Jafan 6 0 Form PDF Details

Are you looking for a comprehensive and effective framework to ensure that your organization meets the highest possible information security requirements? Then the JAFAN 6.0 Form is the perfect solution. Released by the US Department of Defense in late 2015, this form consists of 21 specific categories, each providing detailed guidance and a series of actionable steps for staying cyber-secure in today's ever-growing digital world. This post will explain what exactly JAFAN 6.0 comprises, how it can be implemented within organizations, and various ways of utilizing it as part of a larger cybersecurity strategy. Read on to learn more!

Question | Answer
Form Name | Jafan 6 0 Form
Form Length | 148 pages
Fillable? | No
Fillable fields | 0
Avg. time to fill out | 37 min
Other names | jafan h, jafan, zzz jafans futos com, jafan 6 0 forms

Form Preview Example

JOINT AIR FORCE - ARMY – NAVY

Manual

Special Access Program

Security Manual - Revision 1

29 May, 2008

JAFAN 6-0, Revision 1

FOREWORD

This manual standardizes security guidance for all Air Force, Army and Navy (hereafter referred to as service components) Special Access Programs (SAPs). This manual is applicable to all service component SAPs.

In cases of doubt over the requirements of this manual, users should consult the Government Program Security Officer (PSO) prior to taking any action or expending program-related funds. In cases of extreme emergency requiring immediate attention, action taken should protect the Government's interest and the security of the program from compromise.

In situations where conditions or unforeseen factors render full compliance to these standards unreasonable, the PSO may apply commensurate levels of protection. Applying commensurate protective measures to a particular SAP means that equivalent protections are being used rather than following the exact wording of this manual. Commensurate levels of protection will not be designed with the intent to reduce or lessen the security protection of the area of consideration. Within 90 days of implementing commensurate protective measures, the Government PSO will notify the service component Special Access Program Central Office (SAPCO) for validation and final approval.

On occasion, it may be necessary to waive the requirements in this manual. Requests for waivers will be provided to the appropriate service component SAPCO for approval. Adherence to the standards set forth in this manual will ensure compliance with national-level policy and allow for reciprocity between service component SAPs.

At a minimum, this manual will be implemented within six months of the date of publication. All contractual documents will be amended to reflect use of this manual. Any cost impacts will be forwarded to the appropriate contracting officer and forwarded to the cognizant service component SAPCO for resolution.

JOHN B. HENNESSEY
Director, Security, CI, and Special Programs Oversight
USAF

MICHAEL KOBBE
Director, Technology Management Office (TMO)
USA

JOHN E. PIC
Director, Special Programs Office (CNO (N89))
USN


TABLE OF CONTENTS

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS
    Section 1. Introduction
    Section 2. General Requirements
    Section 3. Reporting Requirements

CHAPTER 2. SECURITY CLEARANCES
    Section 1. Facility Clearances
    Section 2. Personnel Clearances and Access
    Section 3. Foreign Ownership, Control, or Influence (FOCI) & National Interest Determinations (NIDs)

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS

CHAPTER 4. CLASSIFICATION AND MARKING
    Section 1. Classification
    Section 2. Marking Requirements

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION
    Section 1. General Safeguarding Requirements
    Section 2. Control and Accountability
    Section 3. Storage and Storage Equipment
    Section 4. Transmission
    Section 5. Disclosure
    Section 6. Reproduction
    Section 7. Disposition and Retention
    Section 8. Construction Requirements
    Section 9. Control of Portable Electronic Devices (PEDs)

CHAPTER 6. VISITS AND MEETINGS
    Section 1. Visits
    Section 2. Meetings

CHAPTER 7. SUBCONTRACTING

CHAPTER 8. INFORMATION ASSURANCE

CHAPTER 9. INTERNATIONAL SECURITY REQUIREMENTS
    Section 1. General and Background Information
    Section 2. Disclosure of U.S. Information to Foreign Interests
    Section 3. Foreign Government Information (FGI)
    Section 4. International Transfers
    Section 5. International Visits and Control of Foreign Nationals
    Section 6. Contractor Operations Abroad
    Section 7. NATO Information Security Requirements

CHAPTER 10. MISCELLANEOUS
    Section 1. TEMPEST
    Section 2. Government Technical Libraries
    Section 3. Independent Research and Development
    Section 4. Operations Security
    Section 5. Counterintelligence (CI) Support
    Section 6. Decompartmentation, Disposition, and Technology Transfer Procedures
    Section 7. Close-Out Actions
    Section 8. Patents
    Section 9. Telephone Security
    Section 10. Treaty Guidance

