NATIONAL INDUSTRIAL SECURITY PROGRAM 

OPERATING MANUAL SUPPLEMENT 

 

 

THE UNDER SECRETARY OF DEFENSE 

WASHINGTON, D.C. 203012000 

 

 

 

FOREWORD 

 

December 29, 1994 

 

 

 

 

I am pleased to promulgate this inaugural edition of the Supplement to the National Industrial Security Program 

Operating Manual (NISPOMSUP). It provides the enhanced security requirements, procedures, and options to the 

National Industrial Security Program Operating Manual (NISPOM) for: 

 

Critical Restricted Data (RD) classified at the Secret and Top Secret levels; 

 

Special Access Programs (SAPs) and SAP-type compartmented efforts established and approved by the Executive 

Branch; 

 

Sensitive Compartmented Information (SCI) or other DCI SAP-type compartmented programs under the Director of 

Central Intelligence which protect intelligence sources and methods; and 

 

Acquisition, Intelligence, and Operations and Support SAPs. 

 

This Supplement is applicable to contractor facilities located within the United States, its Trust Territories and 

Possessions. In cases of inconsistencies between the NISPOM (baseline) and this Supplement as imposed by a 

Cognizant Security Agency (CSA), as defined herein, the Supplement will take precedence. 

 

The NISPOM Supplement has been written as a menu of options. Throughout this NISPOMSUP it is understood that 

whenever a security option is specified for a SAP by the Government Program Security Officer (PSO), his or her 

authority is strictly based on the security menu of options originally approved in writing by the CSA, or designee. 

CSAs may delegate such responsibility for the implementation of SAP security policies and procedures. Since SAPs 

have varying degrees of security based on sensitivity and threat, all programs may not have the same requirements. 

When a security option is selected as a contract requirement, it becomes a "shall" or "will" rather than a "may" in this 

document. Bold and italicized print denotes contractor security requirements, except in chapter titles and paragraphs. 

 

The Director of Central Intelligence Directives (DCIDs), which prescribe procedures for the DCI Sensitive 

Compartmented Information (SCI) or other SAP-type DCI programs also set the upper standard of security measures 

for programs covered by this Supplement. DCIDs may be used by any SAP program manager with approval from the 

CSA. Specific security measures that are above the DCIDs (noted by asterisks) shall be approved by the CSA or 

designee. 

 

The provisions of this NISPOMSUP apply to all contractors participating in the administration of programs covered 

by this Supplement. In cases of doubt over the specific provisions, the contractor should consult the PSO prior to 

taking any action or expending program related funds. In cases of extreme emergency requiring immediate attention, 

the action taken should protect the Government's interest and the security of the program from compromise. 

This NISPOMSUP is intended to be a living document. Users are encouraged to submit changes through their CSA 

to the Executive Agent's designated representative at the following address: 

 

          Department of Defense 

          ODTUSD(P)PS 

          ATTN: Director Special Programs 

          The Pentagon, Room 3C285 

          Washington, D.C. 203012200 

 

This NISPOMSUP will be reviewed and updated as necessary, but in any case no more than one year from the date 

of publication. 

 

 

                                      Walter B. Slocombe 

                                      Under Secretary of Defense (Policy) 

 

 

 

 

TABLE OF CONTENTS 

 

 

 

 

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS 

 

									      Page 

 

Section I . Introduction 	11 I 

Section 2. General Requirements 	121 

Section 3. Reporting Requirements 	131 

 

 

CHAPTER 2. SECURITY CLEARANCES 

 

Section 1. Facility Clearances 	21 I 

Section 2. Personnel Clearances and Access 	221 

 

 

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS 

 

Section 1. Security Training and Briefings 	311 

 

 

CHAPTER 4. CLASSIFICATION AND MARKING 

 

Section I . Classification 	411 

Section 2. Marking Requirements 	421 

 

 

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION 

 

Section 1. General Safeguarding Requirements .	51l 

Section 2. Control and Accountability 	521 

Section 3. Storage and Storage Equipment 	531 

Section 4. Transmission 	541 

Section 5. Disclosure 	551 

Section 6. Reproduction 	561 

Section 7. Disposition and Retention 	571 

Section 8. Construction Requirements 	581 

 

 

CHAPTER 6. VISITS and MEETINGS 

 

Section I . Visits 	611 

Section 2. Meetings 	621 

 

 

CHAPTER 7. SUBCONTRACTING 

 

Section 1. Prime Contractor Responsibilities 	711 

 

 

CHAPTER 8. AUTOMATED INFORMATION SYSTEM SECURITY 

 

Section 1. Responsibilities 	811 

Section 2. Security Modes 	821 

Section 3. System Access and Operation	831 

Section 4. Networks 	841 

Section 5. Software and Data Files	851 

Section 6. AIS Acquisition, Maintenance, and Release	861 

Section 7. Documentation and Training	871 

 

 

CHAPTER 9. RESTRICTED DATA 

 

Section I . Introduction 	9l 1 

Section 2. Secure Working Areas	921 

Section 3. Storage Requirements 	931 

 

 

CHAPTER 10. INTERNATIONAL SECURITY REQUIREMENTS 

 

 

CHAPTER 11. MISCELLANEOUS 

 

Section 1. TEMPEST 	111 1 

Section 2. Government Technical Libraries	1121 

Section 3. Independent Research and Development 	1131 

Section 4. Operations Security	1141 

Section 5. Counterintelligence (Cl) Support 	1151 

Section 6. Decompartmentations Disposition, and Technology Transfer 	1161 

Section 7. Other Topics 	1171 

 

 

APPENDICES 

 

Appendix A. Definitions 	Al 

Appendix B. AIS Acronyms	BI 

Appendix C. AISSP Outline .	CI 

Appendix D. AIS Certification and Accreditation 	D I 

Appendix E. References .	E I 

 

 

FIGURES 

 

Figure I . SAP Government and Contractor Relationships 	l 12 

 

 

TABLES 

 

Table 1. Clearing and Santization Data Storage................................854 

Table 2. Sanitizing AIS Components................................................855 

 

 

 

Chapter 1 

General Provisions and Requirements 

 

 

Section 1. Introduction 

 

 

 

1100. Purpose. 

 

a. This Supplement provides special security measures to ensure the integrity of SAPs, Critical SECRET Restricted 

Data (SRD), and TOP SECRET Restricted Data (TSRD) and imposes controls supplemental to security measures 

prescribed in the NISPOM for classified contracts. Supplemental measures fall under the cognizance of the DoD, 

DCI, DOE, NRC or other CSA as appropriate. See page 112 for Figure 1, SAP Government and Contractor 

Relationships. Additionally, specific contract provisions pertaining to these measures applicable to associated 

unacknowledged activities will be separately provided. Any Department, Agency, or other organizational structure 

amplifying instructions will be inserted immediately following the applicable security options selected from the 

NISPOMSUP. This will facilitate providing a contractor with a supplement that is overprinted with the options 

selected. 

 

b. Security Options. This Supplement contains security options from which specific security measures may be 

selected for individual programs. The options selected shall be specifically addressed in the Program Security Guide 

(PSG) and/or identified in the Contract. The PSG shall be endorsed by the CSA or his/her designee, establishing the 

program, although, as a rule, the DCIDs sets the upper limits. In some cases, security or sensitive factors may require 

security measures that exceed DCID standards. In such cases, the higher standards shall be listed separately and 

specifically endorsed by the CSA creating the program and may be reflected as an overprint to this Supplement. 

 

1101. Scope. 

 

a. The policy and guidance contained herein and imposed by contract is binding upon all persons who are granted 

access to SAP information. Acceptance of the contract security measures is a prerequisite to any negotiations leading 

to Program participation and accreditation of a Special Access Program Facility (SAPF). 

 

b. The following is restated from the baseline for clarity. If a contractor determines that implementation of any 

provision of this Supplement is more costly than provisions imposed under previous U.S. Government policies, 

standards, or requirements, the contractor shall notify the Cognizant Security Agency. Contractors shad, however, 

implement any such provision within three years from the date of this Supplement, unless a written exception is 

granted by the CSA. The DCIDs apply to all SCI and DCI programs and any other SAP that selects them as the 

program security measures. 

 

1102. Agency Agreement SAP Program Areas. The Government Agency establishing a SAP will designate a 

Program Executive Agent for the administration, security, execution, and control of the SAP. The Program Security 

Officer (PSO), rather than the Facility CSA, will be responsible for security of the program and all program areas. 

 

1103. Security Cognizance. Those heads of Agencies authorized under E.O. 12356 or successor order to create SAPs 

may enter into agreements with the Secretary of Defense that establish the terms of the Secretary of Defense's 

responsibilities for the SAP. When a Department or Agency of the Executive Branch retains cognizant security 

responsibilities for its SAP, the provisions of this Supplement will apply. 

 

1104. Supplement Interpretations AU contractor requests for interpretation of this Supplement will be forwarded to 

the PSO. 

 

1105. Supplement Changes Users of this Supplement are encouraged to submit recommended changes and 

comments through their PSO in concurrence with the baseline. 

 

1106. Waivers and Exceptions The purpose of having a waiver and exception policy is to ensure that deviations from 

established SAP criteria are systematically and uniformly identified to the Government Program Manager (GPM). 

Every effort will be made to avoid waivers to established SAP policies and procedures unless they are in the best 

interest of the Government. In those cases where waivers are required, a request will be submitted to the PSO. As 

appropriate, the PSO, and if necessary the GPM (if a different individual) will assess the request for waiver and 

provide written approval. If deemed necessary, other security measures which address the specific vulnerability may 

be implemented. 

 

1107. Special Access Programs Categories and Types. 

 

a. There are four generic categories of SAPs:  

 

(1) Acquisition SAP (AQSAP);  

 

(2) Intelligence SAP (INSAP);  

 

(3) Operations and Support SAP (OSSAP); and  

 

(4) SCI Programs (SCI  SAP) or other DCI programs which protect intelligence sources and methods. 

 

b. There are two types of SAPs, acknowledged and unacknowledged. An acknowledged SAP is a program which 

may be openly recognized or known; however, specifics are classified within that SAP. The existence of an 

unacknowledged SAP or an unacknowledged portion of an acknowledged program, will not be made known to any 

person not authorized for this information. 

 

 

SAP 

Government/Contractor Relationships 

 

Cognizant Security Agency 

 

Program Executive Agent 

 

Government				Government Program Manager 

 

Program Security Officer 

 

 

Contractor Program Manager 

 

Contractor				Contractor Program Security Officer 

 

Information System 

Security Representative 

 

 

 

 

 

Section 2. General Requirements 

 

1200. Responsibilities. A SAP Contractor Program Manager (CPM) and Contractor Program Security Officer 

(CPSO) will be designated by the contractor. These individuals are the primary focal points at the contractor facility 

who execute the contract. They are responsible for all Program matters. The initial nomination or appointment of the 

CPSO and any subsequent changes will be provided to the PSO in writing. The criteria necessary for an individual to 

be nominated as the CPSO will be provided in the Request for Proposal (RFP). For the purposes of SAPs, the 

following responsibilities are assigned: 

 

a. The CPM is (sometimes the same as, or in addition to a Contract Project Manager) the contractor employee 

responsible for: 

 

(1) Overall Program management. 

 

(2) Execution of the statement of work, contract, task orders and all other contractual obligations. 

 

b. The CPSO oversees compliance with SAP security requirements. 

 

The CPSO will: 

 

(1) Possess a personnel Clearance and Program access at least equal to the highest level of Program classified 

information involved. 

 

(2) Provide security administration and management for his/her organization. 

 

(3) Ensure personnel processed for access to a SAP meet the prerequisite personnel clearance and/or investigative 

requirements specified. 

 

(4) Ensure adequate secure storage and work spaces. 

 

(5) Ensure strict adherence to the provisions of the NISPOM and its Supplement. 

 

(6) When required, establish and oversee a classified material control program for each SAP. 

 

(7) When required, conduct an annual inventory of accountable classified material. 

 

(8) When required, establish a SAPPY 

 

(9) Establish and oversee visitor control Program 

 

(10) Monitor reproduction and/or dedication and destruction capability of SAP information. 

 

(11) Ensure adherence to special communications capabilities within the SAPS. 

 

(12) Provide for initial Program indoctrination of employees after their access is approved; rebrief and debrief 

personnel as required 

 

(13) Establish and oversee specialized procedures for the transmission of SAP material to and from Program element 

 

(14) When required, ensure contractual specific security requirement such as TEMPEST, Automated Information 

System (ADS), and Operations Security (OPSEC) arc accomplished 

 

(15) Establish security training and briefings specifically tailored to the unique requirements of the SAP. 

 

1201. *Standard Operating Procedures (SOP). The CPSO may be required to prepare a comprehensive SOP to 

implement the security policies and requirements for each SAP. When required, SOPs will address and reflect the 

contractor's method of implementing the PSG. Forward proposed SOPs to the PSO for approval. SOPs may be a 

single plan or series of individual documents each addressing a security function. Changes to the SOP will be made 

in a timely fashion, and reported to the PSO as they occur. 

 

1202. Badging. Contractors performing on Programs where all individuals cannot be personally identified, may be 

required to implement a PSO approved badging system. 

