CHANGE REQUEST COVER SHEET


Change Request Number: 08-63

Date Received:  6/30/2008

Title:  Revision of SUI Section to Account for the Sunset of FedTeDS


Name:  Jeffrey Baker

Phone:  202-493-5723

Policy OR Guidance:  Guidance

Section/Text Location Affected:  AMS Procurement Guidance T3.14.1

Summary of Change:  Revision of the procedures for handling SUI to allow for the posting of sensitive information on FedBizOpps versus FedTeDS.

Reason for Change:  The functionality once offered on FedTeDS has been transitioned to FedBizOpps; therefore the guidance is being revised to account for the new website and associated procedures.

Development, Review, and/or Concurrence:  AGC-500, AJA-43, AJA-431, AJA-45, ATOP-ACT, ARC

Target Audience:  FAA Contracting Workforce

Potential Links within FAST for the Change:  None

Briefing Planned: No

ASAG Responsibilities:  None


SECTIONS EDITED:

Procurement Guidance:

T3.14.1 Security (Revision 4, July 2008)

Section 3 : Personnel Security

Section 6 : Sensitive Unclassified Information


Red Line Content: Procurement Guidance:

T3.14.1 Security (Revision 4, July 2008)
Red Line Content: Procurement Guidance:
T3.14.1 Security (Revision 4, July 2008)
Security

Section 3 : Personnel Security

a. Definitions.

(1) Access. The ability to physically enter or pass through a FAA area or a facility; or having the physical ability or authority to obtain FAA sensitive information, materials, or resources; or the ability to obtain FAA sensitive information by technical means including the ability to read or write information or data electronically stored or processed in a digital format such as on a computer, modem, the Internet, or a local- or wide-area network (LAN or WAN). When used in conjunction with classified information, access is the ability, authority, or opportunity to obtain knowledge of such information, materials, or resources, in accordance with the provisions of Executive Order (EO) 12968, Access to Classified Information.

(2) Classified acquisition. An acquisition that consists of one or more contracts in which offerors would be required to have access to classified information (Confidential, Secret, or Top Secret) to properly submit an offer or quotation, to understand the performance requirements of a classified contract under the acquisition, or to perform the contract.

(3) Classified Contract. Any contract, purchase order, consulting agreement, lease agreement, interagency agreement, memorandum of agreement, or any other agreement between the FAA and another party or parties that requires the release or disclosure of classified information to the contractor and/or contractor employees in order for them to perform under the contract or provide the services or supplies contracted for.

(4) Classified information. Official information or material that requires protection in the interest of national security and is labeled or marked for such purpose by appropriate classification authority in accordance with the provision of Executive Order 12958, Classified National Security.

(5) Contractor employee. A person employed as or by a contractor, subcontractor, or consultant in support of the FAA or any non-FAA person who performs work or services for the FAA within FAA facilities.

(6) FAA facility. Any manned or unmanned building structure, warehouse, appendage, storage area, utilities and components, which when related by function and location form an operating entity owned, operated or controlled by FAA.

(7) Immigrant Alien. Any person not a citizen or national of the United States who has been lawfully admitted for permanent residence to the United States by the U.S. Immigration and Naturalization Service (INS). (Reference the Immigration and Nationality Act (INA) (8 United States Code 1101), Sections 101(a)(3) and (20).)

(8) Non-Immigrant Alien. Any person not a citizen or national of the United States who has been authorized to work in the United States by the INS, but who has not been lawfully admitted for permanent residence. (Reference the INA, Sections 101(a)(3) and (20).)

(9) Operating Office. An FAA line of business, an office or service in FAA headquarters or an FAA division-level organization in a region or center, or any FAA activity or organization that utilizes the services and/or work of a contractor.

(10) Quality Assurance Program. A system that provides a means of continuous review and oversight of a program/process to ensure (1) compliance with applicable laws and regulations; (2) the products and services are dependable and reliable.

(11) Resources. FAA physical plant, sensitive equipment, information databases including hardware, software and manual records pertaining to agency mission or personnel.

(12) Sensitive Information. Any information which if subject to unauthorized access, modification, loss, or misuse could adversely affect the national interest, the conduct of Federal programs or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an EO or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Sensitive data includes proprietary data.

(13) Sensitive Unclassified Information (SUI). Unclassified information withheld from public release and protected from unauthorized disclosure because of its sensitivity. Section 552a of Title 5, United States Code (the Privacy Act) identifies information, which if subject to unauthorized access, modification, loss, or misuse could adversely affect the national interest, the conduct of Federal programs or the privacy to which individuals are entitled.

