agreement defines acognizant security authority and the securityarrangements that will govern the operationof the network.

Letter of Compelling Need (LOCN). Aletter, signed by the Security Officerand Program Manager, used to justifyor offset the risk related to accessingan individual who does not fully meetaccess criteria. The LOCN describesthe benefit to the specific SAP bydescribing the candidate’s uniquetalent, particular expertise, orcritically-needed skill.

Memorandum of Agreement (MOA). Anagreement, the terms of which are delineatedand attested to by the signatories thereto.MOA and MOU (Memorandum ofUnderstanding) are used interchangeably.

Network. A computing environment withmore than one independent processorinterconnected to permit communicationsand sharing of resources.

Nicknames. A combination of two separateunclassified words assigned to represent aspecific SAP or portion thereof.

Nonvolatile Memory Components.Memory components that do retain datawhen all power sources are disconnected.

Object Reuse. The reassignment to somesubject of a medium (e.g., page frame, disksector, magnetic tape) that contained one ormore objects. To be securely reassigned,


such media will contain no residual datafrom the previously contained object(s).

Office Information System (OIS). An OISis a special purpose AIS oriented to wordprocessing, electronic mail, and othersimilar office functions. An OIS is normallycomprised of one or more central processingunits, control units, storage devices, userterminals, and interfaces to connect thesecomponents.

Operations Security (OPSEC). Theprocess of denying adversariesinformation about friendlycapabilities and intentions byidentifying, controlling, andprotecting indicators associated withplanning and conducting militaryoperations and other activities.

Other Identifiers. i.e., SAR and SAP.

Overwrite (Re-recording) Verification.An approved procedure to review, display,or check the success of an overwriteprocedure, or b. The successful testing anddocumentation through hardware andrandom hard-copy readout of the actualoverwritten memory sectors.

Perimeter. The perimeter of an AIS ornetwork is the extent of the system that is tobe accredited as a single system.

Peripheral Devices. Any device attached tothe network that can store, print, display, orenhance data (e.g., disk and/or tape, printerand/or plotter, an optical scanner, a videocamera, a punched-card reader, a monitor, orcard punch).

Personal Computer System (PC). A PC isa system based on a microprocessor andcomprised of internal memory (ROMs andRAMs), input and/or output, and associatedcircuitry. It typically includes one or moreread/write device(s) for removable magneticstorage media (e.g., floppy diskettes, tapecassettes, hard disk cartridges), a keyboard,CRT or plasma display, and a printer. It iseasily transported and is primarily used ondesk tops for word processing, databasemanagement, or engineering analysisapplications.

Program Access Request (PAR). A formalrequest used to nominate an individual forProgram access.

Program Channels or Program SecurityChannels. A method or means expresslyauthorized for the handling or transmissionof classified or unclassified SAPinformation whereby the information isprovided to indoctrinated persons.

Program Executive Agent. The highestranking military or civilian individualcharged with direct responsibility for theProgram and usually appoints theGovernment Program Manager.

Program Material. Program material andinformation describing the service(s)provided, the capabilities developed, or theitem(s) produced under the SAP.

Program Security Officer (PSO). TheGovernment official who administers thesecurity policies for the SAP.

Program Sensitive Information.Unclassified information that is associated


with the Program. Material or informationthat, while not directly describing theProgram or aspects of the Program, couldindirectly disclose the actual nature of theProgram to a non-Program-briefedindividual.

Provider. The Contractor or Government-support organization (or both) that providesthe process on behalf of the Customer.

Sanitizing. The removal of informationfrom the media or equipment such that datarecovery using any known technique oranalysis is prevented. Sanitizing shallinclude the removal of data from the media,as well as the removal of all classifiedlabels, markings, and activity logs. Properlysanitized media may be subsequentlydeclassified upon observing theorganization's respective verification andreview procedures.

SAP Central Office. Office within DoDor military department responsiblefor establishment and application ofregulations, oversight, and securitypolicy for Special Access Programs.

Secure Working Area. An accreditedfacility or area that is used for handling,discussing and/or processing, but not storageof SAP information.

Security Director. Senior individualthat is responsible for the overallsecurity management of SAP withinthat activity.

Security level. A clearance or classificationand a set of designators of special accessapprovals; i.e., a clearance and a set of

designators of special access approval or aclassification and a set of such designators,the former applying to a user, the latterapplying, for example, to a computer object.

Security Officer. When used alone,includes both Contractor ProgramSecurity Officers and activity securityofficers at government facilities.

Security Policy. The set of laws, rules, andpractices that regulate how an organizationmanages, protects, and distributes sensitiveinformation. A complete security policy willnecessarily address many concerns beyondthe scope of computers andcommunications.

Security Profile. The approved aggregate ofhardware/ software and administrativecontrols used to protect the system.

Security Testing. A process used todetermine that the security features of asystem are implemented as designed andthat they are adequate for a proposedapplication environment. This processincludes hands- on functional testing,penetration testing, and verification. Seealso: Functional Testing, PenetrationTesting, Verification.

Sensitivity Label. A collection ofinformation that represents the security levelof an object and that describes the sensitivityof the data in the object. A sensitivity labelconsists of a sensitivity level (classificationand compartments) and other requiredsecurity markings (e.g., Codewords,handling caveats) to be used for labelingdata.


Sensitive Activities. Sensitive activities arespecial access or Codeword programs,critical research and development efforts,operations or intelligence activities, specialplans, special activities, or sensitive supportto the customer or customer contractors orclients.

Sensitive Compartmented Information(SCI). SCI is classified informationconcerning or derived from intelligencesources and methods or analytical processesthat is required to be handled within aformal control system established byDirector of Central Intelligence.

Sensitive Compartmented InformationFacility (SCIF). SCIF is an area, room(s),building installation that is accredited tostore, use, discuss, or electronically processSensitive Compartmented Information(SCI). The standards and procedures for aSCIF are stated in DCIDs 1/19 and 1/21.

Special Access Program Facility (SAPF).A specific physical space that has beenformally accredited in writing by thecognizant PSO which satisfies the criteriafor generating, safeguarding, handling,discussing, and storing CLASSIFIED and/orUNCLASSIFIED Program information,hardware, and materials.

Special Program Document ControlCenter. The component's activity assignedresponsibility by the ISSR for themanagement, control, and accounting of alldocuments and magnetic media received orgenerated as a result of the special programactivity.

NOTE: the ISSR is responsible formagnetic media. The CPSO isresponsible for overall documentmedia.

Stand-Alone AIS. A stand-alone AIS mayinclude desktop, laptop, and notebookpersonal computers, and any other hand-heldelectronic device containing classifiedinformation. Stand-alone AISs by definitionare not connected to any LAN or other typeof network.

System. An assembly of computer and/orcommunications hardware, software, andfirmware configured for the purpose ofclassifying, sorting, calculating, computing,summarizing, transmitting and receiving,storing, and retrieving data with a minimumof human intervention.

Temporary Help/Job Shopper. Anindividual employed by a clearedcompany whose services areretained by another cleared companyor Government activity performing onSAP contracts and providingrequired services (e.g. computer,engineering, administrative supportetc…) under a classified contractualagreement. This individual will haveaccess to SAP material only atlocations designated by the utilizingactivity.

Trigraph. (See Digraph and/or Trigraph.)

Trojan Horse. A computer program with anapparently or actually useful function thatcontains additional (hidden) functions thatsurreptitiously exploit the legitimateauthorizations of the invoking process to the


detriment of security (for example, making a"blind copy" of a sensitive file for thecreator of the Trojan horse).

Trusted Computer System. A system thatemploys sufficient hardware and softwareintegrity measures to allow its use forprocessing simultaneously a range ofsensitive or classified information.

Trusted Path. A mechanism by which aperson at a terminal can communicatedirectly with the trusted computing base.This mechanism can only be activated bythe person or the trusted computing base andcannot be imitated by untrusted software.

Two-Person Integrity. A provision thatprohibits one person from working alone.

Unacknowledged Special AccessProgram. A SAP with protective controlsthat ensures the existence of the Program isnot Acknowledged, affirmed, or madeknown to any person not authorized for suchinformation. All aspects (e.g., technical,operational, logistical, etc.) are handled inan unacknowledged manner.

Users. Any person who interacts directlywith an AIS or a network system. Thisincludes both those persons who areauthorized to interact with the system andthose people who interact withoutauthorization (e.g., active or passivewiretappers).

Vendor. The manufacturer or sellers of theAIS equipment and/or software used on thespecial program.

Virus. Malicious software. A form of Trojanhorse that reproduces itself in otherexecutable code.

Volatile Memory Components. Memorycomponents that do not retain data afterremoval of all electrical power sources andwhen reinserted into a similarly configuredAIS do not contain residual data.

Waived SAP. An UnacknowledgedSAP to which access is extremelylimited in accordance with thestatutory authority of Section 119e of10 U.S.C. Unacknowledged SAPprotections also apply to WaivedSAPs.

Working Paper(s). A draft classifieddocument, portion of a classifieddocument and material accumulatedor created while preparing a finisheddocument.

Workstation. A high-performance,microprocessor- based platform that usesspecialized software applicable to the workenvironment.


FOR OFFICIAL USE ONLYB-1

Appendix BAIS Acronyms

Many computer security-related acronyms are used in this Supplement. These acronyms, afterfirst being defined, are used throughout this document to reduce its length. The acronyms used inthis document are defined below:

AIS Automated Information SystemAISSP AIS Security Plan

CM Configuration ManagementCCB Configuration Control BoardCPU Central Processing UnitCRT Cathode Ray Tube (Monitor Screen Tube)CSA Cognizant Security Agency (Customer)

DAC Discretionary Access ControlDCID Director of Central Intelligence DirectiveDoD Department of Defense

E.O. Executive OrderEPROM Erasable Programmable Read-Only MemoryEAPROM Electrically Alterable Programmable Read-Only MemoryEEPROM Electrically Erasable Programmable Read-Only Memory

I/O Input and/or OutputISSR Information System Security Representative

K Thousand (kilo)

LAN Local Area NetworkLOGON Log On

MAC Mandatory Access ControlMODEM Modulator and/or Demodulator

NCSC National Computer Security CenterNSA National Security Agency

OMB Office of Management and Budget

PC Personal Computer (i.e., desktop, laptop, notebook, or hand-heldcomputer)PL Public Law

FOR OFFICIAL USE ONLYB-2

PROM Programmable Read-Only Memory

RAM Radar Absorbing MaterialsRAM Random Access MemoryRAS Radar Absorbing StructuresROM Read Only Memory

SAN Separately Accredited NetworkSAP Special Access ProgramSAPF Special Access Program FacilitySCI Sensitive Compartmented InformationSD Security DirectorSTD Standard

TA/CP Technical Assessment/Control PlanTS Top Secret

USER ID User Identification

FOR OFFICIAL USE ONLYC-1

Appendix CAISSP Outline

This outline provides the basis for preparing an AIS Security Plan (AISSP). The annotatedoutline, with prompts and instructions, will assist ISSRs in preparing a plan that includesnecessary overviews, descriptions, listings, and procedures. It will also assist in covering therequirements contained in this NISPOM Supplement. In preparing the AISSP, any informationthat does not appropriately fit under a subtitle may be placed under a main title. For example, ahardware list or references to a hardware list will be placed under the 4.0 AIS HARDWAREheading. For changes to an existing plan that do not require revision of the entire plan, providename and date of the plan to be modified, date of changes on each page, and cross reference tothe plan's applicable paragraph numbers. (For changes, only the change pages with the applicableplan name and date need to be sent to the CSA.)

Table Of Contents

1.0 INTRODUCTION

1.1 Administration

1.2 Purpose and Scope

2.0 SAPF DESCRIPTION

2.1 Physical Environment

2.2 Floor Layout

2.3 SAPF Access

3.0 AIS DESCRIPTION

3.1 General Information

3.2 Configuration and Connectivity

3.3 User Access and Operation

3.4 Audit Trail

4.0 AIS HARDWARE

4.1 Labeling Hardware

4.2 Maintenance Procedures

4.3 Hardware Sanitization and Destruction

4.4 Hardware Transport and Release

4.5 Hardware Control and Audit Trails

5.0 AIS SOFTWARE

5.1 Authorized Software

5.2 Software Procedures

6.0 DATA STORAGE MEDIA

6.1 Labeling and Storing Media

6.2 Media Sanitization and Destruction

6.3 Media Transport and Release

6.4 Media Control

7.0 AIS SECURITY AWARENESS

8.0 GLOSSARY OF TERMS


1.0 INTRODUCTION

This section will describe the purpose and scope of the AISSP. It may include any topicintended to help the reader understand and appreciate the purpose of the AISSP. Pertinentbackground information may also be presented to provide clarity.

1.1 Security Administration.

Provide the name and date of this plan and indicate whether it is an original or revisedplan.Specify the cognizant Customer Program Office whose activity the AIS will support andthe contract number(s), if applicable.

Specify the Provider's name and address. Identify the location of the AIS equipment(including the building and room numbers(s)).

Provide the names of the Provider's program manager, ISSR, alternate(s). Also providetheir secure and unsecure telephone numbers and their normal office hours.

