(a) Access is the ability or opportunity to gain knowledge of classified information.
(b) Agency(ies) are any “Executive agency” as defined in 5 U.S.C. 105; any “Military department” as defined in 5 U.S.C. 102; and any other entity within the executive branch that releases classified information to private sector entities. This includes component agencies under another agency or under a cross-agency oversight office (such as ODNI with CIA), which are also agencies for purposes of this regulation.
(c) Classified Critical Infrastructure Protection Program (CCIPP) is the DHS program that executes the classified infrastructure protection program designated by E.O. 13691, “Promoting Private Sector Cybersecurity Information Sharing.” The Government uses this program to share classified cybersecurity-related information with employees of private sector entities that own or operate critical infrastructure. Critical infrastructure refers to systems and assets, whether physical or virtual, so vital to the United States that incapacitating or destroying such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof. These entities include banks and power plants, among others. The sectors of critical infrastructure are listed in Presidential Policy Directive 21, Critical Infrastructure Security and Resilience (February 12, 2013).
(d) Classified Critical Infrastructure Protection Program (CCIPP) security point of contact (security POC) is an official whom a CCIPP entity designates to maintain eligibility information about the entity and its cleared employees, and to report that information to DHS. The CCIPP security POC must be eligible for access to classified information.
(e) Classified information is information the Government designates as requiring protection against unauthorized disclosure in the interest of national security, pursuant to E.O. 13526, Classified National Security Information, or any predecessor order, and the Atomic Energy Act of 1954, as amended. Classified information includes national security information (NSI), restricted data (RD), and formerly restricted data (FRD), regardless of its physical form or characteristics (including tangible items other than documents).
(f) Cognizance is the area over which a CSA has operational oversight. Normally, a statute or executive order establishes a CSA's cognizance over certain types of information, programs, or non-CSA agencies, although CSAs may also have cognizance through an agreement with another CSA or non-CSA agency or an entity. A CSA may have cognizance over a particular type(s) of classified information based on specific authorities (such as those listed in § 2004.1(c)), and a CSA may have cognizance over certain agencies or cross-agency programs (such as DoD's cognizance over non-CSA agencies as the EA for NISP, or ODNI's oversight (if applicable) of all intelligence community elements within the executive branch). Entities fall under a CSA's cognizance when they enter or compete to enter contracts or agreements to access classified information under the CSA's cognizance, including when they enter or compete to enter such contracts or agreements with a non-CSA agency or another entity under the CSA's cognizance.
(g) Cognizant security agencies (CSAs) are the agencies E.O. 12829, sec. 202, designates as having NISP implementation and security responsibilities for their own agencies (including component agencies) and any entities and non-CSA agencies under their cognizance. The CSAs are: Department of Defense (DoD); Department of Energy (DOE); Nuclear Regulatory Commission (NRC); Office of the Director of National Intelligence (ODNI); and Department of Homeland Security (DHS).
(h) Cognizant security office (CSO) is an organizational unit to which the head of a CSA delegates authority to administer industrial security services on behalf of the CSA.
(i) Contracts or agreements are any type of arrangement between an agency and an entity or an agency and another agency. They include, but are not limited to, contracts, sub-contracts, licenses, certificates, memoranda of understanding, inter-agency service agreements, other types of documents or arrangements setting out responsibilities, requirements, or terms agreed upon by the parties, programs, projects, and other legitimate U.S. or foreign government requirements. FOCI mitigation or negation measures, such as Voting Trust Agreements, that have the word “agreement” in their title are not included in the term “agreements” within this part.
(j) Controlling agency is an agency that owns or controls the following categories of proscribed information and thus has authority over access to or release of the information: NSA for communications security information (COMSEC); DOE for restricted data (RD); and ODNI for sensitive compartmented information (SCI).
