Number: 

DAO 207-12

SECTION 1. PURPOSE.

.01 This Order sets forth Department of Commerce (DOC or Department) policies and procedures for Foreign National Visitor and Guest access to Department facilities, resources and activities.

.02 This Order revises the "Foreign National Visitor and Guest Access Program" and renames it to the "Foreign Access Management Program" (FAM). This revised focus acknowledges the increased diversity of foreign participation and the need for updated control measures beyond foreign visitor control to manage present day risks associated with physical and logical access to the Department's facilities and resources.

a. The scope and application of this order are expanded in response to the increased diversity of foreign participation and the need for updated control measures beyond foreign visitor control to manage present day risks associated with physical and logical access to the Department's facilities and resources.

b. Definitions are expanded to reflect new and revised U.S. national security policy issuances regarding classification and access to national security information (Executive Order 13526 and Executive Order 12968), post 9/11 policies for access to federal facilities (HSPD-12), as well policies for the safeguarding of controlled unclassified information (Executive Order 13556).

c. Definitions and policy guidance are updated throughout the DAO to reflect government wide export reform initiatives and revisions to the Export Administration Regulations (EAR), 15 C.F.R. 730-774, and the Commerce Control List (Supplement No. 1 to 15 C.F.R. 774).

d. References are updated to reflect new and revised National and Department level policy issuances promulgated since 2006.

e. Risk Management conventions and methodologies are introduced to facilitate risk-based determinations of access by Foreign Nationals to Department facilities, resources and activities as a basis to foster an acceptable balance between openness and security to support Department mission success.

f. New guidance is introduced for reaching risk-based determinations of access to Department facilities, resources and activities by Foreign Nationals who are citizens or nationals of State Sponsors of Terrorism.

g. New guidance is introduced for the issuance of Federal personal identity verification credentials to Foreign Nationals to enable access to Department facilities, resources, or activities in accordance with HSPD-12 requirements.

h. Bureau and Operating Unit responsibilities are revised to eliminate redundancies and extend delegated authorities wherever reasonable to facilitate efficiencies in FAM program implementation across the Department.

i. Field Servicing Security Office roles and responsibilities are similarly revised to standardize the delivery of effective and efficient security services, guidance and oversight of FAM program implementation across the Department.

j. New guidance is introduced to standardize the minimum data collection requirements for submission of requests for Foreign National access to Department facilities, resources and activities consistent with HSPD-12 and the Paperwork Reduction Act (44 U.S.C. 3501 et seq.) regarding collection of certain information from the public.

.03 The FAM program is designed to enable the broadest cooperation and collaboration with international partners while ensuring compliance with all applicable United States (U.S.) laws and regulations through consistent and effective management of access by Foreign Nationals to Department facilities, resources and activities which are not available to the public.

.04 This Order fosters a balance between openness and security. Because the Department recognizes the value of their contributions to U.S. scientific and technological efforts and other Departmental functions, it offers Foreign National Visitors and Guests access to its facilities, staff and information while engaged in a broad range of collaborative activities. FAM program policy must balance this openness with the necessity to protect classified, Controlled Unclassified Information (CUI), proprietary, or not-for-public release data, information, source-code, software or technology consistent with U.S. laws and regulations.

.05 This Order also provides overarching guidance for Department organizations to effectively implement risk-based FAM concepts to supplement existing safeguards for determinations of physical and logical access to Department facilities, resources and activities by Foreign National Visitors and Guests.

SECTION 2. SCOPE.

This Order applies to all bureaus and operating units within the Department and to all Foreign Nationals visiting, assigned or participating in Department activities as defined by this Order at Department facilities located within and outside the boundaries of the U.S. In accordance with Section 4.01 through Section 4.04, this Order establishes minimum standards for Departmental FAM program implementation regarding data collection, vetting, reporting, and final risk-based determinations of physical access by Foreign Nationals Visitors and Guests to Department facilities, resources, and activities. Risk-based determinations of logical access by Foreign National Guests to Department information systems and resources shall be conducted in accordance with Section 4.05 through Section 4.08 and in a manner consistent with this Order, where applicable.

SECTION 3. DEFINITIONS.

.01 Access - Ability to enter a place or to engage in a Department activity in a way that makes use of Departmental facilities, staff, resources, or information.

.02 Agency Check - For this Order, a procedure whereby a request is made to one or more U.S Government agencies to determine whether information exists on a Foreign National to facilitate an access determination. Examples may include the Federal Bureau of Investigations (FBI), U.S. Department of Homeland Security, and the U.S. Department of State.

.03 Asset - A resource, bought, created, or otherwise defined by its owner, that does or will in the future, provide a monetary, economic or proprietary value or benefit.

.04 Classified Information - Information that is determined pursuant to Executive Order 13526, "Classified National Security Information" or any predecessor order to require protection against unauthorized disclosure in the interest of U.S. national security and is properly marked to indicate its classified status. Access to classified information is restricted by law or regulation to individuals with the necessary security clearance and need-to-know.

