Information Security Oversight Office (ISOO)

Frequently Asked Questions

The Information Security Oversight Office (ISOO) logo

New to ISOO?  This page contains answers to some of the questions most frequently asked by security professionals.  If you have a question that is not listed here please visit our individual programs or Contact Us.

Guidance listed on this page pertains only to Federal agencies and applicable contractors and is binding on agency actions as required by law and similar authority. The guidance does not apply to, and is not meant to bind, the public, except as authorized by law or regulation or as incorporated into a contract.

 

What is Classified National Security Information?

In E.O. 13526, section 4.1(f)(3)(B) who determines "standardized electronic formats?" 

​What is the difference between a "confidential human source" and a "human intelligence source?"

Is there a standard procedure for notifying the Archivist in case of reclassification?

According to section 3.3(j)(1)(C) of E.O. 13526, who is responsible for verifying "a specific and independently verifiable event?"

In E.O. 13526, section 3.7(b)(1), how is "timely" defined?

Who do we contact for information on the SF 312, Nondisclosure Agreement?

Are there any circumstances when I might be allowed to take classified documents home with me? 

Who should be the SAO for an agency?

How does Classified Information end up in Private Collections?

How can I identify Classified National Security Information?

How is Classified National Security Information stored and protected?

How is Classified National Security Information transmitted?

How do I file a Mandatory Declassification Review (MDR) request?

How do I find out the MDR Results and Appeal Options?


Marking

What are the requirements for the use of the 50X and 75X exemptions?

What happens to the documents marked 50X-HUM and WMD after 50 years?

What marking goes on the "declassify on" line for derivative documents, if the source document is marked 25X1-Human?

How is a derivative document marked if the source document has no date?

What happens if a document does not have any declassification instructions?

How are dynamic documents portioned marked?

How are documents being declassified remarked?

Can a classification be extended?

If an agency has a current exemption, does it need to be reapproved? 

If a security declassification guide has an instruction to mark certain information for declassification for 25 years, is it from the date of the guide or the date of the document?

If we receive a classified document and notice the classification level is not on the top and bottom of every page is it okay to mark the top and bottom with the appropriate classification level of the document even though we did not create the document?

When were portion markings first required on classified documents?

If individual PowerPoint© slides within a classified presentation have an overall classification of unclassified, is it really necessary to mark the portions as unclassified?

May an agency derivatively classify information from a document prepared/classified by a different agency prior to the effective date of Executive Order 13526 which is not portion marked as would be required under E.O. 13526?


Original Classification Authority (OCA) and Derivative Classification

Is the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)?

Must anyone who creates derivative work be pre-designated as "authorized" to do so and if so, at what level should the training be?

If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI to report, or NRO, or both?

Who can derivatively mark documents?

Who is responsible for providing Original Classification Authority (OCA) training to those designated specifically by the President?


 Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117 and NISPPAC

When did 32 CFR Part 117 become effective??

Where can I find additional information?

Does NISPPAC Industry have a way to reach out to cleared companies?


Questions re: GSA Containers

What is the Government policy for procuring GSA Approved containers for storing US Government classified information?

What is the process if a defense contractor needs to purchase a GSA Approved container

Where can I find additional information with respect to GSA guidance on GSA Approved Containers

What is the process if a defense contractor wants to purchase a GSA container off contract and with company dollars?

Does it mean contractors cannot just buy containers from any vendor? Can contractors buy used containers?

Is there a process to re-certify a GSA approved container that we are unsure of or is missing a label?

Is it acceptable to have preventative maintenance performed instead of replacing the safe?

What is the disposal process for used containers?

Black lettering indicates safes are nearing the end of their expected life. Is there information on when they need to be replaced?

Are older versions of locks previously approved under Federal Specification FF-L-2740B (e.g. X-07, X-08, X-09 still allowed to be used?

Is the DODAAC number issued once to a contractor or is there a different number per contract?

Can we use a cabinet owned by our company from other location?


Express Carriers and National Security System 

What overnight express carriers are authorized for NISP cleared contractors?

What is a "national security system" (NSS)?

Can Secret and Confidential information be transmitted by an overnight delivery service within the U.S. and its Territories?

Where can I get additional information on the NSS, incidents, and spills?

Where can I contact the Committee on National Security Systems (CNSS)?


Executive Order 13526 

What is Classified National Security Information?