 

1203. Communications Security (COMSEC). Classified SAP information will be electronically transmitted only by 

approved secure communications channels authorized by the PSR 

 

1204. *Two Person Integrity (TPI) Requirement. 

The TPI rule may be required and exercised only with the Program CSA approval. This requirement does not 

apply to those situations where one employee with access is left alone for brief periods of time, nor dictate that those 

employees will be in view of one another. 

 

1205. Contractors Questioning Perceived Excessive Security Requirements. All personnel are highly encouraged to 

identify excessive security measures that c. they believe have no added value or are cost excessive and should report 

this information to their industry contracting officer for subsequent reporting through contracting channels to the 

appropriate GPM/PSO. The GPM/PSO will respond through appropriate channels to the contractor questioning the 

security requirements. 

 

1206. Security Reviews. 

 

a. General. The frequency of Industrial Security Reviews (e.g., Reviews, evaluations, and security surveys) is 

determined by the NISPOM and will be conducted by personnel designated by the CSA. 

 

b. Joint Efforts. In certain cases, an individual Program may be a joint effort of more than one component of the U.S. 

Government or more than one element of the same component. In such a case, one element will, by memorandum of 

agreement, take the lead as the Cognizant Security Agency and may have security review responsibility for the 

Program facility. In order to ensure the most uniform and efficient application of security criteria, review activities at 

contractor facilities will be consolidated to the greatest extent possible. 

 

Prime Contractor Representative. A security representative from the prime contractor may be present and participate 

during reviews of subcontractors, but cannot be the individual appointed by the CSA to conduct security reviews 

specified in paragraph 1206a. 

 

d. Review Reciprocity. In order to ensure the most uniform and efficient application of security reviews, review 

reciprocity at contractor facilities will be considered whenever possible. 

 

e. Contractor Reviews. When applicable, the U.S. Government may prescribe the intervals that the contractor will 

review their systems. 

 

f. Team Reviews. Team Reviews may be conducted by more than one PSO based on mutual consent and cooperation 

of both the Government and the contractor. 

 

Section 3. Reporting Requirements 

 

1300. General. All reports required by the NISPOM will be made through the PSO. In those instances where the 

report affects the baseline facility clearance or the incident is of a personnel security clearance nature, the report will 

also be provided to the Facility CSA. In those rare instances where classified program information must be included 

in the report, the report will be provided only to the PSO, who will sanitize the report and provide the information to 

the CSA, if appropriate. 

 

a Adverse Information. Contractors will report to  the PSO any information which may adversely  reflect on the 

Program briefed employee's ability to properly safeguard classified Program information. 

 

b. SAP Non Disclosure Agreement (NDA). A report  will be submitted to the PSO on an employee who refuses to 

sign a SAP NDA. 

 

c. Change in Employee Status. A written report of all  changes in the personal status of SAP indoctrinated personnel 

Will be provided to the PSO. In addition to those changes identified in NISPOM sub paragraph l302c., include 

censure or probation arising from an adverse personnel action, and revocation, or suspension downgrading of a 

security clearance or Program access for reasons other than security administration purposes. 

 

d. Employees Desiring Not to Perform on SAP Classified Work. A report will be made to the PSO upon notification 

by an accessed employee or an employee for whom access has been requested that they no longer wish to perform on 

the SAP. Pending further instructions from the PSO, the report will be destroyed in 30 days. 

 

e. *Foreign Travel. The PSO may require reports of all travel outside the continental United States, Hawaii, Alaska 

and the U.S. possessions (i.e., Puerto Rico) except some day travel to border areas (i.e., Canada, Mexico) for 

Program accessed personnel. Such travel is to be reported to the CPSO, and retained for he life of the 

Contract/Program travel. Travel by Program briefed individuals into or through countries determined by the CSA as 

high risk areas, should not be undertaken without prior notification. A supplement to the report outlining the type and 

extent of contact with foreign nationals, and any attempts to solicit information or establish a continuing relationship 

by a foreign national may be required upon completion of travel. 

 

F. Arms Control Thread Visits. The CPM and PSO will be notified in advance of any Arms Control Treaty V site 

Such reports permit the GPM and PSO to assess potential impact on the SAP activity and effectively provide 

guidance and assistance. 

 

g. Litigation. Litigation or pubic proceedings which may involve a SAP will be reported. These include legal 

proceedings and/or administrative actions in which the prime contractor, subcontractors, or Government 

organizations and their Program briefed individuals are a named party. The CPSO will report to the PSO any 

litigation actions that may pertain to the SAP, to include the physical environments, facilities or personnel or as 

otherwise directed by the GPM. 

 

1301. Security Violations and Improper Handing of Classified Information. Requirements of the NISPOM baseline 

pertaining to security violation are applicable, except that ad communications will be appropriately made through 

Program Security Channels within 24 hours of discovery to the PSA The PSO must promptly advise the Facility 

CSA in all instances where national security concerns would impact on collateral security programs or clearances of 

individuals under the cognizant of the Facility CSA. 

 

a. Security Violations and Infractions 

 

(l) Security Violation. A security violation is any incident that involves the loss, compromise, or suspected 

compromise of classified information. Security violations will be immediately reported within 24 hours to the PSO. 

 

(2) Security Infraction. A security infraction is any other incident that is not in the best interest of security that does 

not involve the loss, compromise, or suspected compromise of classified information. Security infractions will be 

documented and mate available for review by the PSO during visits. 

 

Inadvertent Disclosure. An inadvertent disclosure is the involuntary unauthorized access to classified SAP 

information by an individual without SAP access authorization. Personnel determined to have had unauthorized or 

inadvertent access to classified SAP information (l) should be interviewed to determine the extent of the exposing, 

and (2) may be requested to complete an Inadvertent Disclosure Oath. 

 

(1) If during emergency response situations, guard personnel or local emergency authorities (e.g., police, medical, 

fire, etc.) inadvertently gain access to Program material, they should be interviewed to determine the extent of the 

exposure. If circumstances warrant, a preliminary inquiry will be conducted. When in doubt, contact the PSO for 

advice. 

 

(2) Refusal to sign an inadvertent disclosure oath will be reported by the CPSO to the PSO. 

 

(3) Contractors shall report ad unauthorized disclosures involving RD or Formerly Restricted Data (FRD) to 

Department of Energy (DOE) or Nuclear Regulatory Commission (NRC) through their CSA. 

 

 

 

Chapter 2 

Security Clearances 

 

 

Section 1. Facility Clearances 

 

 

 

2100. General. Contractors will possess a Facility Security Clearance to receive, generate, use, and store classified 

information that is protected in SAPs. 

 

a. If a facility clearance has already been granted, the SAP Program Executive Agent may carve in the Facility CSA. 

The agreement entered into by the Secretary of Defense (SECDEF) with the other CSA's will determine the terms of 

responsibility for the Facility CSA with regard to SAP programs. Due to the sensitivity of some SAPs, the program 

may be carved out by the Executive Agent designated by the CSA. 

 

b. The CPSO shall notify the PSO of any activity which affects the Facility Security Clearance, (FCL). 

 

c. In certain instances, security and the sensitivity of the project may require the contract and the association of the 

contractor with the Program CSA be restricted and kept at a classified level. The existence of any unacknowledged 

effort, to include its SAPF, will not be released without prior approval of the PSO. 

 

2101. CoUtilization of SAPF. If multiple SAPs are located within a SAPF, a Memorandum of Agreement (MOA) 

shall be written between government program offices defining areas of authorities and responsibilities. The first SAP 

in an area shall be considered to be the senior program and therefore the CSA for the zone unless authority or 

responsibility is specifically delegated in the MOA. The MOA shall be executed prior to the introduction of the 

second SAP into the SAPF. 

 

2102. Access of Senior Management of finials. Only those Senior Management of finials requiring information 

pertaining to the SAP shall be processed SAP access. 

 

2103. Facility Clearances for Multi-facility Organizations 

 

a. When cleared employees are located at uncleared locations, the CPSO may designate a cleared management 

official at the uncleared location who shall: 

 

(1) Process classified visit requests, conduct initial or recurring briefings for cleared employees, and provide written 

confirmation of the briefing to the CPSO. 

 

(2) Implement the reporting requirements of the NISPOM and this Supplement for all cleared employees and furnish 

reports to the CPSO for further submittal to the CSA. 

 

(3) Ensure compliance with all applicable measures of the NISPOM and this Supplement by all cleared employees at 

that location. 

 

b. If a cleared management official is not available at the uncleared location, the CPSO (or designee) shall conduct 

the required briefing during visits to the uncleared location or during employee visits to the location or establish an 

alternative procedure with CSA approval. 

 

Section 2. Personnel Clearances and Access 

 

2200. General. This section establishes the requirements for the selection, processing, briefing, and debriefing of 

contractor personnel for SAPs. 

 

2201. Program Accessing Requirements and Procedure 

 

a. The individual will have a valid need-to-know (NTK) and will Materially and directly contribute to the Program. 

 

b. The individual will possess a minimum of a current, final SECRET security clearance or meet the investigative 

criteria required for the level of access. If a person's periodic reinvestigation (PR) is outside the five-year scope and 

all other access processing is current and valid, the PSO may authorize e access. However, the individual will be 

immediately processed for either a Single Scope Background Investigation (SSBI) or National Agency Check with 

Credit (NACC) as required by the level of clearance or as otherwise required by the contract. 

 

c. The contractor will nominate the individual and provide a description of the NTK justification. The CPM will 

concur with the nomination and verify Program contribution by signature on the Program Access Request (PAR). 

The CPSO will complete the PAR and review it for accuracy ensuring a required signatures are present. The CPSO 

signature verifies that the security clearance and investigative criteria are accurate, and that these criteria satisfy the 

requirements of the Program. Information regarding the PAR may be electronically submitted. While basic 

information shall remain the same, signatures may not be required. The receipt of the PAR package via a pre-

approved channel shall be considered sufficient authentication that the required approvals have been authenticated 

by the CPSO and contractor program manager.	 

 

d. Access Criteria and Evaluation recess In order to eliminate those candidates who clearly will not meet the scope 

for access and to complete the Personnel Security Questionnaire (PSQ), access evaluation may be required. In the 

absence of written instructions from the contracting activity, the evaluation process will conform to the following 

guidelines: 

 

(1) Evaluation criteria will not be initiated at the contractor level unless both the employee and contractor agree. 

 

(2) Contractors will not perform access evaluation for other contractors. 

 

(3) Access evaluation criteria will be specific and will not require any analysis or interpretation by the contractor. 

Access evaluation criteria will be provided by the government as required. 

 

(4) Those candidates eliminated during this process will be advised that access processing has terminated. 

 

e. Submit a Letter of Compelling Need or other documentation when requested by the PSO. 

 

f. Formats required for the processing of a SAP access fall into two categories: those required for the conduct of the 

investigation and review of the individual's eligibility, and those that explain or validate the individual's NTK. These 

constitute the PAR package. The PAR package used for the access approval and NTK verification will contain the 

following: the PAR and a recent (within 90 days) PSQ reflecting pen and ink changes, if any, signed and dated by the 

nominee. 

 

g. Once the PAR package has been completed, the CPSO will forward the candidate's nomination package to the 

PSO for review: 

 

(1) The PSO will review the PAR package and determine access eligibility. 

 

(2) Access approval or denial will be determined by the GPM and/or access approval authority. 

 

(3) The PSO will notify the contractor of access approval or denial. 

 

(4) Subcontractors may submit the PAR package to the prime. The prime will review and concur on the PAR and 

forward the PAR and the unopened PSQ package to the PSO. 

 

h. SCI access will follow guidelines established in DCID 1/14. 

 

2202. Supplementary Measures and Polygraph. 

 

a Due to the sensitivity of a Program or criticality of information or emerging technology, a polygraph may be 

required. The polygraph examination will be conducted by a properly trained, certified, U.S. Government Polygraph 

Specialist. If a PR is outside the 5 year investigative scope, a polygraph may be used as an interim basis to grant 

access until completion of the PR. 

 

b. There are three categories of polygraph: Counterintelligence (CI), Full Scope (CI and life style), and Special 

Issues Polygraph (SIP). The type of polygraph conducted will be determined by the CSA. 

 

2203. Suspension and Revocation. All PSO direction to contractors involving the suspension or revocation of an 

employee's access will be provided in writing and if appropriate, through the contracting officer. 

 

2204. Appeal Process. The CSA will establish an appeal process. 

 

2205. Agent of the Government. The Government may designate a contractor nominated employee as an Agent of 

the Government on a case-by-case basis. Applicable training and requirements will be provided by the Government 

to contractors designated as Agents of the Government. 

 

2206 Access Roster or List. Current access rosters of Program briefed individuals are required at each contractor 

location. They should be properly protected and maintained in accordance with the PSG. The access roster should be 

continually reviewed and reconciled for any discrepancies. The data base or listing may contain the name of the 

individual organization, position, billet number (if applicable), level of access, social security number, military 

rank/grade or comparable civilian rating scheme, and security clearance information. Security perssonel required for 

adequate security oversight will not count against the billet structure. 