.05 Commerce Control List (CCL) - A list of items (commodities, software, and technology) set forth in Supplement No. 1 to 15 C.F.R. 774 of the Export Administration Regulations (EAR), 15 C.F.R. 730-774 (see section 4.09), that are subject to the jurisdiction of the Bureau of Industry and Security (BIS).

.06 Contractor - A non-federal person or company that enters into a lawful contract to provide a product or services to a department or agency requiring routine business access to federally controlled facilities and/or controlled information systems.

.07 Controlled Unclassified Information (CUI) - Information that requires safeguarding or dissemination controls pursuant to Executive Order 13556 "Controlled Unclassified Information" and applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act of 1954, as amended.

.08 Deemed Export - Any release of technology (see Technology definition below) or source code subject to the Export Administration Regulations to a Foreign National within the United States. Such a release is "deemed" to be an export to the Foreign National's most recent country of citizenship or permanent residency. See 15 C.F.R. 734.13(a)(2). This deemed export rule does not apply to citizens of the United States, persons lawfully admitted for permanent residence in the United States, or to other persons who are protected individuals under the Immigration and Nationality Act (See, 8 U.S.C. 1324b(a)(3)).

.09 Departmental Sponsor - A DOC U.S. citizen employee designated in writing as responsible for the security oversight of all activities associated with a foreign visit and for taking all reasonable steps to comply with this Order and bureau implementing instructions to safeguard classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software from unauthorized physical, visual, and logical access by a Foreign National.

.10 Department Activity - A discussion, work, action, or event concerning any Department program, policy, or project that is not intended for public release. A Department Activity does not include the actions that a foreign entity conducts in its own country pursuant to a memorandum of understanding, or similar agreement with a Department entity.

.11 Escort - A Departmental Sponsor or eligible Department U.S. citizen employee delegated responsibility for a specified period to accompany a Foreign National within a facility to ensure compliance with this Order and bureau implementing instructions intended to safeguard classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software from unauthorized physical, visual, or logical access by a Foreign National.

.12 Facility - An educational institution, manufacturing plant, laboratory, vessel, office building or complex of buildings, or any structure or segregable portion thereof located on a site under the control of the Department or of a contractor operating the facility on behalf of the Department.

.13 Field Servicing Security Office - A field office of the Office of Security, or equivalent (i.e., United States Patent and Trademark Office, Office of Security), that provides security services, support, guidance, and program oversight to Department organizations. A Field Servicing Security Office may provide services and support to a single bureau or may provide services and support to multiple Department organizations in a given geographical area.

.14 Foreign National - Any natural person not a citizen or national of the United States. Foreign National is synonymous with "alien" as defined by 8 U.S.C. 1101(a)(3) for the purpose of determining authorized access to federal facilities and resources under Section 4.01 and "foreign person" as defined in the EAR and the International Traffic in Arms Regulations (22 C.F.R. 120.16) for the purpose of determining whether a release to a Foreign National of technology or source code is authorized.

For the purposes of this Order, Foreign Nationals, and certain Protected Persons including Lawful Permanent Residents, refugees, individuals granted asylum and contractors or vendors, are further defined as non-federal employees who are ineligible for appointment in the competitive or excepted service under 5 C.F.R. 731, 732, and 302 respectively, or ineligible for access to classified national security information under Executive Order 12968, "Access to Classified Information".

.15 Foreign Visit - Any access by a Foreign National to a Department facility, asset or resource authorized in accordance with Section 5 and 6 of this Order.

.16 Lawful Permanent Resident - A non-U.S. citizen living in the United States who is granted the right to permanently reside and work in the United States under the Immigration and Nationality Act (See 8 U.S.C. 1101(a) (20)); previously referred to as a Permanent Resident Alien or "green card holder."

.17 National Security - The national defense and foreign relations of the United States.

.18 Open Access Area - Specific area(s) in a Department facility not designated as "public" where sensitive assets are neither visible nor accessible, and which may be accessed by anyone appropriately granted entry to the facility (e.g., the cafeteria on the campus of a facility, where the facility otherwise requires credentialed access). Open Access Area designations are made by the local Facility Manager with the concurrence of the Field Servicing Security Office.

.19 Resources - An asset or productive factor (e.g., property, labor, capital, expertise, information, time, etc.), made available or required to undertake an enterprise, function or task to achieve a desired outcome. This definition includes materials, money, staff, and other assets necessary for effective operation.

.20 Risk Management - Risk management is the business operating convention for identifying, assessing, and communicating risk to organizational mission success and avoiding, accepting, transferring, or controlling risk to a permissible level, considering the cost/benefit result of any mitigation actions taken.

.21 Senior Bureau Official - A senior bureau technical or administrative official who, in conjunction with Operating Units, reviews Departmental Sponsor requests to validate the technical contribution and benefit to the agency mission of the intended collaboration with a Foreign National Guest. Senior Bureau Official duties may be shared with Designated Officials in the Operating Units. The Senior Bureau Official and Designated Officials with shared responsibilities shall be appointed in writing by the Bureau Head or designee to the Director for Security in accordance with section 7.02 of this Order.

.22 Software - A collection of one or more "programs" or "microprograms" fixed in any tangible medium of expression.

