Current through October 31, 2024
Section 117.15 - Safeguarding classified information(a)General safeguarding. Contractors will be responsible for safeguarding classified information in their custody or under their control, with approval for such storage of classified information by the applicable CSA. Individuals are responsible for safeguarding classified information entrusted to them. Contractors will provide the extent of protection to classified information sufficient to reasonably protect it from loss or compromise. (1)Oral discussions. Contractors will ensure that all cleared personnel are aware of the prohibition against discussing classified information over unsecured telephones, in public conveyances or places, or in any other manner that permits interception by unauthorized persons.(2)End of day security checks.(i) Contractors that store classified material will establish a system of security checks at the close of each working day to verify that all classified material and security repositories have been appropriately secured.(ii) Contractors that operate multiple work shifts will perform the security checks at the end of the last working shift in which classified material was removed from storage for use. The checks are not required during continuous 24-hour operations.(3)Perimeter controls.(i) Contractors authorized to store classified material will establish and maintain a system to deter and detect unauthorized introduction or removal of classified material from their facility without proper authority.(ii) If the unauthorized introduction or removal of classified material can be reasonably prevented through technical means (e.g., an intrusion detection system), which are encouraged, no further controls are necessary. The contractor will provide appropriate authorization to personnel who have a legitimate need to remove or transport classified material for passing through designated entry or exit points.(iii) The contractor will: (A) Provide appropriate authorization to personnel who have a legitimate need to remove or transport classified material for passing through designated entry or exit points.(B) Conspicuously post notices at all pertinent entries and exits that persons who enter or depart the facility are subject to an inspection of their personal, except under circumstances where the possibility of access to classified material is remote.(C) Limit inspections to buildings or areas where classified work is being performed.(D) Establish the extent, frequency, and location of inspections in a manner consistent with contractual obligations and operational efficiency. The contractor may use any appropriate random sampling technique.(E) Seek legal advice during the formulation of implementing procedures.(F) Submit significant problems pertaining to perimeter controls and inspections to the CSA.(iv) Contractors will develop procedures for safeguarding classified material in emergency situations. (A) The procedures should be as simple and practical as possible and adaptable to any type of emergency that may reasonably arise.(B) Contractors will promptly report to the CSA any emergency situation that renders them incapable of safeguarding classified material.(b)Standards for Security Equipment. Contractors will follow guidelines established in 32 CFR part 2001, when procuring storage and destruction equipment. Authorized repairs for GSA-approved security containers and vaults must be in accordance with Federal Standard 809.(c)Storage. Contractors will store classified information and material in General Services Administration (GSA)-approved security containers, vaults built to Federal Standard 832, or an open storage area constructed in accordance with 32 CFR 2001.53 . In the instance that an open storage area has a false ceiling or raised floor, contractors shall develop and implement procedures to ensure their structural integrity. Nothing in 32 CFR part 2001, should be construed to contradict or inhibit compliance with local laws or building codes, but the contractor will notify the applicable CSA if there are any conflicting issues that would inhibit compliance. Contractors will store classified material in accordance with the specific sections of 32 CFR 2001.43 : (1) CONFIDENTIAL. See 32 CFR 2001.43(b)(3) .(2) SECRET. See 32 CFR 2001.43(b)(2) .(3) TOP SECRET Documents. See 32 CFR 2001.43(b)(1) .(d)Intrusion Detection Systems (IDS). This paragraph specifies the minimum standards for an approved IDS when used for supplemental protection of TOP SECRET and SECRET material. The CSA will provide additional guidance for contingency protection procedures in the event of IDS malfunction, including contractors located in USG owned contractor operated facilities.(1)CSA approval.(i) CSA approval is required before installing an IDS. The CSA will base approval of a new IDS on the criteria of Intelligence Community Directive 705 (available at: https://www.dni.gov/files/documents/ICD/ICD_705_SCIFs.pdf) and any applicable intelligence community standard, Underwriters Laboratories (UL) Standard 2050 (Government agencies with a role as a CSA or CSO may obtain this reference without charge; available at: www.ul.com/contact), or the CSA may base approval on written CSA-specific standards for the information to be protected.