FAR 4.402—General.
Plain-English Summary
FAR 4.402 explains the governmentwide framework for protecting classified information when it is released to contractors, licensees, and grantees. It ties the FAR to the National Industrial Security Program (NISP), identifies the controlling executive orders, and points readers to the National Industrial Security Program Operating Manual (NISPOM) and related DoD guidance that implement the program. It also addresses special procedures for foreign classified contracts, the use of DD Form 254 to provide security classification guidance, and the requirement to identify contractor and subcontractor performance locations with CAGE codes (or agency location codes for Government facilities). In addition, it clarifies that contractor performance locations do not have to be separately registered in SAM solely because they appear on a DD Form 254. Finally, it notes that FAR Part 27 covers safeguarding classified information in patent applications and patents. In practice, this section is the roadmap for how contracting personnel and contractors handle classified work, who issues security guidance, and what identifiers and systems must be used to keep classified contract performance properly controlled and traceable.
Key Rules
NISP governs classified work
Executive Order 12829 establishes the National Industrial Security Program to safeguard classified information released to contractors, licensees, and grantees. The program builds on earlier executive orders and is the baseline policy framework for industrial security.
NISPOM implements the program
The NISPOM incorporates the executive order requirements and is the primary operating manual for industrial security. It is issued and maintained by the Secretary of Defense in coordination with other affected national security agencies.
Foreign classified contract procedures apply
Special procedures for protecting information related to foreign classified contracts awarded to U.S. industry, and for protecting U.S. information related to classified contracts awarded to foreign firms, are prescribed in 32 CFR 117.19. These rules must be followed when classified work crosses national boundaries.
DD Form 254 provides security guidance
Nondefense agencies with industrial security services agreements with DoD, and DoD components, must use DD Form 254 to provide classification guidance to contractors and subcontractors needing access to Confidential, Secret, or Top Secret information. If the submittal is unclassified, the form must be completed electronically in NCCS unless the agency already uses another DD Form 254 system.
CAGE codes identify performance locations
A contractor or subcontractor requiring access to classified information must be identified by CAGE code on the DD Form 254. Each performance location listed must have a corresponding unique CAGE code, unless the work is performed at a Government facility, in which case the agency location code is used.
Subcontractor locations must be listed
Every subcontractor location that requires access to classified information must appear on the DD Form 254. This ensures security guidance follows the actual places where classified work will be performed.
SAM registration is not required for DD 254 alone
Contractor and subcontractor performance locations listed on the DD Form 254 do not have to be separately registered in SAM solely because they are listed on the form. SAM registration requirements are separate and should not be imposed just for security documentation purposes.
Patent-related classified safeguards are elsewhere
FAR Part 27 contains the policy and procedures for safeguarding classified information in patent applications and patents. This section flags that patent-related classified issues are handled under a different FAR part.
Responsibilities
Contracting Officer
Ensure the contract’s classified-information requirements are supported by the proper security guidance and that DD Form 254 is used when required. Verify that contractor and subcontractor performance locations are properly identified with CAGE codes or agency location codes, and coordinate with security officials and the cognizant industrial security office as needed.
DoD Components
Use DD Form 254 to provide security classification guidance for classified contract performance and follow the applicable NISPOM and DoD industrial security procedures. Ensure classified work is administered consistently with the NISP and related DoD guidance.
Nondefense Agencies with DoD Industrial Security Agreements
Use DD Form 254 to provide security classification guidance to U.S. contractors and subcontractors requiring access to classified information. If using an unclassified data submittal, complete the form electronically in NCCS unless the agency maintains an existing DD Form 254 system.
Secretary of Defense
Issue and maintain the NISPOM in consultation with affected agencies and with required concurrence from other national security officials. Maintain the operating manual that implements the executive order framework.
Contractor
Obtain and use the security guidance provided on DD Form 254, ensure the correct CAGE code is associated with each performance location, and comply with the applicable classified-information safeguarding requirements. Coordinate subcontractor access and location information so all required sites are listed.