.23 State Sponsors of Terrorism - Countries determined by the U.S. Secretary of State to have repeatedly provided support for acts of international terrorism are designated as state sponsors of terrorism pursuant to Section 1754(c) of the Export Control Reform Act, Section 40 of the Arms Export Control Act, and Section 620A of the Foreign Assistance Act.

.24 Technology - As provided in 15 C.F.R. 772.1, Technology means: Information necessary for the "development", "production," "use," operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in the Export Control Classification Numbers (ECCN) on the Commerce Control List that control "technology") of an item. Controlled "technology" is defined in the General Technology Note and in the Commerce Control List. "Technology" may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media, or any other information that is revealed through visual inspection.

.25 Visa - A permit issued to a Foreign National by the U.S. Department of State documenting that the individual is approved to seek entry into the Unites States under a specific immigrant or

nonimmigrant category evidenced by a stamp in the Foreign National's passport or other official documentation showing the entry into the United States and Visa expiration date (e.g. Form I-94).

Final approval for a Foreign National to enter the United States rests with U.S. Customs and Border Protection (CBP) officials at the port-of-entry.

SECTION 4. REFERENCES.

.01 Homeland Security Presidential Directive-12, "Policy for Common Identification Standard for Federal Employees and Contractors' of August 27, 2004

.02 M-05-24, "Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors' of August 5, 2005.

.03 "Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12" of July 31, 2008

.04 "Credentialing Standards Procedures for Issuing Personal Identity Verification Cards under HSPD-12 and New Requirements for Suspension or Revocation of Eligibility for Personal Identity Verification Credentials' of December 15, 2020

.05 "Guidance on Executive Branch-Wide Requirements for Issuing Personal Identity Verification (PIV) Credentials and Suspension Mechanism" of March 2, 2016

.06 Federal Information Processing Standards Publication 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors" of August 2013

.07 M-19-17, "Enabling Mission Delivery through Improved Identity, Credential and Access Management" of May 21, 2019

.08 National Institute of Standards and Technology Special Publication 800-53r4, "Security and Privacy Controls for Federal Information Systems and Organizations" of January 2015

.09 Federal Information Processing Standards Publication 199, "Standards for Categorization of Federal Information and Information Systems" of February 2004

.10 Department of Commerce Controlled Unclassified Information (CUI) Policy of August 2019

.11 Department of Commerce Information Technology Security Baseline Policy of June 2019

.12 Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774

.13 Departmental Administrative Order 207-1, "Security Programs" of June 18, 2014

.14 Office of Security "Manual of Security Policies and Procedures"

.15 Departmental Administrative Order 219-1, "Public Communications" of April 30, 2008

SECTION 5. CATEGORIES OF VISITS BY FOREIGN NATIONALS.

.01 Categorization. For the purpose of this Order, Foreign Nationals are categorized for reasons of risk management based on the length of their physical access to a Department facility, their total time of engagement in a Department Activity, or their period of logical access to a non-public Department information system. The length of access is delineated by the date of initial arrival and the date of final departure from a Department facility, the date of commencement and the date of cessation of participation in a Department Activity; or the date of commencement and the date of cessation of any logical access to a non-public Department information system. Access may include any one or combination of all three elements, and these elements are additive to one another.

a. Foreign National Visitors are those individuals accessing Department facilities, assets, activities, or resources for fourteen (14) or fewer calendar days in a consecutive twelve-month (12) period.

b. Foreign National Guests are those individuals accessing Department facilities, assets, activities, or resources for fifteen (15) or more calendar days in a consecutive twelve-month (12) period.

.02 Exceptions:

a. Lawful Permanent Residents or Protected Persons for the purposes of categorization as a Foreign National Visitor or Guest in accordance with this Order. This exception does not extend to the other applicable requirements in the authorities referenced under Section 4.01 through Section 4.11 above, for determinations of physical or logical access by Foreign Nationals (non-federal employee) to Department facilities, resources, or activities unless stipulated otherwise by this Order.

b. Foreign Nationals employed by the Department, as defined by 5 U.S.C. 2105, who reside and work at Department facilities outside of the U.S. for the purposes of categorization as a Foreign National Visitor or Guest in accordance with this Order. This exception does not extend to the applicable requirements of the authorities referenced under Section 4.01 through Section 4.08 above, for determinations of physical or logical access by Foreign Nationals (non-federal employee) to Department facilities, resources, or activities unless stipulated otherwise by this Order.

c. Foreign National diplomats and senior government officials at the ambassadorial or vice-ministerial level or above who visit Department officials for the purpose of high-level policy dialogue. The Departmental Sponsor shall coordinate with the Field Servicing Security Office to determine if a Foreign National meets these criteria. Accompanying staff members or advance teams shall be treated as Visitors or Guests consistent with this Order.

d. Foreign Nationals who visit National Oceanic and Atmospheric Administration ships and aircraft as port or airport officials for the execution of entry and departure requirements (e.g., inspection) as required in compliance with international law. Foreign Nationals making such visits in the performance of their official duties are not identified to the ship or aircraft before arrival. As the host country is not required to identify their officials in advance, Foreign Nationals cannot be granted prior approval by the Field Servicing Security Office.

