Regulations last checked for updates: Nov 26, 2024

Title 32 - National Defense last revised: Nov 18, 2024
§ 2004.1 - Purpose and scope.

(a) This part sets out the National Industrial Security Program (“NISP” or “the Program”) governing the protection of agency classified information released to Federal contractors, licensees, grantees, and certificate holders. It establishes uniform standards throughout the Program, and helps agencies implement requirements in E.O. 12829, National Industrial Security Program, as amended by E.O. 12558 and E.O.13691 (collectively referred to as “E.O. 12829”), E.O. 13691, Promoting Private Sector Cybersecurity Information Sharing, and E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. It applies to any executive branch agency that releases classified information to current, prospective, or former Federal contractors, licensees, grantees, or certificate holders. However, this part does not stand alone; users should refer concurrently to the underlying executive orders for guidance. ISOO maintains policy oversight over the NISP as established by E.O.12829.

(b) This part also does not apply to release of classified information pursuant to criminal proceedings. The Classified Information Procedures Act (CIPA) (18 U.S.C. Appendix 3) governs release of classified information in criminal proceedings.

(c) Nothing in this part supersedes the authority of the Secretary of Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011, et seq.) (collectively referred to as “the Atomic Energy Act”); the authority of the Director of National Intelligence (or any intelligence community element) under the Intelligence Reform and Terrorism Prevention Act of 2004 (Pub. L. 108-458), the National Security Act of 1947 as amended (50 U.S.C. 401, et seq.), and E.O. 12333 (December 4, 1981), as amended by E.O. 13355, Strengthened Management of the Intelligence Community (August 27, 2004) and E.O. 13470, Further Amendments to Executive Order 12333 (July 30, 2008) (collectively referred to as “E.O. 12333”); or the authority of the Secretary of Homeland Security, as the Executive Agent for the Classified National Security Information Program established under E.O. 13549, Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities (August 18, 2010), or as established by E.O. 13284, Amendment of Executive Orders, and Other Actions, in Connection with the Establishment of the Department of Homeland Security (January 23, 2003). In exercising these authorities, CSAs make every effort to facilitate reciprocity, avoid duplication of regulatory requirements, and facilitate uniform standards.

§ 2004.4 - Definitions that apply to this part.

(a) Access is the ability or opportunity to gain knowledge of classified information.

(b) Agency(ies) are any “Executive agency” as defined in 5 U.S.C. 105; any “Military department” as defined in 5 U.S.C. 102; and any other entity within the executive branch that releases classified information to private sector entities. This includes component agencies under another agency or under a cross-agency oversight office (such as ODNI with CIA), which are also agencies for purposes of this regulation.

(c) Classified Critical Infrastructure Protection Program (CCIPP) is the DHS program that executes the classified infrastructure protection program designated by E.O. 13691, “Promoting Private Sector Cybersecurity Information Sharing.” The Government uses this program to share classified cybersecurity-related information with employees of private sector entities that own or operate critical infrastructure. Critical infrastructure refers to systems and assets, whether physical or virtual, so vital to the United States that incapacitating or destroying such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof. These entities include banks and power plants, among others. The sectors of critical infrastructure are listed in Presidential Policy Directive 21, Critical Infrastructure Security and Resilience (February 12, 2013).

(d) Classified Critical Infrastructure Protection Program (CCIPP) security point of contact (security POC) is an official whom a CCIPP entity designates to maintain eligibility information about the entity and its cleared employees, and to report that information to DHS. The CCIPP security POC must be eligible for access to classified information.

(e) Classified information is information the Government designates as requiring protection against unauthorized disclosure in the interest of national security, pursuant to E.O. 13526, Classified National Security Information, or any predecessor order, and the Atomic Energy Act of 1954, as amended. Classified information includes national security information (NSI), restricted data (RD), and formerly restricted data (FRD), regardless of its physical form or characteristics (including tangible items other than documents).

(f) Cognizance is the area over which a CSA has operational oversight. Normally, a statute or executive order establishes a CSA's cognizance over certain types of information, programs, or non-CSA agencies, although CSAs may also have cognizance through an agreement with another CSA or non-CSA agency or an entity. A CSA may have cognizance over a particular type(s) of classified information based on specific authorities (such as those listed in § 2004.1(c)), and a CSA may have cognizance over certain agencies or cross-agency programs (such as DoD's cognizance over non-CSA agencies as the EA for NISP, or ODNI's oversight (if applicable) of all intelligence community elements within the executive branch). Entities fall under a CSA's cognizance when they enter or compete to enter contracts or agreements to access classified information under the CSA's cognizance, including when they enter or compete to enter such contracts or agreements with a non-CSA agency or another entity under the CSA's cognizance.

