Show New to ISOO? This page contains answers to some of the questions most frequently asked by security professionals. If you have a question that is not listed here please visit our individual programs or Contact Us. Guidance listed on this page pertains only to Federal agencies and applicable contractors and is binding on agency actions as required by law and similar authority. The guidance does not apply to, and is not meant to bind, the public, except as authorized by law or regulation or as incorporated into a contract.Executive Order 13526What is Classified National Security Information? In E.O. 13526, section 4.1(f)(3)(B) who determines "standardized electronic formats?" What is the difference between a "confidential human source" and a "human intelligence source?" Is there a standard procedure for notifying the Archivist in case of reclassification? According to section 3.3(j)(1)(C) of E.O. 13526, who is responsible for verifying "a specific and independently verifiable event?" In E.O. 13526, section 3.7(b)(1), how is "timely" defined? Who do we contact for information on the SF 312, Nondisclosure Agreement? Are there any circumstances when I might be allowed to take classified documents home with me? Who should be the SAO for an agency? Outside of Goverment Controlled documents How does Classified Information end up in Private Collections? How can I identify Classified National Security Information? How is Classified National Security Information stored and protected? How is Classified National Security Information transmitted? How do I file a Mandatory Declassification Review (MDR) request? How do I find out the MDR Results and Appeal Options? MarkingWhat are the requirements for the use of the 50X and 75X exemptions? What happens to the documents marked 50X-HUM and WMD after 50 years? What marking goes on the "declassify on" line for derivative documents, if the source document is marked 25X1-Human? How is a derivative document marked if the source document has no date? What happens if a document does not have any declassification instructions? How are dynamic documents portioned marked? How are documents being declassified remarked? Can a classification be extended? If an agency has a current exemption, does it need to be reapproved? If a security declassification guide has an instruction to mark certain information for declassification for 25 years, is it from the date of the guide or the date of the document? If we receive a classified document and notice the classification level is not on the top and bottom of every page is it okay to mark the top and bottom with the appropriate classification level of the document even though we did not create the document? When were portion markings first required on classified documents? If individual PowerPoint© slides within a classified presentation have an overall classification of unclassified, is it really necessary to mark the portions as unclassified? May an agency derivatively classify information from a document prepared/classified by a different agency prior to the effective date of Executive Order 13526 which is not portion marked as would be required under E.O. 13526? Original Classification Authority (OCA) and Derivative ClassificationIs the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)? Must anyone who creates derivative work be pre-designated as "authorized" to do so and if so, at what level should the training be? If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI to report, or NRO, or both? Who can derivatively mark documents? Who is responsible for providing Original Classification Authority (OCA) training to those designated specifically by the President? Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117 and NISPPAC When did 32 CFR Part 117 become effective?? Where can I find additional information? Does NISPPAC Industry have a way to reach out to cleared companies? Questions re: GSA Containers What is the Government policy for procuring GSA Approved containers for storing US Government classified information? What is the process if a defense contractor needs to purchase a GSA Approved container What is the process if a defense contractor wants to purchase a GSA container off contract and with company dollars? Does it mean contractors cannot just buy containers from any vendor? Can contractors buy used containers? Is there a process to re-certify a GSA approved container that we are unsure of or is missing a label? Is it acceptable to have preventative maintenance performed instead of replacing the safe? What is the disposal process for used containers? Black lettering indicates safes are nearing the end of their expected life. Is there information on when they need to be replaced? Are older versions of locks previously approved under Federal Specification FF-L-2740B (e.g. X-07, X-08, X-09 still allowed to be used? Is the DODAAC number issued once to a contractor or is there a different number per contract? Can we use a cabinet owned by our company from other location? Express Carriers and National Security System What overnight express carriers are authorized for NISP cleared contractors? What is a "national security system" (NSS)? Can Secret and Confidential information be transmitted by an overnight delivery service within the U.S. and its Territories? Where can I get additional information on the NSS, incidents, and spills? Where can I contact the Committee on National Security Systems (CNSS)? Executive Order 13526What is Classified National Security Information? Classified national security information is information created or received by an agency of the federal government or a government contractor that would damage national security if improperly released. Since 1940, the President has managed the system of classifying information by executive order (E.O.); the most recent order concerning classified national security information is E.O. 13526, signed by President Obama on December 29, 2009. Information can only be classified if an official determination is made that its unauthorized release would damage the national security. Levels of classification correspond to levels of supposed damage. E.O. 13526 specifies that information whose release would cause “exceptionally grave damage to the national security” is classified TOP SECRET; information whose release would cause “serious damage” is classified SECRET; CONFIDENTIAL is the lowest category of classified information currently in use. RESTRICTED is an obsolete category that was discontinued in 1953. Classified information may take any form. Though paper documents are most common, there are classified photographs, maps, motion pictures, videotapes, databases, microfilms, hard drives, CDs, etc. Regardless of medium, classified information requires protection until it is formally declassified. The Federal Government's current system of marking and controlling security-classified information dates from World War II. Very little pre-1941 information still meets the criteria for continued classification. Only very specific information dating from before 1942 controlled by the National Security Agency regarding signals intelligence, by the United States Secret Service regarding the protection of the President, and by the U.S. Mint concerning the gold bullion depository at Fort Knox remains classified. In E.O. 13526, section 4.1(f)(3)(B) who determines "standardized electronic formats?" What is the difference between a "confidential human source" and a "human intelligence source?" Is there a standard procedure for notifying the Archivist in case of reclassification? According to section