Provide an organizational structure showing the name and title of all security managementlevels above the ISSR.

Provide joint-use information if applicable.

1.2 Purpose and Scope.

The plan will describe how the Provider will manage the security of the system. Describethe purpose and scope of this AIS.

2.0 SAPF DESCRIPTION.

This section will provide a physical overview of the AIS SAPF (including itssurroundings) that is used to secure the Customer's program activities. It will includeinformation about the secure environment required to protect the AIS equipment, software,media, and output.


2.1 Physical Environment.

State whether the SAPF is accredited or approved to process and store classifiedinformation, who accredited or approved it, the security level, and when approved. Statewhether the SAPF is approved for open or closed storage.

Specify whether the storage approval is for hard disk drives, diskettes, tapes, printouts, orother items.

State whether the approval includes unattended processing.

2.2 Floor Layout.

Provide a floor plan showing the location of AIS equipment and any protected wire lines.(This may be included in a referenced appendix.) The building and room number(s) willmatch the information provided in the hardware listing (see 4.0).

2.3 SAPF Access.

Describe procedures for controlling access to the AIS(s) to include: after hours access,personnel access controls, and procedures for providing access to uncleared visitors (e.g.,admitting, sanitizing area, escorting).

2.4 TEMPEST.

If applicable, describe TEMPEST countermeasures.

3.0 AIS DESCRIPTION

This section will provide a detailed description of the system and describe its securityfeatures and assurances.

Describe variances and exceptions.

3.1 General Information


Provide a system overview and description.

Specify clearance level, formal access (if appropriate), and need-to-know requirements thatare being supported.

Identify the data to be processed including classification levels, compartments, and specialhandling restrictions that are relevant.

State the mode of operations.

Indicate the AIS's usage (in percent) that will be dedicated to the Customer's activity (e.g,periods processing).

3.2 Configuration and Connectivity.

Specify whether the AIS is to operate as a stand-alone system, as a terminal connected to amainframe, or as a network.

Describe how the AIS or network is configured. If a network, specify whether it is aunified network or interconnected network. Describe the security support structure andidentify any specialized security components and their role.

Identify and describe procedures for any connectivity to the AIS(s). Indicate whether theconnections are to be classified or unclassified systems.

Provide a simplified block diagram that shows the logical connectivity of the majorcomponents (this may be shown on the floor layout if necessary-see 2.2). For AISsoperating in the compartmented or multilevel modes an information flow diagram will beprovided.

If applicable, discuss the separations of classified and unclassified AISs within the SAPF.

Indicate whether the AIS is configured with removable or nonremovable hard disk drives.

Describe the configuration management program. Describe the procedures to ensurechanges to the AIS require prior coordination with the ISSR.

3.3 User Access and Operation.

Describe the AIS operation start-up and shut-down (mode termination). Provide anyunique equipment clearing procedures.


Discuss all AIS user access control (e.g., log-on ID, passwords, file protection, etc.).

Identify the number of system users and the criteria used to determine privileged access.

If the mode is other than dedicated, discuss those mechanisms that implement DAC andMAC controls.

Discuss procedures for the assignment and distribution of passwords, their frequency ofchange, and the granting of access to information and/or files.

Indicate whether AIS operation is required 24 hours per day.

Discuss procedures for after hours processing. State whether the AIS(s) are approved forunattended processing.

Discuss procedures for marking and controlling AIS printouts.

Discuss remote access and operations requiring specific approval by the CSA.

Discuss procedures for incident reporting.

3.4 Audit Trails.

If applicable, discuss the audit trails used to monitor user access and operation of the AISand the information that is recorded in the audit trail. State whether user access audit trailsare manual or automatic.

Identify the individual who will review audit trails and how often.

Describe procedures for handling discrepancies found during audit trails reviews.

4.0 AIS HARDWARE

This section will describe the AIS hardware that supports the Customer's program. Thissection will provide a listing of the AIS hardware and procedures for its secure control,operation, and maintenance.

Provide a complete listing of the major hardware used to support the Customer's programactivities. This list may be in tabular form located either in this section or a referencedappendix. The following information is required for all major AIS hardware:nomenclature, model, location (i.e., building/room number), and manufacturer.

Provide a description of any custom-built AIS hardware.


Indicate whether the AIS hardware has volatile or nonvolatile memory components.Specifically, identify components that are nonvolatile.

If authorized, describe procedures for using portable devices for unclassified processing.

Identify the custodian(s) for AISs.

4.1 Labeling Hardware.

Describe how the AIS hardware will be labeled to identify its classification level (e.g.,classified and unclassified AISs collocated in the same secure area).

4.2 Maintenance Procedures.

Describe the maintenance and sanitization procedures to be used for maintenance or repairof defective AIS hardware by inappropriately cleared personnel.

4.3 Hardware Sanitization and Destruction.

Describe the procedures or methods used to sanitize and or destroy AIS hardware (volatileor nonvolatile components).

4.4 Hardware Movement.

Describe the procedures or receipting methods used to release and transport the AIShardware from the SAPF.

Describe the procedures or receipting methods for temporarily or permanently relocatingthe AIS hardware within the SAPF.

Describe the procedures for introducing hardware into the SAPF.

4.5 Hardware Control and Audit Trails.

Describe all AIS hardware maintenance logs, the information recorded on them, who isresponsible for reviewing them, and how often.


5.0 AIS SOFTWARE

This section will provide a listing of all the software that supports the Customer's program.It will also provide procedures for protecting and using this software.

5.1 Authorized Software.

Provide a complete listing of all software used to support the Customer's programactivities. This list may be in tabular form and may be located either in the section or in areferenced appendix. The listing will also include security software (e.g., audits software,anti-virus software), special-purpose software (e.g., in-house, custom, commercialutilities), and operating system software. The following information is required for AISsoftware: software name, version, manufacturer, and intended use or function.

5.2 Software Procedures.

Indicate whether a separate unclassified version of the operating system software will beused for maintenance.

Describe the procedures for procuring and introducing new AIS software to supportprogram activities.

Describe the procedures for evaluating AIS software for security impacts.

Describe procedures for protecting software from computer viruses and malicious code andfor reporting incidents.

6.0 DATA STORAGE MEDIA

This section provides a description of the types of data storage media to be used in theCustomer's program and their control.

6.1 Labeling and Storing Media.

Describe how the data storage media will be labeled (identify the classification level andcontents).


Discuss how classified and unclassified data storage media is handled and secured in theSAPF (e.g., safes, vaults, locked desk).

6.2 Media Clearing, Sanitization, and Destruction.

Describe the procedures or methods used to clear, sanitize, and destroy the data storagemedia.

6.3 Media Movement.

Describe the procedures (or receipting methods) for moving data storage media into andout of the SAPF.

Describe the procedures for copying, reviewing, and releasing information on data storagemedia.

6.4 Media Control.

Describe the method of controlling data storage media.

7.0 AIS SECURITY AWARENESS PROGRAM

Discuss the Provider's security awareness program.

Indicate that the AIS users are required to sign a statement acknowledging that they havebeen briefed on the AIS security requirements and their responsibilities.

8.0 GLOSSARY OF TERMS

FOR OFFICIAL USE ONLYD-1

Appendix DAIS Certification and Accreditation

A. CERTIFICATION

The ISSR, working jointly with the Customer, is responsible for coordinating andsupporting the certification process. The ISSR is responsible for certifying, orcoordinating the certification of, the AIS or network. Certification, which is aprerequisite for accreditation, is accomplished as follows:

1. Identify operational requirements, define the Mode of Operation, and identify applicable securityrequirements, in accordance with this document and applicable documents referenced herein.

2. Conduct a Risk Management Review to identify risks and needed countermeasures and specify additionalsecurity requirements (countermeasures) based on the review.

3. Prepare an AISSP. Refine the plan throughout the certification process.

4. Conduct a test and inspection to establish the extent to which the AIS performs the security functionsneeded to support the mode of operation and security policy for the system as outlined in the AISSP. TheCustomer will require a written certification report.

5. Operating in the compartmented or multilevel mode requires the development of an AIS TechnicalEvaluation Plan. After Customer concurrence, accomplish testing as described herein. AIS security testingprovides assurance to the Customer that the subject AIS(s) or network(s) meets the security requirements foroperating in the compartmented or multilevel mode. Such testing is a prerequisite for Customer accreditation.

a. Coordination Scheduling and Testing. The security test may be jointly conducted by the Provider and theCustomer.

b. Testing Prerequisite. The Provider-developed AIS Technical Evaluation Test Plan will be coordinated and/orapproved by the customer.

B. ACCREDITATION

Accreditation is the Customer's authorization and approval for an AIS or network to processsensitive data in an operational environment. The Customer bases the accreditation on the resultsof the certification process. Following certification, the Customer reviews the risk assessment,employed safeguards, vulnerabilities, and statement of level of risk and makes the accreditationdecision to accept risk and grant approval to operate; grant interim approval to operate (IATO)and fix deficiencies; or to shut-down, fix deficiencies, and recertify.

FOR OFFICIAL USE ONLYE-1

Appendix EReferences

1. U.S. Government Publications

OMB Circular Management of Federal Information Resources

A-130 Appendix III, Security of Federal AISs

PL-99-474 Computer Fraud and Abuse Act of 1986

PL-100-235 Computer Security Act of 1987

EO 12333 United States Intelligence Activities

EO 12356 National Security Information

EO 12829 National Industrial Security Program

2. National Telecommunications & Information Systems Security (NTISS) Publications

COMPUSEC/1-87 Security Guideline

NTISSAM Advisory Memorandum on Office Automation

NTISSI 300 National Policy on Control of Compromising Emanations

NTISSI 7000 TEMPEST Countermeasures for Facilities

NTISSIC 4009 National Information Systems Security (INFOSEC) Glossary

NACSIM 5000 TEMPEST Fundamentals

NACSIM 5201 TEMPEST Guidelines for Equipment/System Design Standard

NACSIM 5203 Guidelines for Facility Design and Red/Black Installation

NACSIM 7002 COMSEC Guidance for ADP Systems

3. National Computer Security Center (NCSC) Publications (The Rainbow Series)

NCSC-WA-002-85 Personal Computer Security Considerations

NCSC-TG-001 A Guide to Understanding Audit in Trusted Systems [Tan Book]

NCSC-TG-002 Trusted Product Evaluation - A Guide for Vendors [Bright Blue Book]


NCSC-TG-003 A Guide to Understanding Discretionary Access Control in Trusted

Systems

[Orange Book]

NCSC-TG-004 Glossary of Computer Security Terms [Aqua Book]

NCSC-TG-005 Trusted Network Interpretation [Red Book]

NCSC-TG-006 A Guide to Understanding Configuration Management in Trusted

Systems [Orange

Book]

NCSC-TG-007 A Guide to Understanding Design Documentation in Trusted Systems

[Burgundy

Book]

NCSC-TG-008 A Guide to Understanding Trusted Distribution in Trusted Systems

[Lavender

Book]

NCSC-TG-009 Computer Security Subsystem Interpretation of the Trusted Computer

System

Evaluation Criteria [Venice Blue Book]

NCSC-TG-011 Trusted Network Interpretation Environments Guideline-Guidance for

Applying

the Trusted Network Interpretation [Red Book]

NCSC-TG-013 Rating Maintenance Phase Program Document [Pink Book]

NCSC-TG-014 Guidelines for Formal Verification Systems [Purple Book]

NCSC-TG-015 A Guide to Understanding Trusted Facility Management [Brown Book]

NCSC-TG-017 A Guide to Understanding Identification and Authentication in Trusted

Systems

[Lt. Blue Book]

NCSC-TG-018 A Guide to Understanding Object Reuse in Trusted Systems [Lt. Blue

Book]

NCSC-TG-019 Trusted Product Evaluation Questionnaire [Blue Book]


NCSC-TG-020A Trusted UNIX Working Group (TRUSIX) Rationale for Selecting

Access Control

List Features for the UNIX System [Gray Book]

NCSC-TG-021 Trusted Database Management System Interpretation [Lavender Book]

NCSC-TG-022 A Guide to Understanding Trusted Recovery [Yellow Book]

NCSC-TG-025 A Guide to Understanding Data Remanence in Automated Information

Systems

[Green Book]

NCSC-TG-026 A Guide to Writing the Security Features User's Guide for Trusted

Systems [Peach

Book]

NCSC-TG-027 A Guide to Understanding Information System Security Officer

Responsibilities

for Automated Information Systems [Turquoise Book]

NCSC-TG-028 Assessing Controlled Access Protection [Violet Book]

NCSC C-Technical Computer Viruses: Prevention, Detection, and Treatment Report-

001

NCSC C-Technical Integrity in Automated Information Systems (Sept. 91) Report 79-

91

NCSC C-Technical The Design and Evaluation of INFOSEC Systems: The Report 32-

92 Computer Security Contribution to the Composition Discussion

4. Department of Defense Publications

NSA/CSS Media Declassification and Destruction Manual

Manual 130-2 Contractor Guidelines for AIS Processing of NSA SCI

DoD 5200.28-M Automated Information System Security Manual

DoD 5200.28 DoD Trusted Computer System Evaluation Criteria

DoD 5220.22-M National Industrial Security Program Operating Manual

CSC-STD-002-85 DoD Password Management Guidelines [Green Book]


