1. Facility Security _{(Revised 04/2003)}

FAA Facility (per Order 1600.69, FAA Facility Security Management Program,Appendix 1,#29) is defined as any building, structure, warehouse, appendage, storage area, utilities, and component, which, when related by function and location form an operating entity owned, operated or controlled by the FAA.

2. Information and Systems Security _{(Revised 07/2003)}

FAA ISS requirements are located in FAA Order 1370.82 with implementation in the ISS Handbook (http://intranet.faa.gov/aio/). Prior to the development of an information Security Certification and Authorization Package (SCAP), the information system (IS) owner coordinates with the Office of Security and Investigations (ASI) representative and reviews system-specific physical, personnel, classified material, and operations security assessments and/or requirements. System owners work closely with their ASI representatives to meet the needs of the system while maintaining compliance with existing FAA orders. AIS-300 is responsible for review of security plans and SCAPs. (See Security under FAST homepage for additional guidance).

3. Personnel Security _{(Revised 04/2003)}

a. Definitions

(1) Access. The ability to physically enter or pass through a FAA area or a facility; or having the physical ability or authority to obtain FAA sensitive information, materials, or resources; or the ability to obtain FAA sensitive information by technical means including the ability to read or write information or data electronically stored or processed in a digital format such as on a computer, modem, the Internet, or a local-or wide area network (LAN or WAN). When used in conjunction with classified information, access is the ability, authority, or opportunity to obtain knowledge of such information, materials, or resources, in accordance with the provisions of Executive Order (EO)12968, Access to Classified Information.

(2)  Classified acquisition. An acquisition that consists of one or more contracts in which offerors would be required to have access to classified information (Confidential Secret, or Top Secret) to properly submit an offer or quotation to understand the performance requirements of a classified contract under the acquisition or to perform the contract.

(3) Classified Contract. Any contract, purchase order, consulting agreement, lease agreement, interagency agreement, memorandum of agreement, or any other agreement between the FAA and another party or parties that requires the release or disclosure of classified information to the contractor and/or contractor employees in order for them to perform under the contract or provide the services or supplies contracted for.

(4) Classified information. Official information or material that requires protection in the interest of national security and is labeled or marked for such purpose by appropriate classification authority in accordance with the provision of Executive Order 12958, Classified National Security.

(5) Contractor employee. A person employed as or by a contractor, subcontractor, or consultant in support of the FAA or any non-FAA person who performs work or services for the FAA within FAA facilities.

(6) FAA facility. Any manned or unmanned building structure, warehouse, appendage, storage area, utilities and components, which when related by function and location form an operating entity owned, operated or controlled by FAA.

(7)Immigrant Alien. Any person not a citizen or national of the United States who has been lawfully admitted for permanent residence to the United States by the U.S. Immigration and Naturalization Service (INS). (Reference the Immigration and Nationality Act (INA)(8 United States Code 1101), Sections 101(a)(3) and (20).

(8) Non-Immigrant Alien. Any person not a citizen or national of the United States who has been authorized to work in the United States by the INS, but who has not been lawfully admitted for permanent residence. (Reference the INA, Sections 101(a)(3) and (20).

(9) Operating Office. An FAA line of business, an office or service in FAA headquarters or an FAA division-level organization in a region or center, or any FAA activity or organization that utilizes the services and/or work of a contractor.

(10) Quality Assurance Program. A system that provides a means of continuous review and oversight of a program/process to ensure (1) compliance with applicable laws and regulations; (2) the products and services are dependable and reliable.

(11) Resources. FAA physical plant, sensitive equipment, information databases including hardware, software and manual records pertaining to agency mission or personnel.

(12) Sensitive Information. Any information which if subject to unauthorized access, modification, loss, or misuse could adversely affect the national interest, the conduct of Federal programs or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an EO or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Sensitive data includes propriety data.

(13) Sensitive Unclassified Information (SUI). Unclassified information withheld from public release and protected from unauthorized disclosure because of its sensitivity. Section 552a of Title 5, United States Code (the Privacy Act) identifies information, which if subject to unauthorized access, modification, loss, or misuse could adversely affect the national interest, the conduct of Federal programs or the privacy to which individuals are entitled.

(14) Servicing Security Element (SSE). The FAA headquarters, region, or center organizational element responsible for providing security services to a particular activity.

b. The National Industrial Security Program (NISP) was established by (EO) 12829; January 6, 1993, for the protection of the Government’s classified information. The NISP Operating Manual (NISPOM) prescribes the requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of classified information and to control authorized disclosure of Classified information released by the U.S. Government. NISPOM is available on the Internet at http//www.dss.mil/isec/nispom.htm.

c. Section 3.5, Patents, Data, and Copyrights of the FAA Acquisition Management System contains policy for safeguarding classified information in patent applications and patents.

d. Responsibilities of Contracting Officers (COs).

