standard practice procedure - overlook sys · (nisp), overlook is required to report certain events...

OVERLOOK SYSTEMS TECHNOLOGIES, INC. Standard Practice Procedure for Safeguarding Classified Information 25 March 2013


OVERLOOK

SYSTEMS TECHNOLOGIES, INC.

Standard Practice Procedure

for

Safeguarding Classified Information

25 March 2013


FOREWORD

As stated in the Overlook Security Policy, dated 23 January 2013, Overlook Systems Technologies, Inc. has entered into a formal written agreement with the Department of Defense and has been granted U.S. Government Facility Clearances (FCLs) in order to perform work on government contracts requiring access to classified information. The Overlook Headquarters Facility in Vienna, VA has been granted a Top Secret FCL, as has the Overlook Facility in Los Angeles, CA. This agreement provides that the company, and all its employees, will follow the regulations and procedures established by the National Industrial Security Program Operating Manual (NISPOM) (DOD 5220.22-M).

As required by the NISPOM, this Standard Practice Procedure (SPP) has been developed to provide detailed, company-specific amplification of NISPOM requirements to “reasonably foreclose the possibility of loss or compromise of classified information.”

Failure to handle classified information properly can result in damage, in varying degrees, to the national security of the United States, including the potential for loss of life! Additionally, it can result in severe penalties under the Federal Espionage Laws and Criminal Statutes. Egregious violations or infractions could be considered justification for revocation of individual security clearances and, possibly, suspension or revocation of the company’s facility clearance.

Therefore, it is incumbent on all Overlook employees to read, understand, and adhere to the provisions of this SPP.

(file copy signed)
Ronald T. Hansson
Principal Corporate Security Officer

Table of Contents

Chapter 1. General Provisions and Requirements
Section 1. Introduction
1-100. Purpose
1-102. Scope
1-103. Waivers
Section 2. General Requirements
1-200. Facility Security Officer
1-201. Standard Practice Procedure (SPP)
1-202. Security Reviews
1-203. Hotlines
1-204. Cooperation with Federal Agencies and their Officially Credentialed Reps
Section 3. Reporting Requirements
1-300. General
1-301. FSO Responsibilities

Chapter 2. Security Clearances
Section 1. Facility Clearance
2-100. General
2-101. PCLs Required in Connection with FCL
Section 2. Personnel Clearances
2-200. General
2-201. Investigative Requirements
2-202. Pre-employment Clearance Actions
2-203. Verification of Citizenship
2-204. JPAS/JCAVS
2-205. Representative of a Foreign Interest (RFI)
2-206. Interim Clearances
2-207. Consultants
2-208. Converting and Reinstating Security Clearances
2-209. Clearance Terminations
2-210. Records Maintenance
2-211. Annual Personnel Clearance Review
Section 3. Foreign Ownership, Control or Influence (FOCI)
2-300. General

Chapter 3. Security Education, Training and Briefings
Section 1. Security Training and Briefings
3-100. General
3-101. FSO Training
3-102. Initial Security Briefings
3-103. Refresher Training
3-104. Training Records
3-105. Debriefings
3-106. Foreign Travel and Travel Threat Briefings
3-107. Derivative Classification Training

Chapter 4. Classification and Marking
Section 1. Classification
4-100. General
4-101. Derivative Classification Responsibilities
4-102. Security Classification Guidance
4-103. Challenges to Classification
4-104. IR&D and other Contractor Developed Information
4-105. Classified Information Appearing in Public Media
4-106. Declassification of Classified Information
Section 2. Marking Requirements
4-200. General
4-201. Training

Chapter 5. Safeguarding Classified Information
Section 1. General Safeguarding Requirements
5-100. General
5-101. Oral Discussions
5-102. End of Day Security Checks
5-103. Perimeter Controls
5-104. Emergency Procedures
5-105. Annual Classified Holdings Review
Section 2. Control and Accountability
5-100. General
5-201. Policy
5-202. External Receipt and Dispatch
5-203. Accountability for TOP SECRET
5-204. Receiving Classified Material
5-205. Generation of Classified Material
Section 3. Storage and Storage Equipment
5-300. General
5-301. GSA Storage Equipment
5-302. Top Secret Storage
5-303. Secret Storage
5-304. Restricted Areas
5-305. Closed Areas
5-306. Supplemental Protection
5-307. Protection of Combinations to Security Containers and Closed Areas
5-308. Changing Combinations
5-309. Container Repair
5-310. Supplanting and Automated Access Control Systems
5-311. Mechanical Access Control Devices
Section 4. Transmission
5-400. General
5-401. Preparation and Receipting
5-402. TOP SECRET Transmission
5-403. SECRET and CONFIDENTIAL Transmission
5-404. Transmission outside U.S., Puerto Rico, or a U.S. Possession or Territory
5-405. Addressing Classified Material
5-406. Large Packages or Equipment Requiring Shipment by Commercial Carrier
5-407. Use of Commercial Passenger Aircraft for Hand-carrying Classified
5-408. Local or Metro Courier Authorizations
Section 5. Disclosure
5-500. General
5-501. Disclosure Categories
Section 6. Reproduction
5-600. General
Section 7. Disposition and Retention
5-700. General
5-701. Destruction
5-702. Destruction Records
5-703. Disposition of Classified Material Not Received on Specific Contract
Section 8. Construction Requirements
5-800. General
Section 9. Intrusion Detection Systems
5-900. General

Chapter 6. Visits and Meetings
Section 1. Visits
6-100. General
6-101. Notification
6-102. Need-to-Know Determination
6-103. Visitor Control and Records
Section 2. Meetings
6-200. General
6-201. Location and Security Arrangements for Meetings

Chapter 7. Subcontracting
Section 1. Prime Contractor Responsibilities
7-100. General

Chapter 8. Automated Information Systems Security
Section 1. Responsibilities
8-100. General
8-101. Responsibilities
8-102. Requirements and Procedures

Chapter 9. Special Requirements
Section 1. Restricted Data and Formerly Restricted Data
9-100. General
Section 2. DoD Critical Nuclear Weapon Design Information (CNWDI)
9-200. General
Section 3. Intelligence information
9-300. General
9-301. Control Markings Authorized for non-SCI Intelligence Information

Chapter 10. International Security Requirements
Section 1. General and Background Information
10-100. General
Section 2. Disclosure of U.S. Information to Foreign Interests
10-200. General
Section 3. Foreign Government Information
10-300. General
Section 4. International Transfers
10-400. General
Section 5. International Visits and Control of Foreign Nationals
10-500. Foreign Visits to Overlook Facilities
10-501. Technology Control Plans (TCPs)
10-502. Foreign Visitor Control
10-503. Foreign Disclosure
10-504. Overlook Attendance at International Conferences or Meetings
Section 6. Contractor Operations Abroad
10-600. General
Section 7. NATO Information Security Requirements
10-700. General
Section 8. International Requests For Visit (IRFV) Procedures for overseas meetings
10-800. Overlook Employee OUTUS Visits

Chapter 11. Miscellaneous Information
Section 1. TEMPEST, DTIC, and IR&D
11-100. General

APPENDICES
Appendix A. Overlook Security Program Organization Chart
Appendix B. Definitions
Appendix C. Abbreviations and Acronyms
Appendix D. Forms


Chapter 1. General Provisions and Requirements

Section 1. Introduction

1-100. Purpose. This Standard Practice Procedure is issued to amplify and specify the requirements of the NISPOM and is not intended to supplant its requirements. No requirement in this SPP may be less stringent than that provided by the NISPOM. However, in several instances, company procedures may include stricter or more detailed safeguarding measures. These specific measures will be delineated comprehensively to ensure understanding and reduce the potential for security incidents. Additionally, some NISPOM restrictions and safeguards will be summarized for reference. This SPP is keyed to the NISPOM. Chapters and, in most cases, Sections are numbered and titled similarly to enable easy cross-reference between the two documents.

1-102. Scope. The provisions of this SPP extend to all Overlook employees, whether or not cleared for access to classified information. While uncleared employees will certainly not be required to handle, store, or transmit classified information, it is critical that they understand the concepts and recognize the potential for serious damage to the national security when classified information is mishandled. They must also be aware of reporting requirements and methods, to ensure that, in the event an infraction or incident occurs, they can take proper steps to maintain the integrity of the Overlook security program. All cleared employees are charged with understanding and abiding by the regulations and specifications contained in this SPP, as well as appropriate sections of the NISPOM. Other security guidance may come in the form of procedural directives, such as the ISOO Marking Guide for Classified Information, Contract Security Classification Specifications (DD Forms 254), and Security Classification Guides, to name a few. According to their involvement with classified information, employees will be responsible for understanding and adhering to these instructions.

Whenever there is a question related to security and safeguarding classified information, individual employees should always verify processes with their FSO BEFORE risking loss or compromise.

1-103. Waivers and Exceptions to the Manual. Requests for exceptions to procedures described in this SPP must be approved by the Principal Corporate Security Officer (PCSO). Requests must be considered against NISPOM requirements as well as company needs.

Section 2. General Requirements

1-200. Facility Security Officer. Each Overlook FSO must be cleared to the level of the Facility Clearance (FCL) for his or her facility and shall complete security training as required by the NISPOM.