CSC-STD-003-85 Guidance for Applying the DoD Trusted Computer System

Evaluation Criteria in

Specific Environments [Yellow Book]

CSC-STD-004-85 Technical Rationale Behind CSC-STD-003-85: Computer Security

Requirements

[Yellow Book]

CSC-STD-005-85 DoD Magnetic Remanence Security Guideline [NSA] Information

Systems

Security Products and Services Catalogue

NSA/CSS -Section 5, Degaussing Level Performance Test Procedures Spec. L14-4-A55

5. Director of Central Intelligence Directives

DCID 1/7 Security Controls on the Dissemination of Intelligence Information,

[For Official

Use Only]

DCID 1/14 Minimum Personnel Security Standards and Procedures Governing

Eligibility for

Access to Sensitive Compartmented Information [Unclassified]

DCID 1/16 Security Policy for Uniform Protection of Intelligence Processed in

Automated

Information Systems and Networks [SECRET]

DCID 1/16 Security Manual for Uniform Protection of Intelligence (Supplement)

Processed in Automated Information Systems and Networks [SECRET]

(Supplement to DCID 1/16)

DCID 1/19 DCI Security Policy Manual for SCI Control Systems

[UNCLASSIFIED]

DCID 1/20 Security Policy Concerning Travel and Assignment of Personnel With

Access to

Sensitive Compartmented Information (SCI) [UNCLASSIFIED]


DCID 1/21 Manual for Physical Security Standards for Sensitive Compartmented

Information

Facilities (SCIFs) [For Official Use Only]

DCID 1/22 Technical Surveillance Countermeasures [CONFIDENTIAL]

DCID 3/14-1 Information Handling Committee [Unclassified]

DCID 3/14-5 Annex B, Intelligence Community Standards for Security Labeling of

Removable

ADP Storage Media [Unclassified]

6. Legislation, Directive, and Standards

Atomic Energy Act of 1954, as amended

National Security Act of 1947

National Security Decision Directive 298, "Operations Security"Telephone Security Group standards

FOR OFFICIAL USE ONLYF-1

APPENDIX FSPECIAL ACCESS PROGRAM FORMATS

Section 1-General

1. Users obtain all blank SAP formats from the servicing PSO.2. Users are responsible for all costs relating to the format’s preparation

program, to include the procurement and maintenance of necessaryhardware and software.

3. This APP column reflects applicability:

A – Air Force only

4. Formats are available in DOS Windows FormFlow. Upon request, formatsmay be provided in DOS graphic form for import in Macintosh systems.

Section 2 – SAP FORMAT EXHIBIT

NUMBER TITLE DATE APP

SAP Format 1 Program Access Request 1 Jul 93SAP Format 2 Special Access Program Indoctrination AgreementSAP Format 2a Special Access Program Indoctrination Agreement

(Polygraph Supplement)SAP Format 3 Request for Facility Clearance Action 1 Jan 91 ASAP Format 4 SENIOR STAR Airlift Request 18 Jun 92 ASAP Format 5 Inadvertent Disclosure Statement 1 Jan 91SAP Format 6 Notification of Foreign Travel 1 Jan 91SAP Format 7 Visit Authorization Request 2 Jan 91SAP Format 7L Technical Visit Request 12 Jul 93SAP Format 8 TSCM Request 4 Jan 93SAP Format 9 Request for Files Check 2 Jan 91 ASAP Format 10 Secure Communication Request 18 Jan 92 ASAP Format 11 Subcontractor Status Report 1 Jan 91SAP Format 12 Waiver Request from Security Criteria 1 Jan 91SAP Format 13 Subcontractor/Supplier Data Sheet 1 Jan 91SAP Format 14 ReservedSAP Format 15 Facsimile Transmittal-Classified (Optional) 1 Jan 91SAP Format 16 Word Processor and Personal Computer Data Sheet 1 Jan 91SAP Format 17 Refresher Training Record 1 Dec 93SAP Format 18 ReservedSAP Format 19 Special Scope Security Review Report 4 Jan 93SAP Format 20 Foreign Relative or Associate Interview 1 Sep 94SAP Format 21 Computer System User Acknowledgment 31 Mar 95SAP Format 22 ReservedSAP Format 23a SAP Annual Awards Program (Activity) 5 Oct 95 ASAP Format 23i SAP Annual Awards Program (Individual) 5 Oct 95 ASAP Format 24 Agent of the Government (Appointment) 2 Jan 96SAP Format 25 Agent of the Government (Oath) 2 Jan 96SAP Format 26 ReservedSAP Format 27 Foreign ContactSAP Format 28 Courier Designations and Instructions

Springer

APPENDIX G - SECURITY DOCUMENTATION RETENTION


G-1

IF RECORDSARE ORPERTAIN TO

CONSISTING OF /WHICH ARE

MAINTAINEDBY

DISPOSITION /DESTROY

Security OfficerAppointments

Letters, Approvals, Forms All Destroy When Replaced orSuperseded

Plans Emergency Procedures,Security OperatingInstructions, Tests,Manufacturing, SAPFormats 26, etc.

Contractor

PMO

PSO

Upon Termination ofProgram

Forward to PSO

One Year After ProgramTermination

Training Records Security EducationAttendance, ComputerListings, and SAP Formats17

All When Individual isDeaccessed

Exercise Reports Of Emergency Plans andGuard Responses

All Destroy After TwoConsecutive Reviews

EMSEC Reports Surveys All Destroy When FacilityBecomes Unoccupied

Adverse InformationReports

Required byNISPOM/NISPOM Suppl orOther Gov’t Directives

All Destroy Five Years AfterIndividual is Deaccessed

Contract SecurityClassificationInspections

DD Forms 254 Contractor

PSO

PMO

Destroy Five Years AfterContract is CompletedDestroy Five Years AfterContract is CompletedRetain Permanently

Visits Visitor Requests, SAPFormats 7, 7I, 7U

Visitor Logs

All Destroy After One Year

Destroy After Seven Years

Accreditations Of Program Facilities whichInclude Facility Checklistsand Open StorageAuthorizations

Contractor

PSO

Destroy When FacilityBecomes Superseded orUnoccupiedDestroy One Year AfterDecertification

Waivers Security Criteria, SAPFormats 12

Contractor

PSO/PMO

Destroy When Program isTerminatedDestroy Five Years AfterProgram is Terminated

Alarm Test Records AF Forms 2530 All Destroy After One SecurityReview Cycle


G-2

Document ControlRecords

Receipts

Mail Receipts/Logs

Master Document Listings

Destruction Certificates

Top SecretRegisters/Control Records

All Destroy After Five Years

Destroy After Two Years

Destroy When Supersededor No Longer NeededIAW DoD 5200.1-R

IAW DoD 5200.1-R

Access Approvals Received From SPA Contractor

PSO/PMO

Attach to PAR

Destroy Five Years AfterProgram is Terminated

Access Lists Information Copies

Master Copy Prepared byOriginator

PSO/PMO

All

Destroy When New List isReceivedDestroy After Five Years

Audit Reports Top Secret Inventories

Top Secret Computer Audits

All Destroy Two Years AfterCompleted or After PSOInspection, Whichever isLaterDestroy After One SecurityReview Cycle

Briefing Statements(SAP Formats 2, 2A,21)

Including Pre-Briefings,Indoctrinations andDebriefings

Contractor

PSO/PMO

Forward to PSO UponDebriefingDestroy Five Years AfterProgram is Terminated, orIAW Agency Directives

Foreign TravelReports

SAP Format 6 All Destroy Five Years AfterProgram is Terminated

InadvertentDisclosureStatements

SAP Format 5 All Destroy Five Years AfterProgram is Terminated

Program AccessRequests (PAR) -(SAP Formats 1, 1A,9, 20)

Approved for Access

Disapproved for Access

All

Contractor

PSO/PMO

Destroy After Five Years

Destroy Upon Receipt ofDisapprovalForward to AdjudicatorWho Retains Permanently

Request to TransferDocuments toAnother Program

Approved PSO/PMO

Contractor


Destroy When AssociatedDocuments Are Destroyed

Security Policy Directive or ProvideInterpretation

Contractor

PSO/PMO

Destroy One Year AfterProgram is TerminatedRetain Permanently


G-3

Security ReviewReports (SAPFormats 19) onChecklists

Annual Self-Review

Reviews Conducted by PSO

Subcontractor Reviews

All

ContractorPSO/PMO

Contractor

Destroy After One Year, ButMaintain al Least TwoReportsDestroy After Three YearsDestroy After Five Years


Top Secret AccessRecords

AF Forms 144 or Equivalent All Destroy Two Years AfterCorresponding Documentis Destroyed

Inspection Reports After Duty Hour Inspectionsand Safe Check Records

Entry/Exit Checks

All Destroy at End of EachMonth

Destroy After PSOInspection

SubcontractorDocumentation

Requests to ContactIncluding SAP Format 13

Trip Reports

Contractor

PSO/PMO

All

Destroy One Year AfterProgram is CompletedDestroy One Year AfterProgram is TerminatedDestroy Two Years AfterTrip is Made

SecurityClassificationGuides

Master

Copies

PSO/PMO

Contractor

Retain PermanentlyDestroy One Year AfterProgram is Terminated

Technical SecurityCountermeasuresSurveys

Including SAP Format 8 All Destroy After Next Report isReceived

Inquiries Security Violations All Destroy After Two YearsInvestigations Compromises/Suspected

Compromises/ DocumentLosses

All Destroy Five Years AfterProgram is Terminated

Recurring Reports SAR Program ContractSecurity Report

Subcontractor StatusReports (SAP Format 11)

All

Contractor

PSO/PMO

Destroy After One Year

Destroy One Year AfterProgram is Terminated

Destroy After Three YearsSATRAN Reports All Destroy When No Longer

NeededProgramManagementDirectives

PMO Retain Permanently

CourierDesignations

All Destroy After One Year


G-4

CommunicationRequests

Secure Comm/FAX - (SAPFormat 10)

Contractor

PSO

Destroy One Year AfterEquipment is InstalledDestroy Five Years AfterProgram is Terminated

Circle (A, B)Investigations

Logs of Same Contractor Destroy One Year AfterProgram is Terminated

Personnel SecurityInvestigations

DDFM 1879/SF 86 All Destroy When Individual isDeaccessed

Memorandums ofUnderstanding(MOU)/Memorandums of Agreement(MOA)

By Government Agencies Contractor

PSO

Destroy When Facility is NoLonger UsedDestroy Five Years AfterProgram is Terminated

Building Checks Conducted by Guards Contractor Destroy After One Year

Reports ofEspionage,Sabotage, orSubversion

All Retain Permanently

Reports of HostileContacts

All Retain Permanently

Shipment TamperingReports

All Destroy One Year AfterProgram is Terminated

Media InformationAttempts

Including Releases(Approved/Non-approved)


ClassificationChanges

Contractor

PSO/PMO

Destroy After Information isIncluded in SecurityClassification GuideRetain Permanently

Requests for TopSecret Reproduction

All Incorporated intoDocument Control Records

Threats/ThreatAssessments

Provided by GovernmentInvestigative Agencies

All Destroy when Threat isEliminated or After FiveYears, Whichever is Sooner

ProgramTermination

Associated Documentation Contractor

PSO/PMO

Destroy Five Years AfterProgram is TerminatedRetain Permanently

Listing of Names,Codes andConvenienceNumbers


Mark as Appropriate - ________ Special Access RequiredMark as Appropriate - ________ UNCLASSIFIEDMark as Appropriate - ________ U-HVSACO

PROGRAM ACCESS REQUEST1. Program Name

2. Access Level 3. Billet Position YES NO

Billet Number:

4. Last Name, First Name, MI

5. Rank/Grade 6. SSN-

7. Date of Birth (YYMMDD)

8. State/Country of Birth

9.

Military Government Civilian Contractor

10. Date Needed (YYMMDD)

11. Position Description/Job Title

12. Full Time Temporary (Period of access)

Part Time

13. Organization/Company Name

14. Assignment/Job Location (City and State) 15. Command/Facility ID Code

16. Security Clearance 17. Granted By 18. Date Granted

19. Investigation Type 20. Conducted By 21. Date Completed

22. Security Investigation Status

In Progress Not Started (See Remarks) Current

23. Central Adjudication Review (When Required)

Conducted By Concur Non-Concur 24. Justification (_________________) include the percentage of time to be spent supporting the program. CONTINUE ON SEPARATE SHEET IF NECESSARY Classification

25. REQUESTOR (Functional Manager)

Typed Name/Title/Organization Signature Concur

o Non-Concur

Date

26. ACTIVITY SECURITY MANAGER (Government or Contractor)

Typed Name/Title/Organization Signature Concur

o Non-Concur

Date

27. GOVERNMENT/CONTRACTOR PROGRAM MANAGERTyped Name/Title/Organization Signature Concur

o Non-Concur

Date

ADDITIONAL COORDINATION (As Required by the Specific Program)

28. Typed Name/Title/Organization Signature Concur

o Non-Concur

Date


o Non-Concur

Date


o Non-Concur

Date

31. PSOTyped Name/Title/Organization Signature 32. DCII (OK or Referred

to CAO on YYMMDD) Concur

o Non-Concur

Date

33. FINAL APPROVAL AUTHORITYTyped Name/Title/Organization Signature o Approved

o Non-Approved

Date

34. Remarks/Restrictions CONTINUE ON SEPARATE SHEET IF NECESSARY 35. Attachments: Not Required Attached

Standard Form 86

Local Files Check (DCII)

Foreign Association Questionnaire

Other (LOC)

Derived From:Derived On:

SAP Format 1, “Program Access Request”, 1 July 93 PREVIOUS EDITIONS ARE OBSOLETE

*NOTICE: The Privacy Act 5, U.S.C. 522a, requires that federal agencies inform individuals, at the time information is solicited from them, whether the disclosure ismandatory or voluntary, by what authority such information is solicited, and what uses will be made of the information. You are hereby advised that authority forsoliciting you Social Security Account Number (SSAN) is Executive Order 9397. Your SSAN will be used to identify you precisely when it is necessary to 1) certifythat you have access to the information indicated above, or 2) determine that your access to the information indicated has been terminated.