Classified national security information is information created or received by an agency of the federal government or a government contractor that would damage national security if improperly released. Since 1940, the President has managed the system of classifying information by executive order (E.O.); the most recent order concerning classified national security information is E.O. 13526, signed by President Obama on December 29, 2009.

Information can only be classified if an official determination is made that its unauthorized release would damage the national security. Levels of classification correspond to levels of supposed damage. E.O. 13526 specifies that information whose release would cause “exceptionally grave damage to the national security” is classified TOP SECRET; information whose release would cause “serious damage” is classified SECRET; CONFIDENTIAL is the lowest category of classified information currently in use. RESTRICTED is an obsolete category that was discontinued in 1953.

Classified information may take any form. Though paper documents are most common, there are classified photographs, maps, motion pictures, videotapes, databases, microfilms, hard drives, CDs, etc. Regardless of medium, classified information requires protection until it is formally declassified.

The Federal Government's current system of marking and controlling security-classified information dates from World War II. Very little pre-1941 information still meets the criteria for continued classification. Only very specific information dating from before 1942 controlled by the National Security Agency regarding signals intelligence, by the United States Secret Service regarding the protection of the President, and by the U.S. Mint concerning the gold bullion depository at Fort Knox remains classified.

 In E.O. 13526, section 4.1(f)(3)(B) who determines "standardized electronic formats?"
An agency head or senior agency official, or with respect to the Intelligence Community, the Director of National Intelligence, makes this determination. 

 What is the difference between a "confidential human source" and a "human intelligence source?"
The two terms are used interchangeably, but "confidential human source" is a term used by the FBI; "human intelligence source" is a term used by the intelligence community.

 Is there a standard procedure for notifying the Archivist in case of reclassification?
Notification of the Archivist would be accomplished in the same manner that official notifications are made to other heads of Executive branch agencies.

 According to section 3.3(j)(1)(C) of E.O. 13526, who is responsible for verifying "a specific and independently verifiable event?"
The OCA decides and sends the information to the Interagency Security Classification Appeals Panel (ISCAP) for approval.

 In E.O. 13526, section 3.7(b)(1), how is "timely" defined?
The Director of the National Declassification Center (NDC) will determine when the referral is made; after which the agency will have one year to adjudicate.

  Who do we contact for information on the SF 312, Nondisclosure Agreement? 
Please direct all questions regarding the SF 312 to SECEA@dni.gov

 Are there any circumstances when I might be allowed to take classified documents home with me?
No.  Classified material must be safeguarded in accordance with the requirements in E.O. 13526, Part 4, Safeguarding; and 32 CFR 2001, Subpart E, Safeguarding.
You must not remove classified material from official premises except to conduct official meetings or conferences, and the material must be returned to safe storage facilities immediately upon the conclusion of the meeting or conference.  Residences are not considered official premises, and you must not remove classified material for reasons of personal convenience or keep it overnight in personal custody.

 Who should be the SAO for an agency?
SAO is a senior official at the Assistant Secretary level or its equivalent who has direct responsibility for ensuring the department or agency efficiently and appropriately complies with all applicable records management statutes, regulations, NARA policy, and the requirements of the Directive.

The SAO must be located within the organization so as to make adjustments to agency practices, personnel, and funding as may be necessary to ensure compliance and support the business needs of the department or agency. A partial list of some current SAO job titles includes:

  • Assistant Secretary
  • Chief of Staff Chief
  • Financial Officer
  • Chief Information Officer
  • Chief Counsel
  • Chief Operating Officer
  • Director of Administration

 Outside of Government Controlled documents 

How does Classified Information end up in Private Collections?

Former government officials and contractors have been known to retain papers containing classified national security information and eventually donate them to private archives. Often, it is not until these records are formally processed that archivists realize a collection contains classified information. If an archive or a library has not received Federal approval to store classified materials, continuing to store the records in an unapproved area could be endangering national security. In these instances, the institution should contact the Information Security Oversight Office (ISOO) at the National Archives and arrange for these records to be securely stored. ISOO will maintain temporary custody of the records through the declassification process.

By contacting ISOO you will be respecting the access restrictions placed on that information by the U.S. government. ISOO, in turn, will respect the rights of your institution to maintain the integrity of collections of donated personal papers.

 How can I identify Classified National Security Information?