1-201. Standard Practice Procedure (SPP). Each FSO will submit to the PCSO a Local Addendum to the SPP. The PCSO will ensure that, at a minimum, the following items are included in the SPP Local Addenda: Emergency Action Plans, Physical Security specifics (such as alarms, key access, etc.), Security In Depth plans, perimeter control, and classified material storage locations, visitor controls, and references to Special Access Program and SCI Standard Operating Procedures.

1-202. Security Reviews.

a. Government Reviews or Inspections will be conducted approximately annually by Defense Security Service (DSS) Industrial Security Representatives (ISRs) and Overlook FSOs will normally be informed in advance of a scheduled review. Additional inspections may be made by other government agencies for Sensitive Compartmented Information Facilities (SCIFs) and for Special Access Program Facilities (SAPFs). Each FSO will provide guidance to employees and assistance to government representatives for these reviews.

b. Self-Inspections will be conducted annually (as a rule, midway between scheduled government inspections) by each FSO, with the assistance of one or more cleared staff members. The purpose of these inspections is to ensure that there has been no degradation of the security posture at Overlook and that security procedures are being observed. Self-inspections are an excellent tool for training Assistant FSOs, administrative personnel and others who will assist the FSO. A summary report of the results of each such self-inspection will be prepared and placed in facility security files. A copy of each summary report will be forwarded to the PCSO for corporate records.

1-203. Hotlines. Federal agencies maintain hotlines to provide an unconstrained avenue for contractor employees to report, without fear of reprisal, known or suspected instances of serious security irregularities and infractions concerning contracts, programs, or projects. While all employees are urged to report these issues to the FSO without fear of reprisal so that immediate and appropriate corrective action can be taken, they are also at liberty to use these hotlines and are encouraged to do so. The DoD hotline number is listed below, while numbers for CIA, NRC, and DOE are available from the NISPOM.

Defense Hotline
The Pentagon
Washington, DC 20301-1900
(800) 424-9098
(703) 693-5080

1-204. Cooperation with Federal Agencies and Officially Credentialed Representatives of Those Agencies. There are several instances where representatives of federal agencies, both government service and contractor personnel, will request and require assistance from Overlook personnel. While verification of the identity and credentials of such personnel is both appropriate and required, all Overlook staff shall provide willing and comprehensive support to these representatives.


Section 3. Reporting Requirements

1-300. General. As a cleared contractor under the National Industrial Security Program (NISP), Overlook is required to report certain events that have an impact on the status of our FCLs as well as employees’ personnel clearances (PCLs), that affect safeguarding of classified information, or that indicate classified information may be lost or stolen. Most of these reports are prepared and submitted by FSOs and are not listed here. However, all employees are responsible to report any of the following conditions or situations to their FSOs:

a. Any information concerning actual, probable or possible espionage, sabotage, or subversive activities; actual, probable, or possible terrorism.

b. Adverse Information. Any information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security. Self-reporting is encouraged, since information of this nature will almost certainly be revealed at the next periodic reinvestigation and non-reporting may be perceived as an attempt to prevent discovery. Examples of adverse information include:

Criminal activity
Treatment for mental or emotional disorders
Bizarre or notoriously disgraceful conduct
Excessive use of intoxicants
Use of illegal, controlled substances
Excessive indebtedness or recurring financial difficulties
Garnishment of wages
Moving violation with a fine over $150.00

c. Suspicious contacts. These include efforts by any individual to obtain illegal or unauthorized access to classified information or to compromise a cleared employee. Contacts by cleared employees with known or suspected intelligence officers of foreign countries must also be reported. Suspicious Contact Reports (SCRs) may also include indirect contacts, such as cyber “phishing” attempts.

d. Change in status. Some of these are changes to name, marital status, and citizenship.

e. Representative of a Foreign Interest. Any cleared employee who becomes a representative of a foreign interest (RFI). Example: working as a sales representative for a foreign company. (This item is no longer reportable to DSS, but shall be maintained in the employee’s security personnel file for reference during reinvestigations and adjudications.)

f. Loss, compromise, or suspected compromise. Any such loss or compromise must be immediately reported to the FSO, who will conduct inquiries appropriately in accordance with the NISPOM. Employees must remember, when reporting such incidents, that any details could reveal a vulnerability and, therefore, must only be reported via face-to-face contact or via secure communications, such as a STE.

g. Foreign Travel. All cleared Overlook employees must report planned foreign travel, whether for business or pleasure, to their FSOs at least 30 days in advance of scheduled travel. While there are a variety of different reporting formats, based on program level directives and other instructions, employees will use the Overlook Notification of Foreign Travel, January 2013 attached at Appendix D, unless directed otherwise by their FSO. Additionally, when travel is for business, an employee will complete the Overlook Draft International Request For Visit (IRFV) (also attached at Appendix D) and submit it to his or her FSO at least 35 days prior to planned travel. While completion of two separate forms may seem redundant, each form serves a specific purpose and each meets specific regulatory requirements. A Foreign Travel Checklist, intended for the convenience of the traveler, is also attached at Appendix D.

Overlook employees whose access to classified information is either wholly or partly at other cleared contractor facilities or government facilities must observe reporting requirements levied by these organizations in addition to their Overlook requirements.

1-301. FSO Responsibilities. Copies of preliminary and final reports to DSS, the FBI, or CSAs will be filed in official company security records. Individual culpability reports, when punitive actions are taken against an employee, will be approved by management prior to such actions being initiated. Changes in employee status and adverse information will be reported via JPAS. A copy of the JPAS report will be printed and retained in company security files.


Chapter 2. Security Clearances

Section 1. Facility Clearances

2-100. General. While Overlook operates as a single facility organization with a Top Secret FCL, Overlook’s Los Angeles office has a separate CAGE Code and Top Secret FCL. Changes to these authorizations will be requested by the FSO through DSS and other agencies, as necessary.

2-101. PCLs Required in Connection with the FCL. The senior management officials designated as Key Management Personnel (KMPs) and the FSO must always be cleared to the level of the FCL.

Section 2. Personnel Clearances

2-200. General. Employees who will perform tasks in conjunction with a classified contract, which will require access to classified information, will be processed for a PCL at the level of the access required. The majority of work currently performed by Overlook requires access to Top Secret information. Therefore, in most cases, a Top Secret clearance will be requested.

2-201. Investigative Requirements. A Single Scope Background Investigation (SSBI) is required for Top Secret eligibility and SCI access. A National Agency Check with Local Agency Check and Credit Check (NACLC) is required for Secret eligibility.

2-202. Pre-employment Clearance Actions. No action may be taken to initiate security clearance processing for an applicant until a written commitment for employment has been received with a clause indicating that employment will commence within 30 days of granting of eligibility at the required level. (In other words, when the position which is being offered requires Secret or Top Secret eligibility, and the candidate does not currently possess the requisite eligibility, but is otherwise qualified, the company may issue an offer letter for employment, contingent on successful completion of a Personnel Security Investigation (PSI) and adjudication of eligibility at the appropriate level, to commence within 30 days after adjudication.) At that point, the FSO may commence clearance processing procedures, including initiating a Personnel Security Investigation (PSI) in JPAS, getting the candidate started on e-QIP, and all other required actions, such as fingerprinting.

2-203. Verification of Citizenship. FSOs will verify U.S. Citizenship for each candidate prior to starting clearance processing. A copy of the individual’s Birth Certificate or U.S. Passport will be made and placed in the employee’s Security Personnel File as proof of verification. If a birth certificate or passport is not available, other documentation may be used. See NISPOM 2-207 for acceptable proofs of citizenship.

2-204. JPAS/JCAVS is the CSA approved database for eligibility and access approvals. FSOs will retain the Person Summary page in JPAS for each cleared employee.

2-205. Representative of a Foreign Interest (RFI). Any candidate for a security clearance, who is an RFI, must submit a statement, as part of their PSQ data, that fully explains the foreign connections and identifies all foreign interests. This statement becomes part of the person’s Investigative File. The Cognizant Security Agency (usually the DoD Central Adjudication Facility or DODCAF) will then determine whether the candidate is eligible for access to classified information. Overlook employees are discouraged from representing foreign organizations, businesses, or interests while employed by Overlook.

2-206. Interim Clearances. Interim Secret and Top Secret eligibility may be granted (when possible) by DODCAF at the appropriate stage in the investigative process. An interim Secret eligibility is valid for access to classified information at the level of the interim PCL, except for Restricted Data, COMSEC Information, and NATO information. An interim Top Secret PCL is valid for access to Top Secret information and for Restricted Data, NATO information and COMSEC information at the Secret and Confidential level. SCI and SAP accesses may be granted at the discretion of the CSA, based on an Interim eligibility. An interim eligibility may be withdrawn, if derogatory information is subsequently developed, until completion of the investigative and adjudicative process.

2-207. Consultants. A consultant is defined in the NISPOM as “an individual under contract to provide professional or technical assistance to a contractor or Government Contracting Authority (GCA) in a capacity requiring access to classified information.” Consultants will be processed for security clearances in the same manner as employees, except that, in each case a Consultant Security Agreement will be prepared by the appropriate FSO. This agreement must specify that, except in connection with authorized visits to installations on behalf of Overlook Systems Technologies, Inc:

a. the consultant shall not possess classified material away from Overlook premises;
b. Overlook shall furnish classified material to the consultant only at Overlook premises;
c. the consultant shall accomplish performance of the consulting services only on Overlook premises.