63(&,$/�$&&(66�352*5$0�,1'2&75,1$7,21�$*5((0(17

$Q�$JUHHPHQW�%HWZHHQ��DQG�WKH�8QLWHG�6WDWHV�1DPH��3ULQWHG�RU�7\SHG��/DVW��)LUVW��0LGGOH�,QLWLDO�

�� ,�KHUHE\�DFFHSW�WKH�REOLJDWLRQV�FRQWDLQHG�LQ�WKLV�$JUHHPHQW�LQ�FRQVLGHUDWLRQ�RI�P\�EHLQJ�JUDQWHG�DFFHVV�WR�LQIRUPDWLRQ�RU�PDWHULDOV�SURWHFWHG�ZLWKLQ�6SHFLDO$FFHVV� 3URJUDPV�� KHUHLQDIWHU� UHIHUUHG� WR� LQ� WKLV� $JUHHPHQW� DV� 6$3� LQIRUPDWLRQ� �6$3,�� ,� KDYH� EHHQ� DGYLVHG� WKDW� 6$3,� LQYROYHV� RU� GHULYHV� IURP� DFTXLVLWLRQ�LQWHOOLJHQFH��RU�RSHUDWLRQV�DQG�VXSSRUW�DFWLYLWLHV��DQG�LV�FODVVLILHG�RU�LV�LQ�WKH�SURFHVV�RI�D�FODVVLILFDWLRQ�GHWHUPLQDWLRQ�XQGHU�WKH�VWDQGDUGV�RI�([HFXWLYH�2UGHU��RU�RWKHU�([HFXWLYH�2UGHU�RU�VWDWXWH��,�XQGHUVWDQG�DQG�DFFHSW�WKDW�E\�EHLQJ�JUDQWHG�DFFHVV�WR�6$3,��VSHFLDO�FRQILGHQFH�DQG�WUXVW�VKDOO�EH�SODFHG�LQ�PH�E\�WKH�8QLWHG6WDWHV�*RYHUQPHQW�

�� ,�KHUHE\�DFNQRZOHGJH�WKDW�,�KDYH�UHFHLYHG�D�VHFXULW\�LQGRFWULQDWLRQ�FRQFHUQLQJ�WKH�QDWXUH�DQG�SURWHFWLRQ�RI�6$3,��LQFOXGLQJ�WKH�SURFHGXUHV�WR�EH�IROORZHG�LQDVFHUWDLQLQJ�ZKHWKHU� RWKHU� SHUVRQV� WR� ZKRP� ,� FRQWHPSODWH� GLVFORVLQJ� WKLV� LQIRUPDWLRQ� RU�PDWHULDO� KDYH� EHHQ� DSSURYHG� IRU� DFFHVV� WR� LW�� DQG� ,� XQGHUVWDQG� WKHVHSURFHGXUHV��,�XQGHUVWDQG�WKDW�,�PD\�EH�UHTXLUHG�WR�VLJQ�VXEVHTXHQW�DJUHHPHQWV�XSRQ�EHLQJ�JUDQWHG�DFFHVV�WR�GLIIHUHQW�FDWHJRULHV�RI�6$3,��,�IXUWKHU�XQGHUVWDQG�WKDWDOO�P\�REOLJDWLRQV�XQGHU�WKLV�$JUHHPHQW�FRQWLQXH�WR�H[LVW�ZKHWKHU�RU�QRW�,�DP�UHTXLUHG�WR�VLJQ�VXFK�VXEVHTXHQW�DJUHHPHQWV�

�� ,� KDYH�EHHQ�DGYLVHG� WKDW� WKH�XQDXWKRUL]HG�GLVFORVXUH��XQDXWKRUL]HG� UHWHQWLRQ��RU�QHJOLJHQW�KDQGOLQJ�RI�6$3,�E\�PH� FRXOG� FDXVH� LUUHSDUDEOH� LQMXU\� WR� WKH8QLWHG�6WDWHV�RU�EH�XVHG�WR�DGYDQWDJH�E\�D�IRUHLJQ�QDWLRQ��,�KHUHE\�DJUHH�WKDW�,�ZLOO�QHYHU�GLYXOJH�DQ\WKLQJ�PDUNHG�DV�6$3,�RU�WKDW�,�NQRZ�WR�EH�6$3,�WR�DQ\RQH�ZKRLV�QRW�DXWKRUL]HG�WR�UHFHLYH�LW�ZLWKRXW�SULRU�ZULWWHQ�DXWKRUL]DWLRQ�IURP�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�GHSDUWPHQW�RU�DJHQF\��KHUHLQDIWHU�'HSDUWPHQW�RU�$JHQF\�� WKDWDXWKRUL]HG�P\�DFFHVV�HV�� LGHQWLILHG�RQ� WKH� UHYHUVH�� WR�6$3,�� ,� XQGHUVWDQG� WKDW� LW� LV�P\� UHVSRQVLELOLW\� WR� FRQVXOW�ZLWK� DSSURSULDWH�PDQDJHPHQW� DXWKRULWLHV� LQ� WKH'HSDUWPHQW�RU�$JHQF\�WKDW�ODVW�DXWKRUL]HG�P\�DFFHVV�WR�6$3,��ZKHWKHU�RU�QRW�,�DP�VWLOO�HPSOR\HG�E\�RU�DVVRFLDWHG�ZLWK�WKDW�'HSDUWPHQW�RU�$JHQF\�RU�D�FRQWUDFWRUWKHUHRI��LQ�RUGHU�WR�HQVXUH�WKDW�,�NQRZ�ZKHWKHU�LQIRUPDWLRQ�RU�PDWHULDO�ZLWKLQ�P\�NQRZOHGJH�RU�FRQWURO�WKDW�,�KDYH�UHDVRQ�WR�EHOLHYH�PLJKW�EH�6$3,��RU�UHODWHG�WR�RUGHULYHG�IURP�6$3,��LV�FRQVLGHUHG�E\�VXFK�'HSDUWPHQW�RU�$JHQF\�WR�EH�6$3,��,�IXUWKHU�XQGHUVWDQG�WKDW�,�DP�DOVR�REOLJDWHG�E\�ODZ�DQG�UHJXODWLRQ�QRW�WR�GLVFORVH�DQ\FODVVLILHG�LQIRUPDWLRQ�RU�PDWHULDO�LQ�DQ�XQDXWKRUL]HG�IDVKLRQ�

�� ,Q�FRQVLGHUDWLRQ�RI�EHLQJ�JUDQWHG�DFFHVV�WR�6$3,�DQG�RI�EHLQJ�DVVLJQHG�RU�UHWDLQHG�LQ�D�SRVLWLRQ�RI�VSHFLDO�FRQILGHQFH�DQG�WUXVW�UHTXLULQJ�DFFHVV�WR�6$3,��,KHUHE\�DJUHH�WR�VXEPLW�IRU�VHFXULW\�UHYLHZ�E\�WKH�'HSDUWPHQW�RU�$JHQF\�WKDW�DXWKRUL]HG�P\�DFFHVV�HV��LGHQWLILHG�RQ�WKH�UHYHUVH��WR�VXFK�LQIRUPDWLRQ�RU�PDWHULDO��DQ\ZULWLQJ�RU�RWKHU�SUHSDUDWLRQ�LQ�DQ\�IRUP��LQFOXGLQJ�D�ZRUN�RI�ILFWLRQ��WKDW�FRQWDLQV�RU�SXUSRUWV�WR�FRQWDLQ�DQ\�6$3,�RU�GHVFULSWLRQ�RI�DFWLYLWLHV�WKDW�SURGXFH�RU�UHODWH�WR6$3,�RU� WKDW� ,� KDYH� UHDVRQ� WR� EHOLHYH� DUH� GHULYHG� IURP�6$3,�� WKDW� ,� FRQWHPSODWH� GLVFORVLQJ� WR� DQ\� SHUVRQ� QRW� DXWKRUL]HG� WR� KDYH� DFFHVV� WR�6$3,� RU� WKDW� ,� KDYHSUHSDUHG�IRU�SXEOLF�GLVFORVXUH��,�XQGHUVWDQG�DQG�DJUHH�WKDW�P\�REOLJDWLRQ�WR�VXEPLW�VXFK�SUHSDUDWLRQV�IRU�UHYLHZ�DSSOLHV�GXULQJ�WKH�FRXUVH�RI�P\�DFFHVV�WR�6$3,�DQGWKHUHDIWHU��DQG�,�DJUHH�WR�PDNH�DQ\�UHTXLUHG�VXEPLVVLRQV�SULRU�WR�GLVFXVVLQJ�WKH�SUHSDUDWLRQ�ZLWK��RU�VKRZLQJ�LW�WR��DQ\RQH�ZKR�LV�QRW�DXWKRUL]HG�WR�KDYH�DFFHVV�WR6$3,�� ,� IXUWKHU�DJUHH� WKDW� ,�ZLOO� QRW�GLVFORVH� WKH�FRQWHQWV�RI� VXFK�SUHSDUDWLRQ� WR�DQ\�SHUVRQ�QRW�DXWKRUL]HG� WR�KDYH�DFFHVV� WR�6$3,�XQWLO� ,� KDYH� UHFHLYHG�ZULWWHQDXWKRUL]DWLRQ�IURP�WKH�'HSDUWPHQW�RU�$JHQF\�WKDW�DXWKRUL]HG�P\�6$3�DFFHVV�HV��LGHQWLILHG�RQ�WKH�UHYHUVH��

�� ,� XQGHUVWDQG� WKDW� WKH� SXUSRVH� RI� WKH� UHYLHZ� GHVFULEHG� LQ� SDUDJUDSK� �� LV� WR� JLYH� WKH� 8QLWHG� 6WDWHV� D� UHDVRQDEOH� RSSRUWXQLW\� WR� GHWHUPLQH� ZKHWKHU� WKHSUHSDUDWLRQ�VXEPLWWHG�SXUVXDQW�WR�SDUDJUDSK��VHWV�IRUWK�DQ\�6$3,��,�IXUWKHU�XQGHUVWDQG�WKDW�WKH�'HSDUWPHQW�RU�$JHQF\�WR�ZKLFK�,�KDYH�PDGH�D�VXEPLVVLRQ�ZLOO�DFWXSRQ�LW��FRRUGLQDWLQJ�ZLWKLQ�WKH�6$3�FRPPXQLW\�ZKHQ�DSSURSULDWH��DQG�PDNH�D�UHVSRQVH�WR�PH�ZLWKLQ�D�UHDVRQDEOH�WLPH��QRW�WR�H[FHHG��ZRUNLQJ�GD\V�IURP�GDWH�RIUHFHLSW�

�� ,�KDYH�EHHQ�DGYLVHG�WKDW�DQ\�EUHDFK�RI�WKLV�$JUHHPHQW�PD\�UHVXOW�LQ�WKH�WHUPLQDWLRQ�RI�P\�DFFHVV�WR�6$3,��UHPRYDO�IURP�D�SRVLWLRQ�RI�VSHFLDO�FRQILGHQFH�DQGWUXVW� UHTXLULQJ�VXFK�DFFHVV��RU� WHUPLQDWLRQ�RI�RWKHU� UHODWLRQVKLSV�ZLWK�DQ\�'HSDUWPHQW�RU�$JHQF\� WKDW�SURYLGHV�PH�ZLWK�DFFHVV� WR�6$3,�� ,Q�DGGLWLRQ�� ,� KDYH�EHHQDGYLVHG�WKDW�DQ\�XQDXWKRUL]HG�GLVFORVXUH�RI�6$3,�E\�PH�PD\�FRQVWLWXWH�YLRODWLRQV�RI�8QLWHG�6WDWHV�FULPLQDO�ODZV��LQFOXGLQJ�WKH�SURYLVLRQV�RI�6HFWLRQV��DQG��7LWOH��8QLWHG�6WDWHV�&RGH��DQG�RI�6HFWLRQ��D��7LWOH��8QLWHG�6WDWHV�&RGH��1RWKLQJ�LQ�WKLV�$JUHHPHQW�FRQVWLWXWHV�D�ZDLYHU�E\�WKH�8QLWHG�6WDWHV�RI�WKHULJKW�WR�SURVHFXWH�PH�IRU�DQ\�VWDWXWRU\�YLRODWLRQ�

�� ,�XQGHUVWDQG�WKDW�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�PD\�VHHN�DQ\�UHPHG\�DYDLODEOH�WR�LW�WR�HQIRUFH�WKLV�$JUHHPHQW�LQFOXGLQJ��EXW�QRW�OLPLWHG�WR��DSSOLFDWLRQ�IRU�DFRXUW�RUGHU�SURKLELWLQJ�GLVFORVXUH�RI�LQIRUPDWLRQ�LQ�EUHDFK�RI�WKLV�$JUHHPHQW��,�KDYH�EHHQ�DGYLVHG�WKDW�WKH�DFWLRQ�FDQ�EH�EURXJKW�DJDLQVW�PH� LQ�DQ\�RI� WKH�VHYHUDODSSURSULDWH�8QLWHG�6WDWHV�'LVWULFW�&RXUWV�ZKHUH�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�PD\�HOHFW�WR�ILOH�WKH�DFWLRQ��&RXUW�FRVWV�DQG�UHDVRQDEOH�DWWRUQH\V�IHHV�LQFXUUHG�E\�WKH8QLWHG�6WDWHV�*RYHUQPHQW�PD\�EH�DVVHVVHG�DJDLQVW�PH�LI�,�ORVH�VXFK�DFWLRQ�

�� ,�XQGHUVWDQG�WKDW�DOO�LQIRUPDWLRQ�WR�ZKLFK�,�PD\�REWDLQ�DFFHVV�E\�VLJQLQJ�WKLV�$JUHHPHQW�LV�QRZ�DQG�ZLOO�UHPDLQ�WKH�SURSHUW\�RI�WKH�8QLWHG�6WDWHV�*RYHUQPHQWXQOHVV�DQG�XQWLO�RWKHUZLVH�GHWHUPLQHG�E\�DQ�DSSURSULDWH�RIILFLDO�RU�ILQDO�UXOLQJ�RI�D�FRXUW�RI�ODZ��6XEMHFW�WR�VXFK�GHWHUPLQDWLRQ��,�GR�QRW�QRZ��QRU�ZLOO�,�HYHU��SRVVHVVDQ\�ULJKW�� LQWHUHVW��WLWOH��RU�FODLP�ZKDWVRHYHU�WR�VXFK�LQIRUPDWLRQ��,�DJUHH�WKDW�,�VKDOO�UHWXUQ�DOO�PDWHULDOV�WKDW�PD\�KDYH�FRPH�LQWR�P\�SRVVHVVLRQ�RU�IRU�ZKLFK�,�DPUHVSRQVLEOH�EHFDXVH�RI�VXFK�DFFHVV��XSRQ�GHPDQG�E\�DQ�DXWKRUL]HG�UHSUHVHQWDWLYH�RI�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�RU�XSRQ�WKH�FRQFOXVLRQ�RI�P\�HPSOR\PHQW�RURWKHU�UHODWLRQVKLS�ZLWK�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�HQWLW\�SURYLGLQJ�PH�DFFHVV�WR�VXFK�PDWHULDOV��,I�,�GR�QRW�UHWXUQ�VXFK�PDWHULDOV�XSRQ�UHTXHVW��,�XQGHUVWDQG�WKLVPD\�EH�D�YLRODWLRQ�RI�6HFWLRQ��7LWOH��8QLWHG�6WDWHV�&RGH�

�� 8QOHVV�DQG�XQWLO� ,�DP�UHOHDVHG� LQ�ZULWLQJ�E\�DQ�DXWKRUL]HG�UHSUHVHQWDWLYH�RI� WKH�'HSDUWPHQW�RU�$JHQF\�WKDW�SURYLGHG�PH�WKH�DFFHVV�HV��LGHQWLILHG�RQ�WKHUHYHUVH��WR�6$3,��,�XQGHUVWDQG�WKDW�DOO�FRQGLWLRQV�DQG�REOLJDWLRQV�LPSRVHG�XSRQ�PH�E\�WKLV�$JUHHPHQW�DSSO\�GXULQJ�WKH�WLPH�,�DP�JUDQWHG�DFFHVV�WR�6$3,��DQG�DW�DOOWLPHV�WKHUHDIWHU�

�� (DFK� SURYLVLRQ� RI� WKLV� $JUHHPHQW� LV� VHYHUDEOH�� ,I� D� FRXUW� VKRXOG� ILQG� DQ\� SURYLVLRQ� RI� WKLV� $JUHHPHQW� WR� EH� XQHQIRUFHDEOH�� DOO� RWKHU� SURYLVLRQV� RI� WKLV$JUHHPHQW�VKDOO�UHPDLQ�LQ�IXOO�IRUFH�DQG�HIIHFW��7KLV�$JUHHPHQW�FRQFHUQV�6$3,�DQG�GRHV�QRW�VHW�IRUWK�VXFK�RWKHU�FRQGLWLRQV�DQG�REOLJDWLRQV�QRW�UHODWHG�WR�6$3,�DVPD\�QRZ�RU�KHUHDIWHU�SHUWDLQ�WR�P\�HPSOR\PHQW�E\�RU�DVVLJQPHQW�RU�UHODWLRQVKLS�ZLWK�WKH�'HSDUWPHQW�RU�$JHQF\�

�� ,�KDYH�UHDG�WKLV�$JUHHPHQW�FDUHIXOO\�DQG�P\�TXHVWLRQV�� LI�DQ\��KDYH�EHHQ�DQVZHUHG� WR�P\�VDWLVIDFWLRQ�� ,�DFNQRZOHGJH� WKDW� WKH�EULHILQJ�RIILFHU�KDV�PDGHDYDLODEOH�6HFWLRQV��DQG��RI�7LWOH��8QLWHG�6WDWHV�&RGH�� DQG�6HFWLRQ� ��D�� RI� 7LWOH� ��8QLWHG�6WDWHV�&RGH��DQG�([HFXWLYH�2UGHU� �� DVDPHQGHG��VR�WKDW�,�PD\�UHDG�WKHP�DW�WKLV�WLPH��LI�,�VR�FKRRVH�

��)RUPDW��³6SHFLDO�$FFHVV�3URJUDP�,QGRFWULQDWLRQ�$JUHHPHQW´

�� ,�KHUHE\�DVVLJQ�WR�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�DOO�ULJKWV��WLWOH�DQG�LQWHUHVW��DQG�DOO�UR\DOWLHV��UHPXQHUDWLRQV��DQG�HPROXPHQWV�WKDW�KDYH�UHVXOWHG��ZLOO�UHVXOW�RU�PD\�UHVXOW�IURP�DQ\�GLVFORVXUH��SXEOLFDWLRQ��RU�UHYHODWLRQ�QRW�FRQVLVWHQW�ZLWK�WKH�WHUPV�RI�WKLV�$JUHHPHQW�

�� 7KHVH� UHVWULFWLRQV� DUH� FRQVLVWHQW� ZLWK� DQG� GR� QRW� VXSHUVHGH�� FRQIOLFW� ZLWK�� RU� RWKHUZLVH� DOWHU� WKH� HPSOR\HH� REOLJDWLRQV�� ULJKWV�� RU� OLDELOLWLHV� FUHDWHG� E\([HFXWLYH�2UGHU��6HFWLRQ��RI�7LWOH��8QLWHG�6WDWHV�&RGH��JRYHUQLQJ�GLVFORVXUHV�WR�&RQJUHVV��6HFWLRQ��RI�7LWOH��8QLWHG�6WDWHV�&RGH��DV�DPHQGHG�E\WKH�0LOLWDU\�:KLVWOHEORZHU�3URWHFWLRQ�$FW��JRYHUQLQJ�GLVFORVXUH�WR�&RQJUHVV�E\�PHPEHUV�RI�WKH�0LOLWDU\��6HFWLRQ��E��RI�7LWOH��8QLWHG�6WDWHV�&RGH��DV�DPHQGHGE\�WKH�:KLVWOHEORZHU�3URWHFWLRQ�$FW��JRYHUQLQJ�GLVFORVXUHV�RI�LOOHJDOLW\��ZDVWH��IUDXG��DEXVH�RU�SXEOLF�KHDOWK�RU�VDIHW\�WKUHDWV��WKH�,QWHOOLJHQFH�,GHQWLWLHV�3URWHFWLRQ�$FW�RI�� 86&��HW� VHT�� JRYHUQLQJ� GLVFORVXUHV� WKDW� FRXOG� H[SRVH� FRQILGHQWLDO�*RYHUQPHQW� DJHQWV�� DQG� WKH� VWDWXWHV�ZKLFK� SURWHFW� DJDLQVW� GLVFORVXUH� WKDW�PD\FRPSURPLVH�WKH�QDWLRQDO�VHFXULW\��LQFOXGLQJ�6HFWLRQ��DQG��RI�7LWOH��8QLWHG�6WDWHV�&RGH��DQG�6HFWLRQ��D��RI�7LWOH��8QLWHG�6WDWHV�&RGH�7KH�GHILQLWLRQV��UHTXLUHPHQWV��REOLJDWLRQV��ULJKWV��VDQFWLRQV�DQG�OLDELOLWLHV�FUHDWHG�E\�VDLG�([HFXWLYH�2UGHU�DQG�OLVWHG�VWDWXWHV�DUH�LQFRUSRUDWHG�LQWR�WKLV�$JUHHPHQW�DQGDUH�FRQWUROOLQJ�

�� 7KLV�$JUHHPHQW�VKDOO�EH�LQWHUSUHWHG�XQGHU�DQG�LQ�FRQIRUPDQFH�ZLWK�WKH�ODZ�RI�WKH�8QLWHG�6WDWHV�

�� ,�PDNH�WKLV�$JUHHPHQW�ZLWKRXW�DQ\�PHQWDO�UHVHUYDWLRQ��SXUSRVH�RI�HYDVLRQ��DQG�LQ�DEVHQFH�RI�GXUHVV�

�� 6LJQDWXUH�� 'DWH

7KH�H[HFXWLRQ�RI�WKLV�$JUHHPHQW�ZDV�ZLWQHVVHG�E\�WKH�XQGHUVLJQHG�ZKR�DFFHSWHG�LW�RQ�EHKDOI�RI�WKH�8QLWHG�6WDWHV�*RYHUQPHQW�DV�D�SULRU�FRQGLWLRQ�RI�DFFHVV�WR�6SHFLDO$FFHVV�3URJUDP�LQIRUPDWLRQ�

:,71(66�DQG�$&&(37$1&(�� 6LJQDWXUH�� 'DWH

6(&85,7<�%5,(),1*��'(%5,(),1*�$&.12:/('*0(17

��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB

��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBB�6SHFLDO�$FFHVV�3URJUDPV�E\�,QLWLDOV�2QO\�

��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��661��6HH�1RWLFH�%HORZ��3ULQWHG�RU�7\SHG�1DPH��2UJDQL]DWLRQ

��%5,()��'DWHBBBBBBBBBBBBBBBB

,�KHUHE\�DFNQRZOHGJH�WKDW�,�ZDV�EULHIHG�RQ�WKH�DERYH�6$3�V��

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6LJQDWXUH�RI�,QGLYLGXDO�%ULHIHG

��'(%5,()��'DWHBBBBBBBBBBBBBBBB

+DYLQJ� EHHQ� UHPLQGHG� RI� P\� FRQWLQXLQJ� REOLJDWLRQ� WR� FRPSO\� ZLWK� WKHWHUPV�RI� WKLV�$JUHHPHQW�� ,� KHUHE\� DFNQRZOHGJH� WKDW� ,�ZDV� GHEULHIHG� RQWKH�DERYH�6$3�V��

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��6LJQDWXUH�RI�,QGLYLGXDO�'HEULHIHG

,�FHUWLI\�WKDW�WKH�EULHILQJ�SUHVHQWHG�E\�PH�RQ�WKH�DERYH�GDWH�ZDV�LQ�DFFRUGDQFH�ZLWK�UHOHYDQW�6$3�SURFHGXUHV�

��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��6LJQDWXUH�RI�%ULHILQJ�'HEULHILQJ�2IILFHU��661��6HH�1RWLFH�%HORZ�

��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB��3ULQWHG�RU�7\SHG�1DPH��2UJDQL]DWLRQ��1DPH�DQG�$GGUHVV�

127,&(��7KH�3ULYDF\�$FW��8�6�&��D��UHTXLUHV�WKDW�IHGHUDO�DJHQFLHV�LQIRUP�LQGLYLGXDOV��DW�WKH�WLPH�LQIRUPDWLRQ�LV�VROLFLWHG�IURP�WKHP��ZKHWKHU�WKH�GLVFORVXUH�LV�PDQGDWRU\�RU�YROXQWDU\�

E\�ZKDW�DXWKRULW\�VXFK�LQIRUPDWLRQ�LV�VROLFLWHG��DQG�ZKDW�XVHV�ZLOO�EH�PDGH�RI�WKH�LQIRUPDWLRQ��<RX�DUH�KHUHE\�DGYLVHG�WKDW�DX WKRULW\�IRU�VROLFLWLQJ�\RXU�6RFLDO�6HFXULW\�$FFRXQW�1XPEHU

�661��LV�([HFXWLYH�2UGHU��<RXU�661�ZLOO�EH�XVHG�WR�LGHQWLI\�\RX�SUHFLVHO\�ZKHQ�LW�LV�QHFHVVDU\�WR��FHUWLI\�WKDW�\RX�KDYH�DFFHVV�WR�WKH�LQIRUPDWLRQ�LQGLFDWHG�DERYH��GHWHUPLQH�WKDW

\RXU�DFFHVV�WR�WKH�LQIRUPDWLRQ�LQGLFDWHG�KDV�WHUPLQDWHG��RU��FHUWLI\�WKDW�\RX�KDYH�ZLWQHVVHG�D�EULHILQJ�RU�GHEULHILQJ��$OWKRXJK�GLVFORVXUH�RI�\RXU�661�LV�QRW�PDQGDWRU\��\RXU�IDLOXUH�WR�GR

VR�PD\�LPSHGH�VXFK�FHUWLILFDWLRQV�RU�GHWHUPLQDWLRQV�

)RUPDW��³6SHFLDO�$FFHVV�3URJUDP�,QGRFWULQDWLRQ�$JUHHPHQW´

SPECIAL ACCESS PROGRAM INDOCTRINATION AGREEMENT (POLYGRAPH SUPPLEMENT)

SECTION 1 - IDENTIFICATION DATA

Name (LAST, First, MI) SSAN

Organization/Company Job Position/Title/Grade

Clearance and Date of Clearance Access Authority (Letter, Message, or Name Identification)

SECTION II - PREBRIEFING AGREEMENT

PART 1 - PREBRIEFING AGREEMENT

I understand that the briefing I am to receive, discloses information controlled in a special security system referred toas Special Access Program Information which is self-contained and administered directly by the sponsoringDepartment of Defense agency.

