Regulations last checked for updates: Nov 22, 2024

Title 32 - National Defense last revised: Nov 18, 2024
§ 2004.20 - National Industrial Security Program Executive Agent and Operating Manual.

(a) The executive agent (EA) for NISP is the Secretary of Defense. The EA:

(1) Provides industrial security services for agencies that are not CSAs but that release classified information to entities. The EA provides industrial security services only through an agreement with the agency. Non-CSA agencies must enter an agreement with the EA and comply with EA industrial security service processes before releasing classified information to an entity;

(2) Provides services for other CSAs by agreement; and

(3) Issues and maintains the National Industrial Security Program Operating Manual (NISPOM) in consultation with all affected agencies and with the concurrence of the other CSAs.

(b) The NISPOM sets out the procedures and standards that entities must follow during all phases of the contracting process to safeguard any classified information an agency releases to an entity. The NISPOM requirements may apply to the entity directly (i.e., through FAR clauses or other contract clauses referring entities to the NISPOM) or through equivalent contract clauses or requirements documents that are consistent with NISPOM requirements.

(c) The EA, in consultation with all affected agencies and with the concurrence of the other CSAs, develops the requirements, restrictions, and safeguards contained in the NISPOM. The EA uses security standards applicable to agencies as the basis for developing NISPOM entity standards to the extent practicable and reasonable.

(d) The EA also facilitates the NISPOM coordination process, which addresses issues raised by entities, agencies, ISOO, or the NISPPAC, including requests to create or change NISPOM security standards.

§ 2004.22 - Agency responsibilities.

(a) Agency categories and general areas of responsibility. Federal agencies fall into three categories for the purpose of NISP responsibilities:

(1) CSAs. CSAs are responsible for carrying out NISP implementation within their agency, for providing NISP industrial security services on behalf of non-CSA agencies by agreement when authorized, and for overseeing NISP compliance by entities that access classified information under the CSA's cognizance. When the CSA has oversight responsibilities for a particular non-CSA agency or for an entity, the CSA also functions as the responsible CSA;

(2) Non-CSA agencies. Non-CSA agencies are responsible for entering agreements with a designated CSA for industrial security services, and are responsible for carrying out NISP implementation within their agency consistently with the agreement, the CSA's guidelines and procedures, and this regulation; or

(3) Agencies that are components of another agency. Component agencies do not have itemized responsibilities under this regulation and do not independently need to enter agreements with a CSA, but they follow, and may have responsibilities under, implementing guidelines and procedures established by their CSA or non-CSA agency, or both.

(b) Responsible CSA role. (1) The responsible CSA is the CSA (or its delegated CSO) that provides NISP industrial security services on behalf of an agency, determines an entity's eligibility for access, and monitors and inspects an entity's NISP implementation.

(2) In general, the goal is to have one responsible CSA for each agency and for each entity, to minimize the burdens that can result from complying with differing CSA procedures and requirements.

(i) With regard to agencies, NISP accomplishes this goal by a combination of designated CSAs and agreements between agencies and CSAs.

(ii) With regard to entities, CSAs strive to reduce the number of responsible CSAs for a given entity as much as possible. To this end, when more than one CSA releases classified information to a given entity, those CSAs agree on which is the responsible CSA. However, due to certain unique agency authorities, there may be circumstances in which a given entity is under the oversight of more than one responsible CSA.

(3) Responsible CSA for agencies:

(i) In general, each CSA serves as the responsible CSA for classified information that it (or any of its component agencies) releases to entities, unless it enters an agreement otherwise with another CSA.

(ii) DoD serves as the responsible CSA for DHS with the exception of the CCIPP, based on an agreement between the two CSAs.

(iii) DoD serves as the responsible CSA on behalf of all non-CSA agencies, except CSA components, based on E.O. 12829 and its role as NISP EA.

(iv) ODNI serves as the responsible CSA for CIA.

(4) Responsible CSA for entities: When determining the responsible CSA for a given entity, the involved CSAs consider, at a minimum: retained authorities, the information's classification level, number of contracts requiring access to classified information, location, number of Government customers, volume of classified activity, safeguarding requirements, responsibility for entity employee eligibility determinations, and any special requirements.

(5) Responsible CSAs may delegate oversight responsibility to a cognizant security office (CSO) through CSA policy or by written delegation. The CSA must inform entities under its cognizance if it delegates responsibilities. For purposes of this rule, the term CSA also refers to the CSO.

(c) CSA responsibilities. (1) The CSA may perform GCA responsibilities as its own GCA.

(2) As CSA, the CSA performs or delegates the following responsibilities:

(i) Designates a CSA senior agency official (SAO) for NISP;

(ii) Identifies the insider threat program senior official (SO) to the Director, ISOO;

(iii) Shares insider threat information with other CSAs, as lawful and appropriate, including information that indicates an insider threat about entity employees eligible to access classified information;

(iv) Acts upon and shares—with security management, GCAs, insider threat program employees, and Government program and CI officials—any relevant entity-reported information about security or CI concerns, as appropriate;

(v) Submits reports to ISOO as required by this part; and

(vi) Develops, coordinates, and provides concurrence on changes to the NISPOM when requested by the EA.