There are three basic tests that you can apply to determine whether a document contains classified information:

  • The information should concern the national security of the U.S. government. If the document was created by a private organization or a state government agency, it may contain classified national security information only if the organization or agency was serving as an agent of the Federal Government. Defense contractors and research laboratories are obvious examples. Also, the information should not concern personal, private, or purely political issues. Over the decades, many documents have been stamped “Confidential” not because they would damage national security if released, but to indicate some other type of sensitivity. When in doubt, consider the document classified.
  • There should be a classification marking on the top and bottom of every page of the document. Very old documents may have markings only on the top of the first page. In more recent documents, individual paragraphs may also be marked with markings like “(S)” for Secret or “(C)” for Confidential.
  • The document should not be marked as declassified. A declassification marking should look like an official stamp that indicates the name and office of the person who authorized the declassification action. A copy of a declassified document from the National Archives and Records Administration should include a marking that includes a project number starting with “NND” or “NW.”

While these are the primary means of identifying classified information, those who suspect they have classified materials in their collections should also be careful to examine documents for:

  • “Restricted Data” and “Formerly Restricted Data” markings. These designations of categories refer to all data concerning the design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy. Despite the misleading nature of the phrase “Formerly Restricted Data,” documents with this marking remain sensitive and must be protected.
  • Unmarked Classified National Security Information. Records of national security officials should be reviewed and handled carefully, as the classification marking requirements were not always executed on informal records such as handwritten notes. In all cases, it is the sensitivity of the information that determines classification. An unmarked, handwritten page can just as easily contain classified national security information as a document containing classification markings. When in doubt, treat handwritten notes concerning intelligence, military, diplomatic, or emergency planning matters as classified national security information.
  • Declassification Dates. Some documents may have been originally marked with a date on which the document may be declassified. These dates are useful in determining the relative sensitivity of the information contained in the document, but occasionally these markings are erroneous or invalid. Remember that regardless of markings, only a U.S. government declassification authority can declassify classified information.
  • Foreign Government Information. Foreign governments routinely share classified information with the U.S. government. Foreign government information received by a U.S. government agency with a promise of non-disclosure should remain protected, but in some cases information may be declassified and released. Many foreign markings resemble U.S. markings.
  • Controlled Unclassified Information. Federal agencies have designated some types of information as requiring a degree of control that does not rise to the level as that for information that would damage national security if released. These types of markings include “For Official Use Only,” “Limited Official Use,” or “Sensitive but Unclassified.” These types of markings do not designate classified national security information. Archivists processing papers containing U.S. Government information should not release out for social security numbers for living people, health care information, and other personal information collected from private citizens.
  • Closed Congressional Information. Archivists processing the papers of former congressmen should be aware that the rules of the U.S. Senate and the House of Representatives restrict public access to certain types of closed committee and investigative records, regardless of whether they contain classified national security information, for up to 50 years.
  • Codeword Information. Since World War II, when the British used the word “Ultra” to designate intelligence obtained by cracking the German Enigma encryption machine, the most sensitive types of information of the U.S. government has been identified by special codewords. These include intercepts of encoded enemy radio signals, information about satellite reconnaissance programs, and human intelligence programs. If you see words like “Umbra,” “Talent-Keyhole,” “Ruff,” or “Gamma” on records also carrying a “Secret” or “Top Secret” classification marking, you should realize that you have in your collections something particularly damaging to national security if improperly released, regardless of the age of the records.

 How is Classified National Security Information stored and protected?

If you discover classified materials in your collection and your institution does not have federally approved secure storage, immediately remove the records from public review and restrict access to as few staff members as possible. Until they are ready for transmittal to ISOO, the records should be locked in a safe, filing cabinet, or other secure areas.

 How is Classified National Security Information transmitted?

Transmittal requirements for classified materials vary depending on the classification level of the information they contain. In all instances, the use of street side mailboxes is prohibited.

CONFIDENTIAL materials may be sent via U.S. Postal Service certified, first class, express, or registered mail or government courier service.

SECRET materials may ONLY be sent via U.S. Postal Service express or registered mail or government courier service.

When mailing materials to ISOO, please adhere to the following guidelines:

Wrap the body of records in opaque paper. Heavy brown paper or brown mailing envelopes are best. CONFIDENTIAL and SECRET materials may be wrapped together.

Seal all seams with filament tape.

Address the package to:

Director, Information Security Oversight Office
National Archives and Records Administration
700 Pennsylvania Avenue NW, Room 100
Washington, DC 20408

Provide a return address.