The appropriate Overlook FSO will provide classification guidance to the consultant and will brief the consultant on all security controls and procedures in the same manner as an employee. The consultant’s PCL is only valid for access directly related to tasks assigned by Overlook and may NOT be used for other business. FSOs must carefully review requests from cleared consultants for Visit Authorization Letters to ensure that the requested visit is required to perform work for Overlook.

2-208. Converting and Reinstating Security Clearances. Eligibility of new employees for access to classified information will be determined by the FSO from JPAS records. The employee must have been eligible and briefed for access to classified material within the previous two years in order to be eligible for immediate access. Once the employee is determined to be eligible for a given level of access, the FSO will brief the employee and make appropriate entries in JPAS.

2-209. Clearance Terminations. Overlook must terminate a security clearance for any employee who (a) terminates employment or (b) will not need access to classified information in the foreseeable future. Clearances may NOT be terminated by Overlook due to Adverse Information or other disqualifying factors. FSOs who discover serious Adverse Information about a cleared employee should request direction from the PCSO. As a general rule, the employee may be temporarily relieved of duties requiring access to classified information. However, the PCL may not be suspended or terminated until directed by DSS or other CSA.

2-210. Records Maintenance. Each Overlook FSO will maintain a record of all cleared employees at his or her location, to include clearance level and status, additional accesses (such as NATO or COMSEC), investigation type and date, and other relevant information. Copies of documents used to support the eligibility and accesses, as well as briefings, required reports, and debriefings, will be maintained by the FSO in the Overlook Security Personnel File for each employee. Details of file format and retention requirements will be provided by the PCSO. FSOs are cautioned that JPAS is the official database for individual eligibility and access; therefore it must accurately reflect the current status of all Overlook Employees’ eligibility and accesses.

2-211. Annual Personnel Clearance Review. The FSO at each cleared Overlook facility will conduct an annual review of personnel clearances at the facility to ensure that the number of cleared personnel is kept to the minimum necessary to accomplish contractual or support requirements.

Section 3. Foreign Ownership, Control, or Influence (FOCI)

2-300. General. Overlook is a privately owned company whose owners are U.S. citizens and whose entire management are U.S. citizens who hold Top Secret security clearances. Therefore, the only FOCI issue is with influence from foreign interests with whom Overlook does business directly. At this time, these are few. Details of FOCI requirements may be found in NISPOM, section 2-3.


Chapter 3. Security Training and Briefings

Section 1. Security Training and Briefings

3-100. General. It is Overlook’s responsibility to provide training and briefings in accordance with employees’ involvement with classified information.

3-101. FSO Training. Overlook FSOs must complete the prerequisites for and attend the DSS FSO Program Management Course within six months of appointment, unless this training has been completed while previously employed by a NISP contractor.

3-102. Initial Security Briefings. FSOs are responsible to ensure that all cleared employees are thoroughly briefed on their responsibilities BEFORE granting them access to classified information. Initial security briefings must include:

a. A threat awareness briefing;
b. A defensive security briefing;
c. An overview of the security classification system;
d. Reporting obligations and requirements;
e. Security procedures and duties applicable to the employee’s job;
f. Site specific and contract specific requirements.

The PCSO will review all initial briefing materials to ensure that at least minimum requirements are met and that all employees will understand the procedures and processes necessary to properly safeguard classified information.

3-103. Refresher Training. Overlook FSOs will administer an ongoing Security Education program at each location to ensure that security issues are kept in the forefront of employee consciousness at all times. Annual refresher briefings, while not specifically required, are strongly recommended. The PCSO will develop and make available training and education resources for FSOs to use, including broadcast emails relating to current security-related subjects, bullets and new items of threat information sent directly to FSOs for local use, and any materials acquired through government sources which the PCSO deems appropriate for use at Overlook locations.

3-104. Training Records. Records of NATO, COMSEC, CNWDI, and Courier Briefings will be maintained in the Security Personnel File of each cleared employee. Filing plans will be developed by the PCSO to help maintain continuity between different Overlook sites. Refresher training records may be kept in the Security Personnel Files, but may also be kept in a “Security Training and Education” file within each FSO’s office. Employees are required to affirm by signature that they have received annual refresher training. Records of attendance at other briefings or distribution of mail and email bulletins must be maintained by the FSO.

3-105. Debriefings. FSOs will conduct debriefings in accordance with paragraph 3-108 of the NISPOM.

3-106. Foreign Travel and Travel Threat Briefings. Upon receipt of a Notification of Foreign Travel form from an Overlook employee, the applicable FSO will review it to ensure that all required information is completed and that the employee dated and signed the form. The FSO will then provide the employee with a copy of the latest Department of State Country travel advisory or warning, regional warnings, and current threat warnings or advisories. If the employee has not had a Foreign Travel Briefing within the past three years, the FSO will conduct a Foreign Travel Threat Briefing or Defensive Security Briefing and provide a copy of the pamphlet “Your Passport to a Safe Trip Abroad” and any other appropriate travel safety information. The FSO will retain the Notification of Foreign Travel form in a suspense file until the employee returns, at which time the FSO will administer the Foreign Travel Debriefing. Should the employee have had suspicious contacts with foreign nationals, the FSO will report immediately to the PCSO, relevant Program Security Officers, and DSS, as required. Completed Notification of Foreign Travel forms will be filed in the subject’s Security Personnel File for reference and for future use by the employee when completing periodic reinvestigation forms.

3-107. Derivative Classification Training (DCT). All employees who have been identified as performing functions which could require them to derivatively classify information shall complete initial required Derivative Classification Training PRIOR to performing these duties. The approved training program can be accessed at the following URL: http://www.cdse.edu/stepp/index.html. Thereafter, DCT will be completed on a biennial basis, in Sep/Oct of every odd numbered year. Employees will certify completion of DCT to their FSO, who will maintain a record of this training in each employee’s Security Personnel File.


Chapter 4. Classification and Marking

Section 1. Classification

4-100. General. Original classification of information may only be made by a U.S. Government official who has been delegated the authority in writing. Original Classification Authorities (OCAs) may then issue a security classification guide (SCG) for use in making Derivative Classification decisions. Contractors make derivative classification decisions either by:

a. referring to the SCG;

b. continuing the classification marking for information extracted from an already marked document;

c. referring to the Contract Security Classification Specification (DD Form 254) provided with each classified contract;

d. referring to programmatic classification instructions provided by the government contracting authority.

4-101. Derivative Classification Responsibilities. Overlook employees who extract or summarize classified information, or who apply classification markings derived from a source document or SCG are making derivative classification decisions. As such, they must be trained in their responsibilities and in the procedures inherent in derivative classification. See paragraph 3-107.

4-102. Security Classification Guidance. Government Contracting Authorities (GCAs) must provide classification guidance with each contract which requires access to and generation of classified material. This guidance is provided by means of the DD Form 254. The DD Form 254 is a contractual specification necessary for performance on a classified contract. If a classified contract is received without a DD Form 254, the FSO shall advise the GCA, with a copy to the PCSO. When changes occur, the GCA must issue a revised DD Form 254. Upon completion of the contract, the GCA must issue a final DD Form 254, specifying disposition instructions for all classified material. FSOs will review all DD Forms 254 at least annually to determine their currency and validity. If issues cannot be resolved through the GCA, the FSO will refer the problem to the PCSO for action.

4-103. Challenges to Classification. Whenever an Overlook employee believes that information is classified improperly or unnecessarily, or that the classification is either too high or too low, or that security classification guidance provided is improper or inadequate, he or she is encouraged to immediately report this to the FSO. The FSO, working with the GCA, should attempt to resolve the situation. If no resolution can be obtained, the FSO will begin the process of a formal classification challenge, in accordance with paragraph 4-104 of the NISPOM. Any such challenges must be made through the PCSO, to validate corporate identity and management support.


4-104. IR & D and other Contractor Developed Information. Procedures described in 4-105 of the NISPOM will be followed when an employee believes that Overlook developed information should be classified. The “Classification Determination Pending” marking must be used on all such documents.

4-105. Classified Information Appearing in Public Media. Overlook employees are reminded of the fact that just because classified information has been made public does not mean that it is automatically declassified. Employees shall continue the classification safeguards and controls until formally advised to the contrary. Remember! Information, which appears to have been extracted from classified sources, may actually be only speculation on the part of the writer. Confirmation by a knowledgeable, cleared person may serve to validate the truth of the information and change the status from “guesswork” to compromise!

4-106. Declassification of Classified Information. Overlook employees will downgrade or declassify information based on a DD Form 254 or upon formal notification by a CSA. Declassification dates on documents are not automatic authorization for declassification. Prior to declassifying any document (or classified information extracted from the document), FSOs will make contact with either the originator of the document or the GCA of the contract under which it is held. Formal confirmation of the declassification of the document by one of these two parties is mandatory prior to declassification. Only FSOs are authorized to officially downgrade or declassify information held by Overlook. NOTE: Declassification of information is not automatic approval for public disclosure!

