 |
Code of Federal Regulations (Last Updated: April 5, 2024) |
 |
Title 32 - National Defense |
|
Subtitle B - Other Regulations Relating to National Defense |
|
Chapter XX - Information Security Oversight Office, National Archives and Records Administration |
|
Part 2004 - National Industrial Security Program Directive No. 1 |
|
Subpart C - Operations |
§ 2004.32 - Determining entity eligibility for access to classified information.
-
§ 2004.32 Determining entity eligibility for access to classified information.
(a) Eligibility determinations.
(1) The responsible CSA determines whether an entity is eligible for access to classified information. An entity may not have access to classified information until the responsible CSA determines that it meets all the requirements in this section. In general, the entity must be eligible to access classified information at the appropriate level before the CSA may consider any of the entity's subsidiaries, sub-contractors, or other sub-entities for eligibility. However, when the subsidiary will perform all classified work, the CSA may instead exclude the parent entity from access to classified information rather than determining its eligibility. In either case, the CSA must consider all information relevant to assessing whether the entity's access poses an unacceptable risk to national security interests.
(2) A favorable access eligibility determination is not the same as a safeguarding capability determination. Entities may access classified information with a favorable eligibility determination, but may possess classified information only if the CSA determines both access eligibility and safeguarding capability, based on the GCA's requirement in the contract security classification specification (or equivalent).
(3) If an entity has an existing eligibility determination, a CSA will not duplicate eligibility determination processes performed by another CSA. If a CSA cannot acknowledge an entity eligibility determination to another CSA, that entity may be subject to duplicate processing.
(4) Each CSA maintains a record of its entities' eligibility determinations (or critical infrastructure entity eligibility status under the CCIPP, for DHS) and responds to inquiries from GCAs or entities, as appropriate and to the extent authorized by law, regarding the eligibility status of entities under their cognizance.
(b) Process.
(1) The responsible CSA provides guidance to entities on the eligibility determination process and on how to maintain eligibility throughout the period of the agreement or as long as an entity continues to need access to classified information in connection with a legitimate U.S. or foreign government requirement.
(2) The CSA coordinates with appropriate authorities to determine whether an entity meets the eligibility criteria in paragraph (e) of this section. This includes coordinating with appropriate U.S. Government regulatory authorities to determine entity compliance with laws and regulations.
(3) An entity cannot apply for its own eligibility determination. A GCA or an eligible entity must sponsor the entity to the responsible CSA for an eligibility determination. The GCA or eligible entity may sponsor an entity at any point during the contracting or agreement life-cycle at which the entity must have access to classified information to participate (including the solicitation or competition phase). An entity with limited eligibility granted under paragraph (f) of this section may sponsor a sub-entity for a limited eligibility determination for the same contract, agreement, or circumstance so long as the sponsoring entity is not under FOCI (see § 2004.34(i)).
(4) The GCA must include enough lead time in each phase of the acquisition or agreement cycle to accomplish all required security actions. Required security actions include any eligibility determination necessary for an entity to participate in that phase of the cycle. The GCA may award a contract or agreement before the CSA completes the entity eligibility determination. However, in such cases, the entity may not begin performance on portions of the contract or agreement that require access to classified information until the CSA makes a favorable entity eligibility determination.
(5) When a CSA is unable to make an eligibility determination in sufficient time to qualify an entity to participate in the particular procurement action or phase that gave rise to the GCA request (this includes both solicitation and performance phases), the GCA may request that the CSA continue the determination process to qualify the entity for future classified work for any GCA, provided that the processing delay was not due to the entity's lack of cooperation. Once the CSA determines that an entity is eligible for access to classified information, but a GCA does not award a contract or agreement requiring access to classified information to the entity, or the entity's eligibility status changes, the CSA terminates the entity eligibility determination in accordance with paragraph (g) of this section.
(c) Coverage.
(1) A favorable eligibility determination allows an entity to access classified information at the determined eligibility level, or lower.
(2) The CSA must ensure that all entities needing access to classified information as part of a legitimate U.S. or foreign government requirement have or receive a favorable eligibility determination before accessing classified information. This includes both prime or parent entities and sub-entities, even in cases in which an entity intends to have the classified work performed only by sub-entities. A prime or parent entity must have a favorable eligibility determination at the same classification level or higher than its sub-entity(ies), unless the CSA determined that the parent entity could be effectively excluded from access (see paragraph (a)(1) of this section).