Label the front and back of the package with the highest classification marking of the documents it contains.

Wrap the entire package ONCE MORE in opaque paper.

Again, address the package to the Director of ISOO as indicated above and provide a return address.

On this outer wrapper, do NOT write the classification level of the materials contained within.

Again, seal all seams with filament tape.

TOP SECRET materials may NOT be sent via U.S. mail and may only be transmitted by authorized government courier service. ISOO can make the necessary arrangements on your institution’s behalf.

ISOO staff will give more detailed instructions regarding the shipment of classified records and regarding the temporary retention of records by ISOO pending declassification.

 How do I file a Mandatory Declassification Review (MDR) request?

If ISOO determines that the records provided require declassification review by equity-holding agencies, a non-governmental repository will be encouraged to file a Mandatory Declassification Review (MDR) request. The request should come in the form of a formal letter to the Director of ISOO explaining that the institution is filing an MDR for those records furnished to ISOO for temporary custody. ISOO will then contact all equity-holding agencies and provide them with copies of the records for their review.

 How do I find out the MDR Results and Appeal Options?

ISOO will communicate the results once all agencies have completed their reviews or after one year’s time, whichever comes first. If an institution is not satisfied with the results of an agency’s review, it may appeal the agency’s initial determination. If an agency or agencies fail to review the records within a year, ISOO will notify the requesting institution of its right to appeal directly to the Interagency Security Classification Appeals Panel (ISCAP) for a final determination on the records’ classification status..

Marking

 What are the requirements for the use of the 50X and 75X exemptions?
E.O. 13526, Section 3.3(h)(2) allows for agencies to seek the exemption of specific information from automatic declassification at 50 years in “extraordinary cases.” Records containing information exempted from declassification under this provision will be automatically declassified on December 31 of the year 75 years from the date of origin of those records, unless an agency seeks the exemption of specific information from automatic declassification at 75 years.

Section 3.3(h)(3) allows for agencies to seek the exemption of specific information from automatic declassification at 75 years. Proposals to seek an exemption at 50 or 75 years, shall be submitted to the Director of ISOO, serving as Executive Secretary of the ISCAP, 1 year before the information is subject to automatic declassification.

  • Exemptions require ISCAP approval prior to use.
  • Require a date or event. (50X1-HUM and 50X2-WMD are the only exemptions that can be used without a date)
  • Must be included in agency declassification guide.

Example of requesting a 75X1 or 75X6 exemption:

  1. Description of Information: The identity of senior officials of foreign governments who provided intelligence information to the U.S. about those governments, with the expectation of confidentiality, between 1935 and 1942.
  2. Explanation of Exemption: The declassification the identity of this confidential human source would prevent the U.S. Intelligence Community from collecting intelligence from confidential human sources, and would cause serious harm to the diplomatic relations of the U.S. Government if relationship of those officials to the U.S. Government at that time is not known by the current governments of those nations.
  3. Date or Event for Declassification: Declassify no later than 90 years after the date of the record containing the exempted information.

 What happens to the documents marked 50X-HUM and WMD after 50 years?
50X HUM and WMD are already exempted at 50 years and subject to automatic declassification at 75 years. They may be exempted beyond 75 years if the exemption is approved by the ISCAP.

 What marking goes on the "declassify on" line for derivative documents, if the source document is marked 25X1-Human?
 “50X1-HUM”

 How is a derivative document marked if the source document has no date?
Mark the document 25 years from the date of the creation of the derivative document.

 What happens if a document does not have any declassification instructions?
Try to go back to the document originator and obtain the declassification information. If the information can not be traced, review for declassification at 25 years from the creation of the document.

 How are dynamic documents portioned marked?
Portion mark the sections or portions that you can, and the overall marking of the document. If a section or portion can not be marked, it can not be used a derivative source document.

 How are documents being declassified remarked?
The only documents "allowed" to be remarked are those being requested for FOIA, MDR or other public access, and that are still in control of the agency. Do not remark any documents that are subject to automatic declassification or that have been accessioned to the National Archives.  For guidance on remarking declassified documents, refer to the ISOO Marking Book.

 Can a classification be extended?
Only an OCA with jurisdiction over the information may extend the duration of classification for up to 25 years from the date of the origin of the document. In cases where an extension is made, the “Declassify On” line shall be revised to include the new declassification instructions and shall include the identity of the person authorizing the extension and the date of the action.