(ii) Installation will be performed by an alarm services company certified by a NRTL that meets the requirements in 29 CFR 1910.7 to perform testing and certification. The NRTL-approved alarm service company is responsible for completing the appropriate alarm system description form approved by the NRTL.(iii) All the intrusion detection equipment (IDE) used in the IDS installation will be tested and approved (or listed) by a NRTL, ensuring its proper operation and resistance from tampering. Any IDE that has not been tested and approved by a NRTL will require CSA approval.(2)Central monitoring station.(i) For the purpose of monitoring alarms, an equivalent level of monitoring service is available from multiple types of providers. The central monitoring station may be located at a one of the following:(A) Government contractor monitoring station (GCMS), formerly called a proprietary central station.(B) Cleared commercial central station.(C) Cleared protective signal service station (e.g., fire alarm monitor).(D) Cleared residential monitoring station.(E) National industrial monitoring station.(ii) SECRET-cleared central station employees at the alarm monitoring station will be in attendance in sufficient number to monitor each alarmed area within the cleared contractor facility.(iii) The central monitoring station will be supervised continuously by a U.S. citizen who has eligibility for access to SECRET information.(iv) The IDS must be activated at the close of business whenever the area is not occupied by cleared personnel. Any IDS exit delay function must expire prior to the cleared personnel leaving the immediate area. A record will be maintained to identify the person or persons who are responsible for setting and deactivating the IDS.(v) Records will be maintained for 12 months indicating time of receipt of alarm, name(s) of security force personnel responding, time dispatched to facility or area, time security force personnel arrived, nature of alarm, and what follow-up actions were accomplished.(3)Investigative response to alarms.(i) Alarm response teams will ascertain if intrusion has occurred and, if possible, assist in the apprehension of the individuals involved.(A) If an alarm activation resets in a reasonable amount of time and no damage to the area is visible, then entrance into the area is not required and an initial response team may consist of uncleared personnel.(B) If the alarm activation does not reset and damage is observed, then a cleared response team must be dispatched. The initial uncleared response team must stay on station until relieved by the cleared response team. If a cleared response team does not arrive within 1 hour, then a report to the CSA must be made by the close of the next business day.(ii) The following resources may be used to investigate alarms: Proprietary security force personnel, central station guards, local law enforcement personnel, or a subcontracted guard service. The CSA may approve procedures for the use of entity cleared employees who can meet the minimum response requirements outlined in this section.(A) For a GCMS, trained proprietary or subcontractor security force personnel, cleared to the SECRET level and sufficient in number to be dispatched immediately to investigate each alarm, will be available at all times when the IDS is in operation.(B) For a commercial central station, protective signaling service station, or residential monitoring station, there will be a sufficient number of trained guards available to respond to alarms. Guards will be cleared only if they have the ability and responsibility to access the area or container(s) housing classified material (i.e., keys to the facility have been provided or the personnel are authorized to enter the building or check the container or area that contains classified material).(C) Uncleared guards dispatched by a commercial central station, protective signaling service station, or residential monitoring station in response to an alarm will remain on the premises until a designated, cleared representative of the facility arrives, or for a period of not less than 1 hour, whichever comes first. If a cleared representative of the facility does not arrive within 1 hour following the arrival of the guard, the central control station must provide the CSA with a report of the incident that includes the name of the subscriber facility, the date and time of the alarm, and the name of the subscriber's representative who was contacted to respond. A report will be submitted to the CSA by the end of business on the next business day.(D) Subcontracted guards must be under a classified contract with either the installing alarm service company or the cleared facility.(iii) The response time will be in accordance with the provisions in paragraphs (c)(1) through (c)(3) in this section as applicable. When environmental factors (e.g., traffic, distance) legitimately prevent meeting the requirements for TOP SECRET information, as indicated in paragraph (c)(3) in this section, the CSA may authorize up to a 30-minute response time. The CSA approval will be documented on the alarm system description form and the specified response time will be noted on the alarm certificate. The requirement for response is 80 percent within the time limits.