U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  1. Home
  2. Osy
  3. Information Security

Was this page helpful?

Industrial Security

Industrial Security

The Office of Security’s (OSY) Industrial Security Program (ISP) supports Department operating units, bureaus, and offices throughout the program and acquisition life cycle when an acquisition effort involves access to Classified National Security Information (CNSI) or additional access such as Sensitive Compartmented Information (SCI). ISP collaborates with program and contracting personnel to frame the requirements, restrictions, and other safeguards to protect CNSI or SCI in accordance with Executive Order 12829, “National Industrial Security Program” The ISP office’s mission is to mitigate threats again our cleared industry components by providing guidance, assistance, and training regarding all preparations, documentation, and safeguards required in the acquisition of a classified contract; This begins with the proper execution of the required DD Form 254 Contract Security Classification Specification (DD 254) as documented by 32 CFR Part 117 - National Industrial Security Program Operating Manual.

The DD 254, a draft of which is required to accompany all solicitations, outlines security requirements and classification guidance to contractors that have been awarded a classified contract by a Government Contracting Activity (GCA) as referenced in the Commerce Acquisitions Manual (CAM). The DD 254 applies to all contracts involving access to CNSI or SCI by all U.S. contractors and must be executed prior to the commencement of any work on a classified contract. The DD 254 applies to all contracts involving access to CNSI or SCI by all U.S. contractors and must be executed prior to the commencement of any work on a classified contract. Please see the Industrial Security Process Chart for your reference.

IMBED VIDEO

Prior to a contract solicitation, one of the following OSY Divisions must be contacted:

  1. Unclassified contracts: Cognizant bureau's  Personnel Security Office (PERSEC) must be consulted.
  2. Classified contract: ISP OSY_IndustrialSecurity@doc.gov must be consulted.
    • Classified contracts must meet the following criteria:
      • Contractors will require access to CNSI or SCI.
      • Work to be performed must fall within one of the eight categories covered in EO 13526, CNSI, Sec. 1.4. Classification Categories.

The ISP only has purview over classified contracts awarded by the Department of Commerce or outlying bureaus as outlined within the Performance Work Statement (PWS), Statement of Work (SOW), or other requirements documents for that specific contract. Requirements documents must clearly state in a justification statement how and why the contractor will require continuous access to CNSI, at what level (Confidential, Secret, Top Secret), to what extent (meetings, direct access to classified material, or access to classified systems) and which task is associated with access to CNSI. Such requirements include general policies and procedures; reporting; Facility Clearance Levels (FCLs); Personnel Clearance Levels (PCLs); addressing Foreign Ownership, Control, or Influence (FOCI) issues; security training and briefings; classification; marking requirements; safeguarding of CNSI; visits and meetings; subcontracting; and Information System (IS) security. Special requirements must also be addressed to include nuclear-related information, Critical Nuclear Weapon Design Information (CNWDI), intelligence information, Communications Security (COMSEC), North Atlantic Treaty Organization (NATO), and international security requirements.

Facility Clearance 

Classified contracts may only be awarded to companies with an active FCL. FCL status is confirmed by the Defense Counterintelligence and Security Agency (DCSA), which processes, issues, and monitors the continued eligibility of entities for an FCL. A contractor company’s FCL must be equal to or higher than that of the classified contract to be awarded. The contractor company is responsible for acquiring and maintaining an active FCL and for acquiring and maintaining PCLs for all personnel that will access CNSI or SCI as part of a classified contract. If a contractor company does not have an active FCL at the proper level, they may apply to obtain one by following the process outlined on the DCSA Facility Clearance website.

The ISP confirms the FCL status of the candidate company during the pre-solicitation phase of acquisition for the primary or sub-contractors prior to awarding the project. FCL confirmation begins with reviewing the candidate company’s Commercial and Government Entity (CAGE) Code. A CAGE Code is assigned by the Defense Logistics Agency. If a contracting company does not have a CAGE code, they may apply to obtain one by following the process outlined on the System for Awards Management (SAM) website CAGE Codes.

