Space Based Laser

PARAGRAPH 13- SECURITY GUIDANCE

a. Item 10a, 10h: This contract requires access to Communications Security (COMSEC) information. The contractor agrees to provide for COMSEC, at the facility identified in item 6a, as follows:

(1) The contractor shall comply with the provisions of die National Industrial Security Program Operating Manual (NISPOM) and COMSEC Annex Guidance regarding COMSEC accounts. The contractor shall furnish all necessary equipment, devices, techniques, or services and must meet ownership eligibility conditions for COMSEC materials designated as Controlled Cryptographic Items (CCD. The National Security Agency (NSA) has primary responsibility for the auditing of all COMSEC materiel governed by die MSPOM COMSEC Annex Guidance. The Cognizant Security Office is responsible for inspecting for compliance with the MSPOM COMSEC Annex Guidance.

(2) The contractor shall make arrangements and utilize the services of Defense Courier Service (DCS) for transportation of COMSEC material. Publishing or release of any COMSEC information by any means without the written approval of the U.S. Government is prohibited.

b. Classified AIS Processing will occur at specified location(s). Contractor must provide a current approved AIS SPP.

c. The follow list of Security Classification Guides shall be used for specific security classification guidance:

(1) Space Based Laser Readiness Demonstration (SBLRD) Information Protection Guide (IPG) - DD MMM 98

(2) If security classification guidance is needed in areas not specifically addressed in this document, the contractor shall be required to develop an updated, Government approved, security classification guide for the SBLRD Program.

d. Item l0f: The SBLRD Program may require a secure Laser Testing Facility.

e. Item 11f: The contractor shall ensure that compromising emanations (TEMPEST) conditions are minimized.

 

COMMUNICATIONS SECURITY (COMSEC)

Reference Block: 10a

DoD 5220.22-A applies to contractor facilities and operations. Access to COMSEC material/information is restricted to U.S. citizens holding final U.S. Government clearances and is not releasable to personnel holding only a reciprocal clearance. DoD 5522.22A, paragraph 10a(d), personnel must also be briefed on COMSEC for uncontrolled COMSEC material. NACSIM/NACSEM documents are not considered COMSEC controlled material. The Manager of each program shall designate the number of personnel requiring cryptographic access. The number will be limited to the minimum necessary, will be on a strict need-to-know basis.

RESTRICTED DATA AND FORMERLY RESTRICTED DATA

 

Reference Block 10b and 10d:

Access and handling of Restricted Data and Formerly Restricted Data shall be in compliance with the NISPOM.

FABRICATE, MODIFY, OR STORE CLASSIFIED HARDWARE

Reference Block 10d:

The Contractor is required to provide adequate storage for classified hardware up to and including the level of SECRET. When such a size and/or quantity cannot be safeguarded in an approved storage container, a permanent structure in accordance with Chapter 5, Section 3, of the NISPOM shall apply.

 

ACCESS TO CLASSIFIED INFORMATION OUTSIDE THE U.S.

Reference Block 11f:

Contractor requires access to U.S. Classified information outside the U.S. Possessions and Trust Territories.

The User Agency (UA) (HQ, Space and Missile Systems Center) will furnish complete classification guidance for the service to be performed. The highest level of classification for the contract is Secret.

All Other foreign disclosure is covered by AFI 16-201, and Delegated Disclosures Letters (DDL) provided by SMC/AXPP. A training program must be developed to insure personnel are aware of foreign disclosure guidelines.

COMSEC ACCOUNT

Reference Block 10h:

NSA account will be established for and maintained by contractor IAW, the COMSEC Annex to the NISPOM. (DoD 5220.22A). The Contractor will comply with the additional security requirements and the management of NSA information/material as defined in the Annex.

Sending FOUO Information by United States Postal Service.

Send records containing FOUO information in a way that will not disclose their contents. When not mixed with classified information, individuals may send FOUO information by First Class Mail or Parcel Post. Bulky shipments, such as distribution of FOUO directives or testing materials, that otherwise qualify under postal regulations, may be sent by Fourth-Class Mail.

Electrically Transmitted Messages.

Mark each part of an electrically transmitted message that contains FOUO information. Unclassified messages containing FOUO information must show the abbreviation "FOUO" before the beginning of the text.