Section 2. Marking Requirements

4-200. General. Physically marking classified information serves to warn and inform holders of the degree of protection required to safeguard it properly. It is essential that all cleared Overlook employees pay strict attention to marking requirements. All documents, media, and other forms of classified material will be marked in accordance with Chapter 4-2 of the NISPOM and the Information Security Oversight Office (ISOO) directive “Marking Classified National Security Information.”

4-201. Training. The PCSO will develop a Document Marking training program to ensure that all Overlook employees are well versed in their responsibilities and the appropriate procedures. FSOs will ensure that ALL cleared personnel are trained in marking classified material and are periodically updated on changes to marking requirements.


Chapter 5. Safeguarding Classified Information

Section 1. General Safeguarding Requirements

5-100. General. Overlook is responsible for safeguarding all classified material in its possession or control. All Overlook employees are responsible for safeguarding classified information entrusted to them. The extent of protection will be determined by the level of classification and shall always be sufficient to reasonably preclude the possibility of loss or compromise. FSOs will establish local procedures for the handling and storage of classified material, commensurate with Chapter 5 of the NISPOM.

5-101. Oral Discussions. All Overlook employees will pay particular attention to accessibility by unauthorized personnel when preparing to discuss classified information. They are prohibited from discussing classified over unsecured telephones, in public conveyances or public places (including common areas of Overlook facilities, such as kitchens, entrance foyers, and similar gathering places), or in any other manner that permits interception by unauthorized persons. Remember! To be an authorized person, the individual must have both the appropriate clearance AND the Need To Know for the information being discussed!

5-102. End of Day Security Checks. FSOs at all Overlook facilities will establish a system of security checks at the end of each working day to ensure that all classified material and authorized containers have been appropriately secured. Detailed procedures will be included in the location specific addendum to this SPP. Records of such checks will be kept in the FSO’s security files for one year.

5-103. Perimeter Controls. Overlook is required to establish controls to discourage the unauthorized introduction or removal of classified material from its premises. To do so, all Overlook facilities, where classified storage is authorized, will observe the following procedures:

a. FSOs will post warning signs at all pertinent entries and exits that “All persons who enter or exit the facility are subject to an inspection of their personal effects, to include bags, parcels, briefcases, totes, computer cases, and luggage, to preclude the unauthorized introduction or removal of classified material.” (Inspections are not required of wallets, change purses, etc.)

b. FSOs will conduct random sample inspections of persons entering or departing, including visitors, employees, vendors, and consultants. FSOs should consult with the PCSO prior to commencing inspections to assure maximum results with minimal impact on operational effectiveness. Results of these inspections will be maintained in FSO files for two years.

c. FSOs will conduct an annual review of perimeter access control measures, in conjunction with the annual self-inspection, to determine if these measures should be altered or upgraded to reflect changes in access requirements.

5-104. Emergency Procedures. FSOs will develop location specific action plans for safeguarding classified material in an emergency and include them in their SPP addenda. Plans should be keyed to emergency situations most likely to occur in the particular geographic area. For example, while an earthquake emergency plan would be appropriate in California, it would not be so in Virginia. All locations must include a plan for fire emergencies. All plans will be based on the following criteria:

a. Protection of life and limb takes precedence over safeguarding classified material. In other words, returning a large volume of classified material to approved locked storage prior to evacuation of the premises must NEVER be required if it would endanger the life or health of an employee.

b. Provisions must be made for the removal of classified material to an identified alternate storage location in the event that it cannot be properly safeguarded after a fire or other natural disaster.

c. Provisions must be included for collecting, safeguarding, and properly storing classified material that could not be properly stored prior to evacuation. In this case, steps should be identified for interviewing emergency response team members and others who might have gained inadvertent access.

5-105. Annual Classified Holdings Review. FSOs, at cleared Overlook facilities which are authorized storage of classified material, will conduct an annual review of classified holdings to ensure that only the minimum necessary to accomplish contractual requirements is maintained. This review will be held in conjunction with appropriate management personnel and cleared employees who work with the material held. Documents or media, which are determined to be in excess or are no longer authorized retention due to expiration of relevant contract, will be returned to the GCA or destroyed by authorized means.

Section 2. Control and Accountability

5-200. General. Overlook must establish an information management system and control classified material in its possession.

5-201. Policy. While NISP has eliminated the requirement for a document accountability system for SECRET material as a security protection measure, all classified material must be accessible to those requiring it, must be retrievable by the government for disposition, and must be protected to ensure that it is used or retained “only in furtherance of a lawful and authorized U.S. Government purpose.” Therefore, ALL classified material received or generated by Overlook, will be entered into a document accountability system maintained and controlled by the FSO at each facility.

5-202. External Receipt and Dispatch. FSOs shall maintain records of all Classified Material Receipts (CMRs) for both incoming and outgoing material. Signed copies of all CMRs will be maintained for one year. Before destroying CMRs, FSOs will ensure that relevant information is entered into the document accountability system. To facilitate retrieval, the Overlook document control number and copy number, assigned to an incoming classified document, will be noted on the Overlook copy of the incoming CMR.

5-203. Accountability for TOP SECRET. Overlook does not currently have authorization for the storage of Top Secret material at any Overlook facilities. Should this change, procedures established by paragraphs 5-200 – 5-203 of the NISPOM will be followed.

5-204. Receiving Classified Material. FSOs will establish procedures, in their SPP addenda, to ensure that all signature mail, to include FedEx, UPS, and other courier services, is delivered to and signed for only by properly cleared individuals and that safeguarding procedures are followed until all such mail can be opened to determine if it contains classified material. The envelope or packaging shall be examined for evidence of tampering and the classified contents (when found to be so) checked against the CMR. Discrepancies will be reported to the PCSO and the originator of the material. All CMRs will be signed and returned within two working days of receipt.

5-205. Generation of Classified Material.

a. Finished Documents. All finished classified documents, produced by Overlook, will be entered into the classified document accountability system by the FSO.

b. Classified Working Papers. Working papers are intended for short-term, temporary use. As such, they must be dated on the date of creation, marked with the overall classification and “Working Papers”, marked with the name of the creator, and destroyed when no longer needed. If transmitted outside the facility, they must first be entered into the accountability system and marked in the same manner as a finished document (including portion markings, page markings, and declassification instructions), and receipted by the FSO. Secret and below Working Papers retained beyond 180 days after creation will also be entered in the accountability system. Working Papers must be reviewed quarterly to ensure that they are still required and that they have not exceeded the 180 day limitation.

Section 3. Storage and Storage Equipment

5-300. General. This section details and amplifies Chapter 5, Section 3 of the NISPOM, same subject. Physical protection of classified material must always meet at least the minimum standards set by the NISPOM and will frequently exceed them. FSOs requiring storage for classified material will coordinate efforts with the PCSO, PRIOR TO purchasing any equipment or contracting for any construction designed to meet government standards for physical safeguarding of classified information.

5-301. GSA Storage Equipment. It is Overlook’s policy to use GSA-approved, Class VI or higher storage cabinets to store classified material. Exceptions will be made for Closed Areas which are approved for Open Storage of classified material. However, in general, requests for exemption will not normally be approved if Class VI containers are available.

5-302. Top Secret Storage. Should future changes to Overlook’s storage authorization warrant Top Secret Storage, FSOs will coordinate with the PCSO to ensure that TS storage requirements, including supplemental protection (alarms), are met.

5-303. Secret Storage. Only GSA-approved, Class VI or higher, containers will be used to store Secret or Confidential material at Overlook. FSOs are responsible for the acquisition and installation of approved containers. Coordination with the PCSO is suggested.

5-304. Restricted Areas. In general, a Restricted Area is an area within a facility which is used for work on classified information. It is only for use when appropriately cleared employees with Need-to-Know are present and its purpose is to prevent inadvertent access to classified information by persons who would not intentionally do so. While no physical barriers are required, they are recommended. Example: while work may be done in an “open bay” environment, provided that warnings and visual protections are in place, it is safer to do the work in an office or conference room, where the doors can be closed and access physically barred, if only for a few moments. FSOs will approve locations for classified work and include them in their local SPP addenda.

5-305. Closed Areas. When a closed area is required, due to the size and nature of the material, or operational necessity, it may be necessary to construct one. FSOs must review carefully all requests for Closed Areas to ensure that they are valid and not just a matter of convenience. Construction costs for Closed Areas can be significant! FSOs must submit conceptual plans to the PCSO prior to contracting for any design or construction of Closed Areas. Closed Areas must be constructed according to Chapter 5, Section 8 of the NISPOM and DSS must approve them. Procedures for use of Closed Areas will be described in the local SPP addenda, to include securing by approved locking device when the area is unattended during working hours and procedures for ensuring structural integrity above false ceilings and below raised floors.

5-306. Supplemental Protection. If required, supplemental protection at Overlook will be in the form of Intrusion Detection Systems or IDS. FSOs must take great care when investigating IDS requirements and researching vendors to ensure that vendors can meet established standards and any upgrades. Particular care must be taken when a space will be both a Closed Area and a SCIF or SAP Facility, as there are different standards for Collateral, SCI, and SAP classified material protection. FSOs will coordinate all efforts requiring IDS with the PCSO.

