U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Industrial Security Program

Industrial Security

The Office of Security’s (OSY) Industrial Security Program (ISP) supports Department offices and operating units throughout the program and acquisition life cycle when an acquisition effort involves access to Classified National Security Information (CNSI). ISP collaborates with program and contracting personnel to frame the requirements, restrictions, and other safeguards to protect CNSI in accordance with Executive Order 12829, National Industrial Security Program. The ISP office’s mission is to mitigate threats against our cleared industry components by providing guidance, assistance, and training regarding all preparations, documentation, and safeguards required in the acquisition of a classified contract; this begins with the proper execution of the required DD Form 254 Contract Security Classification Specification (DD 254), as required by 32 CFR Part 117 - National Industrial Security Program Operating Manual (NISPOM).

The DD 254, a draft of which is required to accompany all solicitations, outlines security requirements and classification guidance to contractors that have been or may be awarded a classified contract by a Government Contracting Activity (GCA), as referenced in the Commerce Acquisitions Manual (CAM) CAM 1337.70 Personnel Security Requirements. The DD 254 applies to all contracts involving access to CNSI by all U.S. contractors and must be executed prior to the commencement of any work on a classified contract. Please refer to Industrial Security Process Chart and the CAM 1337.70 Personnel Security Requirements for guidance.

Earth with "Global Market Domination Threat" overlaid.

Prior to contract solicitation, one of the following OSY Divisions must be contacted:

  1. For Unclassified Contracts: Contact your bureau's Personnel Security Office (PERSEC) regarding background investigations.
  2. Classified contract: ISP, [email protected], must be consulted.

The ISP has oversight of all classified contracts awarded within the Department as outlined within the Performance Work Statement (PWS), Statement of Work (SOW), or other requirements documents for that specific contract. Requirements documents must clearly state in a justification statement how and why the contractor will require continuous access to CNSI, at what level (Confidential, Secret, Top Secret), to what extent (meetings, direct access to CNSI, or access to classified systems and networks), and which task is associated with access to CNSI. Such requirements include general policies and procedures; reporting; Facility Clearances (FCLs); Personnel Clearances (PCLs); addressing Foreign Ownership, Control, or Influence (FOCI) issues; and subcontracting.


Roles and Responsibilities for Security Requirements

Industrial Security Program (ISP): Only members of the ISP may be designated as a Government Reviewer in the National Industrial Security System (NISS) Increment II (NI2) System. To ensure the proper election of a Government Reviewer, contact [email protected].

Contracting Officer (CO): The CO must have the role of Government Contracting Officer within NI2. This role may not be delegated. The CO is the final authority to release a DD 254 to industry, permitting access to CNSI in the performance of a contract. A CO may delegate the role of Government Certifying Official to a COR in the form of an appointment letter.

Contracting Officer’s Representative (COR): The COR is appointed by the CO for a specific contract. The COR monitors the performance of the contract, ensuring all necessary requirements are being met for the CO as stipulated in the PWS, SOW, or other requirements document. CORs assure the contractor establishes and maintains an FCL and PCLs when access to CNSI is required. CORs communicate the security requirements during the procurement process and contract performance to the company and the ISP. 

Role

NI2 System Designation

Primary Responsibilities

Contracting Officer (CO)

Government Contracting Officer/Government Certifying Official

Serves as the final authority to release the DD Form 254 to industry; Certifies the contractual need for access to Classified National Security Information (CNSI); May delegate the Certifying Official role to the COR via appointment letter.

Contracting Officer’s Representative (COR)

Government Originator

Initiates the Solicitation DD Form 254 in NI2 during pre-solicitation and the Prime DD Form 254 during the award phase; Monitors contractor performance and security compliance; Submits VARs and security violations to the ISP; Manages the validation of the FCL before work begins.

*Industrial Security Specialist (ISP)

Government Reviewer

Exclusive Authority: Only ISP specialists may hold this role; Reviews all DD 254s for regulatory compliance with 32 CFR Part 117; Grants final access approval for classified contracts.

Government Account Manager (GAM)

Government Account Manager

Appointed by the Senior Bureau Procurement Official; Approves and manages NI2 user roles (Originators, Certifiers) within their specific bureau; Verifies user eligibility for system access.

CORs are also responsible for submitting the appropriate documents once the contract has been determined to require access to CNSI in the performance of the contract. The COR ensures the scope of work has been clearly stated within the requirements document outlining the required access to CNSI. Include the access level (Confidential, Secret, Top-Secret, or Sensitive Compartmented Information [SCI]) and to what extent (meetings, direct access to classified material, or access to classified systems) access is required. 