PART 2 - POLYGRAPH AGREEMENT

I further understand that by accepting access to this Special Access Program Information, I may be required to and Iwill voluntarily take a polygraph examination which will be limited to counterintelligence and/or counterespionagequestions.

PART 3 - PREBRIEFING AND POLYGRAPH ACKNOWLEDGMENTS

I agree to the stipulations contained in the above agreements prior to receiving a program/project specific briefing.

Signature of Individual Date

The execution of these Agreements was witnessed be the undersigned who accepted it on behalf of the United StatesGovernment as a prior condition of access to Special Access Information.

WITNESSING OFFICIAL:

Signature Date

SAP FORMAT 2a. “Special Access Program Indoctrination Agreement (Polygraph Supplement)

DO NOT Use Previous Editions

(CLASSIFY THIS FORMAT ONLY WHEN REQUIRED BY THE PROGRAM SECURITY DIRECTIVE)

WARNING: Do NOT Place Classified Information on this Form

Request for Facility Clearance Action

From: Date:

To: (PSO)

Establish “covered” facility clearance

TOP SECRET SECRET CONFIDENTIAL

Change in level of facility clearance

From To

Confirm Carve-Out

Contractor IdentityName of Facility

Address

CAGE

Specific Location of Carve-Out

Contract Number

Points of ContactContractor POC Secure Phone

Government POC Secure Phone

PSO Endorsement

Program Management Endorsement

SAP Format 3, “Request for Facility Clearance Action”, 1 Jan 1991

CONFIDENTIAL (When Filled In)Special Access Required - ___________________________

Special Access Required - ___________________________CONFIDENTIAL (When Filled In)

Date/Time: / Control # Precedence

From: Office Symbol Phone #

To: SAF/AQLE (703) 979-2407 (Mode 6)

Program:

Subject: SENIOR STAR Airlift Request (U)

Itinerary (fill in most important time block; remainder will be completed by AMC)

LOCATION REQUESTED DATE REQUESTED TIME (LOCAL)

DEP

ARR

LOCATION REQUESTED DATE REQUESTED TIME (LOCAL)

DEP

ARR

Passengers (If O-7 or civilian equivalent, include title)

RANK NAME RANK NAME

Boxes/Cargo (Number, size and approximate weight. boxes must fit in a safe drawer for emergency storage.)

NUMBER SIZE WEIGHT

Points of ContactLOCATION NAME PHONE NUMBER

SAF/AQL (703) 697-9650/6174

AMC CP (618) 256-2981/5970

Derived From: xxxDeclassify On: xxx

Sent By:

SAP Format 4, “SENIOR STAR Airlift Request”, 18 Jun 1992 DO NOT Use Previous Edition

UNCLASSIFIED / Handle Via Special Access Channels Only

UNCLASSIFIED / Handle Via Special Access Channels Only

INADVERTENT DISCLOSURE STATEMENT

1. Information from a class of Defense information, the source of which cannot be disclosed, hasbeen either discussed with you or exposed to your view. This disclosure was unintentional;therefore it is necessary to acquaint you with the laws on the subject, and for you to execute thisstatement binding you to secrecy in connection with any information you may have gained fromthe disclosure.

2. The importance of safeguarding this information cannot be overemphasized. The time limit forsafeguarding of such information NEVER expires. You are directed to avoid all references to theexistence of this information or words which identify it.

3. Although you inadvertently gained information not intended for you, your signature below doesNOT constitute an indoctrination of clearance or access to such information.

STATEMENT

I hereby affirm that I have read and fully understand the letter of instructions formaintaining the security of defense information. I certify that I shall never divulge anyinformation which I may have learned from my having been exposed to thisinformation, nor will I reveal to any person whomsoever, my knowledge of theexistence of such information. I further certify that I shall never attempt to gain accessto such information henceforth. I understand that transmission or revelation of thisinformation in any manner to an unauthorized person is punishable under U.S. CodeTitle 18, Sections 793 and 794.

Signature Organization/Firm and Location

Printed Name Date

Witnessed this day of , .

Signature of Witness

SAP Format 5, “Inadvertent Disclosure Statement”, 1 Jan 1991

(When Filled In)

UNCLASSIFIED/HANDLE VIA SPECIAL ACCESS CHANNELS ONLY

SAP Form 6, “Notification of Foreign Travel”, 1 Jan 1991

Notification of Foreign Travel

To: PERSONNEL SECURITY MANAGER (Please do not list organization on this line)

1. BACKGROUND:

a. Travel outside of the United States is a matter of security interest in view of the clearances youhold. Such travel includes points in Canada, the Caribbean, Mexico, and Europe, as well as moredistant places.

b. Knowledge of your whereabouts is needed primarily for personal protection and as a guide inlocating you should an official search be required. Your itinerary should be adhered to as closelyas possible.

c. If major changes are made or if your estimated return date is extended by 24 hours or more,please advise Security accordingly to forestall any unnecessary concern as to your whereabouts.Contact Security upon your return for a debriefing. Any incidents of an intelligence nature whichmay have occurred must be reported.

2. Please complete the following information (paragraph 2a-d) and read paragraph 3a-j, Foreign TravelBriefing. Sign, date and return to Security at least thirty (30) days prior to your departure. When youreturn, arrange to complete paragraph 4, Foreign Travel Debriefing.

a. THIS TRAVEL IS OFFICIAL PERSONAL

b. Name (Last, First, MI) Social Security Number

Home Address Home Telephone

Organization Work Telephone

c. PERSON WHO KNOWS YOUR PLANS AND WHEREABOUTS:

Name (Last, First, MI) Home Telephone

Home Address Work Telephone

d. DESTINATION ITINERARY: If more than one foreign country is to be visited, list countries inscheduled order of visit, together with all side trips and stop-overs.

Place Date(s) Carrier Contacts

Expected date of return to the US

Traveler’s Signature Date

Security Concur

(When Filled In)

UNCLASSIFIED/HANDLE VIA SPECIAL ACCESS CHANNELS ONLY

SAP Form 6, “Notification of Foreign Travel”, 1 Jan 1991

3. As you prepare to travel outside of the United States, you may find yourself traveling to or through acountry whose interests are inimical to those of the U.S. First and foremost, it is important that you bereminded of the continuing need to safeguard the classified information you carry around in your head andthe broadening efforts of foreign intelligence services around the world. Second, this briefing is to impart anumber of helpful tips so you can avoid situations which could cause you delay, embarrassment, or to bearrested while traveling.

a. Don’t mention, discuss or even imply involvement in special or classified projects or activities.b. Never take sensitive or classified material outside of the U.S. without written approval from the

PSO.c. Avoid moral indiscretions or illegal activity which could lead to compromise or blackmail.d. Don’t accept letters, photographs, material or information to be smuggled out of the country.e. Be careful of making statements which could be used for propaganda purposes. Don’t sign

petitions, regardless of how innocuous they may appear.f. Remember that all mail is subject to censorship. Be careful not to divulge personal or business

matters which could be used for exploitation or propaganda purposes.g. Never attempt to photograph military personnel or installations or other restricted/controlled areas.h. Beware of overly friendly guides, interpreters, waitresses, hotel clerks, etc., whose intentions may

go beyond being friendly.i. Carefully avoid any situation which, in your best judgment, would provide a foreign service with the

means for exerting coercion or blackmail.j. Report to Security upon your return for debriefing. Incidents of an intelligence nature or foreign

national contact must be reported.

Receipt and contents acknowledged:

_Signature of Traveler Date Signature of Organization Travel Monitor

4. After you return, please arrange with your Organization Travel Monitor/security person to complete thedebriefing below:

Foreign Travel DebriefingTo be completed after you return

a. Did you deviate from the itinerary you provided prior to your departure? Yes No

b. Did you have contact with anyone under circumstances you would consider assuspicious or unusual?

Yes No

c. If you answered “YES” to either of the above questions, explain on attached sheet.

Interview conducted by Date



Date/Time: Control No. Precedence

From: Office Symbol. Phone#

To:

Info:

Subject: Visit Notification

1. (C/SAR) The following individual(s) will visit

on date(s) indicated for the purpose of .

Point(s) of contact is/are

(U)

Name

(U)

SSAN

(U)

Clearance &Investigation

(C/SAR)

Program /Level of Access

(U/HVSACO)

Date(s) of Visit

/ / -

/ / -

/ / -

/ / -

/ / -

/ / -

/ / -

/ / -

2. (U) Visit is approved by Date:

PRIVACY ACT STATEMENTAUTHORITY: 10 U.S.C. 3101 & EO 9397

PRINCIPAL PURPOSE: For granting visit approval to a classified program facilty and to authorize access toprogram material.

ROUTINE USE: To record visit approval. Use of SSAN is necessary to make positive identification of theindividual and records.

Disclosure is voluntary; failure to provide the information and SSAN could result in approval being denied.

Derived From:Declassify On:

Sent By:

SAP Format 7, “Visit Notification”, 2 Jan 1991

CLASSIFICATION (When Filled In)__________________Special Access Required - __________________

Special Access Required - ___________________________

CLASSIFICATION (WHEN FILLED IN) - _____________________

Section I - FAX Transmittal Data

Date/Time: / Control No. Precedence

From: Office Symbol. Phone#

To:

Info:

Subject: Technical Visit Request (U)

Section II - Briefing Data

1. Subject/Title of Original Information

2. Master Library DCN

3. Briefer: (Name/Company) /

4. Sponsor: (Name/Agency) /

5. Requestor: (Name/Company) /

5. Phone Number: (Requestor/STU III)

7. Justification (Classification - ______________)

Section III - Individuals Receiving Briefing

(U)

Name

(U)

SSAN

(U)

Clearance &Investigation

(C/SAR)

Program /Level of Access

(U/HVSACO)

Date(s) of Visit

/

/

/

/

/

Section IV - Coordination/Approval

8. Requestor Security: (Signature) (Date)

9. Sponsor Security: (Signature) (Date)

10. Requestor Notified: (Name of Person & Means of Notification) (Date)

PRIVACY ACT STATEMENTAUTHORITY: 10 U.S.C. 3101 and EO 9397PRINCIPAL PURPOSE: For granting visit approval to a classified program facilty and to authorize access to program

material.ROUTINE USE: To record visit approval. Use of SSAN is necessary to make positive identification of the individual

and records.Disclosure is voluntary; failure to provide the information and SSAN could result in approval being denied.

11. Special Procedures: Derived From:Declassify On:

SAP Format 7L, “Technical Visit Request”, 12 Jul 1993

SECRET (When Filled In)Special Access Required - ___________________________

Special Access Required - ___________________________SECRET (When Filled In)

TSCM Request (U)

(Date of Request)

(U) Facility (Organization/Company Name)

(U) Street (Complete Address)

(U) City State ZIP

(S/SAR) Bldg Numbers Total Number Requests (Program Areas) (Submit a Separate Request for Each Facility)

(S/SAR) Room Numbers sq. ft. (Program Areas) (Total Sq. Ft.)