Safeguarding FOUO Information.

During Duty Hours. During normal duty hours, place FOUO records in an out-of-sight location, if the work area is open to non-government people.

During Non-duty Hours. At the close of business, store FOUO records to prevent unauthorized access. File such material with other unclassified records in unlocked files or desks, etc., when the Government or a Government contractor provides normal internal building security during non-duty hours. When there is no such internal security, locked buildings or rooms usually provide adequate after hours protection. If you desire additional protection, store FQUO material in locked containers, such as file cabinets, desks, or bookcases.

The Termination, Disposal, and Unauthorized Disclosure of FOUO.

Terminating FOUO Material: The originator or other component authority; should remove FOUO markings or indicate on the document the markings no longer apply when circumstances show that the information no longer needs protection from public disclosure. When a record is no longer FOUO, tell all known holders, to the extent practical. Do not retrieve records in files or storage only for that purpose.

Disposing of FOUO Material. Destroy FOUO materials by shredding, in any type shredder, to preclude reconstruction.

Unauthorized Disclosure. The unauthorized disclosure of FOUO records is not an unauthorized disclosure of classified information. However, Air Force and DoD contractor personnel have a duty to take reasonable actions to protect FOUO records under their control from unauthorized disclosure. Appropriate administrative actions should be taken to fix responsibility for such disclosures and disciplinary action taken where appropriate. Unauthorized disclosure of FOUO information protected by the

Privacy' Act (PA) may also result in civil or criminal sanctions against individuals or against the Air Force. Tell the originating organization about an unauthorized disclosure of its records.

Unclassified Controlled Nuclear Information (UCNI).

UCNI is sensitive unclassified information subject to special handling as outlined in DoD Directive 5210.83. The likelihood of your company coming in contact with UCNI is remote. However, if the situation does arise, employees will protect the information in the same manner as FOUO information, contact the company Security Office who, in turn, will obtain guidance from its cognizant Security Office

(30 SPS/SPAI).

EMSEC REQULREMENTS

Reference Block 10i:

EMISSIONS SECURITY ASSESSMENT REQUEST (ESAR)

FOR ALL CLASSIFIED SYSTEMS

The information below are EMSEC requirements that must be complied with by government contractors before the processing of classified data can begin. These are the minimum requirements established for the processing of DOD SECRET information. The processing of higher than DOD SECRET call for more stringent requirements.

(1) The contractor shall ensure that emission security (EMSEC) conditions related to this contract are minimized.

(2) The contractor shall provide countermeasure assessment data to the Contracting Officer as an ESAR. The ESAR shall provide only specific responses to the data required in paragraph 3 below. The contractor's standard security plan is unacceptable as a "standalone" ESAR response. The contractor shall NOT submit a detailed facility analysis/assessment. The ESAR information will be used to complete an EMSBC Countermeasures Assessment Review of the contractor's facility to be performed by the government EMSEC authority using current Air Force EMSEC directives.

(3) When any of the information required in paragraph 4 below changes (such as location or classification level), the contractor shall notify the contracting officer of the changes, so a new EMSEC Countermeasures Assessment Review is accomplished. The contractor shall submit to the Program Management Office a new ESAR. The new ESAR will identify the new configuration, a minimum of 30 days before beginning the change(s). The contractor shall not commence classified processing in the new configuration until receiving approval to do so from the contracting officer.

(a) SYSTEM DESCRIPTION:

1. SYSTEM/FACILITY: Provide full name and address of company submitting request, RFP/contract number, and duration. Also, provide a brief title identifying the overall system or facility (e.g., XYZ Missile word processing system, ABC aircraft interactive graphics system, etc.).

2. LOCATION: Identify the system or facility's location and address (including city' state, zip code, facility, building, and room number). Further, identify any other contractor/company/agency located within 200 meters of the facility (building, room, or office where classified processing is taking place). Also, identify the Inspectable Space (IS), see below.

3. Additional information may be needed for TOP SECRET or SECRET level with Special Access Required (SAR), Special Category (SPECAT) information or other non-collateral caveats processing and access to classified information outside the continental United States (OCONUS) block 11c and 1 if checked): Identify the Controlled Access Area (CAA), see below.