Subcontractor
Comply with the classified-information requirements applicable to its work location and access level, and ensure its performance location is properly identified on the DD Form 254 when access to classified information is required.
Agency Security Officials / Industrial Security Offices
Provide or validate classification guidance, support preparation and maintenance of DD Form 254, and ensure the correct industrial security procedures are applied to classified contract performance.
Practical Implications
This section is the starting point for any contract involving classified information: if the work touches Confidential, Secret, or Top Secret material, the security guidance must be documented correctly and tied to the right industrial security rules.
A common pitfall is failing to list every subcontractor location that will access classified information, or listing a location without the correct unique CAGE code. That can create security compliance gaps and delay performance.
Another frequent issue is confusing DD Form 254 requirements with SAM registration. A location listed only for classified-work purposes does not need separate SAM registration just because it appears on the form.
For foreign classified contracts, contractors and contracting personnel should not rely on the general DD Form 254 process alone; they must follow the specific procedures in 32 CFR 117.19.
Patent and invention-related classified issues are not handled here. If the contract involves patent applications or patents containing classified information, FAR Part 27 must also be reviewed.
Official Regulatory Text
(a) Executive Order 12829, January 6, 1993 (58 FR3479, January 8, 1993), entitled "National Industrial Security Program" (NISP), establishes a program to safeguard Federal Government classified information that is released to contractors, licensees, and grantees of the United States Government. Executive Order 12829 amends Executive Order 10865, February 20, 1960 (25 FR1583, February 25, 1960), entitled "Safeguarding Classified Information Within Industry," as amended by Executive Order 10909, January 17, 1961 (26 FR508, January 20, 1961). (b) The National Industrial Security Program Operating Manual (NISPOM) incorporates the requirements of these Executive orders. The Secretary of Defense, in consultation with all affected agencies and with the concurrence of the Secretary of Energy, the Chairman of the Nuclear Regulatory Commission, the Director of National Intelligence, and the Secretary of Homeland Security, is responsible for issuance and maintenance of this Manual. The following publications implement the program: (1) National Industrial Security Program Operating Manual (NISPOM) (32 CFR part 117). (2) DoD Manual 5220.22, Volume 2, National Industrial Security Program: Industrial Security Procedures for Government Activities. (c) Procedures for the protection of information relating to foreign classified contracts awarded to U.S. industry, and instructions for the protection of U.S. information relating to classified contracts awarded to foreign firms, are prescribed in 32 CFR 117.19. (d) Nondefense agencies that have industrial security services agreements with DoD, and DoD components, shall use the DD Form 254, Contract Security Classification Specification, to provide security classification guidance to U.S. contractors, and subcontractors as applicable, requiring access to information classified as "Confidential", "Secret", or "Top Secret". (1) Provided that the data submittal is unclassified, the DD Form 254 shall be completed electronically in the NISP Contract Classification System (NCCS), which is accessible at https://www.dcsa.mil/is/nccs/ . Nondefense agencies with an existing DD Form 254 information system may use that system. (2) (i) A contractor, or subcontractor (if applicable), requiring access to classified information under a contract shall be identified with a Commercial and Government Entity (CAGE) code on the DD Form 254 (see subpart 4.18 for information on obtaining and validating CAGE codes). (ii) Each location of contractor or subcontractor performance listed on the DD Form 254 is required to reflect a corresponding unique CAGE code for each listed location unless the work is being performed at a Government facility, in which case the agency location code shall be used. Each subcontractor location requiring access to classified information must be listed on the DD Form 254. (iii) Contractor and subcontractor performance locations listed on the DD Form 254 are not required to be separately registered in the System for Award Management (SAM) solely for the purposes of a DD Form 254 (see subpart 4.11 for information on registering in SAM). (e) Part 27, Patents, Data, and Copyrights, contains policy and procedures for safeguarding classified information in patent applications and patents.