APPENDICES
    A. Handle Via Special Access Channels Only (HVSACO) Procedures
    B. Standard Operating Procedures (SOP) - Topical Outline
    C. Security Documentation Retention
    D. Operations Security (OPSEC) Plan - Topical Outline
    E. Inspection Readiness Planning
    F. Security Inspection Checklist
    G. SAP Formats
    H. SAP NID Request Package (Sample)
    I. Inspection Data Call Letter (Sample)

TABLES
    1. Training Requirements

Chapter 1

General Provisions and Requirements

Section 1. Introduction

1-100. Purpose. This manual prescribes requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of SAP information and to control authorized disclosure of classified information.

1-101. Authority. This manual is promulgated pursuant to authorities and responsibilities assigned to the Directors, Special Access Program Central Office (SAPCO) for the protection of SAPs under their cognizance. These authorities and responsibilities may be found in Title 10 United States Code (U.S.C.) 119(e); National Security Act of 1947, as amended; in Executive Order (EO) 12958, as amended; in the Code of Federal Regulations, 32CFR2103 (per Information Security Oversight Office Directive No. 1); and in other applicable laws and orders. Component-level SAPCOs have been established to execute, manage, administer, oversee, and maintain records on the SAPs they exert cognizant authority over. These offices exercise the authorities and responsibilities as outlined in DoD Directive 5205.7 and DoD Instruction 5205.11.

1-102. Scope.

a. This manual applies to all service component SAPs and participants within these SAPs. These procedures are also applicable to licensees, grantees, and certificate holders to the extent legally and practically possible within the constraints of applicable law and the Code of Federal Regulations.

b. This manual applies to and shall be used by service components and their contractors to safeguard classified information released during all phases of the contracting, licensing, and grant process, including bidding, negotiation, award, performance, and termination. This manual also applies to classified information not released under a contract, license, certificate or grant, and to foreign government information furnished to contractors that requires protection in the interest of national security. The manual implements applicable Federal Statutes, Executive orders, National Directives, international treaties, and certain government-to-government agreements.

c. If a contractor determines that implementation of any provision of this manual is more costly than provisions imposed under previous U.S. Government policies, standards or requirements, the contractor shall notify the cognizant security authority (CSA) through the PSO (also see para 1-104 below). The notification shall indicate the prior policy, standard or requirement and explain how this manual's requirement is more costly to implement. Contractors will implement the provisions of this manual on initial contract award or modification or subsequent modification to an existing contract normally incorporated via a Contract Security Classification Specification (DD Form 254).


d. In the interest of clarity, consistency and procedural guidance, all contractual requirements outlined in this manual and as directed by the government will be made official only when forwarded through contracting channels.

1-103. Agency Agreements. The service component SAPCOs may enter into agreements with each other that establish the terms of responsibilities for administration and operation of SAPs of mutual interest. See paragraphs 1-208 and 209 of this manual.

1-104. Security Cognizance. The term "Cognizant Security Authority" (CSA) denotes the service component SAPCO. SAPCOs may delegate any aspect of security administration regarding classified activities and contracts under their purview to another CSA. Any further delegations from the SAPCO will be in writing and maintained in the appropriate SAPCO.

1-105. Manual Interpretations. Interpretations of this manual will be resolved at the PSO-level. Any unresolved interpretations will be forwarded by the PSO to the appropriate service component SAPCO.

1-106. Waivers. For the purposes of this manual, a waiver is any action to increase or decrease the security requirements of any of the Joint Air Force Army Navy (JAFAN) Manuals.

a. On occasion, it may be necessary to grant a waiver to the requirements of this manual. Every effort will be made to avoid waivers to established SAP policies and procedures unless they are in the best interest of the Government. Waivers [1] can only be approved by the appropriate service component SAPCO.

b. In those cases where waivers are required, a request will be submitted to the service component SAPCO or designee via the PSO's chain of command. Submit the completed SAP Format 12 to the PSO, who will process the waiver to the cognizant service component SAPCO. Security Officers at all levels shall maintain a file of approved waivers. Attach maps, floor plans, photos, or drawings to waiver requests when necessary. Subcontractors submit SAP Format 12 through their prime contractor, who will sign as the "Reviewing Official". The requester ensures adequate compensatory measures are documented on the request and, if approved, executed.