(14) Servicing Security Element (SSE). The FAA headquarters, region, or center organizational element responsible for providing security services to a particular activity.

b. The National Industrial Security Program (NISP) was established by EO 12829, January 6, 1993, for the protection of the Government’s classified information. The NISP Operating Manual (NISPOM) prescribes the requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of classified information and to control authorized disclosure of classified information released by the U.S. Government. NISPOM is available on the Internet at http://www.dss.mil/isec/nispom.htm.

c. Section 3.5, Patents, Data, and Copyrights of the FAA Acquisition Management System contains policy for safeguarding classified information in patent applications and patents.

d. Classified Information - Responsibilities of Contracting Officers (CO).

(1) Comply with NISP requirements.

(2) The CO must contact the personnel security specialists in the local office regarding FAA procedures/requirements for any contracting activity requiring access to classified information, whether that information is owned by another agency or the FAA. The responsible security organizations include the following:

(a) Headquarters – ASI-200

(b) Regions – 700-designated organizations, such as "ASO-700"

(c) Technical Center – ACT-8

(d) Aeronautical Center – AMC-700

(3) Prescreening Information Request Phase. COs should review all proposed Screening Information Requests (SIR) to determine whether access to classified information may be required by offerors, or by a contractor during contract performance. If access to classified information may be required, the CO must comply with d. (1) and d. (2) above.

(4) SIR Phase. COs must:

(a) Ensure that the classified acquisition is conducted in accordance with the requirements of d. (1) and (2) above; and

(b) Include appropriate security requirements and descending clauses in SIRs (see Clause 3.14-1, Security Requirements, and its alternates); and as appropriate in SIRs and contracts when the contractor may require access to classified information. Requirements for security safeguards in addition to those provided in Clause 3.14-1, Security Requirements, might be necessary in some instances.

(c) COs should ensure the use of Contract Security Classification Specification, DD Form 254 when classified contracts are employed.

e. Employment Suitability and Security Clearances for Contractor Personnel. FAA’s policy on personnel security for contractor employees, including those working on a FAA contract employed at contractor facilities, requires that procurement personnel take appropriate actions to protect the Government’s interest where it appears that contractor employees, subcontractors, or consultants may have access to FAA facilities, classified information, sensitive information, and/or resources. Additional details of the agency’s contractor and industrial security program are provided in FAA Order 1600.72A.

(1) Security Clearances for Contractor Employees.

(a) FAA Order 1600.72A provides that contracts requiring contractor employees to have access to classified information must be prepared and processed according to the procedures contained in the National Industrial Security Program Operating Manual (NISPOM).

(b) In the case of a contract or agreement where the FAA requires persons not employed by the U.S. Government to have access to classified information, a statement to that effect should be included in the SIR and the requirements of FAA Order 1600.72A.

(2) Employment Suitability of Contractor Employees.

(a) FAA Order 1600.72A provides specific guidance for determining suitability of FAA contractor employees for access to FAA facilities, sensitive information, and/or resources. It outlines risk levels and associated investigation requirements, and identifies additional specific requirements and exemptions from investigative requirements.

(b) As it pertains to suitability determinations, at a minimum, the following actions are required:

(i) Each SIR should include provisions that require the contractor to submit an interim-staffing plan describing the anticipated positions and key employees, as appropriate.

(ii) The CO and the appropriate SSE, with input from the Operating Office (e.g., Contracting Officer’s Technical Representative (COTR)), have the responsibility to make an initial determination as to the applicability of the order in any given SIR and/or contract. An assessment will be made up-front as to whether any positions contained in the staffing plan will require access to FAA facilities, sensitive information, and/or resources. If the CO determines that the order does not apply to a given SIR/contract, this will be documented in a memorandum to file, indicating the matter was given due consideration, addressed adequately, and said determination made.

(iii) The Operating Office, with input from the CO, has the responsibility to make initial position risk/sensitivity level designations based on the initial list of positions and the Statement of Work (SOW). FAA Order 1600.72A contains guidelines with a systematic process of uniformly designating program, position risk, and sensitivity levels. FAA form 1600-77, Contractor Position Risk/Sensitivity Level Designation Record is used in conjunction with this process and to document the designations.

(iv) For modifications to existing contracts, the appropriate SSE will approve the Operating Office’s initial position risk/sensitivity level designations prior to the execution of the modification and these positions and risk level designations should be included in AMS Clause 3.14-2 at the time the contract is modified. For new contracts, the same process would be followed for determining risk/sensitivity level designations, using information required by way of a provision in the SIR, with final positions and risk levels being inserted into Clause 3.14-2 at time of contract award.