 

Chapter 3 

Security Training and Briefings 

 

 

Section 1. Security Training and Briefings 

 

 

 

3100. General. Every Special Access Program (SAP) will have a Security Training and Briefing Program. As a 

minimum, SAP indoctrinated personnel will be provided the same or similar training and briefings as outlined in the 

baseline NISPOM. In addition, CPSOs responsible for SAPs at contractor facilities will establish a Security 

Education Program to meet any specific or unique requirements of individual special access programs Topics which 

will be addressed, if appropriate to the facility or the SAP(s), include: 

 

a. Security requirements unique to SAPs; 

 

b. Protection of classified relationships; 

 

c. Operations Security (OPSEC); 

 

d. use of nicknames and code words; 

 

e. use of special transmission methods; 

 

f. Special test range security procedures; 

 

g. Procedures for unacknowledged SAP security. An unacknowledged SAP will require additional security training 

and briefings, beyond that required in the baseline. Additional requirements will be specified in the Contract Security 

Classification Specification and will address steps necessary to protect sensitive relationships, locations, and 

activities. 

 

h. Specific procedures to report fraud, waste, and abuse. 

 

i. Computer security education that is to include operational procedures, threats, and vulnerabilities. 

 

j. Writing unclassified personnel appraisals and reviews. 

 

k. Third Party Introductions. The purpose of the Third Party Introduction is to provide a clearance and/or access 

verification to other cleared personnel. The introduction is accomplished by a briefed third party, who has 

knowledge of both individual's access. 

 

3101. Security Straining. The CPSO will ensure that the following security training measures arc implemented: 

 

a. Initial Program Security Indoctrination. Every individual accessed to a SAP will be given an initial indoctrination. 

The briefing will clearly identify the information to be protected, the reasons why this information requires 

protection, and the need to execute a ADA. The individual will he Property briefed concerning the security 

requirements for the Program, understand their particular security responsibilities, and will sign a ADA. This 

indoctrination is in addition to any other briefing required for access to collateral classified or company proprietary 

information. It will be the responsibility of the PSO to provide to the contractor information as to what will be 

included in the initial indoctrination to include fraud, waste, and abuse reporting procedures. 

 

b. Professionalized AIS training may be required of all contractor Information Systems Security Representatives 

(ISSRs) to ensure that these individuals have the appropriate skills to perform their job functions in a competent and 

cost-effective manner. This training will be made available by the CSA. The training should consist of, but not be 

limited to, the following criteria: 

 

( I ) Working knowledge of all applicable and national CSA regulations and policies including those contained in 

this supplement; 

 

(2) Use of common Information Security (INFOSEC) practices and technologies; 

 

(3) AIS certification testing procedures; 

 

(4) Use of a risk management methodology; 

 

(5) Use of configuration management methodology. 

 

3102. Unacknowledged Special Access Programs 

(SAP). Unacknowledged SAPs require a significantly 

greater degree of protection than acknowledged SAPs. 

Special emphasis should be placed on: 

 

a. why the SAP is unacknowledged; 

 

b. Classification of the SAP; 

 

c. Approved communications system; 

 

d. Approved transmission systems; 

 

e. Visit procedures; 

 

f. Specific program guidance. 

 

3103. Refresher Briefings. Every accessed individual will receive an annual refresher briefing from the CPSO to 

include the following, as a minimum: 

 

a. Review of Program unique security directives or guidance; 

 

b. Review of those elements contained in the original NDA. 

 

Note. The PSO may require a record to be maintained of this training. 

 

3104. Debriefing and/or Access Termination. Persons briefed to SAPs Will be debriefed by the CPSO or his 

designee. The debriefing will include as a minimum a reminder of each individual's responsibilities according to the 

ADA which states that the individual has no Program or Program related material in his/her possession, and that 

he/she understands his/her responsibilities regarding the disclosure of classified Program information. 

 

a. Debriefings should be conducted in a SAPF, Sensitive Compartmented Information Facility (SCIF), or other 

secure area when possible, or as authorized by the PSO. 

 

b. Procedures for debriefing will be arranged to allow each individual the opportunity to ask questions and d. receive 

substantive answers from the debriefer. 

 

c. Debriefing Acknowledgments will be used and executed at the time of the debriefing and include the following: 

 

(1) Remind the individual of his/her continuing obligations agreed to in the SAP ADA. 

 

(2) Remind the individual that the NDA is a legal contract between the individual and the U.S. Government. 

 

(3) Advise that all classified information to include Program information is now and forever the property of the U.S. 

Government. 

 

(4) Remind the individual of the penalties for espionage and unauthorized disclosure as contained in Sties. 18 and 50 

of the U.S. Code. The briefer should have these documents available for handout upon request. Require the 

individual to sign and agree that questions about the ADA have been answered and that Sties 18 and 50 (U.S. Codes) 

were made available and understood. 

 

(5) Remind the individual of his/her obligation not to discuss, publish, or otherwise reveal information about the 

Program. The appearance of Program information in the public domain does not constitute a de facto release from 

the continuing secrecy agreement. 

 

(6) Advise that any future questions or concerns regarding the Program (e.g., solicitations for information, approval 

to publish material based on Program knowledge and/or experience) will be directed to the CPSO. The individual 

will be provided a telephone number for the CPSO or PSO. 

 

(7) Advise that each provision of the agreement is severable ie, if one provision is declared unenforceable, all others 

remain in force. 

 

(8) Emphasize that even though an individual signs a Debriefing Acknowledgment Statement, he/she is never 

released from the original NDA/secrecy agreement unless specifically notified in writing. 

 

Verify the return of any and all SAP classified material and unclassified Program sensitive material and identify all 

security containers to which the individual had access. 

 

e. When debriefed for cause, include a brief statement as to the reason for termination of access and notify the PSO. 

In addition the CPSO will notify all agencies holding interest in that person's clearance/ accesses. 

 

f. The debriefer will advise persons who refuse to sign a debriefing acknowledgment that such refusal could affect 

future access to special access programs and/ or continued clearance eligibility. It could be cause for administrative 

sanctions and it will be reported to the appropriate Government Clearance Agency. 

 

g. Provide a point of contact for debriefed employees to report any incident in the future which might affect the 

security of the Program. 

 

3105. Administrative Debriefings. Efforts to have all Program briefed personnel sign a Debriefing Acknowledgment 

Statement may prove difficult. If attempts to locate an individual either by telephone or mail are not successful, the 

CPSO should prepare a Debriefing Acknowledgment Statement reflecting the individual was administratively 

debriefed. The Debriefing Acknowledgment Statement will be forwarded to the PSO. The CPSO will check to 

ensure that no Program material is charged out to, or in the possession of these persons. 

 

3106 . Recognition and Award Program. Recognition and award programs could be established to single out those 

employees making significant contributions to Program contractor security. If used, CPSOs will review award write-

ups to ensure recommendations do not contain classified information. 

 

 

Chapter 4 

Classification and Markings 

 

 

Section 1. Classification 

 

 

 

Challenges to Classification All challenges to SAP classified information and/or material shall be forwarded through 

the CPSO to the PSO to the appropriate Government contracting activity. All such challenges shall remain in 

Program channels. 

 

Section 2. Marking Requirements 

 

4200. General. Classified material that is developed under a SAP will be market and controlled in accordance with 

the NISPOM, this Supplement, the Program Security Classification Guide, and other Program guidance as directed 

by the PSO. 

 

4201. Additional Provisions and Controls. The PSO may specify additional markings to be applied to SAP working 

papers based on the sensitivity and criticality of the Program, when approved by the CSA. 

 

4202. Engineer's Notebook An engineer's notebook is a working record of continually changing Program technical 

data. It should NOT include drafts of correspondence, reports, or other materials. The outer cover and first page will 

be marked with the highest classification level contained in the notebook. Portion marking or numbering is not 

required. Other requirements pertaining to these notebooks may be imposed by the PSO. 

 

4203. Cover Sheets- Cover sheets will be applied to SAP documents when the documents are created or distributed 

NOTE: CODE WORDS WILL NOT BE PRINTED ON THE COVER SHEETS. The unclassified nickname, 

digraph, or trigraph may be used. 

 

42W. Warning Notices. Generally, Program classified marking and transmission requirements will follow this 

Supplement. Transmission of Program or Program related material will be determined by the PSO. Besides the 

classifications markings, inner containers will be marked: 

 

"TO BE OPENED ONLY BY:" followed by the name of the individual to whom the material is sent. A receipt may 

be required. Apply the following markings on the bottom center of the front of the inner container: 

 

WARNING 

 

THIS PACKAGE CONTAINS CLASSIFIED U.S. GOVERNMENT INFORMATION. TRANSMISSION OR 

REVELATION OF THIS INFORMATION IN ANY MANNER TO AN UNAUTHORIZED PERSON IS 

PROHIBITED BY TITLE 18, U.S. CODE, SECTION 798 (OR TITLE 42, SECTION XX FOR RD OR FRD 

MATERIAL). IF FOUND, PLEASE DO NOT OPEN. "CALL COLLECT" THE FOLLOWING NUMBERS, (area 

code) (number) (PSO/CPSO work number) DURING WORKING HOURS OR (area code) (number) (PSO/CPSO) 

AFTER WORKING HOURS. 

 

Chapter 5 

 

Safeguarding Classified Information 

 

 

Section 1. General Safeguarding Requirements 

 

 

 

5100. General. Classified and unclassified sensitive SAP material must be stored in SAP CSA approved facilities 

only. Any deviations must have prior approval of the SAP CSA or designee. 

 

Section 2. Control and Accountability 

 

5.200. General Contractors shall develop and maintain a system that enables control of SAP classified information 

and unclassified Program sensitive information for which the contractor is responsible. 

 

5201. Accountability. Accountability of classified SAP material shall be determined and approved in writing by the 

CSA or designee at the time the SAP is approved A separate accountability control system may be required for each 

SAP. 

 

5202. Annual Inventory. An annual inventory of accountable SAP classified material may be required. The results of 

the inventory and any discrepancies may be required to be reported in writing to the PSO. 

 

5203. Collateral classified material required to support a SAP contract may be transferred within SAP controls. 

Transfer will be accomplished in a manner that will not compromise the SAP or any classified information. The PSO 

will provide oversight for collateral classified material maintained in the SAP Collateral classified material generated 

during the performance of a SAP contract may be transferred from the SAP to the contractor's collateral classified 

system. The precautions required to prevent compromise will be approved by the PSO. 

 

Section 3. Storage and Storage Equipment 

 

(not further supplemented) 

 

 

Section 4. Transmission 

 

5400. General. SAP classified material shall be transmitted outside the contractor's facility in a manner that prevents 

loss or unauthorized access. 

 

5401. Preparation. AU classified SAP material will be prepared, reproduced, and packaged by Program briefed 

personnel in approved Program facilities. 

 

5402. Couriers The PSO through the CPSO will provide tailed courier instructions to couriers when hand carrying 

SAP material. The CPSO will provide the courier with an authorization letter. Report any travel anomalies to the 

CPSO as soon as practical. The CPSO will notify the PSO. 

 

5403. Secure Facsimile and/or Electronic Transmission. Secure facsimile and/or electronic transmission encrypted 

communications equipment may be used for the transmission of Program classified information. 

 

When secure facsimile and/or electronic transmission is permitted, the PSO or other Government cognizant security 

reviewing activity will approve the system in writing. Transmission of classified Program material by this means may 

be receipted for by an automated system generated message that transmission and receipt has been accomplished. For 

TOP SECRET documents a receipt on the secure facsimile may be required by the PSO. 

 

5404. U.S. Postal Mailing. A U.S. Postal mailing channel, when approved by the PSO, may be established to ensure 

mail is received only by appropriately cleared and accessed personnel. 

 

5 405. TOP SECRET Transmission. TOP SECRET (TS) SAP was be transmitted via secure data transmission or via 

Defense Courier Service unless other means have been authorized by the PSO. 

 

Section 5. Disclosure 

 

5500. Release of Information. Public release of SAP information is not authorized without written authority from the 

Government as provided for in U.S. Code, Titles 10 and 42. Any attempt by unauthorized personnel to obtain 

Program information and sensitive data will be reported immediately to the Government Program Manager (GPM) 

through the PSO using approved secure communication channels. 

 

Section 6. Reproduction 

 

5. General. Program material will be reproduced on equipment specifically designated by the CPSO and may require 

approval by the PSO. The CPMs and CPSOs may be required to prepare written reproduction procedures. 

 

., 

 

5C01. The PSO or designee may approve reproduction of TS material. 

 

Section 7. Disposition and Retention 

 

5700. Disposition. CPSOs may be required to inventory, dispose of, request retention, or return for disposition all 

classified SAP related material (including AIS media) at contract completion and/or close-out. Request for proposal 

(RFP), solicitation, or bid and proposal collateral classified and unclassified material contained in Program files will 

be reviewed and screened to determine appropriate disposition (ie., destruction, request for retention). Disposition 

recommendations by categories of information or by document control number, when required, Will be submitted to 

the PSO for concurrence. Requests for retention of classified information (SAP and non SAP) will be submitted to 

the Contracting of peer, through the PSO for review and approval. Requirements for storage and control of materials 

approved for retention will be approved by the PSO. 

