On February 11, 2015, the Under Secretary of Defense for Intelligence issued a Directive- Type Memorandum (DTM) that significantly alters key components of the process by which a company under foreign ownership, control or influence (FOCI) operating under a US Department of Defense (DoD) Special Security Agreement (SSA) may obtain a National Interest Determination (NID) in order to access proscribed classified information (Proscribed Information). In summary, the DTM assigns the DoD’s Defense Security Service (DSS) a more centralized role in the overall process for evaluating and obtaining a NID from a Government Contracting Activity (GCA), removes some of the open- endedness of NID timing and contemplates a broader “blanket” NID for certain companies that have been operating under SSAs for at least ten years. Most other fundamental aspects of NIDs—including when NIDs are required, the NID approval standard and the statutory requirement for a waiver by the Secretary of Defense for the issuance of a NID to a foreign-government-controlled company—remain unchanged. While the new provisions have the potential to streamline the NID process, SSA companies that require access to Proscribed Information should continue to carefully plan their NID strategy, including with respect to coordination with both DSS and the relevant GCA(s).
In general, an SSA company may not access Proscribed Information without first obtaining a favorable NID. Proscribed Information is defined under the National Industrial Security Program Operating Manual as Top Secret information; Communications Security (COMSEC) material, excluding controlled cryptographic items when unkeyed or utilized with unclassified
keys; Restricted Data (RD) as defined in the US Atomic Energy Act of 1954, as amended; Special Access Program (SAP) information; and Sensitive Compartmented Information (SCI). Grant of a NID requires a determination that the release of the particular Proscribed Information to the SSA company is consistent with the national security interests of the United States.
Historically, the NID process could draw out for an extended, often indefinite period of time. In accordance with the recent DTM, however, DSS will assume a more centralized role in the NID process by coordinating and proposing NIDs. As a result, and particularly in cases where the GCA controls the relevant Proscribed Information, a NID is more likely to be granted within 30 days of DSS’s submitting the proposed NID to the GCA unless it is affirmatively opposed by the GCA. Under the DTM, which applies to cases in which DSS is the Cognizant Security Authority (CSA), the GCA is required to initiate the NID process by notifying DSS of the need for a NID when an SSA company requires access to Proscribed Information. (Note: DSS is generally the CSA for all of DoD, including for Top Secret, SCI, RD, COMSEC and SAP, though in certain cases SAP may be carved out for another CSA and be subject to separate NID requirements.) Although the DTM requires the GCA to trigger the process by notifying DSS of the need for a NID, the contractor should ensure that this step occurs promptly and may consider proactive outreach to the GCA and DSS when it anticipates a potential NID requirement.
The need for a NID can occur under a variety of circumstances when access to Proscribed Information is required. For example, it may arise during pre-contract activities if they involve accessing Proscribed Information. A NID also may be necessary when a new contract is awarded to an SSA company or to a company in process for a facility security clearance and an SSA, or when an existing cleared contractor comes under FOCI (e.g., after an acquisition) that will be mitigated with an SSA.
Once DSS receives notification from the GCA regarding the requirement for a NID, it will discuss the need for access to Proscribed Information with the GCA to ensure that the requirement is valid. If, for example, the DD Form 254 (Contract Security Classification Specification) can be modified such that the SSA company can perform the scope of work without accessing Proscribed Information, then the NID might be avoided.
If DSS and the GCA determine that a valid requirement for access to Proscribed Information exists, then DSS will analyze the details of the access requirements with the GCA. If the requirements involve Proscribed Information under the purview of a different control agency (or agencies), then DSS will also coordinate the NID with that control agency. For example, a contract where the GCA is the US Air Force might involve access to Top Secret information as well as COMSEC controlled by the National Security Agency (NSA) and RD controlled by the US Department of Energy (DoE). In that case, DSS would coordinate the NID with the GCA as well as the two relevant control agencies—the NSA and the DoE. The NID would not be granted without the concurrence of all three agencies.