(g) Cognizant security agencies (CSAs) are the agencies E.O. 12829, sec. 202, designates as having NISP implementation and security responsibilities for their own agencies (including component agencies) and any entities and non-CSA agencies under their cognizance. The CSAs are: Department of Defense (DoD); Department of Energy (DOE); Nuclear Regulatory Commission (NRC); Office of the Director of National Intelligence (ODNI); and Department of Homeland Security (DHS).

(h) Cognizant security office (CSO) is an organizational unit to which the head of a CSA delegates authority to administer industrial security services on behalf of the CSA.

(i) Contracts or agreements are any type of arrangement between an agency and an entity or an agency and another agency. They include, but are not limited to, contracts, sub-contracts, licenses, certificates, memoranda of understanding, inter-agency service agreements, other types of documents or arrangements setting out responsibilities, requirements, or terms agreed upon by the parties, programs, projects, and other legitimate U.S. or foreign government requirements. FOCI mitigation or negation measures, such as Voting Trust Agreements, that have the word “agreement” in their title are not included in the term “agreements” within this part.

(j) Controlling agency is an agency that owns or controls the following categories of proscribed information and thus has authority over access to or release of the information: NSA for communications security information (COMSEC); DOE for restricted data (RD); and ODNI for sensitive compartmented information (SCI).

(k) Entity is a generic and comprehensive term which may include sole proprietorships, partnerships, corporations, limited liability companies, societies, associations, institutions, contractors, licensees, grantees, certificate holders, and other organizations usually established and operating to carry out a commercial, industrial, educational, or other legitimate business, enterprise, or undertaking, or parts of these organizations. It may reference an entire organization, a prime contractor, parent organization, a branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity (referred to as “sub-entities” when necessary to distinguish such entities from prime or parent entities), a specific location or facility, or the headquarters/official business location of the organization, depending upon the organization's business structure, the access needs involved, and the responsible CSA's procedures. The term “entity” as used in this part refers to the particular entity to which an agency might release, or is releasing, classified information, whether that entity is a parent or subordinate organization.

(l) Entity eligibility determination is an assessment by the CSA as to whether an entity is eligible for access to classified information of a certain level (and all lower levels). Eligibility determinations may be broad or limited to specific contracts, sponsoring agencies, or circumstances. A favorable determination results in eligibility to access classified information under the cognizance of the responsible CSA to the level approved. When the entity would be accessing categories of information such as RD or SCI for which the CSA for that information has set additional requirements, CSAs must also assess whether the entity is eligible for access to that category. Some CSAs refer to their favorable determinations as facility security clearances (FCL). A favorable entity eligibility determination does not convey authority to store classified information.

(m) Foreign interest is any foreign government, element of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered, or incorporated under the laws of any country other than the United States or its territories; and any person who is not a United States citizen or national.

(n) Government contracting activity (GCA) is an agency component or subcomponent to which the agency head delegates broad authority regarding acquisition functions. A foreign government may also be a GCA.

(o) Industrial security services are those activities performed by a CSA to verify that an entity is protecting classified information. They include, but are not limited to, conducting oversight reviews, making eligibility determinations, and providing agency and entity guidance and training.

(p) Insider(s) are entity employees who are eligible to access classified information and may be authorized access to any U.S. Government or entity resource (such as personnel, facilities, information, equipment, networks, or systems).

(q) Insider threat is the likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to entity or program information to the extent that the information impacts the entity's or agency's obligations to protect classified information.

(r) Insider threat response action(s) are actions (such as investigations) an agency takes to ascertain whether an insider threat exists, and actions the agency takes to mitigate the threat. Agencies may conduct insider threat response actions through their counterintelligence (CI), security, law enforcement, or inspector general organizations, depending on the statutory authority and internal policies that govern the agency.

(s) Insider threat program senior official (SO) is the official an agency head or entity designates with responsibility to manage, account for, and oversee the agency's or entity's insider threat program, pursuant to the National Insider Threat Policy and Minimum Standards. An agency may have more than one insider threat program SO.