 

5701. Retention of SAP Material. The contractor may be required to submit a request to the Contracting Officer 

(CO), via the PSO, for authority to retain classified material beyond the end of the contract performance period. The 

request will also include any retention of Program related material. The contractor will not retain any Program 

information unless specifically authorized in writing by the Contracting Officer. Storage and control requirements of 

SAP materials will be approved by the PSO. 

 

5702. Destruction Appropriately indoctrinated personnel shall ensure the destruction of classified SAP data. The 

CSA or designee may determine that two persons are required for destruction. Non-accountable waste and 

unclassified SAP material may be destroyed by a single Program briefed employee. 

 

Section 8. Construction Requirements 

 

5800. General. Establishing a Special Access Pro g. gram Facility (SAPF). Prior to commencing work on a SAP, the 

contractor may be required to establish an approved SAPF to afford protection for Program classified information 

and material. Memorandums of Agreement (MOA) are required prior to allowing SAPs with a. different CSAs to 

share a SAPS. 

 

5801. Special Access Program Facility. 

 

a. A SAPF is a program area, room, group of rooms, building, or an enclosed facility accredited by the PSO where 

classified SAP Program business is conducted. SAPFs will be afforded personnel access control to preclude entry by 

unauthorized personnel. Non-accessed persons entering a SAPF will be escorted by an indoctrinated person. 

 

b. A Sensitive Compartmented Information Facility (SCIF) is an area, room, building, or installation that is 

accredited to store, use, discuss, or electronically process SCI. The standard and procedures for a SCIF are stated in 

DCIDs 1/19 and l/21. 

 

c. SAPFs accredited prior to implementation of this Supplement will retain accreditation until no longer required or 

re-certification is required due to major modification of the external perimeter, or changes to the Intrusion Detection 

System (IDS), which affects the physical safeguarding capability of the facility 

 

d. Physical security standards will be stated in the Government's RFP RFQ, contract, or other pre-contract or 

contractual document. 

 

e. The need-to-know (NTK) of the SAP effort may warrant establishment of multicompartments within the same 

SAPF. 

 

f. *There may be other extraordinary or unique circumstances where existing physical security standards are 

inconsistent with facility operating requirements, for example, but not limited to, research and test facilities or 

production lines. Physical security requirements under these circumstances will be established on a case-by-case 

basis and approved by the PSO/Contracting Officer, as appropriate. (Note: as approved by the CSA at establishment 

of the SAP.) 

 

The PSO will determine the appropriate security countermeasures for discussion areas. 

 

5802. Physical Security Criteria Standards 

 

DCID 1/21 standards may apply to a SAPF when one or more of the following criteria are applicable: 

 

(1) State-of-the-art technology as determined by CSAs to warrant enhanced protection. 

 

(2) Contractor facility is known to be working on specific critical technology. 

 

(3) Contractor facility is one of a few (3 or less) known facilities to have the capability to work on specific critical 

technology. 

 

(4) TOP SECRET or SECRET material is maintained in open storage. 

 

(5) A SAPF is located within a commercial building, and the contractor does not control all adjacent spaces. 

 

(6) SCI or Intelligence Sources and methods are involved. 

 

(7) Contractors or technologies known to be a target of foreign intelligence services (E7IS). 

 

b. The NISPOM baseline closed area construction requirements with Sound Transmission Class (STC) in accordance 

with DCID l/21, Annex E and intrusion alarms in accordance with Annex B. DCID 1/21 may apply to a SAPF when 

one of the following criteria are applicable. 

 

( l ) Not state-of-the-art technology and the technology is known to exist outside U.S. Government control. 

 

(2) The SAP is a large-scale weapon system production program. 

 

(3) No open storage of Confidential SAP material in a secure working area unless permitted by the PSO on a case-

by-case basis. 

 

(4) A SAPF located within a controlled access area. 

 

(5) Intelligence related activities. 

 

c. The PSO may approve baseline closed area construction requirements as an additional option for some SAP 

program areas. 

 

5803. SAP Secure Working Area The PSO may approve any facility as a SAP Secure Working Area. Visual and 

sound protection may be provided by a mix of physical construction, perimeter control, guards, and/or indoctrinated 

workers. 

 

5804. Temporary SAPF. The PSO may accredit a temporary SAPF. 

 

5805. Guard Response. 

 

a. Response to alarms will be in accordance with DCID 1/21, or 

 

b. The NISPOM 

 

c. Response personnel will remain at the scene until released by the CPSO or designated representative. 

 

NOTE: The CPSO will immediately provide notification to the PSO if there is evidence of forced entry, with a 

written report to the following within 72 hours. 

 

5806. Facility Accreditation. 

 

a. Once a facility has been accredited to a stated level by a Government Agency, that accreditation should be 

accepted by any subsequent agency. 

 

b. For purposes of Co-Utilization, costs associated with any security enhancements in a SCIF or SAPF above 

preexisting measures may be negotiated for reimbursement by the contractor's contracting officer or designated 

representative. Agreements will be negotiated between affected organizations. 

 

c. If a previously accredited SAPF becomes inactive for a period not to exceed one year the SAP accreditation will 

be reinstated by the gaining accrediting agency provided the following is true: 

 

(l) The threat in the environment surrounding the SAPF has not changed; 

 

(2) No modifications have been made to the SAPF which affect the level of safeguarding; 

 

(3) The level of safeguarding for the new Program is comparable to the previous Program; 

 

(4) The SAPF has not lost its SAP accreditation integrity and the contractor has maintained continuous control of the 

facility. 

 

(5) A technical surveillance countermeasure survey (TSCM) may be required. 

 

NOTE: Previously granted waivers are subject to negotiation. 

 

5807. Prohibited Items. Items that constitute a threat to the security integrity of the SAPF (e.g., cameras or recording 

devices) are prohibited unless authorized by the PSO. All categories of storage media entering and leaving the 

SAPFs may require the PSO or his/her designated representative approval. 

 

Chapter 6 

Visits and Meetings 

 

 

Section 1. Visits 

 

 

 

6100. General. A visit certification request for ad r Program visits wag be made prior to a visit to a Program facility. 

When telephone requests are made, a secure telephone should be used whenever possible. Visit requests will be 

handled exclusively by the cognizant CPSO or designated representative. The GPM or PSO or his/her designated 

representative will approve all visits between Program activities. However, visits between a prime contractor ant the 

prime's subcontractors ant approved associates will be approved by the CPSO. Twelvemonth visit requests are not 

authorized unless approved by the PSO. 

 

6101. Visit Request Procedures. All visit requests was be sent only via approved channels. In addition to the 

NISPOM, the following additional information for visits to a SAPF wall include: 

 

a. Name and telephone number of individual (not organization) to be visited; 

 

b. Designation of person as a Program courier when applicable; ant 

 

c. Verification (e.g., signature) of the CPSO or designate representative that the visit request information is correct. 

 

6102. Termination and/or Cancellation of a Visit Request. If a person is debriefed from the Program prior to 

expiration of a visit certification, or if cancellation of a current visit certification is otherwise appropriate, the 

CPSO/FSO or his/her designated representative will immediately notify all recipients of the cancellation or 

termination of the visit request. 

 

6103. Visit Procedures. 

 

a. Identification of Visitors. An official photograph if identification such as a valid driver's license is required. 

 

b. Extension. When a visit extends past the date on the visit certification, a new visit request is not required if the 

purpose remains the same as that stated on the current visit request to a specific SAPF. 

 

c. Rescheduling. When a rescheduled visit occurs after a visit request has been received, the visit certification will 

automatically apply if the visit is rescheduled within thirty days and the purpose remains the same. 

 

d. Hand carrying. It is the responsibility of the host CPSO to contact the visitor's CPSO should the visitor plan to 

hand-carry classified material. CPSOs will use secure means for notification. In emergency situations where secure 

communications are not available, contact the PSO for instructions. When persons return to their facility with SAP 

material, they will relinquish custody of the material to the CPSO or designated representative. Arrangement will be 

made to ensure appropriate overnight storage and protection for material returned after close of business. 

 

6104. Collateral Clearances and Special Access rap gram Visit Requests. Collateral clearances and SAP accesses 

may be required in conjunction with the SAP visit. If access to collateral classified information is required outside 

the SAPF, then the CPSO can certify clearances and accesses as required within the facility. Certification will be 

based on the SAP visit request received by the CPSO. The CPSO will maintain the record copy of the visit 

certification. SCI visit certification will be forwarded through appropriate SCI channels. 

 

6105. Non Program Briefed Visitors. In instances where entry to a SAPF by non-Program briefed personnel is 

required (e.g., maintenance, repair), they will complete and sign a visitor's record and will be escorted by a Program 

briefed person at all times. Sanitization procedures will be implemented in advance to ensure that personnel 

terminate classified discussions and other actions and protect SAP information whenever a non-briefed visitor is in 

the area. If maintenance is required of a classified device, the uncleared maintenance person shall be escorted by a 

Program briefed, technically knowledgeable individual. Every effort should be made to have a technically 

knowledgeable Program briefed person as an escort. 

 

6106. Visitor Recorder *The PSO may require the CPSO to establish a Program visitor's record. This record will be 

maintained inside the SAPS, and retention may be required. 

 

Section 2. Meetings 

 

(not further supplemented) 

 

 

Chapter 7 

Subcontracting 

 

 

Section 1. Prime Contracting Responsibilities 

 

 

 

7100. General. This section addresses the responsibilities and authorities of prime contractors concerning the release 

of classified SAP information to subcontractors. Prior to any release of classified information to a prospective 

subcontractor, the prime contractor will determine the scope of the bid and procurement effort. Prime contractors 

will use extreme caution when conducting business with non-Program briefed subcontractors to preclude the release 

of information that would divulge Program related (classified or unclassified Program sensitive) information. 

 

7101. Determining Clearance Status of Prospective Subcontractors All prospective subcontractor personnel will have 

the appropriate security clearance and meet the investigative criteria as specified in this Supplement prior to being 

briefed into a SAS! The eligibility criteria will be determined in accordance with the NISPOM and this Supplement. 

For acknowledged Programs, in the event a prospective subcontractor does not have the appropriate security 

clearances, the prime contractor will request that the cognizant PSO initiate the appropriate security clearance action. 

A determination will be made in coordination with the PSO as to the levels of facility clearance a prospective 

subcontractor facility has for access to classified information and the storage capability level. 

 

7102. Security Agreements and Briefings. In the pre-contract phase, the prime contractor will fully advise the 

prospective subcontractor (prior to any release of SAP information) of the procurement's enhanced special security 

requirements. Arrangements for subcontractor Program access will be pre-coordinated with the PSO. When 

approved by the PSO, the prime contractor CPSO will provide Program indoctrinations and obtain NDAs from the 

subcontractors. A security requirements agreement will be prepared that specifically addresses those enhanced 

security requirements that apply to the subcontractor. The security requirements agreement may include the 

following elements, when applicable: 

 

a. General Security Requirements. 

 

b. Reporting Requirements.  

c. Physical and/or Technical Security Requirements.  

d. Release of Information.  

e. Program Classified Control or Accountability.  

f. Personnel Access Controls.  

g. Security Classification Guidance.  

h. Automated Information System.  

i. Security Audits and Reviews.  

j. Program Access Criteria. 

k. Subcontracting. ,.  

l. Transmittal of Program Material. 

m. Storage.  

n. Testing and/or Manufacturing. 

o. Program Travel.  

p. Finances.  

q. Sanitization of Classified Material.  

r. Security Costs and Charging Policy.  

s. Fraud, Waste, and Abuse Reporting 

t. Test Planning. 

u. OPSEC.  

v. TEMPEST. 

 

7103. Transmitting Security Requirements 

Contract Security Classification Specifications prepared by the Prime contractor will be coordinated with the 

GPM/PSO and contracting of dicer prior to transmitting to the shone  Contract Security Classification Specifications 

prepared by the prime contractor will be forwarded to the GPM/PSO and contracting officer for coordinator and 

signature. 

 

Chapter 8 

Automated Information Systems (AIS) 

 

 

Section 1. Responsibilities 

 

 

 

8100. Introduction 

 

a. Purpose and Scope. This chapter addresses the protection and control of information processed on AIS. This entire 

chapter is contractor required and is not an option. The type is not bold or italicized, because it would include the 

complete chapter. AISs typically consist of computer hardware, software, and/or firmware configured to collect, 

create, communicate, compute, disseminate, process, store, or control data or information. This chapter specifies 

requirements and assurances for the implementation, operation, maintenance, and management of secure AIS used in 

support of SAP activities. Prior to using an AIS or AIS network for processing U.S. Government, Customer, or 

Program information, the Contractor/ Provider will develop an AIS Security Plan (AISSP) as described herein and 

receive written Customer authorization to process Customer information. Such authorization to process requires 

approval by the Customer. The Provider will also assign an Information System Security Representative (ISSR) to 

support the preparation of these documents and to subsequently manage AIS security on-site for the Customer's 

program. After the AISSP is approved by the Customer, the Provider will thereafter conform to the plan for all 

actions related to the Customer's program information. This information includes the selection, installation, test, 

operation, maintenance, and modification of AIS facilities, hardware, software, media, and output. 