SECTION 6. GENERAL PROVISIONS.

.01 Policy Implementation. The Office of Security, under the authorities granted by Section 4.12, shall supplement this Order through guidance issued under Section 4.13 and other written policy issuances via the Office of Administration, Chief Financial Officer and Assistant Secretary of Administration, as appropriate. Nothing in this Order shall have the effect of, or be construed as, an exception to the responsibilities and authorities of the Director for Security under Section 4.12 or other applicable regulations.

To promote the efficient implementation of this Order, the responsibility to reach determinations of eligibility for access by Foreign Nationals to Department facilities, resources or activities, not otherwise reserved to the bureaus, is delegated by the Director of Security to the Field Servicing Security Office.

.02 Information or Technology/Software/Source Code Release. Department employees and contractors disclosing information in venues where Foreign Nationals are present or have access, shall comply with the requirements of the applicable authorities referenced in Section 4.11 and 4.14 above. In accordance with 15 C.F.R. 734.15(a), of the EAR, technology and source code subject to the EAR may be released to a Foreign National through visual or other inspection that reveals technology or source code subject to the EAR or through oral or written exchange with a Foreign National of technology or source code in the U.S. or abroad. An export of technology or source code is "deemed" to take place when it is released to a Foreign National within the U.S. (deemed export) and a re-export of technology or source code is "deemed" to take place when it is released to a third-country national outside of the U.S. (deemed re-export). Additionally, pursuant to 15 C.F.R. 734.15(b), any act causing the release of technology or software through use of access information (as defined by 15 C.F.R. 772.1) or otherwise, to oneself or another person requires an authorization from the Bureau of Industry and Security to the same extent an authorization would be required to export or re-export such technology or software to that person.

The license requirements for an anticipated release are governed by the specifics of the transaction: the item's classification under the EAR based on its technical specifications, where it is going, (in the case of a release to a Foreign National, a determination of immigration status (most recent country of citizenship or permanent residency), and what it will be used for. Many U.S. commercial exports and re-exports do not require a license, but the analysis of requirements under the EAR must be completed for each specific situation to determine whether the technology or source code at issue is subject to the EAR, and if so, whether its release to a Foreign National requires a license. If the release of technology or source code to a Foreign National that requires a license is anticipated, application must be made to the Bureau of Industry and Security for an export license prior to such release.

.03 Export Controls Considerations. Requests for access to Department facilities, resources or activities made on behalf of Foreign National Guests shall be consistent with the EAR and other U.S. Government authorities. To the extent a release of technology or source code subject to the EAR is contemplated, a determination shall be reached whether such release will require a license from the Bureau of Industry and Security, or other agency. Deemed export and deemed reexport licenses may also be required for such releases in accordance with applicable law. The request for access shall be screened by responsible officials against the Consolidated Screening List which consolidates lists of proscribed persons and entities maintained by the Departments of Commerce, the Treasury and State.

.04 Risk Management. The Department employs risk management as a fundamental precept of FAM program policy governing the protection of facilities, resources, or activities from undue risk of unauthorized access. The application of risk management across the Department enterprise will help protect U.S. national interests, conserve resources, and assist in avoiding or mitigating the effects of emerging or unknown risks.

At the bureau, operating unit, and organizational level, the application of risk management principles will complement strategic and operational planning efforts, policy development, budget formulation, performance evaluation, and reporting processes. Risk management may not preclude adverse events from occurring. However, it enables security initiatives, within a resource constrained environment, to focus on threats expected to bring the greatest harm and employ appropriate countermeasures to mitigate risk to operational mission success.

.05 Foreign National Visitors. Foreign National Visitors shall be registered in accordance with Section 7.06 and be under continuous escort or observation by their designated Departmental Sponsor or delegated escort when accessing Department facilities throughout the duration of the visit. Determinations of Foreign National Visitor status shall be recorded and not exceed a total of fourteen (14) calendar days in a consecutive twelve-month (12) period. If operational and mission needs determine the Foreign National Visitor will exceed the 14 day criteria for categorization, the provisions of 6.06 and categorization of Foreign National Guest in section 5 of this Order become applicable.

.06 Foreign National Guests. Due to visit duration and unique requirements, determinations of physical and logical access to DOC facilities, resources, or activities by Foreign National Guests shall comply with Section 4.01 through Section 4.08 and this Order. The minimum background investigation requirement for Foreign National Guests accessing Department facilities, resources, or activities shall consist of a Special Agreement Check (OFI Form 86C) by the Defense Counterintelligence and Security Agency (DCSA), FBI fingerprint criminal history check, FBI Investigations File (Terrorist Screening Database) name check, and a United States Citizenship and Immigration Services systematic alien verification program check. The minimum background investigation requirement for Foreign National Guests accessing Department facilities, resources, or activities with a minimum of three (3) years residency in the United States within a five-year (5) period is a Tier 1, Questionnaire for Non-Sensitive Position (Standard Form 85) investigation by the serving Federal agency such as the DCSA. The type of background investigation for Foreign National Guests accessing DOC facilities, resources, or activities outside the United States may vary based on standing reciprocity treaties concerning identity and information exchange that exist between the United States and its allies or agency agreements with host nations.

