Reporting Requirements for U.S. Government Contractor Facilities and Personnel

Organizations that perform work on U.S. Government classified contracts are required to report certain incidents, events, information, and behaviors. Reporting is required under a variety of U.S. Government policies. Today we will focus on the most common types of reporting required under 32 CFR Part 117, Security Executive Agent Directive 3 (SEAD 3), and many U.S. Government contractual stipulations.
 
“Covered Individuals” also have personal requirements to report under these same policies.
 
The policies that outline what we must report, as individuals and as U.S. Government Contractor Facilities, are critical to protecting national security. As such, every individual that works for an organization that performs work on U.S. Government contracts has a duty to report to their organization’s Facility Security Officer (FSO) any events, information, incidents, or personnel behaviors that may affect the organization’s, or any individual’s, eligibility for access to U.S. Government information.
 
Do You Have an Obligation to Report?
All cleared facilities and all covered individuals are required to follow the reporting requirements outlined in 32 CFR Part 117, SEAD 3 and ISL2021-02, and all other U.S. Government policies and contractual requirements.
 
A Covered Individual is any person that:

• Has been granted eligibility for access to classified information; and/or
• Occupies a “Sensitive Position”; and/or
• Is in the process of eligibility determination for access to classified or sensitive information; and/or
• Occupies a position wherein contractual guidance for reporting requirements has been applied by any U.S. government agency or customer.

 
Sensitive Positions include any role within, or in support of, an agency in which the occupant could bring about, by virtue of the nature of the position, a material adverse effect on nation security, regardless of whether the individual has access to classified information. These individuals can be civilian employees, military service members, or contractor personnel.
 
If you perform work for a cleared facility, you have reporting requirements. If you have any question as to whether or not reporting requirements pertain to you, contact your organization’s FSO immediately.
 
Do You Know What You Are Required to Report?
It would be impossible to list every reportable scenario here, however, below are key items that must be reported to your company’s FSO upon discovery.
 
Security Incidents/Violations/Vulnerabilities: Any known or suspected security incident, violation, infraction, or vulnerability of which you become aware, independent of who is responsible or at fault for the situation.
NOTE: Security violations must be reported within 24 hours of discovery!
 
Espionage, Sabotage, Terrorism, or Subversive Activities: Any situation related to actual, probable, or possible espionage, sabotage, terrorism, or subversive activities directed at the United States. For additional information: https://www.fbi.gov/investigate
 
Adverse Information: Any information (about yourself or any other covered individual) that

• Could adversely reflect on the integrity, trustworthiness, reliability, or character of an individual,
• Suggests a person’s ability to safeguard classified or sensitive information may be impaired,
• Suggests that a person’s access to US Government information may not be in the interest of national security,
• Suggests an individual may be an insider threat.

NOTE: Adverse information includes a broad spectrum of indicators that are covered in more detail here: CDSE Shorts on Reporting Adverse Information
 
Insider Threat Concerns and Indicators: Any information or behavior that suggests an individual may be, or may become, an insider threat. Such as any:

• Indicators of recruitment by a foreign intelligence service/agent,
• Information collection,
• Information transmittal,
• General suspicious behavior,
• Attempts to compromise an individual with access to Government information or assets,
• Questionable national loyalty,
• Actions or behaviors indicative of a disgruntled employee,
• Contact by a member of the media about information an individual is not authorized to share.

NOTE: Insider Threat indicators are broad. Your company should have an Insider Threat Plan (ITP) that covers this in depth. If you have not taken Insider Threat training or your do not have access to your company’s ITP, contact your FSO immediately.
 
Suspicious Contact: Any contact by any individual, regardless of nationality, that is of a suspicious nature. Such as any:

• Efforts by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise any cleared individual,
• Contact with known or suspected intelligence officers from any country,
• Contact which suggests you or another person may be the target of exploitation by a subversive group or the intelligence services of another country.

 
Foreign Travel: Travel to any foreign country (including Canada and Mexico), whether by yourself or any other covered individual, that is:

• To any high threat location,
• Inconsistent with an individual’s financial ability and official duties,
• Short trips inconsistent with logical vacation travel and that is not part of official duties.

NOTE: Cleared individuals must report ALL foreign travel, both personal and professional.
 
Foreign Contact and Influence: Contact with or influence by foreign national, foreign entity, foreign country or their government, etc. This includes but is not limited to:

• Close and continuing contact with a foreign national in any capacity (in person, by telephone, via internet, social media, etc.),
• Contact with anyone who works for, or is associated with, a foreign government (including a foreign embassy) or a foreign-owned organization or business,
• Financial obligation to any foreign national, organization, business, or government,
• Investments in any foreign national, organization, business, or government
• Employment with any foreign national, organization, business, or government,
• Purchase of foreign real estate,
• Monies held in foreign bank accounts,
• Investments in foreign entities/stocks, etc.,
• Any attempts to solicit a person to act as a representative of, or consultant to, any foreign entity, including a government, a government agency, a commercial business, or a person.