(4)Installation. The IDS will be installed by an NRTL-approved entity or by an entity approved in writing by the CSA. When connected to a commercial central station, GCMS, national industrial monitoring station, or residential monitoring station, the service provided will include line security (i.e., the connecting lines are electronically supervised to detect evidence of tampering or malfunction). The level of protection for the alarmed area will include all points of probable entry (perimeter doors and accessible windows) with magnetic contacts and motion detectors positioned in the probable intruder paths from the probable points of entry to the classified information. In accordance with Federal Standard 809, no IDS sensors (magnetic contacts or vibration detectors) will be installed on GSA-approved security containers. CSA authorization on the alarm system description form is required in the following circumstances: (i) When line security is not available, installation will require two independent means of transmission of the alarm signal from the alarmed area to the monitoring station.(ii) Alarm installation provides a level of protection, e.g. UL's Extent 5, based on patrolling employees and CSA approval of security-in-depth.(iii) Where law enforcement personnel are the primary alarm response. Under those circumstances, the contractor must obtain written assurance from the police department regarding the ability to respond to alarms in the required response time.(iv) Alarm signal transmission is over computer-controlled data-networks (e.g., internet, intranet). The CSA will provide specific acceptance criteria (e.g., encryption requirements) for alarms monitored over data networks.(v) Alarm investigator response time exceeds the parameters outlined in paragraphs (c)(1) through (c)(3) in this section as applicable.(5)Certification of compliance. Evidence of compliance with the requirements of this section will consist of a valid (current) certification by an approved NRTL for the appropriate category of service. This certificate: (i) Will have been issued to the protected facility by the NRTL, through the alarm service company.(ii) Serves as evidence that the alarm service company that did the installation is: (A) Listed as furnishing security systems of the category indicated.(B) Authorized to issue the certificate of installation as representation that the equipment is in compliance with requirements established by NRTL for the class of alarm system.(C) Subject to the NRTL inspection program whereby periodic inspections are made of representative alarm installations by NRTL personnel to verify the correctness of certification practices.(6)Exceptional cases.(i) If the requirements in paragraphs (d)(1) through (d)(5) in this section cannot be met, the contractor may request CSA approval for an alarm system meeting one of these conditions, which will be documented on the alarm system description form: (A) Monitored by a central control station but responded to by a local (municipal, county, state) law enforcement organization.(B) Connected by direct wire to alarm receiving equipment located in a local (municipal, county, State) police station or public emergency service dispatch center. This alarm system is activated and deactivated by employees of the contractor, but the alarm is monitored and responded to by personnel of the monitoring police or emergency service dispatch organization. Personnel monitoring alarm signals at police stations or dispatch centers do not require PCLs. Police department response systems may be requested only when: (1) The contractor facility is located in an area where central control station services are not available with line security or proprietary security force personnel, or a contractually-dispatched response to an alarm signal cannot be achieved within the time limits required by the CSA.(2) It is impractical for the contractor to establish a GCMS or proprietary guard force at that location. In this case, installation of these systems must use NRTL-approved equipment and be accomplished by an NRTL-approved entity meeting the applicable testing standard for the category of service.(ii) An installation proposal, explaining how the system would operate, will be submitted to the CSA. The proposal must include:(A) Sufficient justification for the granting of an exception and the full name and address of the police department that will monitor the system and provide the required response.(B) The name and address of the NRTL-approved entity that will install the system, and inspect, maintain, and repair the equipment.(iii) The response times will be in accordance with the provisions in paragraphs (c)(1) through (c)(3) in this section as applicable. Arrangements will be made with the central monitoring station to immediately notify a contractor representative on receipt of the alarm. The contractor representative is required to go immediately to the facility to investigate the alarm and to take appropriate measures to secure the classified material.(iv) In exceptional cases where central station monitoring service is available, but no proprietary security force, central station, or subcontracted guard response is available, and where the police department does not agree to respond to alarms, and no other manner of investigative response is available, the CSA may approve cleared employees as the sole means of response.