(3) If a parent and sub-entity need to share classified information with each other, the CSA must validate that both the parent and the sub-entity have favorable eligibility determinations at the level required for the classified information prior to sharing the information.
(d) DHS Classified Critical Infrastructure Protection Program (CCIPP). DHS shares classified cybersecurity information with certain employees of entities under the Classified Critical Infrastructure Protection Program (CCIPP). The CCIPP applies only to entities that do not need to store classified information, have no other contracts or agreements already requiring access to classified information, and are not already determined eligible for access to classified information. DHS establishes and implements procedures consistent with the NISP to determine CCIPP entity eligibility for access to classified information.
(e) Eligibility criteria. An entity must meet the following requirements to be eligible to access classified information:
(1) It must need to access classified information as part of a legitimate U.S. Government or foreign government requirement, and access must be consistent with U.S. national security interests as determined by the CSA;
(2) It must be organized and existing under the laws of any of the 50 States, the District of Columbia, or an organized U.S. territory (Guam, Commonwealth of the Northern Marianas Islands, Commonwealth of Puerto Rico, and the U.S. Virgin Islands); or an American Indian or Alaska native tribe formally acknowledged by the Assistant Secretary - Indian Affairs, of the U.S. Department of the Interior;
(3) It must be located in the United States or its territorial areas;
(4) It must have a record of compliance with pertinent laws, regulations, and contracts (or other relevant agreements);
(5) Its KMOs must each have and maintain eligibility for access to classified information that is at least the same level as the entity eligibility level;
(6) It and all of its KMOs must not be excluded by a Federal agency, contract review board, or other authorized official from participating in Federal contracts or agreements;
(7) It must meet all requirements the CSA or the authorizing law, regulation, or Government-wide policy establishes for access to the type of classified information or program involved; and
(8) If the CSA determines the entity is under foreign ownership, control, or influence (FOCI), the responsible CSA must:
(i) Agree that sufficient security measures are in place to mitigate or negate risk to national security interests due to the FOCI (see § 2004.34);
(ii) Determine that it is appropriate to grant eligibility for a single, narrowly defined purpose (see § 2004.34(i)); or
(iii) Determine that the entity is not eligible to access classified information.
(9) DoD and DOE cannot award a contract involving access to proscribed information to an entity effectively owned or controlled by a foreign government unless the Secretary of the agency first issues a waiver (see 10 U.S.C. 2536). A waiver is not required if the CSA determines the entity is eligible and it agrees to establish a voting trust agreement (VTA) or proxy agreement (PA) (see § 2004.34(f)) because both VTAs and PAs effectively negate foreign government control.
(f) Limited entity eligibility determination. CSAs may choose to allow GCAs to request limited entity eligibility determinations (this is not the same as limited entity eligibility in situations involving FOCI when the FOCI is not mitigated or negated; for more information on limited entity eligibility in such FOCI cases, see § 2004.34(i)). If a CSA permits GCAs to request a limited entity eligibility determination, it must set out parameters within its implementing policies that are consistent with the following requirements:
(1) The GCA, or an entity with limited eligibility, must first request a limited entity eligibility determination from the CSA for the relevant entity and provide justification for limiting eligibility in that case;
(2) Limited entity eligibility is specific to the requesting GCA's classified information, and to a single, narrowly defined contract, agreement, or circumstance;
(3) The entity must otherwise meet the requirements for entity eligibility set out in this part;
(4) The CSA documents the requirements of each limited entity eligibility determination it makes, including the scope of, and any limitations on, access to classified information;
(5) The CSA verifies limited entity eligibility determinations only to the requesting GCA or entity. In the case of multiple limited entity eligibility determinations for a single entity, the CSA verifies each one separately only to its requestor; and
(6) CSAs administratively terminate the limited entity eligibility when there is no longer a need for access to the classified information for which the CSA approved the limited entity eligibility.
(g) Terminating or revoking eligibility.
(1) The responsible CSA terminates the entity's eligible status when the entity no longer has a need for access to classified information.
(2) The responsible CSA revokes the entity's eligible status if the entity is unable or unwilling to protect classified information.
(3) The CSA coordinates with the GCA(s) to take interim measures, as necessary, toward either termination or revocation.