(1) Comply with NISP requirements.

(2) The CO shall contact the personnel security specialists in the local office regarding FAA procedures/requirements for any contracting activity requiring access to classified information, whether that information is owned by another agency or the FAA. The responsible security organizations includes the following:

(a) Headquarters – ASI-200

(b) Regions – 700-designated organizations, such as "ASO-700"

(c) Technical Center – ACT-8

(d) Aeronautical Center – AMC-700

(3) Prescreening information request phase. COs should review all proposed Screening Information Requests (SIR) to determine whether access to classified information may be required by offerors, or by a contractor during contract performance. If access to classified information may be required, the CO shall comply with d. (1) and d. (2) above.

 

(4) SIR phase. COs shall:

(a) Ensure that the classified acquisition is conducted in accordance with the requirements of d. (1) and (2) above; and

(b) Include appropriate security requirements and decending clauses in SIRs (see Clause 3.14-1, Security Requirements); and as appropriate in SIRs and contracts when the contract may require access to classified information. Requirements for security safeguards in addition to those provided in Clause 3.14-1, Security Requirements might be necessary in some instances.

(c) COs should ensure the use of Contract Security Classification Specification, DD Form 254 when classified contracts are employed.

e. Employment Suitability and Security Clearances for Contractor Personnel. FAA’s policy on personnel security for contractor employees, including those working on a FAA contract employed at contractor facilities, requires that procurement personnel take appropriate actions to protect the Government’s interest where it appears that contractor employees, subcontractors, or consultants may have access to FAA facilities, classified information, sensitive information, and/or resources. Additional details of the agency’s contractor and industrial security program are provided in FAA Order 1600.72 and 1600.73.

(1) Security Clearances for Contractor Employees.

(a) FAA Order 1600.72, chapter 1, paragraph 10, and chapter 4, paragraph 405 require that contracts requiring contractor employees to have access to classified information shall be prepared and processed according to the procedures contained in the National Industrial Security Program Operating Manual (NISPOM)

(b) In the case of a contract or agreement where the FAA requires persons not employed by the U.S. Government to have access to classified information, a statement to that effect should be included in the SIR and the requirements of FAA Order 1600.72, chapter 4, paragraph 405 apply.

(2) Employment Suitability of Contractor Employees.

(a) FAA Order 1600.72 provides specific guidance for determining suitability of FAA contractor employees for access to FAA facilities, sensitive information, and/or resources. It outlines risk levels and associated investigations requirements, and identified additional specific requirements and exemptions from investigative requirements.

(b) As it pertains to suitability determinations, at a minimum, the following actions are required:

(i) Each SIR should include provisions that require the contractor to submit an interim-staffing plan describing the anticipated positions and key employees, as appropriate.

(ii) CO and the appropriate SSE, with input from the Operating Office (e.g., Contracting Officer’s Technical Representative (COTR), have the responsibility to make an initial determination as to the applicability of the order in any given SIR and/or contract. An assessment will be made up-front as to whether any positions contained in the staffing plan will require access to FAA facilities, sensitive information, and/or resources. If the CO determines that the order does not apply to a given SIR/contract, this will be documented in a memorandum to file, indicating the matter was given due consideration, addressed adequately, and said determination made.

(iii) The Operating Office, with input from the CO, has the responsibility to make initial position risk/sensitivity level designations based on the initial list of positions and the Statement of Work (SOW). FAA Order 1600.72, chapter 3 and FAA Order 1600.73, chapter 3,contains guidelines with a systematic process of uniformly designating program, position risk, and sensitivity levels. FAA form 1600-77, Contractor Position Risk/Sensitivity Level Designation Record is used in conjunction with this process and to document the designations.

(iv) For modifications to existing contracts, the appropriate SSE will approve the Operating Office’s initial position risk/sensitivity level designations prior to the execution of the modification and these positions and risk level designations should be included in AMS Clause 3.14-2 at the time the contract is modified. For new contracts, the same process would be followed for determining risk/sensitivity level designations, using information required by way of a provision in the SIR, with final positions and risk levels being inserted into Clause 3.14-2 at time of contract award.

(v) The AMS Clause 3.14-2 will require the contractor to submit the completed documentation for each employee in a stated position, as necessary to permit the SSE to make an employment suitability determination. This documentation shall be submitted directly to the SSE (for Privacy Act reasons) for approval, or denial of access using the process described in FAA Order 1600.73.