The three-dimensional space surrounding equipment that process classified or sensitive information within which EMSEC is not considered practical or where legal authority to identify or remove a potential EMSBC exploitation exists.

The complete building or facility area under direct physical control that can include one or more limited exclusion areas, controlled BLACK equipment areas, or in any combination.

(b) RESPONSIBLE PERSONNEL:

1. SECURITY OFFICER/MANAGER: Provide name, title, office symbol, and telephone number. Include the same for the company appointed EMSEC authority, if applicable.

2. SYSTEM CUSTODIAN: If different from above, provide name, title, office symbol, and telephone number.

(c) OPERATIONAL RISK:

1. Identify the highest level of classified processing.

2. Additional information may be needed for TOP SECRET or SECRET level with SAR, SPECAT information or other non-collateral caveats processing and access to classified information OCONUS (Block 11c and 11f checked). Further, Identify classified processing levels by estimated hours per day/month for each level and a percentage of total material processed (e.g., 10% Top-Secret, 55% Secret, etc.) for each level.

d) EQUIPMENT:

I. List the manufacturer and exact model number, nomenclature (terminal, disk drive, video system, etc.), and quantity of each equipment involved in classified processing. Do not provide a complete inventory of all the company's processing equipment.

2. List any encryption equipment (i.e., STU-II, KG-84, KG-194, etc.) that might be used for processing and transmission of classified information.

TRANSMITTERS

Reference Block 11c:

Use of UHF/UF radios, cellular phones, pages, or other types of Resting Frequency transmitters should not be allowed in classified processing facilities/areas unless approved by the EMSEC manager.

EMSEC RED/BLACK

TEMPEST SEPARATION REQUIREMENTS

Countermeasure Application. The following paragraphs discuss how to apply the countermeasures and under what Conditions they would not be required (see Table 1).

Keep RED and BLACK signal lines separated. Keeping RED signal lines about 6 Inches away from BLACK signal lines will reduce coupling to a level low enough to prevent detection at greatrelevant distances (over one mile). This separation may be reduced to 2 inches if the RED signal lines are shielded.

Keep RED Signal Lines Separated from BLACK Power Lines. Keeping RED signal lines about 6 inches away from BLACK power lines will reduce Coupling to a low enough level to prevent detection at great distances (over one mile). This separation may be reduced to 2 inches if the RED signal lines arc shielded.

Keep RED Signal Lines Separated from BLACK telephones and telephone Lines. Keep non-TEMPEST approved printers at least 6 feet away from telephones. Do not use the telephone while printing classified information. Keep all non-TEMPEST approved equipment at least three feet away from telephone lines. 2 inches if the telephone lines are shielded.

TABLE 1: TEMPEST SEPARATION MATRIX

 

CRYPTO EQUIPMENT

UNSHIELDED SIGNAL AND TELEPHONE LINES

SHIELDED TELEPHONE LINES

POWER LINES

CRYPTO EQUIPMENT

0

3 ft

2 in

2 in

UNSHIELDED SIGNAL LINES

6 in

6 in

2 in

6 in

SHIELDED SIGNAL LINES

2 in

2 in

2 in

2 in

TEMPEST APPR. EQUIPMENT

2 in

6 in

2 in

NONE

NON-TEMPEST APPR EQUIPMENT

3 ft

3 ft

2 in

NONE

OPSEC

Reference Block: 11j:

The contractor will accomplish the following minimum' requirements in support of the User Agency Operations Security (OPSEC) Program.

Document items of critical information applicable to its operations. Items of critical information are those facts which individually, or in the aggregate, reveal sensitive details about the contractor's security operations, and thus require protection from adversarial collection or exploitation.

Include OPSEC as a part of its ongoing security awareness program conducted in accordance with Chapter 3, Section 1, of the National Industrial Security Operating Manual.

Be responsive to the User Agency OPSEC Manager (HQ SMC/AXPI) on a non-interference basis.

Protect sensitive unclassified information and activities which could compromise classified information or operations, or degrade the planning and execution of military operations performed by the contractor in support of the mission. Sensitive unclassified information is that Information marked FOR OFFICIAL USE ONLY, PRIVACY ACT OF 1974, COMPANY PROPRIETARY, and as identified by the Air Force Program Office and the HQ SMC/AXPI OPSEC Manager.