 If an agency has a current exemption, does it need to be reapproved? 

All current 25-year and 50-year exemptions should be updated with the ISCAP.

 If a security declassification guide has an instruction to mark certain information for declassification for 25 years, is it from the date of the guide or the date of the document?
The "25 years" denotes 25 years from the date of document creation, not the date of the security classification guide.

 If we receive a classified document and notice the classification level is not on the top and bottom of every page is it okay to mark the top and bottom with the appropriate classification level of the document even though we did not create the document?
Yes, you should go ahead and mark the document properly, but you should also let the sender know so that they can mark the original document properly.

 When were portion markings first required on classified documents?

E.O. 11652, Classification and Declassification of National Security Information and Material, June 8, 1972, signed by Richard Nixon

The following rules shall apply to classification of information under this order:
(A) Documents in General. Each classified document shall show on its face its classification and whether it is subject to or exempt from the General Declassification Schedule. It shall also show the office of origin, the date of preparation and classification and, to the extent practicable, be so marked as to indicate which portions are classified, at what level, and which portions are not classified in order to facilitate excerpting and other use. Material containing references to classified materials, which references do not reveal classified information, shall not be classified.

E.O. 12065, National Security Information, June 28, 1978, signed by Jimmy Carter

1.504 In order to facilitate excerpting and other uses, each classified document shall, by marking or other means, indicate clearly which portions are classified, with the applicable classification designation, and which portions are not classified.  The Director of the Information Security Oversight Office may, for good cause, grant and revoke waivers of this requirement for specified classes of documents or information.

 If individual PowerPoint© slides within a classified presentation have an overall classification of unclassified, is it really necessary to mark the portions as unclassified?

When you are marking a classified document, it is critical that all portions be appropriately marked so as to avoid any confusion about the classification of each portion.  32 CFR 2001.21(c) states that each portion...shall be marked to indicate which portions are classified and which portions are unclassified.  This remains true regardless of the overall classification of that page.  If you were to take an unmarked portion out of one briefing and place that portion into another briefing, and there is no accompanying marking, you have created a classification problem.

 May an agency derivatively classify information from a document prepared/classified by a different agency prior to the effective date of Executive Order 13526 which is not portion marked as would be required under E.O. 13526?

There is an inherent responsibility to go back to the originating agency and request proper markings.  If this is not possible, then the document cannot be used as a source document for other derivatively classified documents and must contain a statement stating so.

 Original Classification Authority (OCA) and Derivative Classification

Is the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)?
There is no intent to allow an OCA to extend classification for another 25 years. This clause relates to the information initially classified for less than 25 years. An OCA may extend the classification up to 25 years from the date of origin of the document. For example, on a document created on April 13, 2005, with a declassification date of April 13, 2015, an OCA may extend the duration of classification up to April 13, 2030.

 Must anyone who creates derivative work be pre-designated as "authorized" to do so and if so, at what level should the training be?
No, there is no requirement in E.O. 13526 (the Order) to "pre-designate" an individual. Every agency determines the degree of training required with guidance that is provided in 32 CFR Part 2001.70.

 If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI to report, or NRO, or both?
 The agency that delegates the authority reports the delegation.

 Who can derivatively mark documents?
Anyone who has a security clearance and access to classified information as part of their job or who is working in a classified environment has derivative authority. They must also have the required derivative training.

 Who is responsible for providing Original Classification Authority (OCA) training to those designated specifically by the President?

Those who are responsible to the Senior Agency Official for the implementation of the program should provide the required training to the OCAs and everyone else in the organization.


Frequently Asked Questions GSA Containers

GSA GLOBAL SUPPLY DOCUMENT 

 What is the Government policy for procuring GSA Approved containers for storing US Government classified information? 

The Government wide policy is documented in Information Security Oversight Office (ISOO) Notice 2014-02. New containers can only be purchased through the GSA process. They cannot be purchased from third party vendors, refurbishers, or sales boards such as E:Bay. Containers for storage of classified storage can be transferred or sold from one cleared program to another either within a company or between two separate companies. The concern is that containers that leave a cleared contractor or Government control may be accessed by someone with bad intentions and compromised, so those containers may not be used. Information on the procurement process can be located at the following web sites: https://www.gsa.gov/buying-selling/purchasing-programs/requisition-programs/gsa-global-supply/national-stock-numbers/security-containers/ordering-procedures-for-security-containers and https://www.archives.gov/files/isoo/notices/notice-2014-02.pdf

 What is the process if a defense contractor needs to purchase a GSA Approved container? 