D. 

b. Requirements. The AISSP selected menu upgrades to the NISPOM baseline will be tailored to the Provider's 

individual AIS configuration and processing operations. Alternatives to the protective measures in this Supplement 

may be approved by the Customer after the Provider demonstrates that the alternatives are reasonable and necessary 

to accommodate the Customer's needs. Prior to implementation, the Provider will coordinate any envisioned changes 

or enhancements with the Customer. Approved changes will be included in the AISSP. Any verbal approvals will 

subsequently be documented in writing. The information and guidance needed to prepare and obtain approval for the 

AISSP is described herein. 

 

c. Restrictions. No personally owned AISs will be used to process classified information. 

 

8101. Responsibilities. 

 

The Customer is the Government organization responsible for sponsoring and approving the classified and/or 

unclassified processing. The Provider is the Contractor who is responsible for accomplishing the processing for the 

Customer. The Information System Security Representative (ISSR) is the Provider assigned individual responsible 

for on-site AIS processing for the Customer in a secure manner. 

 

Provider Responsibilities. The Provider will take those actions necessary to meet with the policies and requirements 

outlined in this document. The provider will: 

 

(l) Publish and promulgate a corporate AIS Security Policy that addresses the classified processing environment. 

 

(2) Designate an individual to act as the ISSR. 

 

(3) Incorporate AISs processing Customer information as part of a configuration management program. 

 

(4) Enforce the AIS Security Policy. 

 

' ISSR Responsibilities. The Provider designated ISSR has the following responsibilities: 

 

(l) AIS Security Policy. Implement the AIS Security Policy. 

 

(2) AIS Security Program. Coordinate the establishment and maintenance of a formal AIS Security Program to 

ensure compliance with this document: 

 

(a)AIS Security Plan (AISSP). Coordinate the preparation of an AISSP in accordance with the outline and 

instructions provided in this document. After Customer approval, the AISSP becomes the controlling security 

document for AIS processing Customer information. Changes affecting the security of the AIS must be approved by 

the Customer prior to implementation and documented in the AISSP. 

 

(b)AIS Technical Evaluation Test Plans. For systems operating in the compartmented or multilevel modes, prepare 

an AIS Technical Evaluation Test Plan in coordination with the Customer and applicable security documents. 

 

(c)Certification. Conduct a certification test in accordance with 8102, c. and provide a 

certification report.	c. 

 

(d)Continuity of Operations Plan (COOP). When contractually required, coordinate the development and 

maintenance of an AIS COOP to ensure the continuation of information processing capability in the event of an AIS 

related disaster resulting from fire, flood, malicious act, human error, or any other occurrence that might adversely 

impact or threaten to impact the capability of the AIS to process information. This plan will be referenced in the 

AISSP. 

 

(e)Documentation. Ensure that all AIS security related documentation as required by this chapter is current and is 

accessible to properly authorized individuals. 

 

(f) Customer Coordination. Coordinate all reviews, tests, and AIS security actions. 

 

(g)Auditing. Ensure that the required audit trails are being collected and reviewed as stated in 8303. 

 

(h)Memorandum of Agreement. As applicable, ensure that Memoranda of Agreement are in place for AISs 

supporting multiple Customers. 

 

(1) Compliance Monitoring. Ensure that the system is operating in compliance with the AISSP. 

 

(j) AIS Security Education and Awareness. Develop an ongoing AIS Security Education and Awareness Program. 

 

(k)Abnormal Occurrence. Advise Customer in a timely manner of any abnormal event that affects the security of an 

approved AIS. 

 

(l) Virus and malicious code. Advise Customer in a timely manner of any virus and malicious code on an approved 

AIS. 

 

(3) Configuration Management. Participate in the configuration management process. 

 

(4) Designation of Alternates. The ISSR may designate alternates to assist in meeting the requirements outlined in 

the chapter. 

 

Special Approval Authority. In addition to the above responsibilities, the Customer may authorize in writing an ISSR 

to approve specific AIS security actions including: 

 

(l) Equipment Movement. Approve and document the movement of AIS equipment. 

 

(2) Component Release. Approve the release of sanitized components and equipment in accordance with Tables I 

and 2 in 850l. 

 

(3) Standalone Workstation and Portable AIS Approval. Approve and document new workstations in accordance 

with an approved AIS security plan and the procedures defined in this document for workstations with identical 

functionality. Approve and document portable AIS. 

 

(4) Dedicated and System High Network Workstation Approval. Approve and document additional workstations 

identical in functionality to existing workstations on an approved Local Area Network (LAN) provided the 

workstations are not located outside of the previously defined boundary of the LAN. 

 

(5) Other AIS Component Approval. Approve and document other AIS components identical in functionality to 

existing components on an approved LAN provided the components are not located outside of the previously defined 

boundary of the LAN. 

 

8102. Approval To Process. 

Prior to using any AIS to process Customer information, approval will be obtained from the Customer. The 

following requirements will be met prior to approval. 

 

a. AIS Security Program. The Provider will have an AIS security program that includes: 

 

(1) An AIS security policy and a formal AIS security structure to ensure compliance with the guidelines specified in 

this document; 

 

(2) An individual whose reporting functionalities are within the Provider's security organization formally named to 

act as the ISSR; 

 

(3) The incorporation of AISs processing Customer information into the Provider's configuration management 

program. The Provider's configuration management program shall manage changes to an AIS throughout its life 

cycle. As a minimum the program will manage changes in an AIS's: 

 

(a) Hardware components (data retentive only) 

 

(b)Connectivity (external and internal) 

 

(c) Firmware 

 

(d) Software 

 

(e) Security features and assurances 

 

 (f) AISSP 

 

 (g)Test Plan 

 

(4) Control. Each AIS will be assigned to a designated custodian (and alternate custodian) who is responsible for 

monitoring the AIS on a continuing basis. The custodian will ensure that the hardware, installation, and maintenance 

as applicable conform to appropriate requirements. The custodian will also monitor access to each AIS. Before 

giving users access to any such AIS, the custodian will have them sign a statement indicating their awareness of the 

restrictions for using the AIS. These statements will be maintained on file and available for review by the ISSR. 

 

b. AIS Security Plan (AISSP). The Provider will prepare and submit an AISSP covering AISs processing 

information in a Customer's Special Access Program Facility (SAPF), following the format in Appendix C. For RD, 

the Customer may modify the AISSP format. 

 

c. AIS Certification and Accreditation. 

 

(1) Certification. Certification is the comprehensive evaluation of technical and non-technical security features to 

establish the extent to which an AIS has met the security requirements necessary for it to process the Customer 

information. Certification precedes the accreditation. The certification is based upon an inspection and test to verify 

that the AISSP accurately describes the AIS configuration and operation (See Appendix C and D). A Certification 

Report summarizing the following will be provided to the Customer: 

 

(a)For the dedicated mode of operation, the provider must verify that access controls, configuration management, 

and other AISSP procedures are functional. 

 

(b)In addition, for System High AIS the ISSR will verify that discretionary controls are implemented. 

 

(c) For compartmented and multilevel AIS, certification also involves testing to verify that technical security features 

required for the mode of operation are functional. Compartmented and multilevel AIS must have a Technical 

Evaluation Test Plan that includes a detailed description of how the implementation of the operating system 

software, data management system software, firmware, and related security software packages will enable the AIS to 

meet the Compartmented or Multilevel Mode requirements. The plan outlines the inspection and test procedures to 

be used to demonstrate this compliance. 

 

(2) Accreditation. Accreditation is the formal declaration by the Customer that a classified AIS or network is 

approved to operate in a particular security mode; with a prescribed set of technical and non-technical security 

features; against a defined threat; in a given operational environment; under a stated operational concept; with stated 

interconnections to other AIS; and at an acceptable level of risk. The accreditation decision is subject to the 

certification process. Any changes to the accreditation criteria described above may require a new accreditation. 

 

d. Interim Approval. The Customer may grant an interim approval to operate. 

 

e. Withdrawal of Accreditation. The Customer may withdraw accreditation if: 

 

(l) The security measures and controls established and approved for the AIS do not remain effective. 

 

(2) The AIS is no longer required to process Customer information. 

 

f. Memorandum of Agreement. A Memorandum of Agreement (MOA) is required whenever an accredited AIS is co-

utilized, interfaced, or networked between two or more Customers. This document will be included, as required, by 

the Customer. 

 

g. Procedures for Delegated Approvals. For AISs operating in the dedicated or system high modes, the Customer 

may delegate special approval authority to the ISSR for additional AISs that are identical in design and operation. 

That is: two or more AIS are identical in design and operate in the same security environment (same mode of 

operation, process information with the same sensitivities, and require the same accesses and clearances, etc). Under 

these conditions the AISSP in addition to containing the information required by Appendix C shall also include the 

certification requirements (inspection and tests) and procedures that will be used to accredit all AlSs. The CSA will 

validate that the certification requirements are functional by accrediting the first AIS using these certification 

requirements and procedures. The ISSR may allow identical AIS to operate under that accreditation if the 

certification procedures are followed and the AIS meets all the certification requirements outline in the AISSP. The 

AISSP will be updated with the identification of the newly accredited AIS and a copy of each certification report will 

be kept on file. 

 

8103. Security Reviews. 

 

a. Purpose. Customer AIS Security Reviews are conducted to verify that the Provider's AIS is operated in accordance 

with the approved AISSP. 

 

b. Scheduling. Customer AIS Reviews are normally scheduled at least once every 24 months for Provider systems 

processing Customer program information. The Customer will establish specific review schedules. 

 

c. Review Responsibilities. During the scheduled Customer AIS Security Review, the Provider will furnish the 

Customer representative conducting the Review with all requested AIS or network documentation. Appropriate 

Provider security, operations, and management representatives will be made available to answer questions that arise 

during the Customer AIS Review process. 

 

Review Reporting. At the conclusion of the Customer AIS Review visit, the Customer will brief the Provider's 

appropriate security, operations, and management representatives on the results of the Review and of any 

discrepancies discovered and the recommend measures for correcting the security deficiencies. A formal report of 

the Customer AIS Review is provided to the Provider's security organization no later than 30 days after the Review. 

 

Corrective Measures. The Provider will respond to the Customer in writing within 30 days of receipt of the formal 

report of deficiencies found in the Customer AIS Review process. The response will describe the actions taken to 

correct the deficiencies outlined in the formal report of Customer AIS Review findings. If proposed actions will 

require an expenditure in funds, approval will be obtained from the Contracting Officer prior to implementation. 

 

Section 2. Security Modes 

 

8200. Security Modes-GeneraL 

 

a. AISs that process classified information must operate in the dedicated, system high, compartmented, or b. 

multilevel mode. Security modes are authorized variations in security environments, requirements, and methods of 

operating. In all modes, the integration of automated and conventional security measures shall, with reasonable 

dependability, prevent unauthorized access to classified information during, or resulting from, the processing, 

storage, or transmission of such information, and prevent unauthorized manipulation of the AIS that could result in 

the compromise or loss of classified information. 

 

b. In determining the mode of operation of an AIS, three elements must be addressed: the boundary and perimeter of 

the AIS, the nature of the data to be processed, and the level and diversity of access privileges of intended users. 

Specifically: 

 

(1) The boundary of an AIS includes all users that c. are directly or indirectly connected and who can 

receive data from the AIS without a reliable human review by an appropriately cleared authority. The perimeter is 

the extent of the AIS that is to be accredited as a single entity. 

 

(2) The nature of data is defined in terms of its classification levels, compartments, subcompartments, and sensitivity 

levels. 

 

(3) The level and diversity of access privileges of its users are defined as their clearance levels, need-to-know, and 

formal access approvals. 

 

8Z201. Dedicated Security Mode. 

 

a An AIS is operating in the dedicated mode (processing either full time or for a specified period) when each user 

with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has all of the following: 

 

(1) A valid personnel clearance for all information stored or processed on the AIS. 

 

(2) Formal access approvals and has executed all appropriate nondisclosure agreements for all the information stored 

and/or processed (including all compartments, subcompartments, and/or SAPs). 

 

(3) A valid need to know for all information stored on or processed within the AIS. 

 

The following security requirements are established for AISs operating in the dedicated mode: 

 

(1) Be located in a SAPF. 

 

(2) Implement and enforce access procedures to the AIS. 

 

(3) All hard copy output will be handled at the level for which the system is accredited until reviewed by a 

knowledgeable individual. 

 

(4) All media removed from the system will be protected at the highest classification level of information stored or 

processed on the system until reviewed and properly marked according to procedures in the AIS security plan. 

 

Security Features for Dedicated Security Mode. 

 

b Since the system is not required to provide technical security features, it is up to the user to protect the information 

on the system. For networks operating in the dedicated mode, automated identification and authentication controls 

are required. 

 

(2) For DoD, the Customer may require audit records of user access to the system. Such records will include: user 

ID, start date and time, and stop date and time. Logs will be maintained IAW 8303. 

 

d. Security Assurances for Dedicated Security Mode. 

