32 CFR § 2004.22 - Agency responsibilities.

§ 2004.22 Agency responsibilities.

(a) Agency categories and general areas of responsibility. Federal agencies fall into three categories for the purpose of NISP responsibilities:

(1) CSAs. CSAs are responsible for carrying out NISP implementation within their agency, for providing NISP industrial security services on behalf of non-CSA agencies by agreement when authorized, and for overseeing NISP compliance by entities that access classified information under the CSA's cognizance. When the CSA has oversight responsibilities for a particular non-CSA agency or for an entity, the CSA also functions as the responsible CSA;

(2) Non-CSA agencies. Non-CSA agencies are responsible for entering agreements with a designated CSA for industrial security services, and are responsible for carrying out NISP implementation within their agency consistently with the agreement, the CSA's guidelines and procedures, and this regulation; or

(3) Agencies that are components of another agency. Component agencies do not have itemized responsibilities under this regulation and do not independently need to enter agreements with a CSA, but they follow, and may have responsibilities under, implementing guidelines and procedures established by their CSA or non-CSA agency, or both.

(b) Responsible CSA role.

(1) The responsible CSA is the CSA (or its delegated CSO) that provides NISP industrial security services on behalf of an agency, determines an entity's eligibility for access, and monitors and inspects an entity's NISP implementation.

(2) In general, the goal is to have one responsible CSA for each agency and for each entity, to minimize the burdens that can result from complying with differing CSA procedures and requirements.

(i) With regard to agencies, NISP accomplishes this goal by a combination of designated CSAs and agreements between agencies and CSAs.

(ii) With regard to entities, CSAs strive to reduce the number of responsible CSAs for a given entity as much as possible. To this end, when more than one CSA releases classified information to a given entity, those CSAs agree on which is the responsible CSA. However, due to certain unique agency authorities, there may be circumstances in which a given entity is under the oversight of more than one responsible CSA.

(3) Responsible CSA for agencies:

(i) In general, each CSA serves as the responsible CSA for classified information that it (or any of its component agencies) releases to entities, unless it enters an agreement otherwise with another CSA.

(ii) DoD serves as the responsible CSA for DHS with the exception of the CCIPP, based on an agreement between the two CSAs.

(iii) DoD serves as the responsible CSA on behalf of all non-CSA agencies, except CSA components, based on E.O. 12829 and its role as NISP EA.

(iv) ODNI serves as the responsible CSA for CIA.

(4) Responsible CSA for entities: When determining the responsible CSA for a given entity, the involved CSAs consider, at a minimum: retained authorities, the information's classification level, number of contracts requiring access to classified information, location, number of Government customers, volume of classified activity, safeguarding requirements, responsibility for entity employee eligibility determinations, and any special requirements.

(5) Responsible CSAs may delegate oversight responsibility to a cognizant security office (CSO) through CSA policy or by written delegation. The CSA must inform entities under its cognizance if it delegates responsibilities. For purposes of this rule, the term CSA also refers to the CSO.

(c) CSA responsibilities.

(1) The CSA may perform GCA responsibilities as its own GCA.

(2) As CSA, the CSA performs or delegates the following responsibilities:

(i) Designates a CSA senior agency official (SAO) for NISP;

(ii) Identifies the insider threat program senior official (SO) to the Director, ISOO;

(iii) Shares insider threat information with other CSAs, as lawful and appropriate, including information that indicates an insider threat about entity employees eligible to access classified information;

(iv) Acts upon and shares - with security management, GCAs, insider threat program employees, and Government program and CI officials - any relevant entity-reported information about security or CI concerns, as appropriate;

(v) Submits reports to ISOO as required by this part; and

(vi) Develops, coordinates, and provides concurrence on changes to the NISPOM when requested by the EA.

(3) As a responsible CSA, the CSA also performs or delegates the following responsibilities:

(i) Determines whether an entity is eligible for access to classified information (see § 2004.32);

(ii) Allocates funds, ensures appropriate investigations are conducted, and determines entity employee eligibility for access to classified information (see § 2004.36);

(iii) Reviews and approves entity safeguarding measures, including making safeguarding capability determinations (see § 2004.38);

(iv) Conducts periodic security reviews of entity operations (see § 2004.26) to determine that entities: effectively protect classified information provided to them; and follow NISPOM (or equivalent) requirements;

(v) Provides and regularly updates guidance, training, training materials, and briefings to entities on:

(A) Entity implementation of NISPOM (or equivalent) requirements, including: responsibility for protecting classified information, requesting NISPOM interpretations, establishing training programs, and submitting required reports;

(B) Initial security briefings and other briefings required for special categories of information;

(C) Authorization measures for information systems processing classified information (except DHS) (see § 2004.40);

(D) Security training for security officers (or CCIPP POCs) and other employees whose official duties include performing NISP-related functions;

(E) Insider threat programs in accordance with the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs; and

(F) Other guidance and training as appropriate;

(vi) Establishes a mechanism for entities to submit requests for waivers to NISPOM (or equivalent) provisions;

(vii) Reviews, continuously analyzes, and adjudicates, as appropriate, reports from entities regarding events that:

(A) Impact the status of the entity's eligibility for access to classified information;

(B) Impact an employee's eligibility for access;

(C) May indicate an employee poses an insider threat;

(D) Affect proper safeguarding of classified information; or

(E) Indicate that classified information has been lost or compromised;

(viii) Verifies that reports offered in confidence and so marked by an entity may be withheld from public disclosure under applicable exemptions of the Freedom of Information Act (5 U.S.C. 552);

(ix) Requests any additional information needed from an entity about involved employees to determine continued eligibility for access to classified information when the entity reports loss, possible compromise, or unauthorized disclosure of classified information; and

(x) Posts hotline information on its website for entity access, or otherwise disseminates contact numbers to the entities for which the CSA is responsible.

(d) Non-CSA agency head responsibilities. The head of a non-CSA agency that is not a CSA component and that releases classified information to entities performs the following responsibilities:

(1) Designates an SAO for the NISP;

(2) Identifies the insider threat program SO to ISOO to facilitate information sharing;

(3) Enters into an agreement with the EA (except agencies that are components of another agency or a cross-agency oversight office) to act as the responsible CSA on the agency's behalf (see paragraph (a)(1)(ii) of this section);

(4) Performs, or delegates in writing to a GCA, the following responsibilities:

(i) Provides appropriate education and training to agency personnel who implement the NISP;

(ii) Includes FAR security requirements clause 52.204-2, or equivalent (such as the DEAR clause 952.204-2), and a contract security classification specification (or equivalent guidance) into contracts and solicitations that require access to classified information (see § 2004.30); and

(iii) Reports to the appropriate CSA adverse information and insider threat activity pertaining to entity employees having access to classified information.