5-307. Protection of Combinations to Security Containers and Closed Areas. FSOs will keep a record of the names of all employees holding the combination to any classified container or Closed Area. Since combinations to containers and Closed Areas provide a method to gain access to classified material, they must be protected at the same level as the highest level of classified protected by them. In other words, they cannot be written down and stored ANYWHERE but in a safe or container which is approved for storage of that level and category of information. Employees must memorize combinations, NOT write them down.

5-308. Changing Combinations. FSOs will ensure that combinations to containers or Closed Areas are changed in accordance with Chapter 5, Section 309 of the NISPOM.

5-309. Container Repair. Should repair of a classified material container become necessary, the FSO will advise the PCSO of the situation, contract with an approved locksmith who has the relevant experience and training in maintenance and repair of containers, and escort the vendor at all times. As a general rule, if a safe must be drilled open in order to access it, the vendor must be escorted at all times and removed from the area as soon as the drawer or container is open. Classified material enclosed in the container is then removed or covered and the technician is allowed to finish the repair, under escort. Certification of container repair shall be provided by the repairer in accordance with Chapter 5 of the NISPOM.

5-310. Supplanting and Automated Access Control Systems. Due to the complexity and cost of supplanting and automated access control systems, perimeter access to Closed Areas while they are open, is controlled by properly accessed employees. In other words, while a cipher-lock, or similar device, may be in place to prevent inadvertent access, it is the responsibility of employees who are present in the Closed Area to assure that only properly cleared and briefed personnel gain access. When Closed Areas are unoccupied during working hours, they must be secured by the approved locking device, but need not be alarmed. Outside normal working hours, when not occupied, they must be locked and alarmed.

5-311. Mechanical Access Control Devices. Combinations to mechanical devices, such as Unican push button locks, used to prevent inadvertent access, will be changed whenever an employee who holds the combination is terminated or no longer requires access. Combinations will be changed only by the FSO.

Section 4. Transmission

5-400. General. Classified material will be transmitted outside an Overlook facility only by DSS approved means. With the exception of voice transmission via STE Secure Communications Devices, classified material will be prepared for transmission only by the FSO.

5-401. Preparation and Receipting.

a. Classified material will be wrapped in two opaque covers. The sealed inner wrap will include the name and address of both the sender and addressee, as well as the highest classification of material contained. The outer wrap will contain sender and addressee information, but will not display any indication that it contains classified information.

b. A Classified Material Receipt (CMR) will be included with each classified package to ensure that it reaches its final destination. The receipt will identify the sender, the addressee, and the document (Overlook control number and copy number, classification, and Unclassified title). Receipts will be held in a suspense system until the signed copy is received. A tracer copy will be sent to the addressee whenever a signed receipt is not received within 30 days.

5-402. TOP SECRET Transmission. At this time, Overlook is not authorized to receive, generate or store Top Secret information. Should that change, transmission procedures will be in accordance with NISPOM Chapter 5-4.

5-403. SECRET and CONFIDENTIAL Transmission. Secret and Confidential material may be transmitted by:

a. approved electronic devices (such as STE Securefax);

b. a designated courier cleared for access to Secret information;

c. USPS Express Mail and USPS Registered Mail;

d. other methods approved by DSS with the advance approval of the PCSO.

Note: FSOs will meet the requirements of NISPOM Chapter 5-4 regarding specific restrictions and procedures when using Express Mail.

5-404. Transmission outside the U.S., Puerto Rico, or a U.S. Possession or Territory. Should such transmission become necessary, FSOs will use methods specified in NISPOM Chapter 5-4. Carrying sealed envelopes and packages through the Customs and Immigration checkpoints in foreign countries is an invitation to disaster. Therefore, Overlook employees WILL NOT be authorized to hand-carry classified material outside the United States without the approval of the PCSO.

5-405. Addressing Classified Material. Classified mail must not be addressed to individuals. The approved classified mailing address must always be used on the outer wrap, while attention lines or “for” lines may be included on the inner wrap or receipt.


5-406. Large Packages or Equipment Requiring Shipment by Commercial Carrier. Although such situations are rare, should this requirement come about, the FSO will research methods approved by DSS in NISPOM 5-4 and coordinate with the PCSO to ensure adequate procedures are followed.

5-407. Use of Commercial Passenger Aircraft for Hand-carrying Classified Material. Due to the extreme sensitivity of the Transportation Security Administration (TSA) to sealed packages being carried onto aircraft, hand-carrying classified by commercial air should be used only as a last resort. When this method is required, the FSO will thoroughly brief the designated courier on the procedures and will prepare an individual Commercial Air Courier Authorization Letter in accordance with Chapter 5-4 of the NISPOM.

5-408. Local or Metro Courier Authorizations. When Overlook employees are designated to handcarry classified information, the procedures specified in Chapter 504 of the NISPOM will be followed. Courier cards will contain the information listed in the NISPOM and a photo of the employee. Prior to being granted permission to handcarry classified information, each Overlook designated courier will be given a briefing on his or her responsibilities and applicable safeguarding procedures. Each such courier will receive a refresher courier briefing annually.

Section 5. Disclosure

5-500. General. Overlook employees will only disclose classified information in their possession to authorized persons. An authorized person is one who has a security clearance (PCL) at or above the level of information to be disclosed AND the Need to Know (NTK) for that information. NTK is relatively easily defined as the need to have the information in order to perform duties IN DIRECT RELATION TO THE CONTRACT to which the information applies!

5-501. Disclosure Categories. The NISPOM Chapter 5-5, provides detailed rules applicable to the disclosure of classified information to fellow Overlook employees, subcontractors, other DoD activities, Federal Agencies, foreign persons, other contractors, courts and attorneys, and the public. Additionally, it refers to disclosure of export controlled information and unclassified information relating to classified contracts. FSOs will ensure that all Overlook employees are aware of their disclosure responsibilities and include this information in annual refresher training.

Section 6. Reproduction

5-600. General. Modern photocopiers are complex and vulnerable systems which resemble Automated Information Systems (AIS) in their modes of operation. A modern copier is a computer, which scans the document, stores the information in memory, then prints the document according to specifications. This means that an electronic version of the document is resident in the memory of the copier for an indeterminate period of time, depending on its make, model, and capabilities. Additionally, many leased copiers are connected through phone lines with the leasing company, allowing the company to monitor usage, remotely diagnose maintenance problems, and, in some cases, extract data from documents being copied. Therefore, the FSO at each facility is the only person authorized to reproduce classified material. Reproduction may be done personally by the FSO or under the FSO’s immediate direction and control. FSOs will establish procedures for reproduction, to include safeguards against inadvertent access or transmission, in local SPP addenda. All reproduced documents will be entered into the classified document accountability system.

Section 7. Disposition and Retention

5-700. General. Classified information, which is no longer needed, must be returned to the GCA, destroyed, or retained for reference. As part of the self-inspection process, FSOs will verify that all contracts under which they hold classified material are still active. Upon completion of a contract, all classified material will be reviewed for retention or disposal. Retention for more than two years beyond completion of the contract must be requested from the GCA. Retention and disposition reviews will be conducted in accordance with the requirements of Chapter 5-7 of the NISPOM.

5-701. Destruction. FSOs will personally conduct or supervise destruction of paper classified material at their locations. This destruction will be by approved cross-cut shredder. Residue shall be inspected to ensure that the equipment is shredding to the required size. The shredder will be opened at completion of the shredding process and checked for material that was not completely shredded. Specifications are provided at Chapter 5-7 of the NISPOM. FSOs will establish procedures for destruction of non-paper classified material in their local SPP Addenda and ensure, prior to use, that these procedures are approved by their DSS Representative.

5-702. Destruction Records. While the NISPOM only requires destruction records for Top Secret material, to maintain continuity in the classified document accountability system, destruction reports will be prepared for all levels of classified material destroyed. Records will be kept for the two calendar years preceding and the current year.

5-703. Disposition of Classified Material Not Received under a Specific Contract. If classified material was not received under a specific contract, such as material obtained at classified seminars, conferences, or non-contract meetings, it must be destroyed within one year of receipt. With the approval of the GCA, such material may be applied to a relevant classified contract for further retention.

Section 8. Construction Requirements

5-800. General. Chapter 5-8 of the NISPOM contains specific details of construction requirements for Closed Areas and Vaults. FSOs whose facilities may require these areas will ensure that construction contracts reflect these requirements. All such spaces must be coordinated in advance with the PCSO to ensure corporate continuity.

Section 9. Intrusion Detection Systems

5-900. General. Intrusion Detection Systems (IDS) must meet very specific requirements if used as supplemental controls on a Closed Area. These requirements are identified in Chapter 5-9 of the NISPOM. If an IDS is used for facility perimeter control and not required as supplemental protection for classified material, it need not meet these standards. FSOs will coordinate details with the PCSO to ensure that IDS, installation, and monitoring requirements are included in all IDS contracts.


Chapter 6. Visits and Meetings

Section 1. Visits

6-100. General. When it is anticipated that classified information will be disclosed during a visit to a cleared contractor or federal facility, the applicable sections of NISPOM Chapter 6-1 apply.

