32 CFR § 2004.26 - Reviews of entity NISP implementation.

§ 2004.26 Reviews of entity NISP implementation.

(a) The responsible CSA conducts recurring oversight reviews of entities' NISP security programs to verify that the entity is protecting classified information and is implementing the provisions of the NISPOM (or equivalent). The CSA determines the scope and frequency of reviews. The CSA generally notifies entities when a review will take place, but may also conduct unannounced reviews at its discretion.

(b) CSAs make every effort to avoid unnecessarily intruding into entity employee personal effects during the reviews.

(c) A CSA may, on entity premises, physically examine the interior spaces of containers not authorized to store classified information in the presence of the entity's representative.

(d) As part of a security review, the CSA:

(1) Verifies that the entity limits entity employees with access to classified information to the minimum number necessary to perform on contracts requiring access to classified information;

(2) Validates that the entity has not provided its employees unauthorized access to classified information;

(3) Reviews the entity's self-inspection program and evaluates and records the entity's remedial actions; and

(4) Verifies that the GCA approved any public release of information pertaining to a contract requiring access to classified information.

(e) As a result of findings during the security review, the CSA may, as appropriate, notify:

(1) GCAs if there are unfavorable results from the review; and

(2) A prime entity if the CSA discovers unsatisfactory security conditions pertaining to a sub-entity.

(f) The CSA maintains a record of reviews it conducts and the results. Based on review results, the responsible CSA determines whether an entity's eligibility for access to classified information may continue. See § 2004.32(g).