(k) Entity is a generic and comprehensive term which may include sole proprietorships, partnerships, corporations, limited liability companies, societies, associations, institutions, contractors, licensees, grantees, certificate holders, and other organizations usually established and operating to carry out a commercial, industrial, educational, or other legitimate business, enterprise, or undertaking, or parts of these organizations. It may reference an entire organization, a prime contractor, parent organization, a branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity (referred to as “sub-entities” when necessary to distinguish such entities from prime or parent entities), a specific location or facility, or the headquarters/official business location of the organization, depending upon the organization's business structure, the access needs involved, and the responsible CSA's procedures. The term “entity” as used in this part refers to the particular entity to which an agency might release, or is releasing, classified information, whether that entity is a parent or subordinate organization.
(l) Entity eligibility determination is an assessment by the CSA as to whether an entity is eligible for access to classified information of a certain level (and all lower levels). Eligibility determinations may be broad or limited to specific contracts, sponsoring agencies, or circumstances. A favorable determination results in eligibility to access classified information under the cognizance of the responsible CSA to the level approved. When the entity would be accessing categories of information such as RD or SCI for which the CSA for that information has set additional requirements, CSAs must also assess whether the entity is eligible for access to that category. Some CSAs refer to their favorable determinations as facility security clearances (FCL). A favorable entity eligibility determination does not convey authority to store classified information.
(m) Foreign interest is any foreign government, element of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered, or incorporated under the laws of any country other than the United States or its territories; and any person who is not a United States citizen or national.
(n) Government contracting activity (GCA) is an agency component or subcomponent to which the agency head delegates broad authority regarding acquisition functions. A foreign government may also be a GCA.
(o) Industrial security services are those activities performed by a CSA to verify that an entity is protecting classified information. They include, but are not limited to, conducting oversight reviews, making eligibility determinations, and providing agency and entity guidance and training.
(p) Insider(s) are entity employees who are eligible to access classified information and may be authorized access to any U.S. Government or entity resource (such as personnel, facilities, information, equipment, networks, or systems).
(q) Insider threat is the likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to entity or program information to the extent that the information impacts the entity's or agency's obligations to protect classified information.
(r) Insider threat response action(s) are actions (such as investigations) an agency takes to ascertain whether an insider threat exists, and actions the agency takes to mitigate the threat. Agencies may conduct insider threat response actions through their counterintelligence (CI), security, law enforcement, or inspector general organizations, depending on the statutory authority and internal policies that govern the agency.
(s) Insider threat program senior official (SO) is the official an agency head or entity designates with responsibility to manage, account for, and oversee the agency's or entity's insider threat program, pursuant to the National Insider Threat Policy and Minimum Standards. An agency may have more than one insider threat program SO.
(t) Key managers and officials (KMO) are the senior management official (or authorized executive official under CCIPP), the entity's security officer (or security POC under CCIPP), the insider threat program senior official, and other entity employees whom the responsible CSA identifies as having authority, direct or indirect, to influence or decide matters affecting the entity's management or operations, its contracts requiring access to classified information, or national security interests. They may include individuals who hold majority ownership interest in the entity (in the form of stock or other ownership interests).
(u) Proscribed information is information that is classified as top secret (TS) information; communications security (COMSEC) information (excluding controlled cryptographic items when un-keyed or utilized with unclassified keys); restricted data (RD); special access program information (SAP); or sensitive compartmented information (SCI).
(v) Security officer is a U.S. citizen employee the entity designates to supervise and direct security measures implementing NISPOM (or equivalent; such as DOE Orders) requirements. Some CSAs refer to this position as a facility security officer (FSO). The security officer must complete security training specified by the responsible CSA, and must have and maintain an employee eligibility determination level that is at least the same level as the entity's eligibility determination level.
(w) Senior agency official for NISP (SAO for NISP) is the official an agency head designates to direct and administer the agency's National Industrial Security Program.
(x) Senior management official (SMO) is the person in charge of an entity. Under the CCIPP, this is the authorized executive official with authority to sign the security agreement with DHS.
(y) Sub-entity is an entity's branch or division, another type of sub-element, a sub-contractor, subsidiary, or other subordinate or connected entity. Sub-entities fall under the definition of “entity,” but this part refers to them as sub-entities when necessary to distinguish such entities from prime contractor or parent entities. See definition of “entity” in paragraph (k) of this section for more context.