6-101. Notification.

a. Outgoing Visits by Overlook Employees. Advance notification of classified visits within DoD and other agencies, who have access to it, will normally be made by submission of a Visit Request in JPAS/JCAVS. If written Visit Requests are required by the visited activity, FSOs will prepare them for Overlook personnel, ensuring that all information required by NISPOM 6-1 is included. (VAL database procedures are available from the PCSO.)

b. Incoming Visits by Cleared Contractors or Government Personnel. When classified visits or meetings are to be held at Overlook, all employees are responsible to determine that visitors are properly cleared and have a valid Need-to-Know. FSOs will establish local procedures for verification of visitors’ access eligibility via JPAS. In practice, Overlook employees sponsoring visits or meetings will provide lists of visitor names, social security numbers, and organizations to their FSOs in advance of meeting dates. FSOs will then perform JPAS searches and validate the eligibility of each visitor. It is important to know the organization which the individual is representing at the meeting, as some people are listed in JPAS under several different Security Management Organizations (SMOs). For example, a contractor may also be a military reservist or national guardsman, as well as being a paid consultant for a government entity or other contractor. FSOs must ensure that access eligibilities from the organization being represented are adequate to meet meeting or visit requirements. In the case of non-DoD visitors whose information is not contained in JPAS, FSOs will require advance notification by official Visit Request from the represented agency. FSOs will ensure that all required information is included on the incoming request. For recurring visits, FSOs may request a 12-month inclusive period. Since visit cancellations are no longer required, FSOs must check JPAS each visit to ensure that no change has been made since the previous visit.

6-102. Need-to-Know Determination. The person who will be disclosing classified information is responsible for determining the need-to-know of all recipients. As a rule, when there is a classified contractual relationship between the parties involved, classified information may be disclosed to properly cleared visitors. When there is no direct contractual relationship, per the NISPOM, “disclosure of the information will be based on an assessment that the receiving contractor has a bona fide need to access the information in furtherance of a GCA (Government Contracting Authority) purpose.” COR certification of need-to-know is no longer required or desired.

6-103. Visitor Control and Records. FSOs will ensure that visitors are controlled (either by escorting them or by restricting their movements) to ensure that they are only granted access to classified information which applies to their visit. (This is also a very important factor in protecting Overlook’s Proprietary Information and Intellectual Property.) All Overlook employees are responsible for visitors for whom they are the sponsors and will ensure that escort, access eligibility, and need-to-know requirements are met. Visitor Logs are no longer required by the NISPOM. However, some form of identification of recipients of classified information must still be kept. Therefore, when a meeting involving more than direct one-to-one disclosure of classified information is involved, FSOs will compile an attendee list, based on JPAS or authorized visit request data, and check visitors on arrival to ensure that all attendees have been validated for access eligibility. This list need not require signatures of the attendees. Each such list will be retained in the FSO’s security files for one year, at which time it may be destroyed.

Section 2. Meetings

6-200. General. Meetings are defined in the NISPOM as conferences, seminars, symposia, exhibits, conventions, training courses, or other such gatherings during which classified information is disclosed. Classified meetings may not be initiated and sponsored solely by Overlook. A government agency must sponsor each meeting and agree to assume security responsibility. This assumption of responsibility may be limited to directing Overlook how to conduct the meeting and providing unusual or extra security requirements over and above the norm. Should an Overlook facility desire to conduct such a meeting, the FSO will prepare a request for authorization, in accordance with NISPOM 6-201. A copy of the request will be sent to the PCSO for corporate records. It is fair to note that many such seminars and symposia will be initiated by government sponsors, using Overlook facilities and security support without formal meeting authorizations. As long as these are contract associated, there is no requirement for formal signed authorizations.

6-201. Location and Security Arrangements for Meetings. FSOs will ensure that meetings are conducted only in spaces which meet the requirements of the NISPOM AND the sponsoring government agency. Administrative procedures, such as meeting announcements, VALs, clearance and NTK verification at the meeting, and physical security arrangements will be in accordance with NISPOM 6-2 and the requirements of the sponsoring agency. FSOs will pay special attention to classified presentation materials. All such must be approved in advance by the government agency having cognizance over the information. Additionally, briefing notes, handouts, and supporting data must be screened to assure that proper transmittal methods are followed. Basically, if the notes or handouts are classified, attendees CANNOT take them with them, unless the FSO properly wraps and receipts them and the attendee has a courier authorization.

Detailed procedures and a security checklist for meetings will be provided by FSOs to Overlook meeting coordinators.


Chapter 7.

Subcontracting

Section 1. Prime Contractor Responsibilities

7-100. General. When considering subcontracting part of the work on a classified contract to another company, Overlook personnel, especially managers, must work closely with their FSOs to ensure that:

a. the particulars of the subcontract are clearly defined so that, if access to classified information is necessary, the level of access and special requirements are clear;
b. the potential subcontractor’s facility clearance and safeguarding capability are verified from the Industrial Security Facility Database (ISFD) by the FSO and that the FCL meets the requirements defined in step “a”;
c. security classification guidance is prepared in the form of a Subcontract DD Form 254, issued by Overlook to the subcontractor.

Since DD Forms 254 are considered legal parts of subcontracts, they will normally be issued by the corporate contracts office. However, FSOs will prepare draft DD Forms 254 as necessary and submit them to the PCSO for review, prior to issuance with the subcontract.

If a potential subcontractor does not have an FCL or the FCL does not meet requirements, Overlook may sponsor them for an FCL or upgrade. This is a time consuming and fairly lengthy process, however, and should be considered only when there is a likelihood of a long term relationship between Overlook and the company in question or the potential subcontractor is the only available resource. Sponsorship will be handled by the PCSO at the corporate level with the assistance of the appropriate FSO.


Chapter 8.

Information System Security

Section 1. Responsibilities and Duties

8-100. General. Automated Information Systems (AIS) that are used to process classified information must be managed to protect against unauthorized disclosure of that information. Protection involves balancing a variety of security measures, including administrative controls, physical security and personnel controls, to name only a few. Since most users have little, if any, information systems security training or knowledge, the risk of loss or compromise of classified information through misuse or inadvertent disclosure is especially high when it is AIS related. Therefore, it is critical that all Overlook employees understand and adhere to the security requirements for AIS use.

8-101. Responsibilities.

a. FSO - The FSO at each Overlook facility will, with the approval of management, designate an Information Systems Security Manager (ISSM), who will establish, document, implement and monitor the IS Security Program and ensure facility compliance with requirements for AIS. The FSO will work with the ISSM to ensure that the IS Security Program is integrated with the overall industrial security program. Depending on facility size, FSO skill sets and training, the FSO may serve as the ISSM.

b. ISSM - The ISSM is responsible for all aspects of the AIS security program at each facility. Tasks include those named above, as well as ensuring periodic self-inspections are conducted, developing facility procedures, and developing and certifying System Security Plans (SSPs) for all classified systems.

c. Users - Users are defined as all Overlook employees who use AIS to process classified information. All Users MUST:

1. be aware of and knowledgeable about their responsibilities in regard to IS security;
2. use ONLY APPROVED AIS for processing classified information;
3. comply with the IS Security Program requirements;
4. be accountable for their actions on an AIS;
5. ensure that any authentication mechanisms (including passwords) issued for the control of their access to an AIS are not shared and are protected at the highest classification level and most restrictive classification category of information to which they permit access;
6. acknowledge, in writing, their responsibilities for the protection of the IS and classified information.

8-102. Requirements and Procedures. Detailed requirements for AIS processing are spelled out in NISPOM Chapter 8. The SSP for each Overlook system approved for classified processing will provide procedures for all aspects of use of that AIS. Overlook Users, as part of their responsibilities for awareness, knowledge, and accountability, will become thoroughly familiar with the restrictions and procedures for each AIS that they use and will comply with the requirements of each SSP.


Chapter 9.

Special Requirements

Section 1. Restricted Data and Formerly Restricted Data

9-100. General. Restricted Data (RD) and Formerly Restricted Data (FRD) is atomic energy information which is classified under the authority of the Atomic Energy Act of 1954 and is under the jurisdiction and control of the Department of Energy (DOE). There are certain handling restrictions and very strict classification, declassification and marking requirements delineated in NISPOM 9-1. All Overlook employees who will be handling RD and FRD information must be thoroughly briefed by their FSOs concerning these requirements. FSOs will ensure that RD and FRD information is handled, stored, and transmitted in accordance with NISPOM 9-1.

Section 2. DOD Critical Nuclear Weapon Design Information (CNWDI)

9-200. General. CNWDI is a DoD category of Top Secret (RD) or Secret (RD) that reveals the theory of operation or design of the components of a thermonuclear or fission bomb, warhead, demolition munitions, or test device. The FSO must conduct a formal briefing whenever an employee will require access to CNWDI information; the briefing must be noted in JPAS. CNWDI materials may not be transmitted except as specified in NISPOM 9-2. A formal debriefing is required of employees who terminate employment or otherwise no longer require CNWDI access.

Section 3. Intelligence Information

9-300. General. Intelligence information is under the jurisdiction and control of the Director of Central Intelligence (DCI). It includes information relating to Foreign Intelligence, Counterintelligence, and Intelligence Information relating to U.S. intelligence activities. Sensitive Compartmented Information (SCI) is controlled within formal access control systems established by the DCI. Special Access Program (SAP) information also has special access control systems.