AUTHORIZED USE OF DEFENSE COURIER SERVICE

Reference Block 11k:

This contract requires use of the Defense Courier Service (DCS). The CSSO will prepare and submit DCS Form 10 in original triplicates to 550 SMC/INS for validation prior to their submittal to the appropriate DCS station.

PROGRAM PROTECTION, SYSTEMS SECURITY ENGINEERING AND PRODUCT SECURITY

Reference Block 11l:

The contractor shall protect classified national security information, special access and

unclassified controlled information, technologies and critical Systems as prescribed in

Space Systems Protect Guides established under DoD 3500.2; as well as traditional

Security Classification Guides applicable to Non-DoD Space Programs.

INSPECTIONS

Reference Block 15:

The Defense Investigative Service is relieved of security inspection responsibility for all

SAR; SCI material, and information released to the contractor under this contract.

SMC/AXP is responsible for security oversight for all SAR information/material.

FOR OFFICIAL USE ONLY (FOUO) HANDLING INSTRUCTIONS

Reference Block: 10j:

 

For OFFICIAL USE ONLY (FOUO) Explained.

FOUO information is not classified according to Executive Order, but is exempt from disclosure to the public under exemptions 2 through 9 of the FOIA. Do not consider or mark any other records FOUO. FOUO is not authorized as a form of classification to protect national security Interests.

Prior FOUO Application.

A FOUO marking is not a conclusive basis for withholding a record under the FOJA. When such a record is requested, evaluate the information in it to determine if FOIA exemptions apply and whether a discretionary release is appropriate.

Time to Mark Records.

Marking records when they are created gives notice of FOUO content but does not eliminate the need to review a record requested under the FOJA. Examine records with and without markings before release to identify information that needs continued protection and qualifies as exempt from public release.

Distribution Statement.

Information in a technical document that requires a distribution statement according to AFI 61-204 must show that statement. The originator may also apply the FOUO marking, as appropriate.

How to Apply FOUO Markings.

Mark an unclassified document containing FOUO information "FOR OFFICIAL USE ONLY" at the bottom, on the outside of the front cover (if any), on each page containing FOUO information, on the back page, and on the outside of the back cover (if. any).

In unclassified documents, note that the originator may also mark individual paragraphs that contain FOUO information to alert the users and assist in the review process.

Mark an individual paragraph in a classified document that contains FOUO information, but no classified information, by placing "(FOUO)" at the beginning of the paragraph.

Mark an individual page in a classified document that has both FOUO and classified information at the top and bottom with the highest security classification of information on that page.

Mark an individual page in a classified document that has FOUO information, but no classified information, "FOR OFFICIAL USE ONLY" at the bottom of the page.

If a classified document also contains FOUO information, or, if the classified material becomes FOUO when declassified, place the following statement on the bottom of the cover or the first page, under the classification marking. If declassified, review the document to make sure material is not FOUO and not exempt under FOIA before public release.

Mark other records, such as computer printouts, photographs, films, tape, or slides, "FOR OFFICIAL USE ONLY" or "FOUO" in a way that ensures the recipient or viewer knows the record contains FOUO Information.

For FOUO material sent outside the DoD to authorized recipients, place an expanded marking to explain its meaning. Do this by typing or stamping the following statement on the document before transfer. This document contains information EXEMPT FROM MANDA TORY DJSCLOSURE UNDER THE FOIA. Exemption(s) applies (apply). (Further distribution is prohibited without the approval of (enter OPR)).

Procedures for Releasing, Disseminating, and Transmitting FOUO Material.

FOUO information may be sent within DoD components and between officials of DoD components and authorized DoD contractors, consultants, and grantees to conduct official business for the DoD. Inform recipients of the status of such information, and send the material in a way that prevents unauthorized public disclosure. Make sure documents that transmit FOUO material call attention to any FOUO attachments. Normally, FOUO records may be sent over facsimile equipment. To preclude unauthorized disclosure, consider such factors as attaching special cover sheets, location of sending and receiving machines, and availability of authorized personnel to receive the FOUO information. FQUO information may be passed to officials in other departments and agencies of the executive and judicial branches to fulfill a government function. Mark the records "FOR OFFICIAL USE ONLY," and tell the recipient the information is exempt from public disclosure under the FOIA and if special handling instructions apply.