 
Personal Finance & Business Interests: Cryptocurrency - Ownership of foreign state-backed, hosted, or managed cryptocurrency and ownership of cryptocurrency wallets hosted by foreign exchanges.
NOTE: Reporting is not required if the individual holds cryptocurrency but is NOT aware that any such holdings are backed,  hosted, or managed by a foreign state, or that a cryptocurrency wallet is hosted by a foreign exchange, or if investments in cryptocurrency are held in a widely diversified fund (e.g. index funds), unless the investment instrument is entirely composed of holdings in cryptocurrency that is backed, hosted, or managed by a foreign state.
 
Change in Personal Status: Any change in a covered individual’s personal status. Such as, any:

• Name change (for any reason),
• Change in marital or cohabitation status (i.e., marriage, divorce, separation, new cohabitation, etc.),
• Change in citizenship, including obtaining dual citizenship, or citizenship by naturalization,
• Change in employment status or need for access to classified information,
• Change wherein access to classified information is no longer required,
• Refusal to sign the SF-312 U.S. Non-Disclosure Agreement, when required.

 
Cyber Intrusions and Cyber Incidents: Any actual, possible, or potential penetration of information systems or use of technology to target or exploit covered entities and individuals.

• Any actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.
• Any on-line attempts to target or recruit personnel including elicitation, solicitation and marketing of services, direct request for information, phishing scams, etc.,
• Suspicious network activity and/or penetration and intrusion attempts,
• Unauthorized or improper use of DOD account credentials,
• Spillage.

 
Your organization’s FSO is in the best position to ensure proper compliance with reporting requirements. If you have any question as to whether a behavior, incident, event, or information should be reported, contact your FSO immediately!

DoD Hotline
Your organization’s FSO should always be your first point of contact for all matters. As FSOs, it is our job to help you navigate difficult situations and we should always foster an environment of open and honest communication without fear of reprisal That said, certain types of reports may be made to the Department of Defense Hotline, if going to your FSO is not an option.
 
The mission of the DoD Hotline is to provide a confidential, reliable means to report violations of law, rule, or regulation; fraud, waste, and abuse; mismanagement; trafficking in persons; and other criminal or administrative misconduct that involve DoD personnel and operations, without fear of reprisal.
 
It is important to note that the DoD Hotline should not be used to circumvent your requirements to self-report information relevant to SEAD 3, 32 CFR Part 117, and contractual reporting requirements. Any reporting required under these tenants must be brought to the company FSO immediately upon discovery.
 
Examples of Matters to Report to the DoD Hotline:

• Fraud
• Waste
• Abuse
• Whistleblower Reprisal
• Bribery and acceptance of gratuities
• Counterfeit or substandard parts
• Whistleblower Reprisals
• Conflicts of interest
• Contract and procurement fraud
• Health care fraud
• Travel or purchase card fraud
• Cost/labor mischarging
• Improper military mental health evaluations
• COVID-19/CARES Act Fraud

 
DoD National Hot Line Information:
Email: [email protected] | Phone: 1-800-424-9098 | Website: https://www.dodig.mil/Hotline | Mail: Defense Hotline, The Pentagon, Washington, DC  20301-1900
 
Why Reporting is Critical & How to Report Concerns
Identifying security concerns, potential foreign intelligence gathering attempts or contacts, potential insider threats, adverse and suspicious behavior, is crucial to catch these threats early.
 
Reporting is critical because it allows us to identify and mitigate potential threats that could compromise our organization and/or national security.
 
Reporting allows for timely intervention and mitigation of potential security risks, assists counterintelligence efforts to disrupt adversary activities, and protects sensitive national security information and assets.
 
Timely reporting is crucial to protecting information and preventing breaches.
 
Personnel performing work for U.S. Government contractor facilities have a legal obligation to report relevant information. It is our duty to keep our organization and our country safe.
 
Report all concerns to your company’s FSO!
It is out job as FSOs to help you navigate any situations or concerns that arise.

Resources and Additional Learning
 

• Reporting Requirements at a Glance
• DCSA Self-Reporting
• NISP Reporting Requirements
• SEAD 3 – Reporting
• SEAD 3 ISL2021-02
• SEAD 3 Short
• SEAD 3 Toolkit
• SEAD 4 – Adjudicative Guidelines
• Adjudications – The Whole Person Concept
• Reporting the Threat
• Reporting Job Aid
• Suspicious Emails
• Reporting Requirements Crossword
• Reporting Requirements Word Search
• Personnel Security Toolkit
• Case Study Library
• 32 CFR Part 117 (NISPOM Rule)
• 32 CFR Part 147 (Adjudicative Guidelines)

 
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate things to ensure you fulfill all requirements.