20 May 2004

Source: http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=32&PART=159a&SECTION=80&YEAR=1999&TYPE=TEXT

--------------------------------------------------------------------------

[Code of Federal Regulations]
[Title 32, Volume 6]
[Revised as of July 1, 2003]
From the U.S. Government Printing Office via GPO Access
[CITE: 32CFR2004.11]

[Page 499-500]

TITLE 32--NATIONAL DEFENSE

CHAPTER XX--INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

PART 2004--DIRECTIVE ON SAFEGUARDING CLASSIFIED NATIONAL SECURITY INFORMATION--Table of Contents

Sec. 2004.11 Special access programs.

(a) General. The safeguarding requirements of this Directive may be enhanced for information in Special Access Programs (SAP), established under the provisions of Section 4.4 of E.O. [[Page 500]] 12958, by the agency head responsible for creating the SAP. Agency heads shall ensure that the enhanced controls are based on an assessment of the value, critical nature, and vulnerability of the information.

(b) Significant interagency support requirements. Agency heads must ensure that a Memorandum of Agreement/Understanding (MOA/MOU) is established for each Special Access Program that has significant interagency support requirements, to appropriately and fully address support requirements and supporting agency oversight responsibilities for that SAP.

--------------------------------------------------------------------------

[Code of Federal Regulations]
[Title 32, Volume 1, Parts 1 to 190]
[Revised as of July 1, 1999]
From the U.S. Government Printing Office via GPO Access
[CITE: 32CFR159a.80]

[Page 778]

TITLE 32--NATIONAL DEFENSE

CHAPTER I--OFFICE OF THE SECRETARY OF DEFENSE

PART 159a--INFORMATION SECURITY PROGRAM REGULATION--Table of Contents

Subpart M--Special Access Programs

Sec. 159a.80 Policy.

It is the policy of the Department of Defense to use the security classification categories and the applicable sections of E.O.
12356 and its implementing ISOO Directive, to limit access to classified information on a ``need-to-know'' basis to personnel who have been determined to be trustworthy. It is further policy to apply the ``need-to-know'' principle in the regular system so that there will be no need to resort to formal Special Access Programs. Also, need-to-know control principles shall be applied within Special Access Programs. In this context, Special Access Programs may be created or continued only on specific showing that:

(a) Normal management and safeguarding procedures are not sufficient to limit ``need-to-know'' or access; and

(b) The number of persons who will need access will be reasonably small and commensurate with the objective of providing extra protection for the information involved.

[Page 778-779]

Sec. 159a.81 Establishment of special access programs.

(a) Procedures for the establishment of Special Access Programs involving NATO classified information are based [[Page 779]] on international treaty requirements (see DoD Directive 5100.55).

(b) The policies and procedures for access to and dissemination of Restricted Data and Critical Nuclear Weapon Design Information are contained in DoD Directive 5210.2.

(c) Special Access Programs for foreign intelligence information under the cognizance of the Director of Central Intelligence, or those of the National Telecommunications and Information Systems Security Committee originate outside the Department of Defense. However, coordination with the DUSD(P) and the Component's central point of contact is necessary before the establishment or implementation of any such Programs by any DoD Component. The information required by Sec. 159a.80(f)(1) will be provided.
(d) Excluding those Programs and that information specified in paragraphs (a)(1), (2), and (3) of this section, Special Access Programs shall be established within the Military Departments by:

(1) Submitting to the Secretary of the Department the information required under Sec. 159a.80(f)(1).

(2) Obtaining written approval from the Secretary of the Department;

(3) Providing to the DUSD(P) notice of the approval; and

(4) Maintaining the information and rationale upon which approval was granted within the Military Department's central office.

(e) Excluding those Programs and that information in paragraphs (d)(1), (2), and (3) of this section, Special Access Programs that are desired to be established in any DoD Component other than the Military Departments shall be submitted with the information referred to in Sec. 159a.80(f)(1) to the DUSD(P) for approval.

(f) Upon specific written notice to one of the appropriate DoD Special Access Program approval officials, receipt of their written concurrence, protective Special Access Program controls may be applied to a prospective Special Access Program for up to a 6-month period from the date of such notice. However, in all instances, the Program must be terminated as a prospective Special Access Program or formally approved as a Special Access Program by the end of the 6-month time period.

(g) Unless under DoD Directive S-5210.36 \37\, Special Access Programs which involve one or more DoD Components, or a DoD Component and a non-DoD activity, shall be covered by a written agreement which must document who has the principal security responsibility, who is the primary sponsor of the Program, and who is responsible for obtaining Special Access Program approval.