3.3(j)(1)(C) of E.O. 13526, who is responsible for verifying "a specific and independently verifiable event?" In E.O. 13526, section 3.7(b)(1), how is "timely" defined? Who do we contact for information on the SF 312, Nondisclosure Agreement? Are there any circumstances when I might be allowed to take classified documents home with
me? Who should be the SAO for an agency? The SAO must be located within the organization so as to make adjustments to agency practices, personnel, and funding as may be necessary to ensure compliance and support the business needs of the department or agency. A partial list of some current SAO job titles includes:
Outside of Goverment Controlled documents How does Classified Information end up in Private Collections? Former government officials and contractors have been known to retain papers containing classified national security information and to eventually donate them to private archives. Often, it is not until these records are formally processed that archivists realize a collection contains classified information. If an archives or a library has not received Federal approval to store classified materials, continuing to store the records in an unapproved area could be endangering national security. In these instances, the institution should contact the Information Security Oversight Office (ISOO) at the National Archives and arrange for these records to be securely stored. ISOO will maintain temporary custody of the records through the declassification process. By contacting ISOO you will be respecting the access restrictions placed on that information by the U.S. government. ISOO, in turn, will respect the rights of your institution to maintain the integrity of collections of donated personal papers. How can I identify Classified National Security Information? There are three basic tests that you can apply to determine whether a document contains classified information:
While these are the primary means of identifying classified information, those who suspect they have classified materials in their collections should also be careful to examine documents for:
How is Classified National Security Information stored and protected? If you discover classified materials in your collection and your institution does not have federally approved secure storage, immediately remove the records from public review and restrict access to as few staff members as possible. Until they are ready for transmittal to ISOO, the records should be locked in a safe, filing cabinet, or other secure areas. How is Classified National Security Information transmitted? Transmittal requirements for classified materials vary depending on the classification level of the information they contain. In all instances, the use of street side mailboxes is prohibited. CONFIDENTIAL materials may be sent via U.S. Postal Service certified, first class, express, or registered mail or government courier service. SECRET materials may ONLY be sent via U.S. Postal Service express or registered mail or government courier service. When mailing materials to ISOO, please adhere to the following guidelines: Wrap the body of records in opaque paper. Heavy brown paper or brown mailing envelopes are best. CONFIDENTIAL and SECRET materials may be wrapped together. Seal all seams with filament tape. Address the package to: Director, Information Security Oversight Office Provide a return address. Label the front and back of the package with the highest classification marking of the documents it contains. Wrap the entire package ONCE MORE in opaque paper. Again, address the package to the Director of ISOO as indicated above and provide a return address. On this outer wrapper, do NOT write the classification level of the materials contained within. Again, seal all seams with filament tape. TOP SECRET materials may NOT be sent via U.S. mail and may only be transmitted by authorized government courier service. ISOO can make the necessary arrangements on your institution’s behalf. ISOO staff will give more detailed instructions regarding the shipment of classified records and regarding the temporary retention of records by ISOO pending declassification. How do I file a Mandatory Declassification Review (MDR) request? If ISOO determines that the records provided require declassification review by equity-holding agencies, a non-governmental repository will be encouraged to file a Mandatory Declassification Review (MDR) request. The request should come in the form of a formal letter to the Director of ISOO explaining that the institution is filing an MDR for those records furnished to ISOO for temporary custody. ISOO will then contact all equity-holding agencies and provide them with copies of the records for their review. How do I find out the MDR Results and Appeal Options? ISOO will communicate the results once all agencies have completed their reviews or after one year’s time, whichever comes first. If an institution is not satisfied with the results of an agency’s review, it may appeal the agency’s initial determination. If an agency or agencies fail to review the records within a year, ISOO will notify the requesting institution of its right to appeal directly to the Interagency Security Classification Appeals Panel (ISCAP) for a final determination on the records’ classification status.. Marking What are the requirements for the use of the 50X and 75X exemptions? Section 3.3(h)(3) allows for agencies to seek the exemption of specific information from automatic declassification at 75 years. Proposals to seek an exemption at 50 or 75 years, shall be submitted to the Director of ISOO, serving as Executive Secretary of the ISCAP, 1 year before the information is subject to automatic declassification.