 

(l) AIS security assurances must include an approach for specifying, documenting, controlling, and maintaining the 

integrity of all appropriate AIS hardware, firmware, software, communications interfaces, operating procedures, 

installation structures, security documentation, and changes thereto. 

 

(2) Examination of Hardware and Software. Classified AIS hardware and software shall be examined when received 

from the vendor and before being placed into use. 

 

(a)Classified AIS Hardware. An examination shall result in assurance that the equipment appears to be in good 

working order and have no parts that might be detrimental to the secure operation of the resource. Subsequent 

changes and developments which affect security may require additional examination. 

 

(b)Classified AIS Software. 

 

l. Commercially procured software shall be examined to assure that the software contains no features which might be 

detrimental to the security of the classified AIS. 

 

2. Security related software shall be examined to assure that the security features function as specified. 

 

(c) Custom Software or Hardware Systems. New or significantly changed security relevant software and hardware 

developed specifically for the system shall be subject to testing and review at appropriate stages of development. 

 

8202. System High Security Mode. 

 

a. An AIS is operating in the system high mode (processing either full time or for a specified period) when each user 

with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has all of the following: 

 

(1) A valid personnel clearance for all information on the AIS. 

 

(2) Formal access approval and has signed nondisclosure agreements for all the information stored and/or processed 

(including all compartments and subcompartments). 

 

(3) A valid need-to-know for some of the information contained within the system. 

 

b. AISs operating in the system high mode, in addition to meeting all of the security requirements, features, and 

assurances established for the dedicated mode, will meet the following: 

 

(1) Security Features for System High Mode 

 

(a)Define and control access between system users and named objects (e.g., files and programs) in the AIS. The 

enforcement mechanism must allow system users to specify and control the sharing of those objects by named 

individuals and/or explicitly defined groups of individuals. The access control mechanism must, either by explicit 

user action or by default, provide that all objects are protected from unauthorized access (discretionary access 

control). Access permission to an object by users not already possessing access permission must only be assigned by 

authorized users of the object. 

 

(b)Time Lockout. Where technically feasible, the AIS shall time lockout an interactive session after an interval of 

user inactivity. The time interval and restart requirements shall be specified in the AIS Security Plan. 

 

(c)Audit Trail. Provide an audit trail capability that records time, date user ID, terminal ID (if applicable), and file 

name for the following events: 

 

1. Introduction of objects into a user's address space (e.g., file open and program initiation as determined by the 

Customer and ISSR). 

 

2. Deletion of objects (e.g., as determined by the Customer and ISSR). 

 

3. System logon and logoff. 

 

4. Unsuccessful access attempts. 

 

(d)Require that memory and storage contain no residual data from the previously contained object before being 

assigned, allocated, or reallocated to another subject. 

 

(e)identification Controls. Each person having access to a classified AIS shall have the proper security clearances 

and authorizations and be uniquely identified and authenticated before access to the classified AIS is permitted. The 

identification and authentication methods used shall be specified and approved in the AIS Security Plan. User access 

controls in classified AISs shall include authorization, user 

in the AIS Security Plan. User access controls in classified AISs shall include authorization, user identification, and 

authentication administrative controls for assigning these shall be covered in the AISSP. 

 

1. User Authorizations. The manager or supervisor of each user of a classified AIS shall determine the required 

authorizations, such as need-to-know, for that user. 

 

2. User Identification. Each system user shall have a unique user identifier and authenticator. 

 

a. User ID Removal. The ISSR shall ensure the development and implementation of procedures for the prompt 

removal of access from the classified AIS when the need for access no longer exists. 

 

b. User ID Revalidation. The AIS ISSR shall ensure that all user IDs are revalidated at least annually, and 

information such as sponsor and means of off-line contact (e.g., phone number, mailing address) are updated as 

necessary. 

 

Authentication. Each user of a classified AIS shall be authenticated before access is permitted. This authentication 

can be based on any one of three types of information: something the person knows (e.g., a password); something the 

person possesses (e.g., a card or key); something about the person (e.g., fingerprints or voiceprints; or some 

combination of these three. Authenticators that are passwords shall be changed at least every six months. 

 

l. Requirements. 

 

a. Logon. Users shall be required to authenticate their identities at "logon" time by supplying their authenticator 

(e.g., password, smart card, or fingerprints) in conjunction with their user ID. 

 

b. Protection of Authenticator. An Authenticator that is in the form of knowledge or possession (password, smart 

card, keys) shall not be shared with anyone. Authenticators shall be protected at a level commensurate with the 

accreditation level of the Classified AIS. 

 

2. Additional Authentication Countermeasures. Where the operating system provides the capability, the following 

features shall be implemented: 

 

a. Logon Attempt Rate. Successive logon attempts shall be controlled by denying access after multiple (maximum of 

five) unsuccessful attempts on the same user ID; by limiting the number of access attempts in a specified time period; 

by the use of a time delay control system; or other such methods, subject to approval by the Customer. 

 

b. Notification to the User. The user shall be notified upon successful logon of: the date and time of the user's last 

logon; the ID of the terminal used at last logon; and the number of unsuccessful logon attempts using this user ID 

since the last successful logon. This notice shall require positive action by the user to remove the notice from the 

screen. 

 

(g)The audit, identification, and authentication mechanisms must be protected from unauthorized access, 

modification, or deletion. 

 

c. Security Assurances for System High Mode. The system security features for need-to-know controls will be tested 

and verified. Identified flaws will be corrected. 

 

8203. Compartmented Security Mode. 

 

a. An AIS is operating in the compartmented mode when users with direct or indirect access to the AIS, its 

peripherals, or remote terminals have all of the following: 

 

(l) A valid personnel clearance for access to the most restricted information processed in the AIS. 

 

(2) Formal access approval and have signed nondisclosure agreements for that information to which he/she is to have 

access (some users do not have formal access approval for all compartments or subcompartments processed by the 

AIS.) 

 

(3) A valid need-to-know for that information for which he/she is to have access. 

 

b. Security Features for Compartmented Mode. In addition to all Security Features and Security Assurances required 

for the System High Mode of Operation, Classified AIS operating in the Compartmented Mode of Operation shall 

also include: 

 

(1) Resource Access Controls. 

 

(a)Security Labels. The Classified AIS shall place security labels on all entities (e.g., files) reflecting the sensitivity 

(classification level, classification category, and handling caveats) of the information for resources and the 

authorizations (security clearances, need-to-know, formal access approvals) for users. These labels shall be an 

integral part of the electronic data or media. These security labels shall be compared and validated before a user is 

granted access to a resource. 

 

(b)Export of Security Labels. Security labels exported from the Classified AIS shall be accurate representations of 

the corresponding security labels on the information in the originating Classified AIS. 

 

(2) Mandatory Access Controls. Mandatory access controls shall be provided. These controls shall provide a means 

of restricting access to files based on the sensitivity (as represented by the label) of the information contained in the 

files and the formal authorization (i.e., security clearance) of users to access information of such sensitivity. 

 

(3) No information shall be accessed whose compartment is inconsistent with the session logon. 

 

(4) Support a trusted communications path between itself and each user for initial logon and verification. 

 

(5) Enforce, under system control, a system generated, printed, and human readable security classification level 

banner at the top and bottom of each physical page of system hard copy output. 

 

(6) Audit these additional events: the routing of all system jobs and output, and changes to security labels. 

 

(7) Security Level Changes. The system shall immediately notify a terminal user of each change in the security level 

associated with that user during an interactive session. A user shall be able to query the system as desired for a 

display of the user's complete sensitivity label. 

 

c. Security Assurances for Compartmented Mode. 

 

( l ) Confidence in Software Source. In acquiring resources to be used as part of a Classified AIS, consideration shall 

be given to the level of confidence placed in the vendor to provide a quality product, to support the security features 

of the product, and to assist in the correction of any flaws. 

 

(2) Flaw Discovery. The Provider shall ensure the   vendor has implemented a method for the discovery of flaws in 

the system (hardware, firmware, or software) that may have an effect on the security of the AIS. 

 

(3) No Read up, No Write Down. Enforce an upgrade or downgrade principle where all users processing have a 

system maintained classification; no data is read that is classified higher than the processing session authorized; and 

no data is written unless its security classification level is equal to or lower than the user's authorized processing 

security classification and all non-hierarchical categories are the same. 

 

(4) Description of the Security Support Structure (often referred to as the Trusted Computing Base). The protections 

and provisions of the security support structure shall be documented in such a manner to show the underlying 

planning for the security of a Classified AIS. The security enforcement mechanisms shall be isolated and protected 

from any user or unauthorized process interference or modification. 

 

Hardware and software features shall bee provided that can be used to periodically validate the correct operation of 

the elements of the security enforcement mechanisms. 

 

(5) Independent Validation and Verification. An Independent Validation and Verification team shall assist in the 

technical evaluation testing of a classified AIS and shall perform validation and verification testing of the system as 

required by the Customer. 

 

(6) Security Label Integrity. The methodology shall ensure the following: 

 

(a)Integrity of the security labels; 

 

(b)The association of a security label with the transmitted data; and 

 

(c)Enforcement of the control features of the security labels. 

 

(7) Detailed Design of security enforcement mechanisms. An informal description of the security policy model 

enforced by the system shall be available. 

 

8204. Multilevel Security Mode. NOTE: Multilevel Security Mode is not routinely authorized for SCI or SAP 

applications. Exceptions for SCI may be made by the heads of CIA, DIA, or NSA on a case-by-case basis. 

Exceptions for SAP may be made by the Customer. 

 

a An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users 

with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts: 

 

(1) Some users do not have a valid personnel clearance for all of the information processed in the AIS. (Users must 

possess a valid CONFIDENTIAL, SECRET, or TOP SECRET clearance.) 

 

(2) All users have the proper clearance and have the appropriate access approval (i.e., signed nondisclosure 

agreements) for that information to which they are intended to have access. 

 

(3) All have a valid need-to-know for that information to which they are intended to have access. 

 

b. Security Features for Multilevel Mode. In addition to all security features and security assurances required for the 

compartmented mode of operation, classified AIS operating in the multilevel mode of operation shall also include: 

 

( l ) Audit. Contain a mechanism that is able to monitor the occurrence or accumulation of security auditable events 

that may indicate an imminent violation of security policy. This mechanism shall be able to immediately notify the 

security administrator when thresholds are exceeded and, if the occurrence or accumulation of these security relevant 

events continues, the system shall take the least disruptive action to terminate the event. 

 

(2) Trusted Path. Support a trusted communication path between the AIS and users for use when a positive AIS-to-

user connection is required (i.e.,logon, change subject security level). Communications via this trusted path shall be 

activated exclusively by a user or the AIS and shall be logically isolated and unmistakably distinguishable from other 

paths. For Restricted Data, this requirement is only applicable to multilevel AIS that have at least one uncleared user 

on the AIS. 

 

(3) Support separate operator and administrator functions. The functions performed in the role of a security 

administrator shall be identified. The AIS system administrative personnel shall only be able to perform security 

administrator functions after taking a distinct auditable action to assume the security administrative role on the AIS 

system. Non-security functions that can be performed in the security administrative role shall be limited strictly to 

those essential to performing the security role effectively. 

 

(4) Security Isolation. The AIS security enforcement mechanisms shall maintain a domain for its own execution that 

protects it from external interference and tampering (e.g., by reading or modification of its code and data structures). 

The protection of the security enforcement mechanisms shall provide isolation and non-circumvention of isolation 

functions. For Restricted Data, this requirement is only applicable to multilevel AIS that have at least one uncleared 

user on the AIS. 

 

(5) Protection of Authenticator. Authenticators shall be protected at the same level as the information they access. 

 

c. Security Assurances for Multilevel Mode. 

 

(l) Flaw Tracking and Remediation. The Provider shall ensure the vendor provides evidence that all discovered flaws 

have been tracked and remedied. 

 

(2) Life-Cycle Assurance. The development of the Classified AIS hardware, firmware, and software shall be under 

life-cycle control and management (i.e., control of the Classified AIS from the control features of the data flow 

between originator and destination. 

 

(3) Separation of Functions. The functions of the AIS ISSR and the Classified AIS manager shall not be performed 

by the same person. 

 

(4) Device Labels. The methodology shall ensure that the originating and destination device labels are a part of each 

message header and enforce the control features of the data flow between originator and destination. 

 

(5) Security Penetration Testing. In addition to testing the performance of the classified AIS for certification and for 

ongoing testing, there shall be testing to attempt to penetrate the security countermeasures of the system. The test 

procedures shall be documented in the test plan for certification and for on going testing. 

 

(6) Trusted Recovery. Provide procedure and/or mechanisms to assure that, after an AIS system failure or other 

discontinuity, recovery without a protection compromise is obtained. 

 

(7) Covert Channels. A covert channel analysis shall be performed. 

 

Section 3. System Access and Operation 

 

8300 System Access. Access to the system will be limited to authorized personnel. Assignment of AIS access and 

privileges will be coordinated with the ISSR. Authentication techniques must be used to provide control for 

information on the system. Examples of authentication techniques include, but are not limited to: passwords, tokens, 

biometrics, and smart cards. User 

authentication techniques and procedures will be described in the AISSP. 