---------------------------------------------------------------------------

\37\ See footnote 13 to Sec. 159a.33(j).

---------------------------------------------------------------------------

[Excerpt from Sec.
159a.33(j)]

(j) Secure Telecommunications and Information Handling Equipment. Applicable classification or Controlled Cryptographic Item (CCI) markings shall be applied to secure telecommunications and information handling equipment or associated cryptographic components. Safeguarding and control procedures for classified and CCI equipment and for safeguarding COMSEC facilities are contained in DoD Instruction 5230.22 \12\a, National Communications Security Committee (NCSC) Policy Directive 6, DoD Directive C-5200.5 \13\, National Telecommunications and Information Systems Security Instruction 4001, and National COMSEC Instruction 4003, 4006, and 4008.

---------------------------------------------------------------------------

\12\a See footnote 1 to Sec. 159a.3.

\13\ Classified document. Not releasable to the public.

---------------------------------------------------------------------------

[End excerpt from Sec. 159a.33(j)]

---------------------------------------------------------------------------

Sec. 159a.82 Review of special access programs.

(a) Excluding those Programs specified in Sec. 159a.81 (a), (b), or (c), each Special Access Program shall be reviewed annually by the DoD Component responsible for establishment of the Program. To accommodate such reviews, DoD Components shall institute procedures to ensure the conduct of annual security inspections, with or without prior notice, and regularly scheduled audits by security, contract administration, and audit organizations. Also, Program managers shall ensure that Special Access Program activities have undergone a current review by legal counsel for compliance with law, executive order, regulation, and national policy. To accomplish such reviews, specially cleared pools of attorneys may be utilized, but in all cases legal counsel shall be provided with all information necessary to perform such reviews.

(b) Special Access Programs, excluding those specified in Sec.
159a.81 (a), (b), or (c), or those required by treaty or international agreement, shall terminate automatically every 5 years unless reestablished in accordance with the procedures contained in Sec. 159a.81.

Sec. 159a.83 Control and central office administration.

(a) Special Access Programs shall be controlled and managed in accordance with DoD Directive 5205.7 \38\. Each DoD Component shall appoint a Special Access Program coordinator to establish and maintain a central office and to serve as a single point of contact for [[Page 780]] information concerning the establishment and security administration of all Special Access Programs established by or existing in the Component. These officials shall report to the DUSD(P) on the status of DoD Special Access Programs within the Component to include:

---------------------------------------------------------------------------

\38\ See footnote 1 to Sec. 159a.3.

---------------------------------------------------------------------------

(1) The establishment of a Special Access Program as required by Sec. 159a.81(d)(3); and

(2) Changes in Program status as required by Sec. 159a.85 (b) or (c).

(b) Officials serving as single points of contact, as well as members of their respective staffs and other persons providing support to Special Access Programs who require access to multiple sets of particularly sensitive information, shall be subject to a counterintelligence-scope polygraph examination periodically but not less than once every 5 years. Additionally, such testing will be subject to the limitations imposed by Congress. The program for each DoD Component, as well as requests for waiver, shall be submitted for approval by the DUSD(P).

Sec. 159a.84 Codewords and nicknames.

Excluding those Programs specified in Sec. 159a.81 (a), (b), and (c), each Special Access Program will be assigned a classified code word, or an unclassified nickname, or both.
DoD Components other than Military Departments may request codewords and nicknames from the DUSD(P) individually or in block. If codewords or nicknames are obtained in block, however, the issuing Component shall promptly notify the DUSD(P) upon activation and assignment.

Sec. 159a.85 Reporting of special access programs.

(a) Report of Establishment. Reports to the Secretary of the Military Department or the DUSD(P) required under Sec. 159a.81 for Special Access Programs shall include:

(1) The responsible department, agency, or DoD Component, including office identification;

(2) The codeword and/or nickname of the Program;

(3) The relationship, if any, to other Special Access Programs in the Department of Defense or other government agencies;

(4) The rationale for establishing the Special Access Program including the reason why normal management and safeguarding procedures for classified information are inadequate;

(5) The estimated number of persons granted special access in the responsible DoD Component; other DoD Components; other government agencies; contractors; and the total of such personnel;

(6) A summary statement pertaining to the Program security requirements with particular emphasis upon those personnel security requirements governing access to Program information;

(7) The date of Program establishment;

(8) The estimated number and approximate dollar value, if known, of carve-out contracts that will be or are required to support the Program; and

(9) The DoD Component official who is the point of contact (last name, first name, middle initial; position or title; mailing address; and telephone number).