Determinations of logical access to Department information resources by Foreign National Guests are reserved to the bureaus and shall be made under circumstances determined to yield tangible benefit to the mission success of the bureau and in the best interest of the Department in accordance with Section 4.05 through Section 4.08.

.07 Foreign Nationals from State Sponsors of Terrorism. Risk-based determinations of physical access to Department facilities by Foreign National Visitors who are citizens or nationals of State Sponsors of Terrorism are permitted at the discretion of the Field Servicing Security Office during regular business hours when the visit is confined to designated open access spaces or when associated with organized events predetermined to be open to the public.

a. Approved Foreign National Visitors who are citizens or nationals of State Sponsors of Terrorism shall be recorded in accordance with Section 7.06 and be under continuous escort or observation by their designated Departmental Sponsor or delegated escort throughout the duration of the visit.

b. Requests for access to Department facilities by Foreign National Guests with citizenship or nationality from State Sponsors of Terrorism are not authorized unless the Foreign National Guest has been lawfully admitted into the United States under a valid visa, or for permanent residence, and successfully processed under the provisions of Section 6.06, (See Section 7.08 regarding appeal of "Denial or Revocation of Access").

.08 Credential Issuance. Issuance of personal identity verification credentials or facility access control badges to Foreign Nationals to enable access to Department facilities, resources, or activities shall be based upon a favorable adjudication of all regulatory, investigative, and risk management standards enumerated by the authorities referenced in Section 4.01 through Section 4.06 of this Order.

a. Compliance with these standards is intended to ensure that Federal Personal Identity Verification (PIV) credential issuance to an individual does not create undue risk, when the individual is ineligible for appointment in the competitive or excepted service under 5 C.F.R. Parts 731, 732, and 302 respectively, or ineligible for access to classified national security information under Executive Order 12968, such as Foreign National Guests (see Section 5.01b above). The Personal Identity Verification-Interoperable (PIV-I) credential is the alternative credential standard for issuance to Foreign National Guests granted physical or logical access to Department facilities, resources or activities for greater than 179 cumulative days. The PIV-I credential shall not be issued to Foreign National Guests prior to satisfactory completion and favorable adjudication of the required background investigation. When a Foreign National Guest (non-federal employee) occupies a position which is certified by position risk designation with equivalent suitability or fitness for federal employment, and satisfies the minimum U.S. residency and background investigative requirements of Section 6.06 above, bureaus may emulate the pre-appointment process for Federal employees to issue an interim PIV-I credential in support of mission needs pending completion and final adjudication of the required background investigation.

b. Implementation of risk-based procedures consistent with Section 4.13 and this Order for the issuance of temporary facility access control badges to Foreign Nationals not meeting the physical or logical access requirements for PIV-I credential issuance is reserved to the bureaus. Foreign Nationals accessing Department facilities, resources or activities outside the contiguous United States, may, under unique circumstances, be issued an alternative credential at the discretion of the senior United States agency official with jurisdiction over the facility.

.09 Awareness Training. The Office of Security may provide training and other services (e.g., Departmental Sponsor/Escort and Defensive Foreign Travel) as appropriate to communicate FAM and supporting program awareness training standards for use across the Department. Upon request, the Field Servicing Security Office can provide tailored FAM or specified threat awareness briefings to senior officials or select audiences.

SECTION 7. BUREAU, OPERATING UNIT, AND ORGANIZATION RESPONSIBILITIES.

.01 FAM Program Implementation. Consistent with this Order, bureau implemented FAM program procedures shall supportoperational mission objectives andrisk-based determinations by the Office of Security for physical and logical access by Foreign National Visitors and Guests to Department facilities, resources and activities. Risk Management (See Section 6.04) entails analysis of information gathered from applicable forms and bureau specific factors in accordance with Section 4 references, including results of major considerations listed in Section 7.05 and input from the Field Servicing Security Office to reach informed risk-based determinations. Moreover, Bureau implementing instructions must not diminish the requirements of this Order. Requests for waivers or exemptions to specific aspects of this Order shall be submitted in writing by the Bureau Head to the Director for Security, Office of Security, for approval.

.02 Senior Bureau Official or Designated Official. Bureaus shall formally designate in writing a senior technical or administrative official, and alternate(s). Copies of the Senior Bureau Official or Designated Official designations shall be provided to the Office of Security when effective and/or upon request.

The Senior Bureau Official or Designated Official, in conjunction with the bureau's operating units, reviews requests for access submitted by Departmental Sponsors to ensure these requests include a complete description of the proposed collaboration requiring Foreign National Guest access to Departmental facilities, staff and information. The Senior Bureau Official or Designated Official must consider whether the sponsoring office has documented that the value gained from the proposed collaborative effort is compatible with the need to protect classified, CUI, proprietary, not for-public release data, information, technology, source code or software, and when appropriate, shall endorse the request as demonstrating that the proposed access provides a tangible benefit to the mission success of the bureau and is in the best interest of the Department.