 

a. User IDs. User IDs identify users in the system and are used in conjunction with other authentication techniques to 

gain access to the system. User IDs will be disabled whenever a user no longer has a need-to-know. The user ID will 

be deleted from the d. system only after review of programs and data associated with the ID. Disabled accounts will 

be removed from the system as soon as practical. e. Whenever possible, access attempts will be limited to five tries. 

Users who fail to access the system within the established limits will be denied access until the user ID is reactivated. 

 

b. Access Authentication. 

 

(l) Password. When used, system logon passwords will be randomly selected and will be at least six characters in 

length. The system logon password generation routine must be approved by the Customer. 

 

(2) Validation. Authenticators must be validated by the system each time the user accesses the AIS. 

 

(3) Display. System logon passwords must not be displayed on any terminal or contained in the audit trail. When the 

AIS cannot prevent a password from being displayed (e.g., in a half-duplex connection), an overprint mask shall be 

printed before the password is entered to conceal the typed password. 

 

(4) Sharing. Individual user authenticators (e.g., passwords) will not be shared by any user. 

 

(5) Password Life. Passwords must be changed at least every six months. 

 

(6) Compromise. Immediately following a suspected or known compromise of a password or Personal Identification 

Number (PIN) the ISSR will be notified and a new password or PIN issued. 

 

(7) Group Logon Passwords. Use of group logon passwords must be justified and approved by the Customer. After 

logon, group passwords may be used for file access. 

 

c. Protection of Authenticators. Master data files containing the user population system logon authenticators will be 

encrypted when practical. Access to the files will be limited to the ISSR and designated alternate(s), who will be 

identified in writing. 

 

d. Modems. Modems require Customer approval prior to connection to an AIS located in a Customer SAPF. 

 

e. User Warning Notice. The Customer may require logon warning banners be installed. 

 

8301. System Operation. 

 

a. Processing initialization is the act of changing the AIS from unclassified to classified, from one classified 

processing level to another, or from one compartment to another or from one Customer to another. To begin 

processing classified information on an approved AIS the following procedures must be implemented: 

 

( l ) Verify that prior mode termination was properly performed. 

 

(2) Adjust the area security controls to the level of information to be processed. 

 

(3) Configure the AIS as described in the approved AISSP. The use of logical disconnects requires Customer 

approval. 

 

(4) Initialize the system for processing at the approved level of operation with a dedicated copy of the operating 

system. This copy of the operating system must be labeled and controlled commensurate with the security 

classification and access levels of the information to be processed during the period. 

 

b. Unattended Processing. Unattended processing will have open storage approval and concurrence from the 

customer. Prior to unattended processing, all remote input and/or output (I/O) not in approved open storage areas 

will be physically or electrically disconnected from the host CPU. The disconnect will be made in an area approved 

for the open storage. Exceptions are on a case-by-case basis and will require Customer approval. 

 

c. Processing Termination. Processing termination of any AIS will be accomplished according to the following 

requirements. 

 

(l) Peripheral Device Clearing. Power down all connected peripheral devices to sanitize all volatile buffer memories. 

Overwriting of these buffer areas will be considered by the Customer on a case-by-case basis. 

 

(2) Removable Storage Media. Remove and properly store removable storage media. 

 

(3) Non-removable (Fixed) Storage Media. Disconnect (physically or electrically) all storage devices with non-

removable storage media not designated for use during the next processing period. 

 

(4) CPU Memory. Clear or sanitize as appropriate all internal memory including buffer storage and other reusable 

storage devices (which are not disabled, disconnected, or removed) in accordance with 8501, Table 2. 

 

(5) Laser Printers. Unless laser printers operating in SAPFs will operate at the same classification level with the same 

access approval levels during the subsequent processing period, they will be cleared by running three pages of 

unclassified randomly generated text. For SCI, five pages of unclassified pages will be run to clear the printer. These 

pages will not include any blank spaces or solid black areas. Otherwise, no pages need be run through the printer at 

mode termination. 

 

(6) Thermal printers. Thermal printers have a thermal film on a spool and take-up reel. Areas in which these types of 

laser printers are located will be either approved for open storage, or the spools and take-up reels will be removed 

and placed in secure storage. The printer must be sanitized prior to use at a different classification level. 

 

(7) Impact-type Printers. Impact-type printers (e.g., dot-matrix) in areas not approved for open storage will be 

secured as follows: Remove and secure all printer ribbons or dispose of them as classified trash. Inspect all printer 

platens. If any indication of printing is detected on the platen, then the platen will be either cleaned to remove such 

printing or removed and secured in an approved classified container. 

 

(8) Adjust area security controls. 

 

8302. Collocation of Classified and Unclassified AIS. 

 

a. Customer permission is required before a Provider may collocate unclassified AIS and classified AIS. This applies 

when: 

 

(l) The unclassified information is to be processed on an AIS located in a SAPF, or 

 

(2) The unclassified information is resident in a database located outside of a SAPF but accessed from terminals 

located within the SAPF. 

 

b. AIS approved for processing unclassified information will be clearly marked for UNCLASSIFIED USE ONLY 

when located within a SAPF. In addition the following requirements apply: 

 

( l ) Must be physically separated from any classified AIS. 

 

(2) Cannot be connected to the classified AIS. 

 

(3) Users shall be provided a special awareness briefing. 

 

(4) ISSR must document the procedures to ensure the protection of classified information. 

 

(5) All unmarked media is assumed to be classified until reviewed and verified. 

 

c. Unclassified portable AIS devices are prohibited in a SAPF unless Customer policy specifically permits their use. 

If permitted, the following procedures must be understood and followed by the owner and user: 

 

(l) Connection of unclassified portable AIS to classified AIS is prohibited. 

 

(2) Connection to other unclassified AISS may be allowed provided Customer approval is obtained. 

 

(3) Use of an internal or external modem with the AIS device is prohibited within the SAPF. 

 

(4) The Provider will incorporate these procedures in the owner's initial and annual security briefing. 

 

(5) Procedures for monitoring portable AIS devices within the SAPF shall be outlined in either the AISSP or the 

Facility Security Plan. These devices and the data contained therein are subject to security inspection by the ISSR 

and the Customer. Procedures will include provisions for random reviews of such devices to ensure that no classified 

program specific or program sensitive data is allowed to leave the secure area. Use of such a device to store or 

process classified information may, at the discretion of the Customer, result in confiscation of the device. All persons 

using such devices within the secure area will be advised of this policy during security awareness briefings. 

 

(6) Additionally, where Customer policy permits, personally owned portable AIS devices may be used for 

unclassified processing only and must follow the previous guidelines. 

 

8303. System Auditing. 

 

a. Audit Trails. Audit trails provide a chronological record of AIS usage and system support activities related to 

classified or sensitive processing. In addition to the audit trails normally required for the operation of a standalone 

AIS, audit trails of network activities will also be maintained. Audit trails will provide records of significant events 

occurring in the AIS in sufficient detail to facilitate reconstruction, review, and examination of events involving 

possible compromise. Audit trails will be protected from unauthorized access, modification, and deletion. Audit trail 

requirements are described under mode of operation. 

 

b. Additional Records and Logs. The following additional records or logs will be maintained by the Provider 

regardless of the mode of operation. These will include: 

 

(1) Maintenance and repair of AIS hardware, including installation or removal of equipment, devices, or 

components. 

 

(2) Transaction receipts, such as equipment sanitization, release records, etc. 

 

(3) Significant AIS changes (e.g., disconnecting or connecting remote terminals or devices, AIS upgrading or 

downgrading actions, and applying seals to or removing them from equipment or device covers). 

 

Audit Reviews. The audit trails, records, and logs created during the above activities will be reviewed and annotated 

by the ISSR (or designee) to be sure that all pertinent activity is properly recorded and appropriate action has been 

taken to correct anomalies. The Customer will be notified of all anomalies that have a direct impact on the security 

posture of the system. The review will be conducted at least weekly. 

 

Record Retention. The Provider will retain the most current 6 to 12 months (Customer Option) of records derived 

from audits at all times. The Customer may approve the periodic use of data reduction techniques to record security 

exception conditions as a means of reducing the volume of audit data retained. Such reduction will not result in the 

loss of any significant audit trail data. 

 

Section 4. Networks 

 

8400 Networks. This section addresses network specific requirements that are in addition to the previously stated 

AIS requirements. Network operations must preserve the security requirements associated with the AIS's mode of 

operation. 

 

a. Types of Networks. 

 

(1 ) A unified network is a collection of AIS's or network systems that are accredited as a single entity by a single 

CSA. A unified network may be as simple as a small LAN operating in dedicated mode, following a single security 

policy, accredited as a single entity, and administered by a single ISSR. The perimeter of such a network 

encompasses all its hardware, software, and attached devices. Its boundary extends to all its users. A unified network 

has a single mode of operation. This mode of operation will be mapped to the level of trust required and will address 

the risk of the least trusted user obtaining the most sensitive information processed or stored on the network. 

 

(2) An interconnected network is comprised of separately accredited AISs and/or unified networks. Each self-

contained AIS maintains its own intra AIS services and controls, protects its own resources, and retains its individual 

accreditation. Each participating AIS or unified network has its own ISSR. The interconnected network c must have 

a security support structure capable of adjudicating the different security policy (implementations) of the 

participating AISs or unified networks. An interconnected network requires accreditation, which may be as simple as 

an addendum to a Memorandum of Agreement (MOA) between the accrediting authorities. 

 

b. Methods of Interconnection. 

 

(1) Security Support Structure (SSS) is the hardware, software, and firmware required to adjudicate security policy 

and implementation d differences between and among connecting unified networks and/or AISs. The SSS must be 

accredited. The following requirements must be satisfied as part of the SSS accreditation: 

 

(a)Document the security policy enforced by the SSS. 

 

(b)Identify a single mode of operation. 

 

(c)Document the network security architecture and design. 

 

(d)Document minimum contents of MOA's required for connection to the SSS. 

 

(2) The interconnection of previously accredited systems into an accredited network may require a reexamination of 

the security features and assurances of the contributing systems to ensure their accreditations remain valid. 

 

(a)Once an interconnected network is defined and accredited, additional networks or separate AISs (separately 

accredited) may only be connected through the accredited SSS. 

 

(b)The addition of components to contributing unified networks which are members of an accredited interconnected 

network are allowed provided these additions do not change the accreditation of the contributing system. 

 

c. Network Security Management. The Provider will designate an ISSR for each Provider network. The ISSR may 

designate a Network Security Manager (NSM) to oversee the security of the Provider's network(s), or may assume 

that responsibility. The ISSR is responsible for coordinating the establishment and maintenance of a formal network 

security program based on an understanding of the overall security relevant policies, objectives, and requirements of 

the Customer. The NSM is responsible for ensuring day to day compliance with the network security requirements as 

described in the AISSP (as covered below) and this Supplement. 

 

d.. Network Security Coordination. When different accrediting authorities are involved, a Memorandum of 

Agreement is required to define the cognizant authority and the security arrangements that will govern the operation 

of the overall network. When two or more ISSRs are designated for a network, a lead ISSR will be named by the 

Provider(s) to ensure a comprehensive approach to enforce the Customer's overall security policy. 

 

e. Network Security 

 

The AISSP must address: 

 

(1) A description of the network services and mechanisms that implement the network security policy. 

 

(2) Consistent implementation of security features across the network components. 

 

(a) Identification and Authentication Forwarding. Reliable forwarding of the identification shall be used between 

AISs when users are connecting through a network. When identification forwarding cannot be verified, a request for 

access from a remote AIS shall require authentication before permitting access to the system. 

 

(b)Protection of Authenticator Data. In forwarding the authenticator information and any tables (e.g., password 

tables) associated with it, the data shall be protected from access by unauthorized users (e.g., encryption), and its 

integrity shall be ensured. 

 

(c)Description of the network and any external connections. 

 

(d)The network security policy including mode of operation, information sensitivities, and user clearances. 

 

(e) Must address the internode transfer of information (e.g., sensitivity level, compartmentation, and any special 

access requirements), and how the information is protected. 

 

(f) Communications protocols and their security features. 

 

(g)Audit Trails and Monitoring. 

 

1. If required by the mode of operation, the network shall be able to create, maintain, and protect from modification 

or unauthorized access or destruction an audit trail of successful and unsuccessful accesses to the AIS network 

components within the perimeter of the accredited network. The audit data shall be protected so that access is limited 

to the ISSR or his/her designee. 

 

2. For Restricted Data, methods of continuous on-line monitoring of network activities may be included in each 

network operating in the Compartmented Security Mode or higher. This monitoring may also include real-time 

notification to the ISSR of any system anomalies. 

 

3. For Restricted Data networks operating in the Compartmented Mode or higher, the Customer may require the 

audit trail to include the changing of the configuration of the network (e.g., a component leaving the network or 

rejoining). 

 

4. The audit trail records will allow association of the network activities with corresponding user audit trails and 

records. 

 

5. Provisions shall be made and the procedures documented to control the loss of audit data due to unavailability of 

resources. 

 

6. For Restricted Data, the Customer may require alarm features that automatically terminate the data flow in case of 

a malfunction and then promptly notify the ISSR of the anomalous conditions. 