(v) The AMS Clause 3.14-2 will require the contractor to submit the completed documentation for each employee in a stated position, as necessary to permit the SSE to make an employment suitability determination. This documentation must be submitted directly to the SSE (for Privacy Act reasons) for approval, or denial of access using the process described in FAA Order 1600.72A.

(vi) The SSE will initially coordinate with the CO on the approval (completeness and accuracy) of the submitted forms, and then on the status of any checks or investigations required and final decision of employment.

(vii) For new contracts, contractor employees must be required to submit the required documentation prior to performing or providing services or supplies under any FAA contract actions. Depending upon the nature and extent of access required, after an initial review of the documentation submitted by the contractor or contractor employee, the SSE may grant conditional approval for the contractor employee to commence performing or providing services or supplies under the contract pending completion of the check and/or investigation and final suitability determination. However, this initial or interim suitability determination will not be automatically made by the SSE. The Operating Office must request this determination in writing.

(viii) For modifications to existing contracts, contractor employees may continue working under the contract pending submission of the necessary documentation, if any, and completion of a suitability investigation by the SSE. Note: There is a period of 30 days that cannot be exceeded in which contractors must submit the forms after the positions and associated risks have been identified via contract modification. The SSE may establish conditions governing such access pending completion of suitability investigation.

(ix) The contractor must be required to provide quarterly updates, reporting changes to the status of employment of any contractor employee. However, notification of termination of employees performing within a stated position under a contract must be provided within one (1) day.

(x) COs will notify the SSE whenever a contract is issued or when the status of a contract changes (i.e., replaced, defaulted, terminated, etc.). Prior coordination of new contracts should have occurred between the Operating Office, the CO, and the SSE.

f. Costs of Investigations. To pay for investigations, allotments of funds are made to regions, centers, and headquarters. Unless there has been a specific allotment to the SSE to pay for all contractor employee investigations for operating offices that the SSE services, each operating office must arrange to pay the costs for investigations on those employees working under contracts for which it is responsible. Security screenings, including fingerprint checks on contractor employees, are funded through operational funds by each office or division. The operating office responsible for payment must provide the SSE with the accounting code information necessary to have the cost charged appropriately.


Red Line Content: Procurement Guidance:
T3.14.1 Security (Revision 4, July 2008)
Security

Section 6 : Sensitive Unclassified Information

a. General.

(1) FAA Order 1600.75, "Protecting Sensitive Unclassified Information (SUI)," outlines policy and guidance on protecting sensitive unclassified information (SUI).

(2)  When a contract, order, lease, or agreement requires a contractor or offeror to have access to SUI, the Contracting Officer (CO) must incorporate appropriate security clauses into the solicitation or contract.  These include clauses on safeguarding standards, personnel security suitability, and non-disclosure agreements.

(3) SUI may include information such as Personally Identifiable Information (PII), sensitive NAS data, construction drawings, or equipment specifications.  Prospective FAA vendors may need access to this information to ensure they can accurately propose and perform the work that the  FAA requires.   

(4) When a screening information request (SIR) includes information determined to be SUI, the CO (and anyone else granted access to the SUI) must take reasonable care disseminating the SUI documents and ensure the recipient has a need-to-know and is authorized to receive it.

b. FOUO and SSI. There are over 50 types of SUI; however the two types generally handled within the FAA are:

(1) For Official Use Only (FOUO). FOUO is the primary designation given to SUI by the FAA, and consists of information that could adversely affect the national interest, the conduct of Federal programs, or a person's privacy if released to unauthorized individuals.  Uncontrolled issuance of FOUO may allow someone to:

(a) Circumvent agency laws, regulations, legal standards, or security measures; or

(b) Obtain unauthorized access to an information system.

(2) Sensitive Security Information (SSI). SSI is a designation unique to the FAA, DOT, and the Department of Homeland Security (DHS), and applied to information obtained or developed while conducting security activities, including research and development.  Unauthorized disclosure of SSI can:

(a) Constitute an unwarranted invasion of privacy;

(b) Reveal trade secrets or privileged or confidential information; or

(c) Be detrimental to transportation safety or security.

c. Distribution of SUI Information. When distributing SUI information, the CO (and anyone else granted access to the SUI, including prime contractors, subcontractors, suppliers, etc.) must ensure the persons receiving the information are authorized to receive the SUI and have a need-to-know.  Methods of pre-award SUI dissemination utilized in the FAA include FedBizOpps and hardcopy dissemination.

d. Federal Business Opportunities (FedBizOpps). FedBizOpps is an E-Gov initiative that provides a secure environment for distributing sensitive acquisition information (to include SUI) to vendors during the solicitation phase of procurement.  This system electronically disseminates information or data to the vendor community while still protecting SUI from unauthorized distribution.  Data that can be uploaded into FedBizOpps includes construction plans, equipment specifications, security plans, and SIRs.  As FAA utilizes the FAA Contract Opportunities website to announce procurement opportunities, COs will utilize the Non-FBO Secure Document Link functionality in FedBizOpps when electronically distributing SUI.