Roles and Responsibilities for Security Requirements

Contracting Officer’s Representative (COR): The COR is appointed by the Contracting Officer (CO) for a specific contract. The COR monitors performance of the contract, ensuring all necessary requirements are being met for the CO as stipulated in the PWS, SOW, or other requirements documents. CORs assure the contractor establishes and maintains an FCL and PCLs when access to CNSI is required. CORs communicate the security requirements during the procurement process and contract performance to the company and the ISP. 

CORs are also responsible for submitting the appropriate documents once the contract has been determined to require access to CNSI in the performance of the contract. The COR ensures the scope of work has been clearly stated within the requirements document outlining the required access to CNSI. Include the access level (Confidential, Secret, Top-Secret, or SCI) and to what extent (meetings, direct access to classified material, or access to classified systems) access is required. 

The COR submits to the ISP the following during pre-solicitation:

  1. OSY Industrial Security Intake Form to OSY_IndustrialSecurity@doc.gov for processing
  2. Draft DD 254 (with assistance from the ISP)
  3. Requirements Document (PWS, SOW, etc.)
  4. Award document (SF-1449, SF-30 or OF-347)

Once the DD 254 is reviewed and approved by the ISP, access will be granted to CNSI or SCI outlined within the requirements document for a specific classified contract. Classified work may not be performed unless an ISP executed DD 254 has been received by the COR.

The ISP or GCA does not execute DD 254s for subcontractors as that is the responsibility of the primary contractor awarding the sub-contract.

Classified Contractor In/Out-Processing Procedures

Herbert C. Hoover Building

In-processing for Unescorted Access to Facilities or Networks:

Personnel Clearance 

In-Processing for Herbert C. Hoover Building

Classified Contractors cannot be processed to perform work on any classified contract until the COR receives an ISP executed DD 254. Contractors and CORs, within NOAA, NIST, and Census, that require a badge, please follow the standard operating procedures at the badging offices within those bureaus.

After contract has been awarded:

  1.  COR completes and submits Contractor Sponsorship Form to OSY_IndustrialSecurity@doc.gov.
  1. The COR submits a Visitor Access Request (VAR) for each contractor initially and annually thereafter.
    1. VAR Template (must be on company letterhead)
      1. VARs contain Personally Identifiable Information and as such shall be protected went sent via email. (How to Protect Personally Identifiable Information)
      2. Include initial and annual CNSI training completion certificate via https://connection.commerce.gov/sites/default/files/nsitraining/story.html or if they do not have connectivity to the DOC network, contact the ISP at OSY_IndustrialSecurity@doc.gov.
      3. Include properly signed Classified Information Nondisclosure Agreement SF-312 (witness required only if a digital PIV or CAC cert is not used).
  2. If the prime contractor awards an additional subcontract to a subcontractor not listed on the original signed DD 254, the COR is responsible for initiating a revised DD 254  through the ISP prior to the new subcontractor being granted access to CNSI.. Prime contractors are responsible to submitting all executed subcontractor DD 254s to ISP and DCSA.

If SCI access is required, an SCI Access request memo must be sent by the COR to SCIRequests@doc.gov after the collateral clearance is granted. An active Top Secret PCL is required for SCI eligibility. The Department  Special Security Office (DSSO) will conduct an indoctrination brief once SCI access is approved. SCI debriefing will be required prior to personnel departure from the contract.

Out-processing:

Complete the HCHB Contractor Out-Processing form and follow the procedures for all out-processing contractors.

  • Notify the ISP, osy_industrialsecurity@doc.gov, of the classified contractor's departure date.
  • For classified contractors with SCI access schedule SCI debriefing, dsso@doc.gov
  • Print the completed form to return to the Security Service Center, HCHB room 1522 or security@doc.gov, and all badges with other government-issued keys and/or access cards. 

For questions regarding classified contracts or the ISP please contact: osy_industrialsecurity@doc.gov.

 

  1. Archives
  2. Accessibility
  3. Agency Financial Report
  4. Comment policy
  5. Digital strategy
  6. Information quality
  7. No Fear Act
  8. Inspector General
  9. Plain language
  10. Privacy policy
  11. Payment Integrity
  12. USA.gov
  13. Vote.gov
  14. Vulnerability Disclosure Policy
  15. Whistleblower Protection
  16. WhiteHouse.gov