(e)Information controls - (1)Information management system. Contractors will establish: (i) A system to verify that classified information in their custody is used or retained only for a lawful and authorized USG purpose.(ii) An information management system to protect and control the classified information in their possession regardless of media, to include information processed and stored on authorized information systems.(2)Top secret information. Contractors will establish controls for TOP SECRET information and material to validate procedures are in place to address accountability, need to know, and retention, e.g., demonstrating that TOP SECRET material stored in an electronic format on an authorized classified information system does not need to be individually numbered in series. These controls are in addition to the information management system and must be applied, unless otherwise directed by the applicable CSA, regardless of the media of the TOP SECRET information, to include information processed and stored on authorized information systems. Unless otherwise directed by the applicable CSA, the contractor will establish the following additional controls:(i) Designate TOP SECRET control officials to receive, transmit, and maintain access and accountability records to TOP SECRET information.(ii) Conduct an annual inventory of TOP SECRET information and material.(iii) Establish a continuous receipt system for the transmittal of TOP SECRET information within and outside the contractor location.(iv) Number each item of TOP SECRET material in a series. Place the copy number on TOP SECRET documents, regardless of media, and on all associated transactions documents.(v) Establish a record of TOP SECRET material when the material is:(A) Completed as a finished document.(B) Retained for more than 180 days after creation, regardless of the stage of development.(C) Transmitted outside the contractor location.(vi) Establish procedures for destruction of TOP SECRET material by two authorized persons.(vii) Establish destruction records for TOP SECRET material and maintain the records for two years in accordance with § 117.13(d)(5) or in accordance with GCA requirements.(3)Working papers. Contractors will establish procedures for the control of classified working papers generated in the preparation of a finished document. The contractor will:(i) Date working papers when they are created.(ii) Mark each page of the working papers with the highest classification level of any information contained in them and with the annotation "WORKING PAPERS."(iii) Destroy working papers when no longer needed.(iv) Mark in the same manner prescribed for a finished document at the same classification level if released outside the contractor location or retained for more than 180 days from the date of origin.(4)Combinations to locks. Contractors will follow the guidance in 32 CFR 2001.45(a)(1) and 2001.43 (c) to address thresholds when combinations will be changed. Combinations to locks used to secure vaults, open storage areas, and security containers that are approved for the safeguarding of classified information will be protected in the same manner as the highest level of classified information that the vault, open storage area, or security container is used to protect.(5)Information system passwords. Contractors will follow the guidance established in 32 CFR 2001.45(a)(2) for the protection of passwords to information systems authorized to process and store classified information at the highest level of classification to which the information system is authorized.(6)Reproduction of classified information. Contractors will follow the guidance established in 32 CFR 2001.45(b) for the reproduction of classified information.(f)Transmission of classified information. Contractors will establish procedures for transmitting and receiving classified information and material in accordance with 32 CFR 2001.46 . (1)Top secret. The contractor must have written authorization from the GCA to transmit TOP SECRET material outside the contractor location.(2)Transmission outside the United States and its Territorial Areas. The contractor may transmit classified material to a USG activity outside the United States or a U.S. territorial area only under the provisions of a classified contract or with written authorization from the GCA.(3)Commercial delivery entities. The CSA may approve contractors to transmit SECRET or CONFIDENTIAL information within the United States and its territorial areas by means of a commercial delivery entity that is a current holder of the GSA contract for overnight delivery, and which provides nation-wide, overnight service with computer tracking and reporting features (a list of current contract holders may be found at: https://www.archives.gov/isoo/faqs#what-is-overnightcarriers). Such entities do not need to be determined eligible for access to classified information.(i) Prior to CSA approval, the contractor must establish and document procedures to ensure the proper protection of incoming and outgoing classified packages, including the street delivery address, for each cleared facility intending to use GSA-listed commercial delivery entities for overnight services.