Example of requesting a 75X1 or 75X6 exemption:
What happens to the documents marked 50X-HUM and WMD after 50 years? What marking goes on the "declassify on" line for derivative documents, if the source document is marked 25X1-Human? How is a derivative document marked if the source document has no date? What happens if a document does not have any declassification instructions? How are dynamic documents portioned marked? How are documents being declassified
remarked? Can a
classification be extended? If an agency has a current exemption, does it need to be reapproved? All current 10 and 225-yearexemptions should be updated with the ISCAP. If a security declassification guide has an instruction to mark certain information for declassification for 25 years, is it from the date of the guide
or the date of the document? If we receive a classified document and notice the classification level is not on the top and bottom of every page is it okay to mark the top and bottom with the appropriate
classification level of the document even though we did not create the document? When were portion markings first required on classified documents? E.O. 11652, Classification and Declassification of National Security Information and Material, June 8, 1972, signed by Richard Nixon The following rules shall apply to classification of information under this order: E.O. 12065, National Security Information, June 28, 1978, signed by Jimmy Carter 1.504 In order to facilitate excerpting and other uses, each classified document shall, by marking or other means, indicate clearly which portions are classified, with the applicable classification designation, and which portions are not classified. The Director of the Information Security Oversight Office may, for good cause, grant and revoke waivers of this requirement for specified classes of documents or information. If individual PowerPoint© slides within a classified presentation have an overall classification of unclassified, is it really necessary to mark the portions as unclassified? When you are marking a classified document, it is critical that all portions be appropriately marked so as to avoid any confusion about the classification of each portion. 32 CFR 2001.21(c) states that each portion...shall be marked to indicate which portions are classified and which portions are unclassified. This remains true regardless of the overall classification of that page. If you were to take an unmarked portion out of one briefing and place that portion into another briefing, and there is no accompanying marking, you have created a classification problem. May an agency derivatively classify information from a document prepared/classified by a different agency prior to the effective date of Executive Order 13526 which is not portion marked as would be required under E.O. 13526? There is an inherent responsibility to go back to the originating agency and request proper markings. If this is not possible, then the document cannot be used as a source document for other derivatively classified documents and must contain a statement stating so. Original Classification Authority (OCA) and Derivative Classification Is the statement, "original classification authority may extend the duration of classification up to 25 years from the date of the origin of the document" intended to allow an OCA to extend declassification for another 25 years (total 50 years)? Must anyone who creates derivative work be pre-designated as "authorized" to do so and if so, at what level should the training be? If an agency is delegated original classification authority (OCA) from another agency (e.g. the ODNI delegating OCA authority to NRO), which agency reports to the Director of ISOO in accordance with the Memorandum for the Heads of Executive Departments and Agencies? Is the ODNI
to report, or NRO, or both? Who can derivatively mark documents? Who is responsible for providing Original Classification Authority (OCA) training to those designated specifically by the President? Those who are responsible to the Senior Agency Official for implementation of the program should provide required training to the OCAs and everyone else in the organization. Frequently Asked Questions GSA ContainersGSA GLOBAL SUPPLY DOCUMENT What is the Government policy for procuring GSA Approved containers for storing US Government classified information? The Government wide policy is documented in Information Security Oversight Office (ISOO) Notice 2014-02. New containers can only be purchased through the GSA process. They cannot be purchased from third party vendors, refurbishers, or sales boards such as E:Bay. Containers for storage of classified storage can be transferred or sold from one cleared program to another either within a company or between two separate companies. The concern is that containers that leave a cleared contractor or Government control may be accessed by someone with bad intentions and compromised, so those containers may not be used. Information on the procurement process can be located at the following web sites: https://www.gsa.gov/buying-selling/purchasing-programs/requisition-programs/gsa-global-supply/national-stock-numbers/security-containers/ordering-procedures-for-security-containers and https://www.archives.gov/files/isoo/notices/notice-2014-02.pdf What is the process if a defense contractor needs to purchase a GSA Approved container? The contractor ordering process is detailed in documents at the above link. What is the process if a defense contractor wants to purchase a GSA container off contract and with company dollars? Contractors who need to purchase GSA Approved containers need to follow the process detailed in the ordering procedures even if the purchase is being made with company money.