(S/SAR) Date All Construction Completed (If Applicable)

(S/SAR) Date All Equipment/Furnishing in Place (Equipment Must Be Operational)

(U) Highest Classification Level (S/SAR) Desired Date

(S/SAR) Date of Last Survey File No (If Known) (If Known)

(U) Gov’t Security Manager Work Phone (SAF/AQ)

Home Phone

(U) Facility POC Work Phone (Security Manager)

Home Phone

(U) Alternate POC Work Phone (Alternate Security Manager)

Home Phone

(S/SAR) Reason Survey Needed

(Signature of In-Place Security Manager) (Signature of Gov’t Program Security Officer)

(U) Note: At a minimum, include a sketch or building diagram. When available, submit blueprints. Include overallarea/facility maps. Clearly outline program areas on submitted documents. Also provide information regardingphysical characteristics such as construction, types and locations of equipment (computers, alarms, radioequipment), windows and any other factor potentially affecting security. Preferred method of receipt is on 8 1/2” x 11”paper. Use of this size may require copy reduction. If not feasible, forward attachments separately.

DERIVED FROM: DOWNGRADE TO CONFIDENTIAL/SAR UPON COMPLETION OF TSCM ACTIVITYDECLASSIFY ON:

SAP Format 8, “TSCM Request”, 4 Jan 1993

UNCLASSIFIED - Handle Via Special Access Channels Only

UNCLASSIFIED - Handle Via Special Access Channels Only

Date/Time: / Control No. Precedence

From: Phone#

Name of Servicing Government PSO: ______________________________________________________

To: SAF/AQ Central Adjudications Facility

Subject: Request for Files Check

Request a files check be conducted on the following personnel:

Name (U)

SSAN

(U)

Level(C/SAR)

A/D

/ /

/ /

/ /

/ /

/ /

/ /

/ /

/ /

2. (U) Visit is approved by Date:

PRIVACY ACT STATEMENTAUTHORITY: 10 U.S.C. 8012; 44 U.S.C. 3101 and EO 9397

PRINCIPAL PURPOSE: For granting visit approval to a classified program facilty and to authorize access toprogram material.

ROUTINE USE: To record visit approval. Use of SSAN is necessary to make positive identification of theindividual and records.

Disclosure is voluntary; failure to provide the information and SSAN could result in approval being denied.

Derived From:Declassify On:

Sent By:

SAP Format 9, “Request for Files Check”, 2 Jan 1991

___________________________________(Classification

SAP Format 10, “Secure Communications Request”, 18 Jun 1992 DO NOT Use Previous Edition(Preparation Instructions On Reverse)

___________________________________(Classification) (Unclassified Until Filled In)

SECURE COMMUNICATIONS REQUEST

From: Date:

To:

Thru:

SECTION I - GENERAL INFORMATION

1. Name of Program:

2. Company/Agency :

3. Building Number: Room Number:

4. Street Address:

5. City/State/Zip Code:

6. Points of Contact:

7. Phone Numbers:

SECTION II - SERVICE REQUIRED

8. Service:

9. Key Level:

10. Required Operational Date:

11. Justification:

SECTION III - VALIDATION

12. Contractor Security Manager: Date: (Signature)

13. Government Security Manager: Date: (Signature)

14. Program Security Officer: Date: (Signature)

15. RFS Number:

16. Telephone Service Gov’t office w/sterile lines Gov’t office providing own support Contractor facility w/sterile lines Contractor facility w/non-sterile lines

17. Communications Special Projects Manager: Concur Non-Concur Date:

Derived From: (Signature) Declassify On:

The following instructions provide a detailed description of the information required to complete this form. Each entryhas been numbered to permit ease in completion.

TO: Route through the Government Program Manager and then to the Program Security Officer (PSO). Failure tofollow this sequence results in rejection of this request.

1. Whenever possible, provide the specific program name, rather than a study or a project number.

2 thru 5. Be specific and provide accurate information. Make sure changes in this information between the time therequest is submitted and the service provided are reported to the PSO to permit relay to the installers.

6. Two POCs are required. POCs should be the persons who have been previously assigned as the primary andalternate COMSEC managers for existing locations, or those persons who will be COMSEC managers for the newlocation.

7. When possible, provide existing STU III secure phone numbers.

8. Provide details (which includes the following) for each type of service:

STU III - Provide quantity of phones required, whether single or multi-line versions are needed (multi-lineinstruments are designed top operate on a 1A2 key system), and state what type of devices are required orplanned to be used on the data port. Requests for facsimile service supported by a STU III may be combinedwith one STU III request.

FAXNET (Facsimile supported as a closed net using KG-84a Crypto) - Identify the net which you will be requiredto communicate with. If a new net is being established, a separate form must be prepared for each requirement.Identify the number of locations anticipated to be activated in the net over the next two years.

KG Support for Computer dial-ups, high-speed links, etc. - Provide a complete description of the intendedinstallation, to include wiring diagrams showing signal connections to the KG on both the red and black side.The customer provides the installation support of all of the other components of the system, with the exceptionof the COMSEC. The customer also installs the appropriate cabling from the customer equipment to the point ofinstallation for the COMSEC.

9. Enter SCI, Top Secret, or Secret. Bear in mind for Top Secret or SCI keys to be issued, personnel with theappropriate clearances must be available.

10. The following minimum lead times have been established as a guide which may vary depending upon the typeof service requested and are obtained from the communications community from the time they receive the requestfrom the PSO. (Allow extra time to process the request within your own channels):

Equipment or Keying Material Support Only - 90 days

Requests Requiring Leasing 9.6kb Data Service or Business Telephone Service to Support a GovernmentLocation - 90 days

Requests Requiring the Lease of Services Greater than 9.6kb to Support a Government Location - 120 days

11. Be specific. Government Program and Security Managers use this information to validate the request.

12. Applies only to contractor requests.

13. Channel all requests through the appropriate Program Manager prior to submission to the PSO.

14 thru 16. For PSO use only. Separate instructions have been provided.

16. Contractors provide the leased telephone services for their requirements. “Sterile” (foreign exchange) service isnormally required. The PSO may permit a large contractor to use standard commercial service, but the PSO mustsign a waiver assuming the risk. Contact the PSO for further information.

For Government locations, unless sterile lines are required, the customer arranges for telephone service supportfrom the local base. If sterile lines are required, the PSO validates such need and requests the service on this form.DO NOT route telephone service through the base switchboard.


SAP Format 11, “Subcontractor Status Report”, 1 Jan 1991 Attachment ___ Yes ___ No


SUBCONTRACTOR STATUS REPORT (U) 1st Tier 2nd Tier 3rd Tier

1. Company/Address 2. Sterile Address

3. Prime 4. Convenience Code

5. Facility Clearance 6. Facility Code

7. Telephone 8. Sterile Phone

9. Number of Personnel Briefed: Ceiling Total Level I Level II Level III Level IV

10. Product/Service

11. Program/Project Classification Level

12. CSM 13. PM

14. Prime Security Rep 15. Prime Procurement Rep

16. Secure Phone # 17. Secure Fax Yes No

18. Storage Authority 19. Contract Value

20. DD Form 254 Date 21. Security Plan Date

22. Date of Last Insp 23. Rating

24. Classified Holdings (Update Yearly)Confidential Secret Top Secret

25. Status

26. Additional Remarks

CLASSIFICATION NOTICE: Classification based onrelationships and products.

Derived From: Derived On:

____________________________________________(Classification)

Special Access Required - __________________________

SAP Format 12, “Waiver Request From Security Criteria”, 1 Jan 1991 Derived From:Declassify On:

Special Access Required

_________________________________________________Classification

Waiver Request From Security Criteria (U)

Date

1. Request Number 2. Expiration Date

3. From Thru To

4. Type Request (check one) Facility Equipment Procedural

Equivalent Other

5. REFERENCE Directive # Paragraph #

6. Affected Area/Function

7. Brief Description of Specific Requirement

8. Brief Description of Deficiency

9. Proposed Corrective Action

10. Justification

11. Compensatory Measures

12. Estimated Cost of Correction

13. Estimated Correction Date

____________________________________________(Classification)

Special Access Required - __________________________

SAP Format 12, “Waiver Request From Security Criteria”, 1 Jan 1991 Derived From:Declassify On:

Special Access Required

_________________________________________________Classification

14. Requester Coordination

Office Name Initials_______________________ ___________________________________ ___________________________________ ___________________________________ ___________________________________ ___________________________________ ____________

___________________________ ____________________________________ ________Name of Program Manager Signature Date

___________________________ ____________________________________ ________Name of Security Manager Signature Date

15. Reviewing Official Coordination & Recommendation

Approval ______________________________ Disapproval _____________________

Comments ______________________________________________________________

Name of Reviewing Official __________________________________________________

Activity Represented _______________________________________________________

Signature _______________________________________________________________

16. Approval Authority Coordination

Approved ______________________________ Disapproved_____________________

Comments ______________________________________________________________

Signature _______________________________________________________________

17. Additional Information from Previous Page as Required (Indicate Item #)

CLASSIFY AS APPROPRIATE

SAP Format 13, “Subcontractor/Supplier Data Sheet”, 1 Jan 1991

SUBCONTRACTOR/SUPPLIER DATA SHEET (U)

1. Prime Contractor Subcontractor/supplier

Address

2. Initial Meeting

Date Attended By

Location

3. Type of Procurement: Sole Source Yes No

4. Product Classification

5. Subcontractor/Supplier Data

DoD Facility Clearance Level Date Granted

DoD Storage Level CAGE

Other Contracts with Prime

Approx Percentage of Firm’s Business Project Number/Name

6. Cover Story

7. Subcontractor/Supplier Contracts Sterile Phone Numbers

Program Management

Technical

Contracts

Security

8. Sterile Address

Name

Address City State Zip

9. Secure Communication Voice Fax

10. Proposed Work Area/Location

11. Proposed Personnel Program Accesses

Level I Level II Level III Level IV

12. Proposed Program Classified Storage

Storage NOT Approved Storage Containers

Level Approved Class VI

13. Remarks

CLASSIFICATION NOTICE: Classification based oncompilation of special security procedures.

Derived From: Derived On:


SAP Format 15, “Facsimile Transmittal Form - Classified”, 1 Jan 1991Page 1 of ___

Date/Time: / Control # Precedence

From: Office Symbol Phone #

To:

Info:

Subject:

Reference:

COVER ONLY: COVER PLUS: Derived From:

SENT BY: Declassify On:


SAP Format 15, “Facsimile Transmittal Form - Classified”, 1 Jan 1991Page 1 of ___

WORD PROCESSOR AND PERSONAL COMPUTER DATA SHEET

Initial Submission System Number: Facility:

Configuration Change Date Submitted: Room:

Addition Deletion Date Approved: User:

Recertification Date Implemented: Custodian:

Level of Classified Processing: Mode of Operations:

Percentage Used for Classified: Hours of Operation:

Equipment

(I/O Devices)

Manufacturer Model

Name

Serial

Number

Seal

Number

Keyboard

Mouse

Monitor

System Unit

Disk Drive

Printer

Operating System:

Application Software

Storage Media

Internal Memory (RAM)

Communications Capabilities & Disconnects

Summary of System Use:

PSO Signature

Date

SAP Format 16, “Word Processor and Personal Computer Data Sheet”, 1 Jan 1991

Unclassified - Handle Via Special Access Channels Only

(File in Individual Personnel Records)UNCLASSIFIED - HANDLE VIA SPECIAL ACCESS CHANNELS ONLY

Refresher Training RecordFor CY

This format provides for documentation of annual refresher training. This training may be accomplishedthroughout the year or at one session. The “COMPUTER SECURITY” listing is mandatory if the individualuses a computer.

Mandatory Topics Covered Date Completed Programs/Projects(Convenience Codes May Be Used)

Foreign Intelligence Techniques

Threat Reporting

Effects of Unauthorized Disclosure

Program Vulnerabilities/Threat & OPSEC

Adverse Information Reporting

Reporting Fraud, Waste & Abuse

Derivative Classification & Marking

Telephone Security/STU IIIs

Security Inspection Common Problems

Computer Security Videos/Films Shown

AIS Operating Procedures

Audit Trails

Logs, Forms & Receipts

Media Protection

Use of System

Copyright Laws & Licensing Agreements

Other Topics Covered Personal Status(Optional)

Visitor Procedures I was provided an opportunity to review my

Document Control DoD Personnel Security Questionnaire and

report/change any previously unreported

personal status changes.

Individual’s Initials :

Printed Name Organization/Firm

Signature Location

____________________________________

Security Education Manager (SEM) or Instructor

SAP Format 17, “Refresher Training Record”, 1 Dec 1993


Special Access Required - ___________________________CONFIDENTIAL (When Filled In) Page _____ of _____

Special Access Program Review Report Date

Section I - General Information1. Name of Activity

2. Address

3. Management

PM

Security Guide Date

Major Program

4. Type of Activity Government Prime

Associate Sub

Cost

SM

PSO

6. Scope of Activity Possession COMSEC

5. Review Dates Access Only Graphic ArtsPrevious

From

To

Dormant Commercial Carrier

7. Number of Persons Accessed 8. Number of DocumentsLV1

LV2

LV3

LV4

Total

CONF

SECRET

TS

LV4

Total

Section II - Review Data9. Type Complete Re-Review Partial Close Out Unannounced10. Overall Rating Superior Satisfactory Marginal Unsatisfactory

11. Deficiencies No Deficiencies FindingNo.

Deviations COS

12. Names of Reviewers Time Expended

13. Personnel Outbriefed Section III - Elements of Review

Code Functional Area Rating Code Functional Area RatingManagement H Physical

B Security I Access Control C Personnel Secrurity

K Transmission E Marking L Security F Reproduction Contracting G Destruction N Force

Special Emphasis Item:

Section IV - Report Processing14. Corrective Action Report 15. Respond To 16. Distribution

Required → Not Required ↓

Derived From: Declassify:

SAP Format 19, “Special Access Program Review Report”, 4 Jan 1993



Section V - Synopsis

Code Section VI - Deficiencies



Code Section VI - Deficiencies (continued)



Code Section VI - Deficiencies (continued)

17. Name of Review Team Chief

Signature of Review Team Chief Date

18. Name of Reviewing Official

Signature of Reviewing Official Date



Foreign Relative or Associate Interview

Interviewee’s Name :

Interviewee’s SSAN : Date of Interview :

Name of Relative or Associate :

Relationship : Citizenship :

Current Address :

City/Country :

Has the relative or associate ever visited the U.S.? Port of Entry :

When and for how long?

