U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  1. Home
  2. Osy
  3. Information Security

Industrial Security Program

Industrial Security

The Office of Security’s (OSY) Industrial Security Program (ISP) supports Department operating units, bureaus, and offices throughout the program and acquisition life cycle when an acquisition effort involves access to Classified National Security Information (CNSI). ISP collaborates with program and contracting personnel to frame the requirements, restrictions, and other safeguards to protect CNSI in accordance with Executive Order 12829, “National Industrial Security Program.” The ISP office’s mission is to mitigate threats against our cleared industry components by providing guidance, assistance, and training regarding all preparations, documentation, and safeguards required in the acquisition of a classified contract; this begins with the proper execution of the required DD Form 254 Contract Security Classification Specification (DD 254), as required by 32 CFR Part 117 - National Industrial Security Program Operating Manual.

The DD 254, a draft of which is required to accompany all solicitations, outlines security requirements and classification guidance to contractors that have been or may be awarded a classified contract by a Government Contracting Activity (GCA), as referenced in the Commerce Acquisitions Manual (CAM) CAM 1337.70 Personnel Security Requirements. The DD 254 applies to all contracts involving access to CNSI by all U.S. contractors and must be executed prior to the commencement of any work on a classified contract. The DD 254 applies to all contracts involving access to CNSI by all U.S. contractors and must be executed prior to the commencement of any work on a classified contract. Please see the Industrial Security Process Chart and the CAM 1337.70 Personnel Security Requirements for your reference.

IMBED VIDEO

Prior to a contract solicitation, one of the following OSY Divisions must be contacted:

  1. Unclassified contracts: Cognizant bureau's Personnel Security Office (PERSEC) must be consulted.
  2. Classified contract: ISP, [email protected], must be consulted.
    • Classified contracts must meet the following criteria:
      • Contractors will require access to CNSI.
      • Work to be performed must fall within one of the eight categories covered in EO 13526, CNSI, Sec. 1.4. Classification Categories.

The ISP has purview over all classified contracts awarded within the Department as outlined within the Performance Work Statement (PWS), Statement of Work (SOW), or other requirements documents for that specific contract. Requirements documents must clearly state in a justification statement how and why the contractor will require continuous access to CNSI, at what level (Confidential, Secret, Top Secret), to what extent (meetings, direct access to classified material, or access to classified systems), and which task is associated with access to CNSI. Such requirements include general policies and procedures; reporting; Facility Clearance Levels (FCLs); Personnel Clearance Levels (PCLs); addressing Foreign Ownership, Control, or Influence (FOCI) issues; and subcontracting.

Roles and Responsibilities for Security Requirements

Industrial Security Program (ISP): Only members of the ISP may be designated as a Government Reviewer in National Industrial Security Program (NISP) Contract Classification System (NCCS). To ensure the proper election of a Government Reviewer, contact [email protected].

Contracting Officer (CO): The CO must have the role of Government Contracting Officer within NCCS. This role may not be delegated. The CO is the final authority to release a DD 254 to industry, permitting access to CNSI in the performance of a contract. A CO may delegate the role of Government Certifying Official to a COR.

Contracting Officer’s Representative (COR): The COR is appointed by the Contracting Officer (CO) for a specific contract. The COR monitors the performance of the contract, ensuring all necessary requirements are being met for the CO as stipulated in the PWS, SOW, or other requirements document. CORs assure the contractor establishes and maintains an FCL and PCLs when access to CNSI is required. CORs communicate the security requirements during the procurement process and contract performance to the company and the ISP. 

CORs are also responsible for submitting the appropriate documents once the contract has been determined to require access to CNSI in the performance of the contract. The COR ensures the scope of work has been clearly stated within the requirements document outlining the required access to CNSI. Include the access level (Confidential, Secret, Top-Secret, or Sensitive Compartmented Information [SCI]) and to what extent (meetings, direct access to classified material, or access to classified systems) access is required. 

CORs require access to NCCS as a Government Originator and, if nominated as the certifying official, the Government Certifying Official role to submit the below:

The COR submits to the ISP the following through NCCS during pre-solicitation, revision, or modification: 

  1. DD-254 originated and submitted through the NCCS to the ISP for review through NCCS.
    1. How to request access to NCCS
      1. Once the Defense Counterintelligence and Security Agency (DCSA) has granted system access, the Government Account Manager will verify roles within NCCS.
    2. Access is managed through the Government Account Manager within each bureau, as nominated by the Senior Bureau Procurement Official.
    3. NCCS Training Materials
  2. Requirements Document (PWS, SOW, etc.) attached within NCCS.
  3. Award document (SF-1449, SF-30, or OF-347) attached within NCCS.

Once the DD 254 is reviewed by the ISP, the DD 254 is routed to the certifying official and then to the CO for release to industry, at which time access may be granted to CNSI, as outlined within the requirements document and DD 254 for a specific classified contract. Classified work may not be performed unless an ISP-executed DD 254 has been received by the COR.