\ Does it mean contractors cannot just buy containers from any vendor? Can contractors buy used containers? Information Security Oversight Office (ISOO) Notice 2012-04 does not allow the use of used or refurbished containers. All new containers for US Government contractors must be purchased through the specified process. https://www.archives.gov/files/isoo/notices/notice-2012-04.pdf Is there a process to re-certify a GSA approved container that we are unsure of or is missing a label? Is it acceptable to have preventative maintenance performed instead of replacing the safe? Yes. Allowable maintenance is identified in Federal Standard 809, paragraph 4.2. This does include allowing the replacement of the lock. FED STD 809 can be found at the following web address: https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock/Documents/DirectivesandGuidance.html What is the disposal process for used containers? Minimum disposal
instructions can be found at the following web address: Black lettering indicates safes are nearing the end of their expected life. Is there information on when they need to be replaced? Federal Standard 809D, Section 5, states once a black label GSA-approved security file cabinet is neutralized, it shall not be repaired (Table 1, page 8). It is important to note that the term “neutralized” means the cabinet was locked in the closed condition and it was opened using one of the four neutralization methods described in Federal Standard 809D, Section 6. Per the new “DO NOT REPAIR” statement in Federal Standard 809D, Table 1, once a black label security file cabinet has been neutralized, it cannot be repaired and put back in service protecting classified information. GSA-approved black label security file cabinets that remain in service protecting classified information should continue to be periodically inspected and maintained as described in Federal Standard 809D, Section 4. Specifically, the following routine maintenance and repair procedures can be accomplished on a black label security file cabinet: • The combination lock can be replaced. • The drawer suspensions can be replaced or repaired. • The drawer handles and springs can be replaced or adjusted. • Periodic adjustments (drawer head, thumb latches etc.) and bolt tightening can be accomplished as required. Are older versions of locks previously approved under Federal Specification FF-L-2740B (e.g. X-07, X-08, X-09 still allowed to be used? All locks previously approved under Federal Specification are still allowed to be used. Be aware that the X-07, X-08 and the early X-09 locks have exceeded their expected life and should be on a considered for replacement. If we had a lock that failed and we need to replace it how do we find an authorized locksmith to replace the lock? Information on locksmiths who have completed the GSA Safe and Vault Technicians course can be found on the DoD Lock program web page at: https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html Is the DODAAC number issued once to a contractor or is there a different number per contract? According to PGI251.102-70 a DoDAAC is assigned to a contractor for use per the contract number and is unique to that contract. It expires 24 months beyond contract closeout. DoDAACs are assigned by contract number. Can we use a cabinet owned by our company from other location? Yes, Containers can be transferred within a company. Frequently Asked Questions re: National Security InformationWhat carriers are approved by the NISP as overnight carriers? GSA’s Multiple Award Schedule (MAS) no longer includes UPS (contract number GS-23F-0282L). This impacts any orders or blanket purchasing agreements an agency had placed or intended to place with UPS under that particular contract. Agencies are still authorized to use UPS under another valid Government contract: DoD/USTRANSCOM’s Next Generation Delivery Services (NGDS) program. NGDS is a GSA-delegated, OMB mandatory-use program for small parcel delivery services. It has current contracts with UPS and FedEx that satisfy the requirements of 32 CFR 2001.46(c)(2)(ii) for overnight delivery of Confidential and Secret classified information. For Federal users to get more information on the NGDS program, its rates, and shipper’s guide, see https://hallways.cap.gsa.gov/app/#/gateway/transportation-logistics-services. Cleared NISP contractors should contact their Government Contracting Activity (GCA) for approval