Frequency?

Most recent visit?

What is the relative’s or associate’s line of work? (If government employee, determine level: local, national, etc.)

Initial contact date/circumstances?

Frequency of interviewee’s contact with relative or associate?

When/where did the last contact occur? (letter, phone call, in person, etc.)

Interviewee’s reaction to any undue interest in his/her job?

Does or would the interviewee provide significant support? (If so, what type?)

Interviewee’s bond with, affection for, or obligation to the relative or associate?

Would the relative’s or associates welfare and safety be of significant concern (hostage situation)?

Interviewee’s reaction to such a situation?

Remarks :

Security Representative’s Signature and Date:

SAP Format 20, “Foreign Relative or Associate Interview”, 1 Sep 1994

NOTICE: The Privacy Act, 5 U.S.C. 522a, requires that federal agencies inform individuals, at the time information is solicited from them, whether thedis-Closure is mandatory or voluntary, by what authority such information is solicited, and what uses will be made of the information. You are herebyadvised thatAuthority for soliciting your Social Security Account Number (SSAN) is Executive Order 9397. Your SSAN will be used to identify you precisely when itis necessary to 1) certify that you have access to the information indicated above, or 2) determine that you access to the information indicated has beenterminated.

(Use additional sheets for Remarks, as needed)

Computer System UserAcknowledgement Statement

I understand that as a computer system user, it is my responsibility to comply with all securitymeasures necessary to prevent unauthorized disclosure, modification, or destruction of information. Ihave read the computer system standard operating procedures for the system(s) to which I haveaccess and agree to:

1. Protect and safeguard information in accordance with the System Operating Procedures.

2. Sign all logs, forms and receipts as required.

3. Escort personnel not on the access list for the environment in such manner as to prevent their access todata which they are not entitled to view.

4. Protect all media used on the system by properly classifying, labeling, controlling transmitting and destroyingit in accordance with security requirements.

5. Protect all data viewed on the screens and/or hardcopies at the highest classification level of the dataprocessed unless determined otherwise by the data owner.

6. Notify the System Security Custodian of all security violations, unauthorized use, and when I no longer havea need to access the system (i.e., transfer, termination, leave of absence, or for any period of extended non-use).

7. Use of the system is for the purpose of performing assigned organizational duties, never personal businessand I will not introduce, process, calculate, or compute data on these systems except as authorizedaccording to these procedures.

8. Comply with all software copyright laws and licensing agreements.

Initial Certification

Printed Name of User Signature of User

Printed Name of Custodian Signature of Custodian

Organization/Firm Date

Annual Recertification

Signature of User Date Signature of User Date




SAP Format 21 “Computer System User Acknowledgement Statement” 31 Mar 1995

Nomination for SAP Security Education Award - ActivityName/Address of Organization/Activity:

Description of Security Education Program:

Statement of Accomplishments:

Effectiveness of Accomplishments:

Supporting Evidence of Effectiveness:

SAP Format 23a, “Awards Program Nomination (Activity)” 5 Oct 1995

Nomination for SAP Security Education Award - IndividualName/Address of Organization/Activity:

Job Description:

Statement of Accomplishments:

Effectiveness of Accomplishments:

Supporting Evidence of Effectiveness:

SAP Format 23i, “Awards Program Nomination (Individual)” 5 Oct 1995

Letter of Appointment

To:

Company:

Subject to your acceptance and execution of the Oath of Confidentiality attachedhereto, you are hereby appointed an Agent of the United States Government for the Program. This appointment is for the limited purpose ofreviewing Personnel security Questionnaires (PSQs), Security Questionnaires (SQs),and Program Access Request packages (PARs) for accuracy, completeness, andobvious disqualifying factors.

For the limited purposes of this agency you are obligated to treat personnelinformation as data protected by the Privacy Act (5 U.S. Code 552a) for all employeesof your parent company whose questionnaires you review. Disclosure of personalinformation to any person not authorized to receive it may subject you to sanctions,including criminal penalties, provided by the Privacy Act, and to appropriateadministrative and civil remedies.

Should you decline to accept, or refuse to execute the Oath of Confidentialityattached hereto, you should consider this tender of appointment to be canceled.

Program Security Officer

SAP Format 24, “Agent of the Government (Appointment)” 2 Jan 1996

Acceptance of Appointmentand Oath of Confidentiality

I, , the undersigned, do hereby accept appointment as anAgent of the United States Government for the Program forthe limited purpose of reviewing Personnel Security Questionnaires (PSQs), SecurityQuestionnaires (SQs) and Program Access Request packages (PARs) for accuracy,completeness, and obvious disqualifying factors revealed in the PSQs, SQs or PARs.

I acknowledge that in accepting this appointment as an Agent of the Government, Iagree that I will not disclose to any person, not lawfully entitled to received it within thescope of this employment or agency with the U.S. Government, personal informationrevealed on the PSQs, SQs or PARs I review. I also acknowledge, accept and agreethat I will not use or reveal personal information to anyone except for the purposesstated herein.

I further acknowledge that by virtue of this appointment, I am bound by the provisions ofthe Privacy Act (5 U.S. Code 552a), including its criminal penalties for wrongfuldisclosure of information contained in protected records. I have been informed thatPSQs, SQs and PARs are records protected by the Privacy Act.

Signature and Date

Appointing Official

Signature and Date

, Typed Name and Title

SAP Format 25, “Agent of the Government (Oath)” 2 Jan 1996

Format 27 "Foreign Contact Form"

FOREIGN CONTACT FORM

To:

From:

Name Employee Number Social Security Number

Telephone Number

Instructions:

• Please answer the following questions listed below to the best of your ability.• For further information or questions, contact Program Security.

1. Full name of Non-U.S. citizen contact: (include maiden name or aliases if appropriate. Ifpossible, provide name in both English and Native language characters.)

2. Date of Birth (or approximate age if DOB is unknown), place of birth (city, country):

3. Citizenship:

4. Current address:

5. Occupation/Employer:

6. Known since/how did you meet:

7. Last contact date/plans for future contact:

8. Description of type of relationship:

NOTE: If responding “YES” on questions below, please provide details in the remarks section at thebottom of this form.

Format 27 "Foreign Contact Form"

9. YES NO Are you aware of any known political/military/intelligence activities of the contact or their relatives?

10. YES NO Is this contact witting of your Government involvement? (If yes, please note how and why)

11. YES NO Do you have any relatives or friends from the same country as the contact?

12. YES NO Did the individual ask what type of work you do? What was yourresponse?

13. YES NO Did the contact express on interest in any topics or technologies?

14. YES NO Did you discuss your involvement in U.S. Government related activities?

15. YES NO Did the contact offer to arrange any special treatment for you?

16. YES NO Did the contact offer to pay for anything (i.e., meals, gifts)?

17. YES NO Have you received any gifts from this person?

18. YES NO Did you exchange business cards, telephone numbers or addresses?(Please attach a copy to this form)

COMMENTS:

PRIVACY ACT STATEMENT

Notice: The above information is protected by provisions of the Privacy Act, 5 U.S.C. 522a. You are herebyadvised that authority for soliciting your Social Security Account Number (SSAN) is Executive Order 9397.Your SSAN will be used to identify you precisely when it is necessary to certify that you have access to theinformation indicated above. Although disclosure is not mandatory, your failure to do so may impedecertification or determinations.

Format 28 "Courier Designations and Instructions"

DESIGNATION AND COURIER INSTRUCTIONS

A. Maintain constant custody of the material from receipt until delivery. Never allow the material out of your sight or physical contact.

B. Place all material in a locked briefcase of normal appearance or a strong, locked carry-on bag. Based on the volume of material, use additional couriers as necessary (a minimum of two couriers is required for Top Secret; one for secret and below).

C. Do not schedule on overnight stop. Remain in the airport terminal if a connecting flight is part of your itinerary.

D. Do not consume alcoholic beverages.

E. Pre-plan travel routes. Include alternate routes. In unfamiliar areas, mark and use maps.

F. Transiting airport security checkpoints:

1. Before departure, obtain a courier authorization letter. Do not show this letter toairport security unless specifically asked. Also display military or company ID cardswhen asked.

2. When two couriers are used, one courier passes through the checkpoint and waits for the second courier to transfer the package through the x-ray machine. The second courier passes through the checkpoint after material has been received by the firstcourier.

3. Only open your briefcase if airport security asks you to do so.

4. If airport security asks you to open the document package, produce your courier letter and identification card. Inform security personnel that you are couriering classifieddata and that the package cannot be opened. If security personnel do not accept thisexplanation, contact the Airport Security Manager and explain the situation.

5. If airport security, Airport Security Managers, airline officials, or anyone insists on opening the document package, refuse and cancel your trip.

G. Emergency situations:

1. In case of any emergency en route emergency or if paragraph F5 applies, immediatelycontact your Security Officer. After receiving such notification, Activity and Contractor Security Officers must immediately contact the Program Security Officer.

2. In the event of a skyjacking, do not reveal your courier assignment. Use commonsense. Do not attempt to hide the material or dispose of it. Leave it in your briefcase.If anyone insists on opening your briefcase, do not argue or physically attempt to stopthem. Notify Airport Security Managers on your release as soon as possible.

3. If a bomb threat occurs while you are on board an aircraft, present your courier letterand identification card to Customs, FAA, or Federal agents. Explain your situation andpermit x-ray or electronic scanning. If any of these officials insist on opening the sealeddocument package, ask that they do so in a segregated area, away from other individualsor passengers. Remain with them when the package is opened. After the search is completed, obtain the names, agency, and telephone numbers of the searching individuals. Immediately supply this information to your Security Manager. NOTE: Security officials will defensively debrief these individuals as necessary. Do not conduct the debriefings yourself.

4. If you are forced to abandon a trip because of failure to make connections, sickness, etc.,

Format 28 "Courier Designations and Instructions"

keep the material in constant personal contact. If a motel is required, rent only one room for the two-person courier team (if male-female team, rent adjoining rooms). Havemeals delivered to the room. Contact the Security Manager for instructions and possiblelocations where the material may be taken and deposited.

5. If there is a vehicle mishap en route, e.g. a breakdown or accident, contact the SecurityManager at both your departure and destination points. Explain the general nature andimportance of your business travel to law enforcement officials. Display your courier letter and identification card. If these officials insist on opening the document package or seizing it, do not physically resist. Obtain names, badge numbers, and telephone numbers, and ask to talk to superior officers. Explain the situation to the superiors andask them if they will allow you to put them in contact with the Program Security Officer. If conditions warrant, one of the couriers should remain with the vehicle, whilethe other travels the shortest distance possible to obtain assistance.

H. If you arrive at your destination after working hours, make prior arrangements to secure the material in an approved SAP facility. If your are delayed or unable to reach your contact at the destination point, notify your Security Manager. If you are unable to contact the Security Manager at either the delivery or departure point, proceed to the facility or activity and attempt to obtain telephone numbers of persons you positively know are program-accessed. Ask them to assist you in contacting security personnel. Do not leave your package with non- accessed personnel or within non-program areas. As a last resort, keep the material within your control.

I. Be cautious while in telephone booths, public restrooms, cafeterias, and similar areas to ensure that your briefcase is not switched or stolen. Stay out of these areas as much as possible. While on board the aircraft, place your briefcase under the seat in front of you; do not place it in the overhead storage compartment.

J. Always require and obtain a receipt for the material at the point of departure and point of orgin.

ENDORSEMENT

I have read the instructions above and will fully comply with these instructions. Iunderstand the seriousness of this mission and am aware of the extreme detrimentaleffects on this mission and am aware of the extreme detrimental effects on the nationalsecurity that would result should the material I am couriering be compromised. I furtherunderstand that should my negligence result in a compromise or loss, disciplinary may betaken. I am aware that transmission or revelation (by loss or any method) of this information to unauthorized persons could subject me to prosecution under the EspionageLaw (U.S.) Code, Title 18, Sections 793, 794, and 798) or other applicable statutes and, ifconvicted, could result in up to a 10-year sentence in prison or a $10,000 fine, or both.

Name of courier (1) (Type or Print Signature of Courier (1) Date

Name of courier (2) (Type or Print) Signature of Courier (2) Date

Name of Security Officer Signature of Security Officer Date