Once DSS has completed its analysis, it will send the proposed NID to the GCA’s designated point of contact. If the NID does not involve any other control agency, then it will be granted after 30 days if the GCA does not object, though the GCA can request more time for its review. If the GCA objects, then its senior official with NID authority must provide a written rationale for its objection during the initial 30-day review period. Notably, this puts a burden on the GCA to justify rejecting a NID request, whereas no such explanation is required to grant a NID.
In cases of requirements for access to RD, COMSEC or SCI—which may involve a different control agency than the GCA—DSS will request that the relevant control agency provide a written NID decision within 30 days of confirmation by the GCA that such Proscribed Information access is required. In these cases, the NID will not be granted until the control agency concurs with the NID. In other words, unlike the GCA, the control agency is required under the DTM to affirmatively respond to the NID request in order for the NID to be approved.
Although this new process provides much-welcomed streamlining and improvements to NID timing constraints, particularly in cases where there is no separate control agency for the Proscribed Information, some steps remain notably open ended. First, the DTM sets no time limit for DSS to submit its NID proposal to the GCA (thereby triggering the 30-day clock). Second, there is no apparent limit for a GCA to request extensions as long as it does so with at least five days remaining in the 30-day period allotted to the GCA’s review of the NID request. Third, where the NID involves a different control agency, the NID will not be issued without the control agency’s concurrence. Although DSS will “request” a written decision within 30 days, the NID will not become effective at the end of that period absent a response (as it would where no control agency is involved). Thus, the DTM does not address any recourse should a control agency delay its response to a NID request.
Interestingly, while NIDs are typically contract-, program- or project-specific, the DTM contemplates a broader NID (i.e., a “blanket” NID) in certain cases, which would remain in effect at least throughout the term of the contractor’s SSA. Although traditionally NIDs could be granted for a single contract, for a series of contracts under a single program or for related access needs under a single project, under the DTM, a NID now may also be granted for access to Proscribed Information not specific to any single contract, program or project. The DTM does not, however, set forth the precise scope of these blanket NIDs (e.g., whether a hypothetical blanket NID might apply to all Proscribed Information, all of a particular category of Proscribed Information or only Proscribed Information from a specific GCA).
Blanket NIDs are limited by the DTM to certain SSA companies and circumstances. The DTM sets forth criteria that must be considered in evaluating an SSA company for such a NID, including its compliance with its SSA and the International Traffic in Arms Regulations for at least ten consecutive years. It must also have scored no less than “satisfactory” on all of its DSS security inspections in the past five years. Furthermore, DSS must analyze the SSA company’s relevant threat and risk assessments (and conduct one if none exists) as well as assess all of the SSA company’s relevant FOCI factors. Thus, although the contractor’s length of time operating under an SSA is a key component for blanket-NID eligibility, the criteria also underscore the need to maintain robust protocols for SSA and export compliance and to thoroughly prepare for DSS inspections.
While the DTM revises the above-discussed aspects of the NID process, it leaves other fundamental components in place. First, the basic NID requirement remains the same—namely, an SSA company may not access Proscribed Information without first obtaining a NID. Second, the standard for granting the NID—that access to Proscribed Information must be consistent with the national security interests of the United States—is unchanged. Third, by statute SSA companies under foreign-government control remain ineligible for NIDs absent a waiver from the Secretary of Defense. In addition, as before, if a NID request is rejected, DSS, the GCA and (if applicable) the relevant control agency(ies) will explore alternative means of FOCI mitigation, such as a Proxy Agreement, which does not impose access restrictions on Proscribed Information.
Overall, the DTM provides mechanisms that should improve the efficiency and predictability of the NID process, particularly in cases where the NID need only be coordinated between DSS and the GCA. Some potential ambiguities exist, however, and practice will show whether they ultimately reduce or offset the benefits of the changes to the process. Moreover, although the DTM focuses on coordination within governmental agencies, the NID process inherently involves advocacy of the SSA company’s trustworthiness and character with potentially high financial stakes. Therefore, an SSA company seeking to access Proscribed Information must continue to maintain an active role in the interface with DSS and the GCA to ensure that the company’s interests are diligently and faithfully represented.