The contractor ordering process is detailed in documents at the above link.

 What is the process if a defense contractor wants to purchase a GSA container off contract and with company dollars?

Contractors who need to purchase GSA Approved containers need to follow the process detailed in the ordering procedures even if the purchase is being made with company money.\

 Does it mean contractors cannot just buy containers from any vendor? Can contractors buy used containers?

Information Security Oversight Office (ISOO) Notice 2012-04 does not allow the use of used or refurbished containers. All new containers for US Government contractors must be purchased through the specified process. https://www.archives.gov/files/isoo/notices/notice-2012-04.pdf

 Is there a process to re-certify a GSA approved container that we are unsure of or is missing a label?
https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock/GSA_SEI_Main.html

 Where can I find additional information with respect to GSA guidance on GSA Approved Containers?

The General Services Administration, Interagency Committee on Security Equipment (GSA/IACSE) and the General Services Administration provides the following clarification regarding “black label” containers that have a manufacture date outside of those set forth in the phase-out plan found in ISOO NOTICE 2021-01.

 Is it acceptable to have preventative maintenance performed instead of replacing the safe?

Yes. Allowable maintenance is identified in Federal Standard 809, paragraph 4.2. This does include allowing the replacement of the lock. FED STD 809 can be found at the following web address: https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock/Documents/DirectivesandGuidance.html

 What is the disposal process for used containers?

Minimum disposal instructions can be found at the following web address:
https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services 

 Black lettering indicates safes are nearing the end of their expected life. Is there information on when they need to be replaced?

Federal Standard 809D, Section 5, states once a black label GSA-approved security file cabinet is neutralized, it shall not be repaired (Table 1, page 8). It is important to note that the term “neutralized” means the cabinet was locked in the closed condition and it was opened using one of the four neutralization methods described in Federal Standard 809D, Section 6. Per the new “DO NOT REPAIR” statement in Federal Standard 809D, Table 1, once a black-label security file cabinet has been neutralized, it cannot be repaired and put back in service protecting classified information. GSA-approved black label security file cabinets that remain in service protecting classified information should continue to be periodically inspected and maintained as described in Federal Standard 809D, Section 4. Specifically, the following routine maintenance and repair procedures can be accomplished on a black-label security file cabinet: • The combination lock can be replaced. • The drawer suspensions can be replaced or repaired. • The drawer handles and springs can be replaced or adjusted. • Periodic adjustments (drawer head, thumb latches etc.) and bolt tightening can be accomplished as required.

 Are older versions of locks previously approved under Federal Specification FF-L-2740B (e.g. X-07, X-08, X-09 still allowed to be used?

All locks previously approved under Federal Specifications are still allowed to be used. Be aware that the X-07, X-08, and the early X-09 locks have exceeded their expected life and should be considered for replacement.

 If we had a lock that failed and we need to replace it how do we find an authorized locksmith to replace the lock?

Information on locksmiths who have completed the GSA Safe and Vault Technicians course can be found on the DoD Lock program web page at: https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html

 Is the DODAAC number issued once to a contractor or is there a different number per contract?

According to PGI251.102-70 a DoDAAC is assigned to a contractor for use per the contract number and is unique to that contract. It expires 24 months beyond contract closeout. DoDAACs are assigned by contract number.

 Can we use a cabinet owned by our company from another location?

Yes, Containers can be transferred within a company.


Frequently Asked Questions re: National Security Information

 What carriers are approved by the NISP as overnight carriers? 

GSA’s Multiple Award Schedule (MAS) no longer includes UPS (contract number GS-23F-0282L). This impacts any orders or blanket purchasing agreements an agency had placed or intended to place with UPS under that particular contract.

Agencies are still authorized to use UPS under another valid Government contract:  DoD/USTRANSCOM’s Next Generation Delivery Services (NGDS) program.  NGDS is a GSA-delegated, OMB mandatory-use program for small parcel delivery services.  It has current contracts with UPS and FedEx that satisfy the requirements of 32 CFR 2001.46(c)(2)(ii) for overnight delivery of Confidential and Secret classified information.  For Federal users to get more information on the NGDS program, its rates, and shipper’s guide, see https://hallways.cap.gsa.gov/app/#/gateway/transportation-logistics-services.