(10) A security plan and appropriate security classification guide and notification that a proper DD Form 254, ``Contract Security Classification Specification,'' has been issued to contractors participating in the Program.

(b) Annual Reports.
DoD Component annual reports from other than the Military Departments to the DUSD(P) shall be submitted not later than January 31 of each year, showing the changes in information provided under paragraph (a) of this section, as well as the date of last review. Annual reports shall reflect actual rather than estimated numbers of carve-out contracts and persons granted access and shall summarize the results of the inspections and audits required by Sec. 159a.82(a). Reports from the Military Departments which have approval authority will summarize the required reviews which have been conducted during the year by the central offices, to include details and numbers of carve-out contracts associated with approved Special Access Programs and their overall security posture and numbers [[Page 781]] of approved Programs by type. Additionally, the Military Department Secretaries authorized to approve such Programs shall furnish a name listing, by unclassified nickname if practicable, or approved Special Access Programs under their cognizance, and they will report any changes to the listing as they occur pursuant to the notification requirements of Sec. 159a.81(d)(3), that is, additions, deletions, and corrections to the DUSD(P). The effective date of information in the annual reports shall be December 31.

(c) Termination Reports. The DUSD(P) shall be notified upon termination of a Special Access Program.

Sec. 159a.86 Accounting for special access programs.

Each of the central offices which must be identified in accordance with Sec. 159a.83(a) shall maintain a complete listing of currently approved DoD Special Access Programs which encompasses the information outlined in Sec. 159a.85(a). These listings shall be readily available to the DUSD(P) or his designated representatives.

Sec. 159a.87 Limitations on access.

Access to data reported under this subpart shall be limited to the DUSD(P) and the minimum number of properly indoctrinated staff necessary to perform the functions assigned the DUSD(P) herein. Access may not be granted to any other person for any purpose without the approval of the DoD Components sponsoring the Special Access Programs concerned.

Sec. 159a.88 ``Carve-Out'' contracts.

(a) The Secretaries of the Military Departments and the DUSD(P), or their designees, shall ensure that, in those Special Access Programs involving contractors, special access controls are made applicable by legally binding instruments.

(b) To the extent necessary for DIS to execute its security responsibilities with respect to Special Access Programs under its security cognizance, DIS personnel shall have access to all information relating to the administration of these Programs.

(c) Excluding those Programs specified in Sec. 159a.81(c), the use of ``carve-out'' contracts that relieve the DIS from inspection responsibility under the Defense Industrial Security Program is prohibited unless:

(1) Such contract supports a Special Access Program approved and administered under Sec. 159a.81;

(2) Mere knowledge of the existence of a contract or of its affiliation with the Special Access Program is classified information; and

(3) Carve-out status is approved for each contract by the Secretary of a Military Department, the Director, NSA, the DUSD(P), or their designees.

(d) Approval to establish a ``carve-out'' contract must be requested from the Secretary of a Military Department, or designee(s), the Director, NSA, or designee(s), or in the case of other DoD Components, from the DUSD(P). Approved ``carve-out'' contracts shall be assured the support necessary for the requisite protection of the classified information involved.
The support shall be specified through a system of controls that shall provide for:

(1) A written security plan, oral waivers of which are prohibited except in critical situations that must be documented as soon as possible after the fact. Note: The plan must identify that DD Forms 254 have been distributed to the Defense Investigative Service as outlined in DoD Directive 5205.7.

(2) Professional security personnel at the sponsoring DoD Component performing security inspections at each contractor's facility which shall be conducted, at a minimum, with the frequency prescribed by paragraph 4-103 of DoD 5220.22-R;

(3) ``Carve-out'' contracting procedures;

(4) A central office of record; and

(5) An official to be the single point of contact for security control and administration.

DoD Components other than the Military Departments and NSA shall submit such appropriate rationale and security plan along with requests for approval to the DUSD(P).

(e) An annual inventory of carve-out contracts shall be conducted by each DoD Component which participates in Special Access Programs.

[[Page 782]]

(f) This subsection relates back to the date of execution for each contract to which carve-out contracting techniques are applied. The carve-out status of any contract expires upon termination of the Special Access Program which it supports.

Sec. 159a.89 Oversight reviews.

(a) DUSD(P) shall conduct oversight reviews, as required, to determine compliance with this subpart.

(b) Pursuant to statutory authority, the Inspector General, Department of Defense, shall conduct oversight of Special Access Programs.

------------------------------------------------------------------------