1-107. Commensurate Levels of Protection. In situations where conditions or unforeseen factors render full compliance to these standards unreasonable, the cognizant PSO may apply commensurate levels of protection. Applying commensurate protective measures to a particular SAP means that equivalent protections are being used rather than following the exact wording of this manual. Commensurate levels of protection will not be designed with the intent to reduce or lessen the security protection of the area of consideration and/or requirements of this manual. Within 90 days of implementing commensurate protective measures, the PSO will notify the service component SAPCO of the commensurate level of protection and request validation and final approval.

[1] Service SAPCOs will forward all requests for waivers which exceed the requirements outlined in this manual to the DoD SAPCO for approval.


1-108. Special Access Program Categories and Types

a. Categories. There are three categories of SAPs: (1) Acquisition; (2) Intelligence; and (3) Operations and Support.

b. Types. There are two types of service component SAPs, Acknowledged and Unacknowledged.

(1) An Acknowledged SAP is a program which may be openly recognized or known; however, specifics are classified within that SAP. An Acknowledged SAP is acknowledged to exist and whose purpose is identified (e.g., the B-2 or the F-117 aircraft program) while the details, technologies, materials, techniques, etc., of the program are classified as dictated by their vulnerability to exploitation and the risk of compromise. Program funding is generally unclassified.

(2) An Unacknowledged SAP’s existence is protected as special access and the details, technologies, materials, techniques, etc., of the program are classified as dictated by their vulnerability to exploitation and the risk of compromise. Program funding is often unacknowledged, classified, or not directly linked to the program.

Note: An unacknowledged SAP for which the Secretary of Defense has waived applicable reporting requirements under Title 10 U.S.C. 119(e) is identified as a "Waived-SAP" and, therefore, has more restrictive Congressional reporting.

Section 2. General Requirements

1-200. Responsibilities.

a. Service Component and Contractor SAP Security Officer titles:

Government:

(1) Program Security Officer (PSO): The PSO is responsible for the program security management and execution of all security policies and requirements for a specific SAP program, sub-compartment or project. The PSO exercises these authorities on behalf of the SAPCO or service component designee. The PSOs will be appointed, in writing, by the SAPCO or designee.

(2) Government SAP Security Officer (GSSO): The individual appointed at a government program facility to provide security administration and management based on guidance provided by the PSO. GSSOs will be appointed in writing and assigned to specific facilities/projects/subcompartments. Copies of appointment letters will be provided to the PSO.


Contractor:

(1) Contractor Program Security Officer (CPSO): The individual appointed at a contractor program facility to provide security administration and management based on guidance provided by the PSO.

(2) CPSOs will be appointed in writing and assigned to specific facilities/projects/subcompartments. Copies of appointment letters will be provided to the PSO.

b. Each activity associated with a SAP will assign one or more SAP Security Officers to each SAP. SAP Security Officers are technical specialists and serve as the primary SAP security focal points at each government and contractor facility. They are appointed to perform the duties indicated below and responsible for implementing program SAP security policies within each facility. All SAP Security Officers will have the position, responsibility, and authority commensurate with the degree of SAP security support required for each organization.

c. GSSO/CPSOs will:

(1) Possess a personnel clearance at least equal to the highest level of classified information for which they require access.

(2) Possess access to all SAPs assigned to the facility(s) for which he/she is responsible.

(3) Provide facility security administration and management.

(4) Ensure personnel processed for access to a SAP meet the prerequisite personnel clearance and/or investigative requirements.

(5) Ensure adherence to the provisions of this manual.

(6) Oversee an information management system for each SAP used to facilitate the control of requisite information within each SAP.

(7) Conduct an annual accountable classified material inventory.

(8) Maintain a Special Access Program Facility (SAPF) IAW JAFAN 6/9.

(9) Ensure Information Systems (IS) are IAW JAFAN 6/3.

(10) Establish and oversee a visitor control program.

(11) Establish reproduction and destruction capability of SAP information.

(12) Ensure adherence to special communications capabilities within the SAPF.


(13) Ensure the conduct of program indoctrination and annual refresher, briefings and debriefings of personnel.

(14) Establish and oversee specialized procedures for the transmission of SAP material to and from Program elements.

(15) When required, ensure contractual specific SAP security requirements such as TEMPEST and Operations Security (OPSEC) are accomplished.

