Reporting Requirements for U.S. Government Contractor Facilities and Personnel

Organizations that perform work on U.S. Government classified contracts are required to report certain incidents, events, information, and behaviors. Reporting is required under a variety of U.S. Government policies. Today we will focus on the most common types of reporting required under 32 CFR Part 117, Security Executive Agent Directive 3 (SEAD 3), and many U.S. Government contractual stipulations.

Do You Have an Obligation to Report?

All cleared facilities and all covered individuals are required to follow the reporting requirements outlined in 32 CFR Part 117, SEAD 3 and ISL2021-02, and all other U.S. Government policies and contractual requirements.

A Covered Individual is any person that:

• Has been granted eligibility for access to classified information; and/or
• Occupies a “Sensitive Position”; and/or
• Is in the process of eligibility determination for access to classified or sensitive information; and/or
• Occupies a position wherein contractual guidance for reporting requirements has been applied by any U.S. government agency or customer

If you perform work for a cleared facility, you have reporting requirements. If you have any question as to whether reporting requirements pertain to you, contact your organization’s FSO immediately.

What Are You Required to Report?

Security Incidents/Violations/Vulnerabilities: Any known or suspected security incident, violation, infraction, or vulnerability. NOTE: Security violations must be reported within 24 hours of discovery!

Espionage, Sabotage, Terrorism, or Subversive Activities: Any situation related to actual, probable, or possible espionage, sabotage, terrorism, or subversive activities directed at the United States.

Adverse Information: Any information (about yourself or any other covered individual) that could adversely reflect on the integrity, trustworthiness, reliability, or character of an individual, or suggests their ability to safeguard classified or sensitive information may be impaired.

Insider Threat Concerns and Indicators: Any information or behavior that suggests an individual may be, or may become, an insider threat, including indicators of recruitment by a foreign intelligence service, suspicious behavior, or questionable national loyalty.

Suspicious Contact: Any contact by any individual, regardless of nationality, that is of a suspicious nature, including efforts to obtain illegal or unauthorized access to classified information.

Foreign Travel: Travel to any foreign country (including Canada and Mexico). NOTE: Cleared individuals must report ALL foreign travel, both personal and professional.

Foreign Contact and Influence: Close and continuing contact with a foreign national in any capacity, contact with anyone associated with a foreign government or foreign-owned organization, or financial obligations to any foreign national or entity.

Personal Finance & Business Interests: Ownership of foreign state-backed, hosted, or managed cryptocurrency and ownership of cryptocurrency wallets hosted by foreign exchanges.

Change in Personal Status: Name changes, changes in marital or cohabitation status, changes in citizenship, changes in employment status or need for access to classified information.

Cyber Intrusions and Cyber Incidents: Any actual, possible, or potential penetration of information systems, suspicious network activity, unauthorized use of DOD account credentials, or spillage.

DoD Hotline

Your organization’s FSO should always be your first point of contact for all matters. That said, certain types of reports may be made to the Department of Defense Hotline if going to your FSO is not an option.

Examples of matters to report to the DoD Hotline include: fraud, waste, abuse, whistleblower reprisal, bribery, contract and procurement fraud, health care fraud, and COVID-19/CARES Act Fraud.

DoD National Hot Line: Email: dodighotline@dodig.mil | Phone: 1-800-424-9098 | Website: https://www.dodig.mil/Hotline

Resources and Additional Learning

• Reporting Requirements at a Glance
• DCSA Self-Reporting
• NISP Reporting Requirements
• SEAD 3 – Reporting
• Reporting Job Aid
• 32 CFR Part 117 (NISPOM Rule)

As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!