CORs require access to NI2 as a Government Originator and, if nominated, as the Certifying Official or Government Certifying Official role to submit the below:

COR submits to the ISP the following through NI2 during pre-solicitation, prior to award, revision, or modification: 

  1. DD 254 originated and submitted through the NI2 to the ISP for final access approval.
  2. General Platform Access and NI2 Role Registration
    • Once the Defense Counterintelligence and Security Agency (DCSA) has granted system access, the Government Account Manager will verify roles within NI2.
    • Access is managed through the Government Account Manager within each bureau, as nominated by the Senior Bureau Procurement Official.
    • NI2 Training Materials
  3. Requirements Document (PWS, SOW, etc.) attached within NI2.
  4. Award document (SF-1449, SF-30, or OF-347) attached within NI2.

Once DD 254 is reviewed by the ISP, DD 254 is routed to the Certifying Official and then to the CO for release to industry, at which time access may be granted to CNSI, as outlined within the requirements document and DD 254 for a specific classified contract. Classified work may not be performed unless an ISP-executed DD 254 has been received by the COR.

The ISP or Government Contracting Activity (GCA) does not execute DD 254s for subcontractors as that is the responsibility of the primary contractor awarding the sub-contract. All DD 254s for sub-contracting must be submitted through NI2 prior to subcontract personnel being onboarded.

Many resources are available on the DCSA NI2 website and the Department Industrial Security Commerce Connection website.


Facility Clearance 

Classified contracts may only be awarded to companies with an active Facility Clearance (FCL). FCL status is confirmed by the DCSA, which processes, issues, and monitors the continued eligibility of entities for an FCL. The contractor’s FCL must be at the same or higher classification level as the contract requirements. The contractor company is responsible for acquiring and maintaining an active FCL and for acquiring and maintaining PCLs for all personnel that will access CNSI as part of a classified contract. If a contractor company does not have an active FCL at the proper level, they may apply to obtain one by following the process outlined on the DCSA Facility Clearance website. Additional safeguarding levels are required when CNSI will be accessed at the contractor company’s location and must be equal to or higher than that of the CNSI to be accessed.

The ISP confirms the FCL status of the candidate company during the pre-solicitation phase of acquisition for the primary or sub-contractors prior to contract award. FCL confirmation begins with reviewing the candidate company’s Commercial and Government Entity (CAGE) code. A CAGE code is assigned by the Defense Logistics Agency. If a contractor company does not have a CAGE code, they may apply to obtain one by following the process outlined at SAM.gov (System for Award Management). A valid CAGE code is not confirmation that a valid FCL exists.


Classified Contractor In/Out-Processing Procedures

In-processing for Unescorted Access to Facilities or Networks

Classified Contractors cannot be processed to perform work on any classified contract until the COR receives an ISP-executed and CO released DD 254.

  • HCHB Contractors: Follow the procedures below.
  • NOAA, NIST, and Census Contractors: Do not use the HCHB forms below. Please follow the standard operating procedures at your specific bureau's badging office.

After contract has been awarded:

Step 1: Sponsorship & Visitor Access Request (VAR)

  • Sponsorship: COR submits the Contractor Sponsorship Form to [email protected].
  • VAR: COR submits a VAR for each contractor (Initial and Annual).
    • Note: The VAR must be on company letterhead. [Link to VAR Template]
    • Security Warning: VARs contain PII. You must protect them using Kiteworks or by password-protecting the PDF (send the password in a separate email).

Step 2: Training & NDA

  • Training: Submit the DOC initial/annual CNSI training certificate.
    • If Classified Contractor has not yet received a PIV or CAC enabling systems access to the Department of Commerce, the training certificates below from the Center for Development of Security Excellence (CDSE) or Security Training, Education, and Professionalization Portal (STEPP) are required:
  • SF-312: Submit the SF 312 Classified Information Nondisclosure Agreement.
    • Crucial: Only the Rev. 12/2023 or superseding edition is accepted.
    • Limit PII: List only the last four digits of the SSN.

NOTE: Prime contractors are responsible for submitting all executed subcontractor DD 254s to ISP and DCSA.

If Sensitive Compartmented Information (SCI) access is required, an SCI access request memo must be sent by the COR to [email protected] after the collateral clearance is granted. An active Top Secret PCL is required for SCI eligibility. The Department Special Security Officer (DSSO) or Bureau Special Security Representative will conduct an indoctrination briefing once SCI access is approved. SCI debriefing will be required prior to personnel departure from the contract.

Out-processing:

Complete the HCHB Contractor Out-Processing Form and SF 312 debrief, then follow the procedures for all out-processing contractors.

  • Notify the ISP, [email protected], of the Classified Contractor's departure date.
  • For Classified Contractors with SCI access, schedule an SCI debriefing, [email protected]
  • Submit the completed form to return to the Security Service Center, HCHB room 1522 or [email protected], and all badges with other government-issued keys and/or access cards. 

For questions regarding classified contracts or the ISP, please contact: [email protected].