to utilize the NGDS contract for overnight delivery of Confidential and Secret classified information in accordance with 32 CFR 117.15(f)(3), as there are NGDS requirements that the GCA must ensure are met. If an agency is not able to utilize delivery services under the NGDS program, the agency may use another approved vendor for overnight delivery of Confidential and Secret classified information. USPS and FedEx have current contracts for delivery services under GSA’s MAS 492110 schedule. Although these vendors meet the requirement in 32 CFR 2001.46(c)(2)(ii) to use a GSA-approved vendor, they have not been vetted under this schedule to determine if they meet the additional requirements for classified delivery services outlined in 32 CFR 2001.46(c)(2)(ii). Before placing an order against the MAS, the agency must therefore vet the vendor to ensure it meets these additional regulatory requirements. Cleared NISP contractors will also need to make sure the supplier meets requirements in 32 CFR 117.15(f)(3). For more information on MASs, see https://www.gsa.gov/buying-selling/purchasing-programs/gsa-schedule. What is a "national security system" (NSS)? 44 USC 3552 (b)(6)(A), Federal Information Security Management Act of 2014 (FISMA), Public Law 113-283, December 18, 2014, defines a "national security system" as: Any information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, (i) the function, operation, or use of which: (I) Involves intelligence activities; (II) Involves cryptologic activities related to national security; (II) Involves command and control of military forces; (IV) Involves equipment that is an integral part of a weapon or weapon system; or (V) Subject to subparagraph B, is critical to the direct fulfillment of military or intelligence missions; or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (B) Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). Can Secret and Confidential information be transmitted by an overnight delivery service within
the U.S. and its Territories? Overnight Express Carriers: These overnight express carriers below meet the requirements outlined In 32 CFR Part 2001 for Federal Executive Branch and the requirements established in DoD Manual 5220.22, NISPOM for cleared contractors for the shipment of CONFIDENTIAL AND SECRET MATERIAL. Federal Express USPS *(see note 1) Where can I get additional information on the NSS, incidents, and spills? See Federal Incident Reporting Guidelines Where can I contact the Committee on National Security Systems (CNSS)? See Committee on National Security Systems Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117 and NISPPAC When did 32 CFR Part 117 become effective? 32 CFR Part 117 became effective February 24, 2021, and authorizes the contractor no more than six months to comply with changes from the effective date of the rule, which is August 24, 2021. Where can I find additional information? To assist in implementing the NISPOM Rule and help those not familiar with the rule's new format, the Defense Counterintelligence Security Agency (DCSA) released a cross-reference tool. This tool maps the DoD 5220.22-M format to the appropriate location within the NISPOM Rule. The tool can be found on the Center for Development of Security Excellence (CDSE) website at https://www.cdse.edu/documents/toolkits-fsos/32CFR_Part117_NISPOM_Rule_Cross_Reference_Tool.xlsx. Does NISPPAC Industry have a way to reach out to cleared companies? Check out the Industry NISPPAC Newsletter- What's New with the Industry NISPPAC What is the Purpose of the NDC?The NDC will shorten the amount of time that it takes to declassify a document. Who Established the NDC?The authority for the NDC is Section 3.7 of Executive Order 13526, which was signed by President Obama on December 29, 2009. Where Can I Go to Learn More?For additional information, visit NDC. or send a comment, question or concern to . Additionally, you can visit the NDC blog. Which method may be used to transmit CONFIDENTIAL materials?The United States Postal Service, or USPS, offers two services that you may use for transmission of Secret material: Priority Mail Express and Registered Mail.
How is classified information transmitted?Classified documents must be double wrapped prior to mailing. Show the full return address on the envelope (office and name of contact where item should be returned if undeliverable, if damaged or found open).
What cover sheet is attached to help protect a SECRET document?Cover sheets are required with classified documents, (i.e., Form SF-703, Top Secret Cover Sheet; Form SF-704, Secret Cover Sheet; and Form SF-705, Confidential Cover Sheet). Form DS-1902, Access Control Sheet Top Secret Information, must be permanently affixed to all Top Secret material.
What is required to access classified information Select all that apply?In order to have authorized access to classified information, an individual must have national security eligibility and a need- to-know the information, and must have executed a Standard Form 312, also known as SF-312, Classified Information Nondisclosure Agreement.
|