.03 Open Access Spaces. Field Servicing Security Offices and Facility Managers shall coordinate to designate open access spaces and locations that do not require Foreign National Visitors or Guests to pass through an internal facility access control point, and in which unescorted access will not enable unauthorized access to classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software. All designations of open access spaces and locations shall be documented in writing, formally promulgated, maintained for review, and reinforced by inclusion in annual awareness training.

.04 Departmental Sponsor Responsibilities. The Departmental Sponsor is accountable for the security oversight of assigned Foreign National Visitors and Guests. The Office of Security Espionage Indicators/Departmental Sponsor Training must be successfully completed, and annually thereafter, to qualify and maintain eligibility to act as a Departmental Sponsor. A completion certificate shall be forwarded to the Field Servicing Security Office prior to submission of any visit requests. Departmental Sponsors may sponsor no more than five (5) Guests. Requests to exceed this number shall be approved through the Departmental Sponsor's supervisor and Field Servicing Security Office. The Departmental Sponsor is responsible for taking all reasonable steps within their span of control to ensure that the conduct of, and activities for, their Foreign National Visitor or Guest are appropriate for the Federal workplace and comply with this Order. "Span of control" is generally understood to be the optimal number of personnel that a manager can oversee at any time before productivity and effectiveness are negatively affected.

a. The Departmental Sponsor shall complete the DOC Foreign National Request Form A, or equivalent automated business application, for all Foreign National Visitors. The Department Sponsor shall complete the DOC Foreign National Request Form A and B , or equivalent automated business application, for all Foreign National Guests. For Foreign National Guests, the Departmental Sponsor shall complete a Certification of Conditions and Responsibilities for the Departmental Sponsor of Foreign National Guests (Attachment 1) and obtain Supervisor and Senior Bureau Official or Designated Official endorsement prior to forwarding the certification to the Field Servicing Security Office for action and record retention. Field Servicing Security Offices may deny access to a Foreign National if the Departmental Sponsor fails to provide complete and accurate information in advance of a visit.

b. The Departmental Sponsor shall also:

• 1) Comply with all requirements for access approval and conduct, including providing timely, complete, and accurate information regarding the visit to the Field Servicing Security Office.

  2) Ensure that all Foreign National Guests meet with the Field Servicing Security Office to complete the Certification of Conditions and Responsibilities for a Foreign National Guest (Attachment 2) within three days of arrival if the Field Servicing Security Office is co-located. If the Field Servicing Security Office is not co-located, the sponsor shall brief the Foreign National Guest on the contents of the document, and ensure the certification is signed, dated, and forwarded to the Field Servicing Security Office within three days of arrival.

  3) Take all reasonable steps to ensure a Foreign National Visitor or Guest is given access only to information necessary for the successful completion of the defined visit.

  4) Prior to the arrival of a Foreign National Guest, ensure all personnel assigned within the applicable program or workspace, are informed of the Guest's role, duration of visit, scope of authorized physical and logical access, and procedures for reporting unauthorized or questionable activity.

  5) Take all reasonable steps to prevent physical, visual, and logical access to classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software by a Foreign National Visitor or Guest. Exceptions may occur when written disclosure authorization is obtained from the information owner or originator permitting access to controlled information, or when necessary, a license is issued to the sponsoring bureau by the Bureau of Industry and Security in accordance with the EAR for releases to Foreign Nationals of technology or source code that is subject to the EAR, or by other U.S. Government agencies with appropriate jurisdiction.

  6) Take all reasonable steps to ensure that a Foreign National Visitor or Guest does not engage in unauthorized use of personal communication, photographic, recording, or other electronic devices in those areas of Departmental facilities where classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software is present, and generally ensure that such electronic devices are not used without explicit authorization. (See Section 7.11).

  7) Immediately report suspicious activities or anomalies involving Foreign National Visitors or Guests to the Field Servicing Security Office.

  8) Promptly notify the Field Servicing Security Office if there is a change to the arrival or departure date of a Foreign National Visitor or Guest.

  9) Prior to the departure of a Foreign National Guest, ensure any personal identity verification credentials, facility access control badges, keys, tokens, permits, government furnished equipment, etc., issued or loaned to the Guest for use in the conduct of official business are returned for accountability or final disposition in accordance with bureau out-processing or check-out policy and procedures.

.05 Field Servicing Security Office. The Field Servicing Security Office is immediately responsible to the Office of Security for the delivery of effective security services, guidance, and oversight consistent with this Order in direct support of their servicing bureau or operating unit. The Field Servicing Security Office shall apply a risk-based methodology to approve routine Foreign National Visitor and Guest access requests. Major considerations include:

a. The Foreign National's country of citizenship, dual citizenship, any lawful permanent residence, and birth.

b. The accuracy and timeliness of the visit request as well as the sufficiency of the Departmental Sponsor input and Senior Bureau Official /Designated Official endorsement of proposed Foreign National Guest physical and logical access to DOC facilities, resources or activities.

c. Identified risk associated with the proposed physical and logical access by the Foreign National to DOC facilities, resources, or activities.

d. The necessity for written disclosure authorization or export license for information, technology, or software to which the Foreign National may have physical, visual, or logical access.

e. The Departmental Sponsor's span of control and record of compliance with this Order.

f. The security status of the DOC facility as indicated by existing physical and logical access controls established in compliance with DOC and Federal regulations and standards.

g. The proposed arrival and visit duration.