9-301. Control Markings Authorized for non-SCI Intelligence Information. Many of the authorized markings are defined in NISPOM 9-3. FSOs will train cleared Overlook employees on these definitions and the relevant handling restrictions. These markings are:

a. Warning Notice-Intelligence Sources or Methods Involved (WNINTEL)
b. Dissemination and Extraction of Information Controlled by Originator (ORCON)
c. Not Releasable to Contractors/Consultants (NOCONTRACT)
d. Caution – Proprietary Information Involved (PROPIN)
e. Not Releasable to Foreign Nationals (NOFORN)
f. Authorized for Release To (country or international organization) (REL)


Chapter 10.

International Security Requirements

Section 1. General and Background Information

10-100. General. In addition to the NISPOM and other government security regulations, international security requirements are established by several other federal laws. These include The Arms Export Control Act (AECA), The International Traffic in Arms Regulations (ITAR), The Export Administration Act (EAA), and the Atomic Energy Act (AEA), among others. In combination, these regulations limit the release of information, both classified and unclassified, to foreign governments and entities. Disclosure of this information is governed by the National Disclosure Policy (NDP) and is based on support of U.S. foreign policy, impacts on U.S. military security, and similar issues. The complexity of these requirements and restrictions can be daunting. It is critical that Overlook employees check with their FSOs and the corporate Export Control Officer, and carefully plan their activities BEFORE disclosure to foreign nationals (either outside or inside the U.S.). It is important to remember that disclosure rules and authorizations for government personnel are significantly different from those required of contractors.

Section 2. Disclosure of Information to Foreign Interests

10-200. General. ALL foreign disclosures of information related to classified contracts, whether or not the information itself is classified, must be approved in advance by the U.S. Government. This may take the form of an ITAR license, a Technical Assistance Agreement (TAA), an international Memorandum of Understanding (MOU), or a detailed authorization included in contractual documents. Guidance must be provided by the GCA. Even direct commercial arrangements, where eventual disclosure of classified or classified-related information may occur, must have advance government approval.

Section 3. Foreign Government Information (FGI)

10-300. General. Classified material belonging to or originated by a foreign government requires safeguarding in a manner equivalent to that provided for U.S. classified information of the same level. However, there are additional marking, storage, and transmission requirements. If employee assignments require access to FGI, they must ensure that they are thoroughly briefed by their FSO on these additional requirements. Section 10-3 of the NISPOM provides detailed instructions.

Section 4. International Transfers

10-400. General. Transmission or transfer of classified material internationally poses great risks to safeguarding integrity. Therefore, there are specific instructions for such transfers in section 10-4 of the NISPOM. FSOs will provide guidance and assistance in all such transmissions.


Section 5. International Visits and Control of Foreign Nationals.

10-500. Foreign Visits to Overlook Facilities. Foreign nationals who desire to visit Overlook and discuss classified information must similarly submit an international visit request, which is processed through their embassy to the U.S. government for approval. Unless such a visit authorization is in place, foreign nationals must be denied access to classified information and can only have access to related unclassified information as specified below.

10-501. Technology Control Plans (TCPs). Since Overlook does not currently have any foreign national employees or consultants, complex TCPs are not required at this time. However, due to the potential for unauthorized disclosure of classified or export controlled information to foreign visitors, the following procedures must be observed at all Overlook facilities. Remember: if a government employee (whether military or civilian) reveals information to a foreign person, it is a foreign disclosure; if an Overlook employee reveals information to a foreign person, it is both a foreign disclosure and an export.

10-502. Foreign Visitor Control. As described in 6-103 and 6-201 above, ALL visitors to Overlook facilities must be escorted at all times or their movements restricted to preclude access to classified information outside the purview of the authorized visit. Additionally, all foreign visitor movements will be restricted to facility lobbies and designated conference rooms or meeting facilities. Visits by foreign persons will be recorded on a Foreign Visitor Register, which will be retained by the FSO for a minimum of three years.

10-503. Foreign Disclosure. Whether during visits or meetings, Overlook employees will not disclose information which is included in one of the categories described in 10-100 above unless:

a. It has been approved for disclosure by the Government Contracting Authority (GCA), AND
b. It is specifically covered by an Overlook Technical Assistance Agreement (TAA) with, or Export License for, the country or countries of citizenship of the foreign visitors.

Since determining whether specific information falls into these areas can be a delicate and sensitive task, all Overlook employees are required to discuss any potential foreign disclosures with the Overlook Export Control Officer or designated Overlook export control official during the planning stages for any foreign visit or any meeting at which there will be foreign attendees.

10-504. Overlook Attendance at International Conferences or Meetings. When Overlook employees attend international events, such as Institutes of Navigation (ION) meetings, where foreign nationals will be in attendance, they must be particularly careful in discussing either Overlook or government programs, since disclosure of information to foreign nationals at these events is just as much an export as it would be if done at an Overlook facility, a government facility or overseas. Determining the nationality of attendees is often impossible. Hence, Overlook employees will not disclose any export-controlled information to anyone during these events. When Overlook personnel present papers or technical briefings, they must be approved by the GCA in advance and reviewed by an Overlook export control official prior to the event.

Section 6. Contractor Operations Abroad

10-600. General. While Overlook does not currently have any permanent overseas operations, should they be required in the future, the appropriate FSO will coordinate all security requirements as specified in Section 10-6 of the NISPOM.

Section 7. NATO Information Security Requirements

10-700. General. Many Overlook employees will, at one time or another, require access to NATO classified information. When this occurs, the employees will receive a special NATO briefing, which will provide detailed instructions for handling NATO classified material. FSOs will note this briefing in JPAS. NATO mandates separate storage requirements, additional markings, and specific permissions to create, transmit, extract, and destroy NATO material. Overlook employees are responsible to ensure that they receive the necessary training before handling NATO classified data. FSOs are responsible for providing this training and establishing the additional security controls. If NATO information is to be stored at an Overlook facility, the FSO must include procedures in the facility addendum to this SPP.

Section 8. International Request for Visit (IRFV) Procedures for Overseas Meetings

10-800. Overlook Employee OUTUS Visits. When an Overlook employee is required to visit a foreign entity outside the U.S. and will require access to classified information (foreign or U.S.), he or she will request that the FSO send an International Request for Visit. THIS REQUEST MUST BE MADE at least 45 days in advance of travel since lead time requirements of various foreign governments vary widely. FSOs will use the International Request For Visit (IRFV) format included as Appendix B of the NISPOM, unless the visit will be to Canada, Germany, or Saudi Arabia, in which case country-specific versions of these forms (available on the DSS website) will be used. Emergency visits (within seven days) have been approved in the past. However, such approvals are unusual, cannot be counted on, and must always be coordinated through the government COR.


Chapter 11

Miscellaneous Information

Section 1. TEMPEST, DTIC, and IR&D Efforts

11-100. General. Information regarding TEMPEST (emanations from electronic equipment), the Defense Technical Information Center (DTIC), and Independent Research and Development effort security requirements is contained in Chapter 11 of the NISPOM. FSOs, who are tasked with TEMPEST or DTIC requirements in classified contracts, will develop procedures and include them in their site addenda to this SPP. Security for IR&D efforts will be coordinated with the PCSO and incorporated in the master SPP as required.


Appendix A.

Overlook Security Organization Chart

President

Corporate Technical & Analytical Officer

DIR CO SPGS Operations

VP L.A. Operations

FSO VIENNA

FSO L.A.

Principal Corporate Security Officer

SCTY MGR ALBQ

DIR ALBQ Operations


Appendix B.

Definitions

Access. The ability and opportunity to obtain knowledge of classified information.

Adverse Information. Any information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security.

Approved Security Container. Safes or secure file cabinets that meet government standards and are labeled General Services Administration Approved Security Container.

Authorized Person. A person who has a need-to-know for classified information in the performance of official duties and who has been granted a personnel clearance at the required level.

Automated Information System. An assembly of computer hardware, software, and firmware configured for the purpose of automating the functions of calculating, computing, sequencing, storing, retrieving, displaying, communicating, or otherwise manipulating data, information and textual material.

Classified Contract. Any contract that requires or will require access to classified information by a contractor or his or her employees in the performance of the contract.

Classification Guide. A document issued by an authorized original classifier that prescribes the level of classification and appropriate declassification instructions for specific information to be classified on a derivative basis.

Classified Information. The term includes National Security Information, Restricted Data, and Formerly Restricted Data.

Classified Visit. A visit during which the visitor will require, or is expected to require, access to classified information.

Cleared Employees. All contractor employees granted a personnel security clearance (PCL) and all employees in-process for a PCL.

Cognizant Security Agency. Agencies of the Executive Branch that have been authorized by E.O. 12829 to establish an industrial security program for the purpose of safeguarding classified information under the jurisdiction of those agencies when disclosed or released to U.S. Industry.


Communications Security. Protective measures taken to deny unauthorized persons information derived from telecommunications of the U.S. Government relating to national security and to ensure the authenticity of such communications.

Compromise. The disclosure of classified information to an unauthorized person.

Contractor. Any industrial, educational, commercial, or other entity that has been granted an FCL by a CSA.

Courier. A cleared employee, designated by the contractor, whose principal duty is to transmit classified material to its destination. The classified material remains in the personal possession of the courier except for authorized overnight storage.