(vi) The SSE will initially coordinate with the CO on the approval (completeness and accuracy) of the submitted forms, and then on the status of any checks or investigations required and final decision of employment.

(vii) For new contracts, contractor employees shall be required to submit the required documentation prior to performing or providing services or supplies under any FAA contract actions. Depending upon the nature and extent of access required, after an initial review of the documentation submitted by the contractor or contractor employee, the SSE may grant conditional approval for the contractor employee to commence performing or providing services or supplies under the contract pending completion of the check and/or investigation and final suitability determination. However, this initial or interim suitability determination will not be automatically made by the SSE. The Operating Office must request this determination in writing.

(viii) For modifications to existing contracts, contractor employees may continue working under the contract pending submission of the necessary documentation, if any, and completion of a suitability investigation by the SSE. Note: There is a period of 30 days that cannot be exceeded in which contractors must submit the forms after the positions and associated risks have been identified via contract modification. The SSE may establish conditions governing such access pending completion of suitability investigation.

(ix) The contractor shall be required to provide quarterly updates, reporting changes to the status of employment of any contractor employee. However, notification of termination of employees performing within a stated position under a contract shall be provided within one (1) day.

(x) COs will notify the SSE whenever a contract is issued or when the status of a contract changes (i.e., replaced, defaulted, terminated, etc.). Prior coordination of new contracts should have occurred between the Operating Office, the CO, and the SSE.

f. Costs of Investigations. To pay for investigations, allotments of funds are made to regions, centers, and headquarters. Unless there has been a specific allotment to the SSE to pay for all contractor employee investigations for operating officers that the SSE services, each operating office shall arrange to pay the costs for investigations on those employees working under contracts for which it is responsible. Security screenings, including fingerprint checks on contractor employees are funded through operational funds by each office or division. The operating office responsible for payment shall provide the SSE with the accounting code information necessary to have the cost charged appropriately.

4. Foreign Nationals _{(Revised 04/2003)}

Aliens and foreign nationals employed or hired by the contractor to perform services for the FAA must have resided within the United States for three (3) years of the last five (5) years unless a waiver of this requirement has been granted by the SSE in accordance with FAA regulations (see AMS Clause 3.14-3, Foreign Nationals as Contractor Employees).

The following sections refer to areas within the procurement toolbox that contain security issues to be considered during contract formulation.

T3.1.6 Nondisclosure of Information

T3.2.1 Procurement Planning

T3.2.2.5 Commercial and Simplified Purchase Method

T3.2.2.6 Unsolicited Proposals

T3.2.2.7 Contractor Qualifications

T3.3.1 Contract Funding, Financing & Payment

T3.5 Patents, Rights in Data, and Copyrights

T3.6.4 Foreign Acquisitions

6. Sensitive Unclassified Information (SUI) _{(Added 04/2003)}

The FAA has the right to require special handling instructions for those contractors requiring access to (SUI), For Official Use Only (FOUO), Sensitive Security Information (SSI), or any other designator assigned by the Federal Government to identify unclassified information that may be withheld from public release. Contact the local FAA SSE or in Headquarters, the Office of Security and Investigations, Internal Security Division, ASI-100 for the minimum standards to mark, store, control, transmit, and destroy sensitive information.

B. Clauses _{(Revised 07/2003)}

3.14-1 Security Requirements – Classified Contracts (July 2002)

3.14-1/alt 1 Security Requirements – Classified Contracts Alternative I (July 2002)

3.14-1/alt 2 Security Requirements – Classified Contracts Alternative II (July 2002)

3.14-2 Contractor Personnel Suitability Requirements (July 2002)

3.14-3 Foreign Nationals as Contractor Employees (July 2002)

3.14-4 Government-Issued Keys, Identification Badges, and Vehicle Decals (July 2002)

3.14-5 Sensitive Unclassified Information (SUI) (April 2003)

3-14-6 Information and Systems Security (ISS) (July 2003)

The following forms apply to security related procurements. Hard copies of these forms may be obtained from the Investigative Division of the Office of Civil Aviation Security (ASI-200) for headquarters contracts, from the –700 Office of Civil Security in the regions and the Aeronautical Center, and from the ACT-8 Office of Civil Aviation Security at the William J. Hughes Technical Center. The FAA Form 1600.77 may be obtained in electronic format via the FAST Toolset.

For use by FAA personnel in designating position risk/sensitivity levels for contractor employees:

For use by Contractors in complying with the contract positions:

• Standard Form (SF) 85P, Questionnaire for Public Trust Positions
• FD-258 Card (original fingerprint card shall be used)