The Field Servicing Security Office shall provide, consistent with Section 6.09, recurring FAM program training tailored to servicing bureau or operating mission needs to inform personnel on matters of Foreign National access and related security issues. The Field Servicing Security Office may conduct, consistent with Section 7.13, announced and unannounced on-site reviews of servicing bureau or operating unit FAM program implementation.

.06 Information and Submission Requirements by Category of Foreign National. The following chart establishes the minimum data collection requirements for submission of Foreign National Visitor and Guest access requests to the Field Servicing Security Office consistent with this Order, the DOC Foreign National Request Form A and B, 27 Stat. 395 and 31 Stat. 1039 (which relate to the Research Associate Program at the National Institute of Standards and Technology); and all existing applicable Department policies, regulations, and directives regarding the tracking and security processing of Foreign National Visitors and Guests for access to Department facilities, resources or activities.

Category	Visitor 14 or fewer calendar days	Guest 15 or more calendar days
Advanced Notice Required	As soon as the information is received but no later than one full business day prior to the visit	30 calendar days prior to access
Information Required (same for both categories)	Visitor Registration: Full name Gender Date and place of birth Passport number Visa (Form I-94) number (if available) Issuing country of citizenship Country(ies) of dual citizenship (if any) Country of current residence (if different from issuing country) Foreign sponsoring organization/entity Sponsoring bureau Purpose of visit (or renewal) Facility name and location Arrival date Departure date Departmental Sponsor and Alternate contact information: Name, Telephone number, and Email address	Special Agreement Check (OFI-86C) or Tier 1 Investigation (SF85) Full name Gender Date and place of birth Passport number Visa (Form I-94) number (if available) Issuing country of citizenship Country(ies) of dual citizenship (if any) Country of current residence (if different from issuing country) Foreign sponsoring organization/entity Dates of U.S. residency (last 5 years) Sponsoring bureau Purpose of visit (or renewal) Facility name and location Arrival date Departure date Departmental Sponsor and Alternate contact information: Name, Telephone number, and Email address

.07 Approvals. Upon satisfactory completion of all investigation requirements, the Field Servicing Security Office shall conclude a risk-based adjudication of Foreign National Visitor and Guest access requests consistent with this Order and provide timely notification of the result to the requesting Departmental Sponsor. Background reinvestigations of Foreign National Guests for the purposes of PIV-I credential renewal shall be at the discretion of the Office of Security. Department Sponsors requesting agreement renewals for Foreign National Guests shall submit the renewal request in accordance with the requirements identified in Section 7.06 to the Field Servicing Security Office prior to the expiration of the current agreement or approval.

.08 Denial or Revocation of Access. The Field Servicing Security Office may withhold final approval of a Foreign National visit if the request fails to satisfy the requirements of Section 7.06. The Field Servicing Security Office may withdraw a favorable adjudication for justified cause, violation, or recurring noncompliance with this Order. The Field Servicing Security Office shall review alleged violations of this Order to determine if corrective action is necessary or whether other administrative or disciplinary action may be warranted under the provisions of DAO 202-751, "Discipline." In the event of denial of access, the Senior Bureau Official or Designated Official may appeal, on behalf of the Bureau, to the Director for Security who will determine whether the benefits of a proposed visit justify the risk.

.09 Escort Requirements. Departmental Sponsors may, consistent with this Order, delegate escort authority for a defined period to an eligible Department U.S. citizen employee. To be eligible, and document understanding and acceptance of escort responsibilities, escorts must complete the Office of Security Departmental Sponsor Training and submit the certificate of completion to the Field Servicing Security Office. During regular business hours, and at Field Servicing Security Office discretion, Foreign National Visitors may be permitted unescorted access when the visit is confined to designated open access spaces or when associated with events predetermined to be open to the public (Section 6.07 applies when escorting citizens or nationals of State Sponsors of Terrorism). Unescorted access must not enable unauthorized access to classified, CUI,proprietary, or not-for-public release data, information, technology, source code or software.

Foreign National Guests shall be under continuous escort or observation when accessing Department facilities. During regular business hours, and when issued personal identity verification credentials in accordance with Section 6.08, Foreign National Guests may be permitted unescorted access within assigned work and designated open access spaces. Unescorted access by Foreign National Guests beyond their assigned work and designated open access spaces is only permitted upon approval of Limited Unescorted Access.

.10 Limited Unescorted Access. To be eligible for Limited Unescorted Access, Foreign National Guests must have been already endorsed by the Senior Bureau Official or Designated Official. Upon Department Sponsor request for limited unescorted access, Foreign National Guests issued personal identity verification credentials may be granted Limited Unescorted Access to specified areas of a Department facility following a favorable risk-based determination by the Field Servicing Security Office and approval of the Senior Bureau Official or Designated Official.