Critical Nuclear Weapon Design Information. A DoD category of weapon data designating TOP SECRET Restricted Data or SECRET Restricted Data revealing the theory of operation or design of the components of a thermonuclear or implosion-type fission bomb, warhead, demolition munitions, or test device.

Custodian. An individual who has possession of, or is otherwise charged with the responsibility for, safeguarding classified information.

Declassification. The determination that classified information no longer requires, in the interest of national security, any degree of protection against unauthorized disclosure, together with removal or cancellation of the classification designation.

Derivative Classification. A determination that information is in substance the same as information currently classified and the application of the same classification markings. Persons who apply derivative classification markings shall observe and respect original classification decisions and carry forward to any newly created documents any assigned authorized markings.

Document. Any recorded information, regardless of its physical form or characteristics.

Facility (Security) Clearance. An administrative determination that, from a security viewpoint, a facility is eligible for access to classified information of a certain category and all lower categories.

Foreign Government. Any national governing body organized and existing under the laws of any country other than the United States and its possessions and trust territories and any agent or instrumentality of that government.

Foreign Interest. Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or legal entity organized, chartered, or incorporated under the laws of any country other than the U.S. or its possessions and trust territories, and any person who is not a citizen or national of the United States.


Foreign Nationals. Any person who is not a citizen or national of the United States. (Note that this definition specifically applies to eligibility for access to classified information. Export control and technology transfer laws define a foreign national differently. However, that definition applies to unclassified information that is not related to a classified contract.)

Government Contracting Activity. An element of an agency designated by the agency head and delegated broad authority regarding acquisition functions.

Hand-carrier. A cleared employee, designated by the contractor, who occasionally hand-carries classified material to its destination in connection with a classified visit or meeting. The classified material remains in the personal possession of the hand-carrier except for authorized overnight storage.

Home Office Facility. The headquarters facility of a multiple facility organization.

Industrial Security. That portion of information security which is concerned with the protection of classified information in the custody of U.S. industry.

Information. Any information or material, regardless of its physical form or characteristics.

Information Systems Security Manager. The contractor employee responsible for the implementation of Automated Information Systems security, and operational compliance with the documented security measures and controls, at the contractor facility.

Letter of Consent. The form used by the CSA to notify a contractor that a PCL or a Limited Access authorization has been granted to an employee.

Multiple Facility Organization. A legal entity (single proprietorship, partnership, association, trust, or corporation) that is composed of two or more facilities.

National of the United States. A national of the United States is:
a. A citizen of the United States, or,
b. A person who, though not a citizen of the United States, owes permanent allegiance to the United States.

Need-to-Know. A determination made by the possessor of classified information that a prospective recipient has a requirement for access to, knowledge of, or possession of the classified information to perform tasks or services essential to the fulfillment of a classified contract or program.

Original Classification. An initial determination that information requires, in the interest of national security, protection against unauthorized disclosure, together with a classification designation signifying the level of protection required. (Only government officials, who have been designated in writing, may apply an original classification to information.)

Original Classification Authority. A government official who has been designated in writing to apply original classification to information.

Personnel (Security) Clearance. An administrative determination that an individual is eligible, from a security point of view, for access to classified information of the same or lower category as the level of the personnel clearance being granted.

Public. Any contractor, subcontractor, Government official, or other individual who does not require access to information (classified or unclassified) in furtherance of the performance of the classified contract under which the information was provided to the contractor or as authorized by the NISPOM.

Public Disclosure. The passing of information and/or material pertaining to a classified contract to the public, or any member of the public, by any means of communication.

Representative of a Foreign Interest. A citizen or national of the United States, who is acting as a representative of a foreign interest.

Restricted Data. All data concerning the design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the RD category pursuant to section 142 of the Atomic Energy Act of 1954, as amended.

Source Document. A classified document, other than a classification guide, from which information is extracted for inclusion in another document.

Standard Practice Procedure. A document(s) prepared by a contractor that implements the applicable requirements of the NISPOM for the contractor’s operations and involvement with classified information at the contractor’s facility.

Subcontractor. A supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime contractor or another subcontractor, who enters into a contract with a prime contractor.

Transmission. The sending of information from one place to another by radio, microwave, laser, or other non-connective methods, as well as by cable, wire, or other connective medium. Transmission also includes movement involving the actual transfer of custody and responsibility for a document or other classified material from one authorized addressee to another.

Unauthorized Person. A person not authorized to have access to specific classified information in accordance with the requirements of the NISPOM.

Appendix C

Abbreviations and Acronyms

AEA Atomic Energy Act
AECA Arms Export Control Act
AIS Automated Information System
CNWDI Critical Nuclear Weapons Design Information
COMSEC Communications Security
CSA Cognizant Security Agency
CSO Cognizant Security Office
DCI Director of Central Intelligence
DCS Defense Courier Service
DISCO Defense Industrial Security Clearance Office
DoD Department of Defense
DOE Department of Energy
DSS Defense Security Service
DTIC Defense Technical Information Center
EAA Export Administration Act
FCL Facility (Security) Clearance
FGI Foreign Government Information
FOCI Foreign Ownership, Control or Influence
FRD Formerly Restricted Data
FSO Facility Security Officer
GCA Government Contracting Activity
GSA General Services Administration
HOF Home Office Facility
IDS Intrusion Detection System
IR&D Independent Research and Development
ISSM Information System Security Manager
ITAR International Traffic in Arms Regulations
LOC Letter of (Consent) Notification of Personnel Clearance
MFO Multiple Facility Organization
NAC/LC National Agency Check/Local and Credit Checks
NATO North Atlantic Treaty Organization
NDP National Disclosure Policy
NISP National Industrial Security Program
NISPOM National Industrial Security Program Operating Manual
NRC Nuclear Regulatory Commission
NSA National Security Agency
OADR Originating Agency’s Determination Required
OUTUS Outside the U.S. and its territories
PCL Personnel (Security) Clearance
PCSO Principal Corporate Security Officer
RD Restricted Data
RFI Representative of a Foreign Interest
RFP Request for Proposal
RFQ Request for Quote
SSBI Single Scope Background Investigation
SSP System Security Plan
TCP Technology Control Plan

Appendix D – Forms

D-1 Overlook Notification of Foreign Travel, January 2013 (.pdf form posted on Overlook website)
D-2 Overlook Draft International Request For Visit (IRFV) (.pdf form posted on Overlook website)
D-3 Foreign Travel Checklist

Foreign Travel Checklist - Appendix D-3

Use the following checklist whenever planning foreign travel, whether personal or for business. Explanations for items are on the second page. FSOs can provide more detailed information where required.

Item Personal Business
1. Overlook Notification of Foreign Travel Required Required
2. Foreign Travel Briefing Required Required
3. Passport to a Safe Trip Abroad
4. Draft International Request For Visit Required
5. U.S. Passport & Other Identification Required Required
6. TAA or Export License May Be Required
7. Non-Traveling U.S. POC (for emergencies) Required Required
8. Plan Ahead Items
   a. Illness or Medical Emergency Required Required
   b. US Consulate/Embassy locations Required Required
   c. Protecting Sensitive Information
      At Visited Site Required
      In Hotels (Laptops, etc.) Required
      In Transit Required
   d. Protecting Classified Information Required
   e. Personal Safety Required Required
   f. Laws Different from US Required Required
   g. Driving and Vehicle Safety Required Required
   h. Espionage Attempt Avoidance Required Required
   i. Avoiding Terrorist Actions Required Required
   j. Established Foreign Relationships (Rpt) Required Required
   k. Ugly American Syndrome Avoidance Required Required
9. Foreign Travel Debriefing (Pg 3 of Notification) Required Required

Overlook Foreign Travel Checklist, March 2013

Explanation of Items

1. Overlook Notification of Foreign Travel. Form, available from FSO, is required for all foreign travel of any kind; intended to ensure traveler receives a Foreign Travel Briefing and other briefings, as required.

2. Foreign Travel Briefing. Highlights are on reverse of Foreign Travel Notification; intended to provide traveler with maximum personal safety and information safeguarding requirements.

3. Passport to a Safe Trip Abroad. Booklet, published by NSA and other government agencies, provides travel tips and insight to assure traveler has safe and pleasant trip; available from the FSO.

4. Draft International Request For Visit (IRFV). Not required for pleasure travel; ALWAYS required for foreign business travel, whether or not the travel will involve access to classified information. Form is available from FSOs.

5. U.S. Passport & Other Identification. Now required for ANY foreign travel, including trips to Mexico and Canada; see US State Department website for application procedures. Also check the Passport to a Safe Trip Abroad for instructions on how to protect a U.S. Passport.

6. TAA or Export License. Not required for pleasure travel; however, traveler should ensure that he or she does not engage in discussions of work related information with foreign nationals, which would otherwise require a TAA or Export License. A TAA or Export License is required for business travel, when discussions with foreign nationals will involve technical issues or Export Controlled information.

7. Non-Traveling U.S. POC (for emergencies). The traveler should identify a U.S. POC (usually a spouse or close friend) who will not be traveling, but who will have the traveler’s itinerary and can act for the traveler in the event of an emergency. Traveler should ensure that his or her FSO has the telephone number and address of this POC.

8. Plan Ahead Items. These are a number of items for which the traveler, and any traveling companions, should make contingency plans. Suggestions for all of these items are contained in the booklet Passport to a Safe Trip Abroad.