(t) Key managers and officials (KMO) are the senior management official (or authorized executive official under CCIPP), the entity's security officer (or security POC under CCIPP), the insider threat program senior official, and other entity employees whom the responsible CSA identifies as having authority, direct or indirect, to influence or decide matters affecting the entity's management or operations, its contracts requiring access to classified information, or national security interests. They may include individuals who hold majority ownership interest in the entity (in the form of stock or other ownership interests).

(u) Proscribed information is information that is classified as top secret (TS) information; communications security (COMSEC) information (excluding controlled cryptographic items when un-keyed or utilized with unclassified keys); restricted data (RD); special access program information (SAP); or sensitive compartmented information (SCI).

(v) Security officer is a U.S. citizen employee the entity designates to supervise and direct security measures implementing NISPOM (or equivalent; such as DOE Orders) requirements. Some CSAs refer to this position as a facility security officer (FSO). The security officer must complete security training specified by the responsible CSA, and must have and maintain an employee eligibility determination level that is at least the same level as the entity's eligibility determination level.

(w) Senior agency official for NISP (SAO for NISP) is the official an agency head designates to direct and administer the agency's National Industrial Security Program.

(x) Senior management official (SMO) is the person in charge of an entity. Under the CCIPP, this is the authorized executive official with authority to sign the security agreement with DHS.

(y) Sub-entity is an entity's branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity. Sub-entities fall under the definition of “entity,” but this part refers to them as sub-entities when necessary to distinguish such entities from prime contractor or parent entities. See definition of “entity” in paragraph (k) of this section for more context.

§ 2004.10 - Responsibilities of the Director, Information Security Oversight Office (ISOO).

The Director, ISOO:

(a) Implements E.O. 12829, including ensuring that:

(1) The NISP operates as a single, integrated program across the executive branch of the Federal Government (i.e., such that agencies that release classified information to entities adhere to NISP principles);

(2) A responsible CSA oversees each entity's NISP implementation in accordance with § 2004.22;

(3) All agencies that contract for classified work include the Security Requirements clause, 48 CFR 52.204-2, from the Federal Acquisition Regulation (FAR), or an equivalent clause, in contracts that require access to classified information;

(4) Those agencies for which the Department of Defense (DoD) serves as the CSA or provides industrial security services have agreements with DoD defining the Secretary of Defense's responsibilities on behalf of their agency;

(5) Each CSA issues directions to entities under their cognizance that are consistent with the NISPOM insider threat guidance;

(6) CSAs share with each other, as lawful and appropriate, relevant information about entity employees that indicates an insider threat; and

(7) CSAs conduct ongoing analysis and adjudication of adverse or relevant information about entity employees that indicates an insider threat.

(b) Raises an issue to the National Security Council (NSC) for resolution if the EA's NISPOM coordination process cannot reach a consensus on NISPOM security standards (see § 2004.20(d)).

§ 2004.11 - CSA and agency implementing regulations, internal rules, or guidelines.

(a) Each CSA implements NISP practices in part through policies and guidelines that are consistent with this regulation, so that agencies for which it serves as the CSA are aware of appropriate security standards, engage in consistent practices with entities, and so that practices effectively protect classified information those entities receive (including foreign government information that the U.S. Government must protect in the interest of national security).

(b) Each CSA must also routinely review and update its NISP policies and guidelines and promptly issue revisions when needed (including when a change in national policy necessitates a change in agency NISP policies and guidelines).

(c) Non-CSA agencies may choose to augment CSA NISP policies or guidelines as long as the agency policies or guidelines are consistent with the CSA's policies or guidelines and this regulation.

§ 2004.12 - ISOO review of agency NISP implementation.

(a) ISOO fulfills its oversight role based, in part, on information received from NISP Policy Advisory Committee (NISPPAC) members, from on-site reviews that ISOO conducts under the authority of E.O. 12829, and from any submitted complaints and suggestions. ISOO reports findings to the responsible CSA or agency.

(b) ISOO reviews agency policies and guidelines to ensure consistency with NISP policies and procedures. ISOO may conduct reviews during routine oversight visits, when a problem or potential problem comes to ISOO's attention, or after a change in national policy that impacts agency policies and guidelines. ISOO provides the responsible agency with findings from these reviews.

authority: Section 102(b)(1) of E.O. 12829 (January 6, 1993), as amended by E.O. 12885 (December 14, 1993), E.O. 13691 (February 12, 2015), and section 4 of E.O. 13708 (September 30, 2015)
source: 83 FR 19951, May 7, 2018, unless otherwise noted.
cite as: 32 CFR 2004.1