32 CFR § 2004.22 - Agency responsibilities.
(a) Agency categories and general areas of responsibility. Federal agencies fall into three categories for the purpose of NISP responsibilities:
(1) CSAs. CSAs are responsible for carrying out NISP implementation within their agency, for providing NISP industrial security services on behalf of non-CSA agencies by agreement when authorized, and for overseeing NISP compliance by entities that access classified information under the CSA's cognizance. When the CSA has oversight responsibilities for a particular non-CSA agency or for an entity, the CSA also functions as the responsible CSA;
(2) Non-CSA agencies. Non-CSA agencies are responsible for entering agreements with a designated CSA for industrial security services, and are responsible for carrying out NISP implementation within their agency consistently with the agreement, the CSA's guidelines and procedures, and this regulation; or
(3) Agencies that are components of another agency. Component agencies do not have itemized responsibilities under this regulation and do not independently need to enter agreements with a CSA, but they follow, and may have responsibilities under, implementing guidelines and procedures established by their CSA or non-CSA agency, or both.
(b) Responsible CSA role.
(1) The responsible CSA is the CSA (or its delegated CSO) that provides NISP industrial security services on behalf of an agency, determines an entity's eligibility for access, and monitors and inspects an entity's NISP implementation.
(2) In general, the goal is to have one responsible CSA for each agency and for each entity, to minimize the burdens that can result from complying with differing CSA procedures and requirements.
(i) With regard to agencies, NISP accomplishes this goal by a combination of designated CSAs and agreements between agencies and CSAs.
(ii) With regard to entities, CSAs strive to reduce the number of responsible CSAs for a given entity as much as possible. To this end, when more than one CSA releases classified information to a given entity, those CSAs agree on which is the responsible CSA. However, due to certain unique agency authorities, there may be circumstances in which a given entity is under the oversight of more than one responsible CSA.
(3) Responsible CSA for agencies:
(i) In general, each CSA serves as the responsible CSA for classified information that it (or any of its component agencies) releases to entities, unless it enters an agreement otherwise with another CSA.
(ii) DoD serves as the responsible CSA for DHS with the exception of the CCIPP, based on an agreement between the two CSAs.
(iii) DoD serves as the responsible CSA on behalf of all non-CSA agencies, except CSA components, based on E.O. 12829 and its role as NISP EA.
(iv) ODNI serves as the responsible CSA for CIA.
(4) Responsible CSA for entities: When determining the responsible CSA for a given entity, the involved CSAs consider, at a minimum: retained authorities, the information's classification level, number of contracts requiring access to classified information, location, number of Government customers, volume of classified activity, safeguarding requirements, responsibility for entity employee eligibility determinations, and any special requirements.
(5) Responsible CSAs may delegate oversight responsibility to a cognizant security office (CSO) through CSA policy or by written delegation. The CSA must inform entities under its cognizance if it delegates responsibilities. For purposes of this rule, the term CSA also refers to the CSO.
(c) CSA responsibilities.
(2) As CSA, the CSA performs or delegates the following responsibilities:
(i) Designates a CSA senior agency official (SAO) for NISP;
(ii) Identifies the insider threat program senior official (SO) to the Director, ISOO;
(iii) Shares insider threat information with other CSAs, as lawful and appropriate, including information that indicates an insider threat about entity employees eligible to access classified information;
(iv) Acts upon and shares - with security management, GCAs, insider threat program employees, and Government program and CI officials - any relevant entity-reported information about security or CI concerns, as appropriate;
(v) Submits reports to ISOO as required by this part; and
(vi) Develops, coordinates, and provides concurrence on changes to the NISPOM when requested by the EA.
(3) As a responsible CSA, the CSA also performs or delegates the following responsibilities:
(iv) Conducts periodic security reviews of entity operations (see § 2004.26) to determine that entities: effectively protect classified information provided to them; and follow NISPOM (or equivalent) requirements;
(v) Provides and regularly updates guidance, training, training materials, and briefings to entities on:
(A) Entity implementation of NISPOM (or equivalent) requirements, including: responsibility for protecting classified information, requesting NISPOM interpretations, establishing training programs, and submitting required reports;
(B) Initial security briefings and other briefings required for special categories of information;
(D) Security training for security officers (or CCIPP POCs) and other employees whose official duties include performing NISP-related functions;
(F) Other guidance and training as appropriate;
(vi) Establishes a mechanism for entities to submit requests for waivers to NISPOM (or equivalent) provisions;
(vii) Reviews, continuously analyzes, and adjudicates, as appropriate, reports from entities regarding events that:
(B) Impact an employee's eligibility for access;
(C) May indicate an employee poses an insider threat;
(D) Affect proper safeguarding of classified information; or
(E) Indicate that classified information has been lost or compromised;
(ix) Requests any additional information needed from an entity about involved employees to determine continued eligibility for access to classified information when the entity reports loss, possible compromise, or unauthorized disclosure of classified information; and
(1) Designates an SAO for the NISP;
(2) Identifies the insider threat program SO to ISOO to facilitate information sharing;
(3) Enters into an agreement with the EA (except agencies that are components of another agency or a cross-agency oversight office) to act as the responsible CSA on the agency's behalf (see paragraph (a)(1)(ii) of this section);
(4) Performs, or delegates in writing to a GCA, the following responsibilities:
(i) Provides appropriate education and training to agency personnel who implement the NISP;
(ii) Includes FAR security requirements clause 52.204-2, or equivalent (such as the DEAR clause 952.204-2), and a contract security classification specification (or equivalent guidance) into contracts and solicitations that require access to classified information (see § 2004.30); and