Cleared NISP contractors should contact their Government Contracting Activity (GCA) for approval to utilize the NGDS contract for overnight delivery of Confidential and Secret classified information in accordance with 32 CFR 117.15(f)(3), as there are NGDS requirements that the GCA must ensure are met.  

If an agency is not able to utilize delivery services under the NGDS program, the agency may use another approved vendor for overnight delivery of Confidential and Secret classified information.  USPS and FedEx have current contracts for delivery services under GSA’s MAS 492110 schedule.  Although these vendors meet the requirement in 32 CFR 2001.46(c)(2)(ii) to use a GSA-approved vendor, they have not been vetted under this schedule to determine if they meet the additional requirements for classified delivery services outlined in 32 CFR 2001.46(c)(2)(ii).  Before placing an order against the MAS, the agency must therefore vet the vendor to ensure it meets these additional regulatory requirements.  Cleared NISP contractors will also need to make sure the supplier meets requirements in 32 CFR 117.15(f)(3).  For more information on MASs, see https://www.gsa.gov/buying-selling/purchasing-programs/gsa-schedule


 What is a "national security system" (NSS)?

44 USC 3552 (b)(6)(A), Federal Information Security Management Act  of 2014 (FISMA), Public Law 113-283, December 18, 2014, defines a "national security system" as:

Any information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, (i) the function, operation, or use of which:

(I) Involves intelligence activities;

(II) Involves cryptologic activities related to national security;

(II) Involves command and control of military forces;

(IV) Involves equipment that is an integral part of a weapon or weapon system; or

(V) Subject to subparagraph B, is critical to the direct fulfillment of military or intelligence missions; or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

(B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

 Can Secret and Confidential information be transmitted by an overnight delivery service within the U.S. and its Territories? 
Yes. Agency heads may, when a requirement exists for overnight delivery within the U.S. and its Territories, authorize the use of the current holder of the General Services Administration contract for overnight delivery of information for the Executive Branch [Ref. Section 2001.46 (c)(2) of 32 C.F.R. Part 2001].

Overnight Express Carriers: These overnight express carriers below meet the requirements outlined In 32 CFR Part 2001 for Federal Executive Branch and the requirements established in DoD Manual 5220.22, NISPOM for cleared contractors for the shipment of CONFIDENTIAL AND SECRET MATERIAL.

Federal Express

USPS *(see note 1)

 

*Note 1: Sender must verify that the zip code which the package is destined that USPS provides overnight Express services

**Note 2: Please ensure that classified packages are delivered to a person vice dropped off without a signature.

At this time, USPS registered mail is the only authorized way to send collateral secret and below information through the U.S. postal service requiring a signature. Do not send any classified material without first ensuring the package will be delivered with the required signature.

 Where can I get additional information on the NSS, incidents, and spills?

See Federal Incident Reporting Guidelines

 Where can I contact the Committee on National Security Systems (CNSS)?

See Committee on National Security Systems 


 Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117 and NISPPAC

 When did 32 CFR Part 117 become effective?

32 CFR Part 117 became effective February 24, 2021, and authorizes the contractor no more than six months to comply with changes from the effective date of the rule, which is August 24, 2021.  

 Where can I find additional information?

To assist in implementing the NISPOM Rule and help those not familiar with the rule's new format, the Defense Counterintelligence Security Agency (DCSA) released a cross-reference tool.  This tool maps the DoD 5220.22-M format to the appropriate location within the NISPOM Rule.  The tool can be found on the Center for Development of Security Excellence (CDSE) website at https://www.cdse.edu/documents/toolkits-fsos/32CFR_Part117_NISPOM_Rule_Cross_Reference_Tool.xlsx

 Does NISPPAC Industry have a way to reach out to cleared companies?

 Check out the Industry NISPPAC Newsletter- What's New with the Industry NISPPAC


What is the Purpose of the NDC?

The NDC will shorten the amount of time that it takes to declassify a document.

Who Established the NDC?

The authority for the NDC is Section 3.7 of Executive Order 13526, which was signed by President Obama on December 29, 2009.

Where Can I Go to Learn More?

For additional information, visit NDC. or send a comment, question or concern to NDC@nara.gov. Additionally, you can visit the NDC blog.

Top