The ISP or GCA does not execute DD 254s for subcontractors as that is the responsibility of the primary contractor awarding the sub-contract. All DD 254s for sub-contracting must be submitted through NCCS.

Roles within NCCS:

  1. Government Account Manager (GAM): GAMs will be appointed by each Senior Bureau Procurement Official to approve and manage NCCS roles within their bureau once NCCS access has been granted.
     
  2. Originators: This role initiates the DD 254 through NCCS, to include assigning the reviewing authority (ISP only) and certifying official. CORs and Assistant Contracting Officer Representatives (ACORs) will typically be responsible for initiating all DD 254s as Originators. Each GAM will appoint and manage all Originators for their bureau.
     
  3. Certifiers: COs and CORs will typically be responsible for certifying all DD 254s once the security requirements for the applicable contract have been reviewed and signed an ISP Reviewer. Each GAM will appoint and manage all Certifiers for their bureau.
     
  4. Reviewers: Only Industrial Security Specialists within the ISP of the Office of Security’s Information Security Division may be assigned or sign a DD 254 as reviewer.      

Many resources are available on the DCSA NCCS website and the Department Industrial Security Commerce Connection website. For a PowerPoint with instructions for general account requestors please review “How to Access NCCS.”

Facility Clearance 

Classified contracts may only be awarded to companies with an active FCL. FCL status is confirmed by the DCSA, which processes, issues, and monitors the continued eligibility of entities for an FCL. A contractor company’s FCL must be equal to or higher than that of the requirements of the classified contract to be awarded. The contractor company is responsible for acquiring and maintaining an active FCL and for acquiring and maintaining PCLs for all personnel that will access CNSI as part of a classified contract. If a contractor company does not have an active FCL at the proper level, they may apply to obtain one by following the process outlined on the DCSA Facility Clearance website.

The ISP confirms the FCL status of the candidate company during the pre-solicitation phase of acquisition for the primary or sub-contractors prior to awarding the project. FCL confirmation begins with reviewing the candidate company’s Commercial and Government Entity (CAGE) Code. A CAGE Code is assigned by the Defense Logistics Agency. If a contracting company does not have a CAGE code, they may apply to obtain one by following the process outlined on the System for Awards Management (SAM) website.

Herbert C. Hoover Building

Classified Contractor In/Out-Processing Procedures

In-processing for Unescorted Access to Facilities or Networks

Classified Contractors cannot be processed to perform work on any classified contract until the COR receives an ISP-executed DD 254. Contractors and CORs, within NOAA, NIST, and Census, that require a badge (PIV or CAC), please follow the standard operating procedures at the badging offices within those bureaus.

After contract has been awarded:

  1. The COR completes and submits the Contractor Sponsorship Form to [email protected].
  2. The COR submits a Visitor Access Request (VAR) for each contractor initially and annually thereafter.
    1. VAR Template (must be on company letterhead)
      1. VARs contain Personally Identifiable Information and, as such, shall be protected when sent via email. (How to Protect Personally Identifiable Information)
      2. Include the initial and annual CNSI training completion certificate via https://connection.commerce.gov/sites/default/files/nsitraining/story.html or, if they do not have connectivity to the DOC network, contact the ISP at [email protected].
      3. Include the properly executed Classified Information Nondisclosure Agreement SF-312 with only the last four digits of the subject's social security number listed (a witness is required only if a digital PIV or CAC cert is not used).
  3. If the prime contractor awards an additional subcontract to a subcontractor not listed on the original signed DD 254, the COR is responsible for initiating a revised DD 254 through the ISP prior to the new subcontractor being granted access to CNSI. Prime contractors are responsible for submitting all executed subcontractor DD 254s to ISP and DCSA.

If SCI access is required, an SCI access request memo must be sent by the COR to [email protected] after the collateral clearance is granted. An active Top-Secret PCL is required for SCI eligibility. The Department Special Security Office (DSSO) will conduct an indoctrination brief once SCI access is approved. SCI debriefing will be required prior to personnel departure from the contract.

Out-processing:

Complete the HCHB Contractor Out-Processing form and follow the procedures for all out-processing contractors.

  • Notify the ISP, [email protected], of the classified contractor's departure date.
  • For classified contractors with SCI access, schedule an SCI debriefing, [email protected]
  • Submit the completed form to return to the Security Service Center, HCHB room 1522 or [email protected], and all badges with other government-issued keys and/or access cards. 

For questions regarding classified contracts or the ISP, please contact: [email protected].

 

  1. Archives
  2. Agency Financial Report
  3. Comment policy
  4. Digital strategy
  5. Information quality
  6. No Fear Act
  7. Inspector General
  8. Plain language
  9. Privacy policy
  10. Payment Integrity
  11. Section 508 Accessibility Statement
  12. USA.gov
  13. Vote.gov
  14. Vulnerability Disclosure Policy
  15. Whistleblower Protection
  16. WhiteHouse.gov