(1) FedBizOpps provides several security measures to include:

(a) During processing of a vendor's access request to FedBizOpps, the vendor’s profile is retrieved from the Central Contractor Registration (CCR).  Using the Data Universal Numbering System (DUNS) number, FedBizOpps ensures that the vendor seeking access is a viable vendor in CCR;

(b) Marketing Partner Identification Number (MPIN). A number required by FedBizOpps to access SUI.  This number is unique to each vendor, and chosen by the vendor when each registers with CCR;

(c) Vendors receive an e-mail after registration to confirm the validity of their identity and contact information;

(d) The access level of the data in FedBizOpps can be adjusted; the CO can specifically allow access to only certain vendors (termed "Selection as an Interested Party"), or if a vendor requests access to the data and they are not specifically authorized, the system will verify with the CO if access should be granted (termed "Explicit Access Request");

(e) Export Control. When export control is selected in FedBizOpps, the system requires that the vendor be certified by the Defense Logistics Information Service Joint Certification Program before SUI will be released.  This is usually reserved for technology related to military or space application; and

(f) The system tracks which Government users and vendors access the data through FedBizOpps.

(2) Use of FedBizOpps requires the CO to adhere to the following process:

(a) Upload SUI files into the FedBizOpps website (www.fbo.gov) by the procurement request (PR) and solicitation numbers.  Note that problems may arise when uploading attachments greater than 100 MB.

(b) "Release" the solicitation: Prior to it being made available to anyone through FedBizOpps, the CO must determine the scope of vendors allowed to access the data and release the data for authorized viewing.

(c) Once established in FedBizOpps, the system provides the CO a web address to provide to vendors that will link authorized persons directly into the applicable data.  The CO can email this link to individual vendors when access has been restricted, or can place it on a public announcement via the internet so, if properly registered, all interested parties may view the data.  Prior to downloading the data, the vendor must electronically sign an SUI policy statement in FedBizOpps.

(3) Web-based training and user guides are available to both FAA users and contractors at www.fbo.gov.

e. Hardcopy Dissemination of SUI Using FedBizOpps. At times, electronic versions of documents or data do not exist, and the SUI must be disseminated in a hardcopy form.  In situations such as this, the CO must still utilize FedBizOpps for vendor verification and for the vendor to electronically read and certify to SUI policy.  This will eliminate the need for the CO to manually validate vendor information and document in hardcopy form the vendor's certification to properly handle and protect SUI.  Once the vendor is verified by FedBizOpps and has agreed to the SUI policy, the hardcopy documentation can then be forwarded to that vendor.  Processes for distributing SUI in hardcopy form to vendors are:

(1) The CO may upload a "Document Security Notice and SUI Request Form" into FedBizOpps for the vendor to download, complete, sign, and return to the CO requesting the SUI data.  Because the form can only be accessed after vendor verification and certification to SUI policy has taken place, hardcopy documentation can be distributed to the vendor after the CO receives a completed form.  In some situations a portion of the SUI may be available in digital media and the remainder in hardcopy form; the CO may upload into FedBizOpps the digital portion for the vendor to download directly and the request form for the vendor to request the remaining hardcopy documentation; or

(2) The CO may request the vendor to use the "Request CD to be Sent" link for hardcopy SUI documentation.  Once the vendor links to the SUI, has properly accessed FedBizOpps, and certified to SUI policy, they may select the "Request CD to be Sent" link.  Once the vendor selects the link, the system sends the CO an e-mail with the vendor's information and request for the SUI.  This link can be used for both hardcopy documentation and information that the CO desires to distribute via a CD or other like media.

f. Registration with FedBizOpps.

(1) The process in which a CO registers for FedBizOpps is:

(a) Access the FedBizOpps website at www.fbo.gov.

(b) Click the "Register Now" link for buyers.

(c) Enter name, position, and e-mail information.

(d) Use the Agency, Organization, and Location (A/O/L) drop-down menu to select the proper agency from the list provided.  FAA users will select Department of Transportation/Federal Aviation Administration (FAA) for “Agency,” and the proper FAA location in which the user resides for the “Contracting Office Location.”  The location list for FAA includes Headquarters and each region and center.