A request for Limited Unescorted Access shall:

a. Define the applicable program or project scope and objectives.

b. Identify assigned and contiguous workspaces of a facility, and periods of access by the Foreign National Guest necessary to accomplish program or project objectives.

c. Include a statement by the Departmental Sponsor that 1) the proposed access has been weighed against the risk of the Foreign National Guest's physical, visual, or logical access to classified, CUI, proprietary, not-for-public release data, information, technology, source code or software and 2) that such access would provide a tangible benefit to bureau mission success and would be in the best interest of the Department, and 3) any required disclosure or licensing authorizations from the U.S. Government are obtained prior to such access.

Unrestricted access to Department facilities by Foreign National Guests is not authorized. Escort is required outside any parameters exceeding a Limited Unescorted Access authorization or this Order.

.11 Use of Electronic Devices. Foreign Nationals may not use communication, photographic, recording, or other electronic devices in areas of Department facilities where classified, CUI, proprietary, or not-for-public release data, information, technology, source code or software is present without the explicit authorization obtained on their behalf by their Departmental Sponsor and the Field Servicing Security Office in accordance with Federal law and Department policy. The Departmental Sponsor and the Field Servicing Security Office shall process requests for prior approval of Foreign National use of electronic devices and any information obtained thereof from pertinent offices and/or officials, which may include but is not limited to other agencies, operating units, building management, information, privacy, public affairs, legal, and security offices. These devices include, but are not limited to, cell phones, still or video cameras, laptops, pagers, smart phones/watches, tablets, activity monitors, flash drives, etc. Additionally, upon approval, Departmental Sponsors must take all reasonable steps to ensure that adequate measures are in place to protect against collection of said data, information, or technology before authorizing use of such devices. If adequate measures are not in place to do so, Departmental Sponsors must ensure that Foreign Nationals turn-off all such devices upon entry to an area where said data, information, equipment, technology, or software is present. Departmental Sponsors must remain aware of all use of such devices throughout the duration of a visit. Guidance concerning adequate protective measures may be obtained from the Field Servicing Security Office.

.12 Export Licenses. Approval of Foreign National Visitor or Guest access under this Order does not substitute for a license issued by the Bureau of Industry and Security in accordance with the EAR for any released of technology or source code subject to the EAR, or other U.S. Government agency with appropriate jurisdiction.

.13 On-site Reviews. The Office of Security shall conduct announced and unannounced on-site reviews and inspections to ensure compliance with this Order.

.14 Debriefing. The Office of Security may conduct, consistent with its authorities under DAO 207-1, "Security Programs," a debriefing of the Departmental Sponsor or other employees of the Department, before, or upon the departure of, select Foreign National Visitors or Guests.

.15 Violations. Violations of any provision contained within this Order shall be reported to the Field Servicing Security Office immediately, followed by a preliminary report within seven business days of the incident or discovery of the violation. Violation reports must contain the following information:

a. Name of the individual(s) involved

b. Date(s) of the violation

c. Identity of the facility/platform, workspace, information or equipment accessed, (include location address and facility/platform number)

d. Summary of the violation

e. Name of individual(s) filing the report

f. Description of on-site corrections made and/or actions taken to mitigate security weakness or vulnerability pending final resolution of report findings.

• 1) Failure to submit a timely violation report may, at the discretion of the Field Servicing Security Office, result in the suspension of access for the individual(s) involved pending receipt of the report.

  2) Visit renewals, agreement extensions, or personal identity verification credential reissuance shall not be processed for Foreign Nationals cited for any violation of this Order until all report findings are favorably resolved by the Field Servicing Security Office. The Field Servicing Security Office will provide their determination to the Department Sponsor within seven days of receipt of the violation report.

  3) Departmental Sponsors demonstrating negligence of their responsibilities or who violate the

  provisions of this Order shall have their authorization suspended until successful completion of remedial training and all report findings are favorably resolved by the Field Servicing Security Office.

  4) Interim or conditional access approval for individuals cited for any violation of this Order shall not be granted until all violation report findings are favorably adjudicated by the Field Servicing Security Office.

  5) Failure to comply with the requirements of the EAR must be reported to the Bureau of Industry and Security in accordance with 15 C.F.R. 764.4 or 15 C.F.R. 764.5 of the EAR. Failure to obtain any required deemed export or reexport licenses may constitute violations of 15 C.F.R. 764.2 of the EAR.

The Office of Security shall maintain a database accessible by Field Servicing Security Offices which provides a means of capturing and securely storing identifying data for all Foreign National Visitors and Guests to which this Order applies in accordance with applicable Government-wide and Department Privacy Act systems of records.

SECTION 8. RECORDS.

The Office of Security shall maintain a database accessible by Field Servicing Security Offices which provides a means of capturing and securely storing identifying data for all Foreign National Visitors and Guests to which this Order applies in accordance with applicable Government-wide and Department Privacy Act systems of records.

SECTION 9. EFFECT ON OTHER ORDERS.

This Order supersedes Department Administrative Order 207-12, dated April 12, 2006.

Signed by: Director for Security

Approved by: Acting Chief Financial Officer and Assistant Secretary for Administration

Attachments:

Attachment 1 - Certification of Conditions and Responsibilities for Departmental Sponsors of Foreign National Guests

Attachment 2 - Certification of Conditions and Responsibilities for a Foreign National Guest