1-201. Standard Operating Procedures (SOP). The GSSO/CPSO will prepare comprehensive SOPs to implement the security policies and requirements unique to their facilities. SOPs will address and reflect methods of implementing the security aspects of the Program. Forward proposed SOPs and SOP changes to the PSO for approval. The GSSO/CPSO will utilize the topics, as applicable, provided in Appendix “B”. SOPs should address local implementation of applicable security directives.

a. Contractors are not required to prepare an SOP for Pre-Solicitation Activity, a Program Research and Development Announcement, Request for Information, or Request for Proposal when there is no contractual relationship established for that effort. Classification guidance and special security rules reflected on the DD Form 254 and in the Security Classification Guide (SCG) suffice as the SOP. If a formal contract is not executed, one of the following three actions (or combination of the three actions) will be taken:

(1) The material will be returned to the Government.

(2) The material will be inventoried, documented, and certified as destroyed and documentation will be provided to the PSO. In the case of TOP SECRET, a copy of the destruction certificate will be provided to the Government.

(3) Documentation can be retained by the contractor, provided a contractual relationship exists and if approved by the PSO/Program Contracting Officer (PCO). A DD Form 254 will be prepared and provided to the contractor outlining the retention, storage, reuse and continued access procedures. If information is retained, written security procedures are required.

b. Contractors are not required to prepare written SOPs when all work is performed at a government facility. Subcontractors are not required to prepare written SOPs when all work is performed at a prime contractor facility. Storage normally is not authorized at the subcontractor location. Keep program access records and other program documentation at the prime contractor facility.

1-202. Badging. When all individuals within a SAPF cannot be personally identified, a badging system may be required by the PSO. The best form of entry control is personal introduction and identification. Use this procedure to the maximum extent possible. Use a badge system unless the program area is small enough (normally less than 25 people) to permit total personal identification and access level determination. When a badge system is considered necessary it will be documented in the facility SOP and address topics such as badge accountability, storage, inventory, disposition, destruction, format and use. If card readers are used in conjunction with badges and a means exists to lockout lost, unused, and/or relinquished badges, the PSO may negate the requirements stated above for badge inventory, accountability and destruction.

1-203. Communications Security (COMSEC). SAP information will be electronically transmitted only by approved secure communications channels authorized by the PSO.

1-204. Two-Person Integrity (TPI). TPI is an enhanced security option that mandates the minimum of two indoctrinated persons at all times in a SAPF. This security protection can only be authorized by the CSA.

1-205. Perceived Excessive Security Requirements. All personnel are encouraged to identify excessive security measures that they believe have no value or are cost prohibitive. These excessive requirements should be reported through the PSO to the service component SAPCO.

1-206. Security Compliance Inspections. The Security Compliance Inspection Process represents a unified and streamlined approach to the SAP inspection process. All service component SAP Program Security Officers (PSOs), Government SAP Security Officers (GSSOs) and Contractor Program Security Officers (CPSOs) are required to follow the Security Compliance Inspection Process outlined below unless explicitly modified by the Service SAPCO. PSOs should work with their respective Contracting Officers to add it as a compliance, contract deliverable (via a revised DD Form 254). This oversight methodology provides an opportunity for a reduction in the number of inspections a contractor is subjected to within a defined inspection cycle (with demonstrated performance) and therefore, with good stewardship, result in cost savings to both the Government and Contractors alike. The frequency [2], type and scope of Security Inspections (e.g., Government inspections, evaluations, and security surveys) are determined by the service component SAPCO.

a. Two-Phase Process. The Security Compliance Process is a two-phase process which gives PSOs a structured and consistent approach in conducting inspections. The process begins with the scoping and validation of the Self Inspection Checklist, followed by review and validation of the Core Compliance Items (CCI). The Security Compliance Process has two distinct types of inspections. The first type is the Core Compliance Inspection, which is the initial inspection by the Government. The second type is a Full Scope Inspection, which is a more in-depth inspection designed for those facilities which have either received a previous rating of Marginal or Unsatisfactory; or there are significant systemic security issues which occurred during the inspection cycle.

(1) Phase One - Self-Inspections. Depending on the location (Government/Industry) of the SAP, annual self-inspections are conducted by the GSSO/CPSO (as appropriate) and will address issues reflected in the "Security Inspections Checklist" found in Appendix “F”, this manual. Self-inspection reports will be submitted to the PSO within 30 days following completion of the inspection. The PSO will be notified immediately if the self-inspection discloses the loss, compromise or suspected compromise of classified material. Self-inspection reports will be retained for two years following the formal government CSA inspection. All outstanding items must be completed prior to the destruction of the self-inspection.

[2] Security inspections will not be conducted more frequently than every 12 months. However, if security risks warrant additional security oversight each service SAPCO reserves the right to conduct inspections more frequently.