(e) Select the type of user account required.  COs will choose Buyer from the drop-down menu.

Note: If a CO needs to release solicitations and post SUI in FedBizOpps, the CO must register for buyer and engineer user rights.  The user rights of an engineer allow for the posting of SUI, while those of the buyer group do not; however, the system does allow for a single user to have the rights of both user groups.

(f) Complete the remaining fields.

(g) Once the user clicks submit, the registration request is sent to the Administrator at DOT for processing.  When approved, the user will receive an e-mail stating the result of the request and the appropriate username and password to use with FedBizOpps.

(2) The process in which a vendor registers in FedBizOpps is:

(a) Access the FedBizOpps website at www.fbo.gov.

(b) Click the "Register Now" link for vendors.

(c) The vendor will enter their DUNS Number for authentication.

(d) The vendor will review/update information retrieved from CCR, and enter other information to include a user name and password.

(e) Once submitted, the registration is analyzed and authenticated.  If approved, the vendor will receive a confirmation page via e-mail detailing key information to include the vendor's password for FedBizOpps.

g. Other Electronic Transfer and Dissemination. Transfer and dissemination of SUI information beyond the intranet (internet or extranet, modem, DSL, wireless, etc.) must use at least 128 bit symmetric key encryption following NIST Special Publication 800-21 Guideline For Implementing Cryptography in the Federal Government.  All transfers must use standard commercial products (such as PGP and Secret Agent) with encryption algorithms that are at least 128 bit symmetric (3DES, AES, RC4, IDEA, etc.), and follow the instructions outlined in this order.  Authorized users that use project extranets for electronic project management during or after contract award to transfer SUI information are responsible for verifying and certifying to the CO that project extranets meet applicable physical and technical security requirements as determined by the Chief Information Officer.  Access to the sites must be password protected and access must be granted only on a need-to-know basis.  A record of those individuals who have had electronic access must be maintained by the CO or other disseminator in accordance with the system of keeping long-term records.

h. Record Keeping. Those who disseminate SUI information must obtain a signed "Document Security Notice and SUI Request Form" from anyone who receives the information (except for those vendors that utilize FedBizOpps for electronic data).  Records of the signed forms must be maintained by the disseminator and destroyed 2 years after final disposition of the related SUI material (FAA Order 1350.15C and GRS 18 Item 1).  At the completion of work, secondary and other disseminators must turn over their dissemination records to FAA, to be kept with the permanent files.  The only records that the CO must keep for those vendors that utilize FedBizOpps to request SUI are the request forms for hardcopy documentation and any documentation detailing subsequent dissemination by the vendor and their subcontractors or suppliers.  Records of those who accessed SUI information via FedBizOpps and their associated SUI policy certifications are stored in FedBizOpps itself.

i. Retaining and Destroying Documents. The requirements above must continue throughout the entire term of contract and for whatever specific time thereafter as may be necessary.  Necessary record copies for legal purposes (such as those retained by the architect, engineer, or contractor) must be safeguarded against unauthorized use for the term of retention.  Documents no longer needed must be destroyed (such as after contract award, after completion of any appeals process, or completion of the work).  Destruction must be by burning or shredding hardcopy, and physically destroying CDs, deleting and removing files from electronic recycling bins, and removing material from computer hard drives using a permanent erase utility or similar software.

j. Notice of Disposal. For all contracts using SUI, the contractor must notify the CO that it and its subcontractors have properly disposed of the SUI documents, except the contractor's record copy, at the time of Release of Claims to obtain final payment.

k. State and Local Governments. To comply with local regulations, FAA must provide localities with documents to issue building permits and to approve code requirements.  Public safety entities such as fire departments and utility departments require unlimited access on a need-to-know basis.  These authorities must be informed at the time they receive the documents that the information requires restricted access from the general public.  When these documents are retired to local archives, they should be stored in restricted access areas.  This will not preclude the dissemination of information to those public safety entities.

l. Proprietary Information Owned by Architect/Engineers. All professional services consultants must sign the "Document Security Notice and SUI Request Form" that documents containing SUI created under contract to the Federal Government must be handled according to the procedures under this guidance.

m. Private Sector Plan Rooms. Numerous private sector businesses provide plan rooms, which provide access to construction plans and specifications for bidding purposes as a service to construction contractors and subcontractors.  Before receiving SUI from any source for dissemination, the private sector plan room must demonstrate to FAA that they will adhere to the procedures outlined in this guidance, and sign the "Document Security Notice and SUI Request Form."