 

(h)Secure Message Traffic. The communications methodology for the network shall ensure the detection of errors in 

traffic across the network links. 

 

f. Transmission Security. Protected Distribution Systems or National Security Agency approved encryption 

methodologies shall be used to protect classified information on communication lines that leave the SAPF. Protected 

distribution systems shall be either constructed in accordance with the national standards or utilize National Security 

Agency approved protected distribution systems. 

 

g. Records. The Customer may require records be maintained of electronic transfers of data between automated 

information systems when those systems are not components of the same unified network. Such records may include 

the identity of the sender, identity and location of the receiver, date/time of the transfer, and description of the data 

sent. Records are retained according to 8303.d. 

 

Section 5. Software and Data Files 

 

8500. Software and Data Files. 

 

a. Acquisition and Evaluation. ISSR approval will be obtained before software or data files may be brought into the 

SAPF. All software must be acquired from reputable and/or authorized sources as determined by the ISSR. The 

Provider will check all newly acquired software or data files, using the most current version and/or available of virus 

checking software and procedures identified in the AISSP to c. improve assurance that the software or data files are 

free from malicious code. 

 

b. Protection. Media that may be written to (e.g., magnetic media) must be safeguarded commensurate with the level 

of accreditation of the dedicated or system high AIS. Media on compartmented or multilevel AISs will be protected 

commensurate with the level of the operating session. If a physical write protect mechanism is utilized, media may be 

introduced to the AIS and subsequently removed without changing the original classification. The integrity of the 

write protection mechanism must be verified at a minimum of once per day by attempting to write to the media. 

Media which cannot be changed (e.g., CD read-only media) may be loaded onto the classified system without 

labeling or classifying it provided it is immediately removed from the secure area. If this media is to be retained in 

the secure area, it must be d. Labeled, controlled, and stored as unclassified media as required by the Customer. 

 

(1) System Software. Provider personnel who are responsible for implementing modifications to system or security 

related software or data files e. on classified AISs inside the SAPF will be appropriately cleared. Software that 

contains security related functions (e.g., sanitization, access control, auditing) will be validated to confirm that 

security related features are fully functional, protected from modification, and effective. 

 

(2) Application Software. Application software or data files (e.g., general business software), that will be used by a 

Provider during classified processing, may be developed/modified by personnel outside the security area without the 

requisite security clearance with the concurrence of the Customer. 

 

(3) Releasing Software. Software that has not been used on an AIS processing classified information may be returned 

to a vendor. If media containing software (e.g., applications) are used on a classified system and found to be 

defective, such media may not be removed from a SAPF for return to a vendor. When possible, software will be 

tested prior to its introduction into the secure facility. 

 

c. Targetability. For SCI and SAP the software, whether obtained from sources outside the facility or developed by 

Provider personnel, must be safeguarded to protect its integrity from the time of acquisition or development through 

its life cycle at the Provider's facility (i.e., design, development, operational, and maintenance phases). Uncleared 

personnel will not have any knowledge that the software or data files will be used in a classified area, although this 

may not be possible in all cases. Before software or data files that are developed or modified by uncleared personnel 

can be used in a classified processing period, it must be reviewed by appropriately cleared and knowledgeable 

personnel to ensure that no security vulnerabilities or malicious code exists. Configuration management must be in 

place to ensure that the integrity of the software or data files is maintained. 

 

d. Maintenance Software. Software used for maintenance or diagnostics will be maintained within the secure 

computing facility and, even though unclassified, will be separately controlled. The AISSP will detail the procedures 

to be used. 

 

e. Remote Diagnostics. Customer approval will be obtained prior to using vendor supplied remote diagnostic links 

for on-line use of diagnostic software. The AISSP will detail the procedures to be used. 

 

8501. Data Storage Media Data storage media will be controlled and labeled at the appropriate classification level 

and access controls of the AIS unless write protected in accordance with 8500.b. Open storage approval will be 

required for non-removable media. 

 

Labeling Media. All data storage media will be labeled in human readable form to indicate its classification level, 

access controls (if applicable), and other identifying information. Data storage media that is to be used solely for 

unclassified processing and collocated with classified media will be marked as UNCLASSIFIED. Color coding (i.e., 

media, labels) is recommended. If required by the Customer, all removable media will be labeled with a 

classification label immediately after removing it from its factory sealed container. 

 

b. Reclassification. When the classification of the media increases to a higher level, replace the classification label 

with a higher classification level label. The label will reflect the highest classification level, and access controls (if 

applicable) of any information ever stored or processed on the AIS unless the media is write protected by a Customer 

approved mechanism. Media may never be downgraded in classification without the Customer's written approval. 

 

c. Copying Unclassified Information from a Classified AIS. 

 

(1) The unclassified data will be written to factory fresh or verified unclassified media using approved copying 

routines and/or utilities and/ or procedures as stated in the AISSP. For SCI and SAP, media to be released will be 

verified by reviewing all data on the media including embedded text (e.g., headers and footers). Data on media that is 

not in human readable form (e.g., imbedded graphs, sound, video) will be examined for content with the appropriate 

software applications. Data that cannot be reasonably observed in its entirety will be inspected by reviewing random 

samples of the data on the media. 

 

(2) Moving Classified Data Storage Media Between Approved Areas. The ISSR will establish procedures to ensure 

that data will be written to factory fresh or sanitized media. The media will be reviewed to ensure that only the data 

intended was actually written and that it is appropriately classified and labeled. Alternatives for special 

circumstances may be approved by the Customer. All procedures will be documented in the AISSP. 

 

d. Over writing, Degaussing, Sanitizing, and Destroying Media. Cleared and sanitized media may be reused within 

the same classification level (i.e., TSTS) or to a higher level (i.e., SECRETES). Sanitized media may be downgraded 

or declassified with the Customer's approval. Only approved equipment and software may be used to overwrite and 

degauss magnetic media containing classified information. Each action or procedure taken to overwrite or degauss 

such media will be verified. Magnetic storage media that malfunctions or contains features that inhibit overwriting or 

degaussing will be reported to the ISSR, who will coordinate repair or destruction with the Customer. (See Table 1.) 

 

Caution: Overwriting, degaussing, and sanitizing are not synonymous with declassification. Declassification is a 

separate administrative function. Procedures for declassifying media require Customer approval. 

 

(1) Overwriting Media. Overwriting is a software procedure that replaces the data previously stored on magnetic 

storage media with a pre-defined set of meaningless data. Overwriting is an acceptable method for clearing. Only 

approved overwriting software that is compatible with the specific hardware intended for overwriting will be used. 

use of such software will be coordinated in advance with the Customer. The success of the overwrite procedure will 

be verified through random sampling of the overwritten media. The effectiveness of the overwrite procedure may be 

reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of 

read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps. To clear 

magnetic disks, overwrite all locations three (3) times (first time with a character, second time with its complement, 

and the third time with a random character). Items which have been cleared must remain at the previous level of 

classification and remain in a secure, controlled environment. 

 

(2) Degaussing Media. Degaussing (i.e., demagnetizing) is a procedure that reduces the magnetic flux to virtual zero 

by applying a reverse magnetizing field. Properly applied, degaussing renders any previously stored data on 

magnetic media unreadable and may be used in the sanitization process. Degaussing is more reliable than 

overwriting magnetic media. Magnetic media are divided into three types. Type I degaussers are used to degauss 

Type I magnetic media (i.e., media whose coercivity is no greater than 350 Oersteds (Oe)). Type II degaussers are 

used to degauss Type II magnetic media (i.e., media whose coercivity is no greater than 750 Oe). Currently there are 

no degaussers that can effectively degauss all Type III magnetic media (i.e., media whose coercivity is over 750 Oe). 

Some degaussers are rated above 750 Oersteds and their specific approved rating will be determined prior to use. 

Coercivity of magnetic media defines the magnetic field necessary to reduce a magnetically saturated material's 

magnetization to zero. The correct use of degaussing products improves assurance that classified data is no longer 

retrievable and that inadvertent disclosure will not occur. Refer to the current issue of NSA's Information Systems 

Security Products and Services Catalogue (Degausser Products List Section) for the identification of degaussers 

acceptable for the procedures specified herein. These products will be periodically tested to ensure continued 

compliance with the specification NSA CSS Media Declassification and Destruction Manual NSA 1302. 

 

(3) Sanitizing Media. Sanitization removes information from media such that data recovery using any known 

technique or analysis is prevented. 

 

Sanitizing is a two-step process that includes removing data from the media in accordance with Table } and 

removing all classified labels, markings, and activity logs. 

 

(4) Destroying Media. Data storage media will be destroyed in accordance with Customer approved methods. 

 

(5) Releasing Media. Releasing sensitive or classified Customer data storage media is a three step process. First, the 

Provider will sanitize the media and verify the sanitization in accordance with procedures in this chapter. Second, the 

media will be administratively downgraded or declassified either by the CSA or the ISSR, if such authority has been 

granted to the ISSR. Third, the sanitization process, downgrading or declassification, and the approval to release the 

media will be documented. 

 

Table 1 

Clearing and Sanitization Data Storage 

 

 

Type Media				Clear				Sanitize 

 

(a) Magnetic Tape 

Type I					a or b				a, b, or destroy 

Type II					a or b				b or destroy 

Type HI					a or b				Destroy 

 

(b) Magnetic Disk Packs 

Type I									a, b, or c 

Type II									b or c 

Type III									Destroy 

 

(c) Magnetic Disk Packs 

Floppies					a, b, or c				Destroy 

Bernoulli's				a, b, or c				Destroy 

Removable Hard Disks			a, b, or c				a, b, c, or destroy 

Non Removable Hard Disks		c				a, b, c, or destroy 

 

 

(d) Optical Disk 

Read Only								Destroy 

Write Once, Read Many (Worm)						Destroy 

Read Many, Write Many			c				Destroy 

 

These procedures will be performed by or as directed by the ISSR. 

 

a. Degauss with a Type I degausser 

 

b. Degauss with a Type II degausser 

 

c. Overwrite all locations with a character, its complement, then with a random character. Verify that all sectors have 

been overwritten and that no new bad sectors have occurred. If new bad sectors have occurred during classified 

processing, this disk must be sanitized by method a or b described above. Use of the overwrite for sanitization must 

be approved by the Customer. 

 

Note: For handheld devices (e.g., calculators or personal directories), sanitization is dependent upon the type and 

model of the device. If there is any question about the correct sanitization procedure, contact the manufacturer or the 

Customer. In general, sanitization is accomplished as follows: Depress the "CLEAR ENTRY" and the "CLEAR 

MEMORY" buttons, remove the battery for several hours, and remove all associated magnetic media and retain it in 

the SAPF or destroy. In some models there are specialpurpose memories and keynumbered memories, as well as 

"register stacks." Caution will be taken to clear all such memories and registers. This may take several keystrokes 

and may require the use of the operator's manual. Test the hand held device to ensure that all data has been removed. 

If there is any question, the device will remain in the SAPF or be destroyed. 

 

 

Table 2 

Sanitizing AIS Components 

 

 

TYPE									PROCEDURE 

 

Magnetic Bubble Memory							a, b, or c 

Magnetic Core Memory							a, b, or c 

Magnetic Plated Wire							d or e 

Magnetic Resistive Memory						Destroy 

 

Solid State Memory Components 

 

Random Access Memory (RAM) (Volatile)					f then j 

Nonvolatile RAM (NOVRAM)						l 

Read Only Memory (ROM)						Destroy (see k) 

Programmable ROM (PROM)						Destroy (see k) 

Erasable Programmable ROM (EPROM)					g, then d and j 

Electronically Alterable PROM (EAPROM)					h, then d and j 

Electronically Erasable PROM (EEPROM)					i, then d and j 

Flash EPROM (FEPROM)							i, then d and j 

 

These procedures will be performed by or as directed by the ISSR. 

 

a. Degauss with a Type I degausser. 

 

b. Degauss with a Type II degausser. 

 

c. Overwrite all locations with any character. 

 

d. Overwrite all locations with a character, its complement, then with a random character. 

 

e. Each overwrite will reside in memory for a period longer than the classified data resided. 

 

f. Remove all power, including batteries and capacitor power supplies, from RAM circuit board. 

 

g. Perform an ultraviolet erase according to manufacturer's recommendation, but increase time requirements by a 

factor of 3. 

 

h. Pulse all gates. 

 

i. Perform a full chip erase. (See Manufacturer's data sheet.) 

 

j. Check with Customer to see if additional procedures are required. 

 

k. Destruction required only if ROM contained a classified algorithm or classified data. 

 

1. Some NOVRAM are backed up by a battery or capacitor power source; removal of this source is sufficient for 

release following item f procedures. Other NOVRAM are backed up by EEPROM which requires application of the 

procedures for EEPROM  

 

Section 6. AIS Acquisition, Maintenance, and Release 

 

8600. AIS Acquisition, Maintenance, and Release. 

 

a. Acquisition AISs and AIS components that will process classified information will be protected during the 

procurement process from direct association with the Customer's program. When required by the Customer, 

protective packaging methods and procedures will be used while such equipment is in transit to protect against 

disclosure of