SUP 5252.204-9400 Contractor Access to Federally Controlled Facilities and/or Unclassified Sensitive Information or Unclassified IT Systems (MAY 2010)
Insert the following clause in solicitations and contracts with contractors from the United Kingdom who will be provided classified data or who will develop classified data under the contract.
SUP 5252.204-9400 Contractor Access to Federally Controlled Facilities and/or Unclassified Sensitive Information or Unclassified IT Systems (MAY 2010)
- Homeland Security Presidential Directive (HSPD)-12 requires government agencies to develop and implement Federal security standards for Federal employees and contractors. The Deputy Secretary of Defense Directive-Type Memorandum (DTM) 08-006 "DOD Implementation of Homeland Security Presidential Directive-12 (HSPD-12)" dated November 26, 2008 (or its subsequent DOD instruction) directs implementation of HSPD-12. This clause is in accordance with HSPD-12 and its implementing directives. This clause applies to contractor employees requiring physical access to any area of a federally controlled base, facility or activity and/or requiring access to a DOD computer/network, to perform certain unclassified both non-sensitive and sensitive duties. It is the responsibility of the command/facility where the work is performed to ensure compliance.
- The requirement to control access to sensitive information applies to all US government IT systems and/or areas where unclassified but sensitive information may be discussed, displayed or maintained. DON policy prescribes that all unclassified data that has not been approved for public release and is stored on mobile computing devices must be treated as sensitive data and encrypted using commercially available encryption technology. Whenever granted access to sensitive information, contractor employees shall follow applicable DOD/DON instructions, regulations, policies and procedures when reviewing, processing, producing, protecting, destroying and/or storing that information. Operational Security (OPSEC) procedures and practices must be implemented by both the contractor and contract employee to protect the product, information, services, operations and missions related to the contract. The contractor shall designate an employee to serve as the Contractor's Security Representative. Within three work days after contract award, the contractor shall provide to the Navy Command's Security Manager and the Contracting Officer, in writing, the name, title, address and phone number for the Contractor's Security Representative. The Contractor's Security Representative shall be the primary point of contact on any security matter. The Contractor's Security Representative shall not be replaced or removed without prior notice to the Contracting Officer.
- Non-Sensitive Positions
Contractor employee whose work is unclassified and non-sensitive (e.g., performing certain duties such as lawn maintenance, vendor services, etc.) and who require physical access to publicly accessible areas to perform those duties shall meet the following minimum requirements:
- Must be either a US citizen or a US permanent resident with a minimum of 3 years legal residency in the US (as required by The Deputy Secretary of Defense DTM 08-006 or its subsequent DOD instruction) and
- Must have a favorably completed National Agency Check with Written Inquiries (NACI) including a Federal Bureau of Investigation (FBI) fingerprint check prior to installation access.
- To be considered for a favorable trustworthiness determination, the Contractor's Security Representative must submit for all employees each of the following:
- SF-85 Questionnaire for Non-Sensitive Positions
- Two FD-258 Applicant Fingerprint Cards
- Original Signed Release Statements
- The contractor shall ensure each individual employee has a current favorably completed NACI.
The Contractor's Security Representative shall be responsible for initiating reinvestigations as required. Failure to provide the required documentation at least 30 days prior to the individual's start date shall result in delaying the individual's start date.
- Sensitive Positions
Contractor employee whose duties require accessing a DOD unclassified computer/network, working with sensitive unclassified information (either at a Government or contractor facility), or physical access to a DOD facility must be a US citizen and possess a favorable trustworthiness determination prior to installation access. To obtain a favorable trustworthiness determination, each contractor employee must have a favorably completed National Agency Check with Local Credit Checks (NACLC) which consists of a NACI including a FBI fingerprint check plus credit and law enforcement checks. Each contractor employee applying for a trustworthiness determination is required to complete:
- SF-85 Questionnaire for Non-Sensitive Positions
- Two FD-258 Applicant Fingerprint Cards
- Original Signed Release Statements
- Failure to provide the required documentation at least 30 days prior to the individual's start date shall result in delaying the individual's start date. To maintain continuing authorization for an employee to access a DOD unclassified computer/network, and/or have access to sensitive unclassified information, the contractor shall ensure that the individual employee has a current requisite background investigation. The Contractor's Security Representative shall be responsible for initiating reinvestigations as required and ensuring that background investigations remain current (not older than 10 years) throughout the contract performance period.
- IT Systems Access
When access to IT systems is required for performance of the contractor employee's duties, such employees shall in-process with the Navy Command's Security Manager and Information Assurance Manager upon arrival to the Navy command and shall out-process prior to their departure at the completion of the individual's performance under the contract. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The SAAR-N shall be forwarded to the Navy Command's Security Manager at least 30 days prior to the individual's start date. Failure to provide the required documentation at least 30 days prior to the individual's start date shall result in delaying the individual's start date.
When required to maintain access to required IT systems or networks, the contractor shall ensure that all employees requiring access complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. The Contractor's Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.
- Security Approval Process
The Contractor's Security Representative shall ensure that each individual employee pending assignment shall accurately complete the required forms for submission to the Navy Command's Security Manager. The Contractor's Security Representative shall screen the investigative questionnaires for completeness and accuracy and for potential suitability/security issues prior to submitting the request to the Navy Command's Security Manager. Forms and fingerprint cards may be obtained from the Navy Command's Security Manager. These required items shall be forwarded to the Navy Command's Security Manager for processing at least 30 days prior to the individual employee's anticipated date for reporting for duty. The Navy Command's Security Manager will review the submitted documentation for completeness prior to submitting it to the Office of Personnel Management (OPM). Suitability/security issues identified by the Navy Command's Security Manager may render the contract employee ineligible for the assignment. A favorable review of the questionnaire and advance fingerprint results are required as an interim measure prior to the contract employee start date. An unfavorable determination made by the Navy Command's Security Manager is final and such a determination does not relieve the contractor from meeting any contractual obligation under the contract.
- If contractor employees already possess a current favorably adjudicated investigation, the Navy Command's Security Manager will use the Visit Authorization Request (VAR) via the Joint Personnel Adjudication System (JPAS). The contractor shall include the IT Position Category per SECNAV M-5510.30 for each employee designated on a VAR. The VAR requires annual renewal for the duration of the employee's performance under the contract.
- The Navy Command's Security Manager will forward the required forms to OPM for processing. Once the investigation is complete, the results will be forwarded by OPM to the DON Central Adjudication Facility (CAF) for a position of trust determination. When a favorable determination is not made, contractor employees shall not be permitted to work on this contract effort and if already working on the contract shall be removed immediately.
- The potential consequences of any requirements under this clause including denial of access for a proposed contractor employee who fails to obtain a favorable trustworthiness determination in no way relieves the contractor from the requirement to execute performance under the contract within the timeframes specified in the contract. Contractors shall plan ahead in processing their employees and subcontractor employees for working in non-sensitive positions, with sensitive information, and/or on Government IT systems. The contractor shall insert this clause in all subcontracts when the subcontractor is permitted to have physical access to a federally controlled facility and/or access to a federally-controlled information system/network and/or access to government information.