(3) As a responsible CSA, the CSA also performs or delegates the following responsibilities:

(i) Determines whether an entity is eligible for access to classified information (see § 2004.32);

(ii) Allocates funds, ensures appropriate investigations are conducted, and determines entity employee eligibility for access to classified information (see § 2004.36);

(iii) Reviews and approves entity safeguarding measures, including making safeguarding capability determinations (see § 2004.38);

(iv) Conducts periodic security reviews of entity operations (see § 2004.26) to determine that entities: effectively protect classified information provided to them; and follow NISPOM (or equivalent) requirements;

(v) Provides and regularly updates guidance, training, training materials, and briefings to entities on:

(A) Entity implementation of NISPOM (or equivalent) requirements, including: responsibility for protecting classified information, requesting NISPOM interpretations, establishing training programs, and submitting required reports;

(B) Initial security briefings and other briefings required for special categories of information;

(C) Authorization measures for information systems processing classified information (except DHS) (see § 2004.40);

(D) Security training for security officers (or CCIPP POCs) and other employees whose official duties include performing NISP-related functions;

(E) Insider threat programs in accordance with the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs; and

(F) Other guidance and training as appropriate;

(vi) Establishes a mechanism for entities to submit requests for waivers to NISPOM (or equivalent) provisions;

(vii) Reviews, continuously analyzes, and adjudicates, as appropriate, reports from entities regarding events that:

(A) Impact the status of the entity's eligibility for access to classified information;

(B) Impact an employee's eligibility for access;

(C) May indicate an employee poses an insider threat;

(D) Affect proper safeguarding of classified information; or

(E) Indicate that classified information has been lost or compromised;

(viii) Verifies that reports offered in confidence and so marked by an entity may be withheld from public disclosure under applicable exemptions of the Freedom of Information Act (5 U.S.C. 552);

(ix) Requests any additional information needed from an entity about involved employees to determine continued eligibility for access to classified information when the entity reports loss, possible compromise, or unauthorized disclosure of classified information; and

(x) Posts hotline information on its website for entity access, or otherwise disseminates contact numbers to the entities for which the CSA is responsible.

(d) Non-CSA agency head responsibilities. The head of a non-CSA agency that is not a CSA component and that releases classified information to entities, performs the following responsibilities:

(1) Designates an SAO for the NISP;

(2) Identifies the insider threat program SO to ISOO to facilitate information sharing;

(3) Enters into an agreement with the EA (except agencies that are components of another agency or a cross-agency oversight office) to act as the responsible CSA on the agency's behalf (see paragraph (a)(1)(ii) of this section);

(4) Performs, or delegates in writing to a GCA, the following responsibilities:

(i) Provides appropriate education and training to agency personnel who implement the NISP;

(ii) Includes FAR security requirements clause 52.204-2, or equivalent (such as the DEAR clause 952.204-2), and a contract security classification specification (or equivalent guidance) into contracts and solicitations that require access to classified information (see § 2004.30); and

(iii) Reports to the appropriate CSA adverse information and insider threat activity pertaining to entity employees having access to classified information.

§ 2004.24 - Insider threat program.

(a) Responsible CSAs oversee and analyze entity activity to ensure entities implement an insider threat program in accordance with the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (via requirements in the NISPOM or its equivalent) and guidance from the CSA. CSA oversight responsibilities include, but are not limited to:

(1) Verifying that entities appoint insider threat program SOs;

(2) Requiring entities to monitor, report, and review insider threat program activities and response actions in accordance with the provisions set forth in the NISPOM (or equivalent);

(3) Providing entities with access to data relevant to insider threat program activities and applicable reporting requirements and procedures;

(4) Providing entities with a designated means to report insider threat-related activity; and

(5) Advising entities on appropriate insider threat training for entity employees eligible for access to classified information.

(b) CSAs share with other CSAs any insider threat information reported to them by entities, as lawful and appropriate.

§ 2004.26 - Reviews of entity NISP implementation.

(a) The responsible CSA conducts recurring oversight reviews of entities' NISP security programs to verify that the entity is protecting classified information and is implementing the provisions of the NISPOM (or equivalent). The CSA determines the scope and frequency of reviews. The CSA generally notifies entities when a review will take place, but may also conduct unannounced reviews at its discretion.

(b) CSAs make every effort to avoid unnecessarily intruding into entity employee personal effects during the reviews.

(c) A CSA may, on entity premises, physically examine the interior spaces of containers not authorized to store classified information in the presence of the entity's representative.

(d) As part of a security review, the CSA:

(1) Verifies that the entity limits entity employees with access to classified information to the minimum number necessary to perform on contracts requiring access to classified information;

(2) Validates that the entity has not provided its employees unauthorized access to classified information;

(3) Reviews the entity's self-inspection program and evaluates and records the entity's remedial actions; and

(4) Verifies that the GCA approved any public release of information pertaining to a contract requiring access to classified information.

(e) As a result of findings during the security review, the CSA may, as appropriate, notify:

(1) GCAs if there are unfavorable results from the review; and

(2) A prime entity if the CSA discovers unsatisfactory security conditions pertaining to a sub-entity.

(f) The CSA maintains a record of reviews it conducts and the results. Based on review results, the responsible CSA determines whether an entity's eligibility for access to classified information may continue. See § 2004.32(g).

§ 2004.28 - Cost reports.

(a) Agencies must annually report to the Director, ISOO, on their NISP implementation costs for the previous year.

(b) CSAs must annually collect information on NISP implementation costs incurred by entities under their cognizance and submit a report to the Director, ISOO.

authority: Section 102(b)(1) of E.O. 12829 (January 6, 1993), as amended by E.O. 12885 (December 14, 1993), E.O. 13691 (February 12, 2015), and section 4 of E.O. 13708 (September 30, 2015)
source: 83 FR 19951, May 7, 2018, unless otherwise noted.
cite as: 32 CFR 2004.26