(ii) Contractors will establish procedures for the use of commercial delivery entities in accordance with 32 CFR part 2001. The procedures will:(A) Confirm that the commercial delivery entity provides nationwide, overnight delivery service with automated in-transit tracking of the classified packages.(B) Ensure the package integrity during transit and that incoming shipments are received by appropriately cleared personnel.(C) Not be used for COMSEC, NATO, or FGI.(4)Couriers and hand carriers. Contractors may designate cleared employees as couriers or hand carriers. Contractors will:(i) Brief employees providing such services on their responsibility to safeguard classified information and keep classified material in their possession at all times.(ii) Provide employees with an identification card or badge which contains the contractor's name and the name and a photograph of the employee.(iii) Make arrangements in advance of departure for overnight storage at a USG installation or at a cleared contractor's facility that has appropriate storage capability, if needed.(iv) Conduct an inventory of the material prior to departure and upon return. The employee will carry a copy of the inventory with them.(5)Use of commercial passenger aircraft. The contractor may authorize cleared employees to hand carry classified material aboard commercial passenger aircraft. (i)Routine processing. Employees hand carrying classified material are subject to routine processing by airline security agents. Hand-held packages will normally be screened by x-ray examination. If security personnel are not satisfied with the results of the inspection and requests the prospective passenger to open a classified package for visual examination, the traveler must inform the screener that the carry-on items contain USG classified information and cannot be opened. Under no circumstances may traveler or security personnel open the classified material unless required by customs or other government officials.(ii)Special processing. The contractor will contact the appropriate air carrier in advance to explain the particular circumstances and obtain instructions on the special screening procedures to follow when:(A) Routine processing would subject the classified material to compromise or damage.(B) Visual examination is or may be required to successfully screen a classified package.(C) Classified material is in specialized containers, which due to its size, weight, or other physical characteristics cannot be routinely processed.(iii)Authorization letter. Contractors will provide employees with written authorization to hand carry classified material on commercial aircraft that includes: (A) Full name, date of birth, height, weight, and signature of the traveler and statement that he or she is authorized to transmit classified material.(B) Description of the type of identification the traveler will present on request.(C) Description of the material being hand carried, with a request that it be exempt from opening.(D) Identification of the points of departure, destination, and known transfer points.(E) Name, telephone number, and signature of the FSO, and the location and telephone number of the CSA.(6)Escorts. If an escort is necessary to ensure the protection of the classified information being transported, the contractor will assign a sufficient number to each classified shipment to ensure continuous surveillance and control over the shipment while in transit. The contractor will furnish escorts with specific written instructions and operating procedures prior to shipping that include:(i) Name and address of persons, including alternates, to whom the classified material is to be delivered.(ii) Receipting procedures.(iii) Means of transportation and the route to be used.(iv) Duties of each escort during movement, during stops end route, and during loading and unloading operations.(v) Emergency and communication procedures.(g)Destruction. Contractors will: (1) Destroy classified material in their possession based on the disposition instructions in the contract security classification specification or equivalent.(2) Follow the guidance for destruction of classified material in accordance with 32 CFR 2001.47 and the destruction equipment standards in accordance with 32 CFR 2001.42(b) . See https://www.nsa.gov/resources/everyone/media-destruction/ and any CSA provided guidance for additional information.(h)Disclosure. Contractors will establish processes by which classified information is disclosed only to authorized persons.(1)Disclosure to employees. Contractors are authorized to disclose classified information to their cleared employees with the appropriate eligibility for access to classified information and need to know as necessary, including cleared employees across the MFO, when applicable, for the performance of tasks or services essential to the fulfillment of a classified contract or subcontract.(2)Disclosure to subcontractors.(i) Contractors: (A) Are authorized to disclose classified information to a cleared subcontractor with the appropriate entity eligibility determination (also known as a facility security clearance) and need to know when access to classified information is necessary for the performance of tasks or services essential to the fulfillment of a prime contract or a subcontract.(B) Will convey appropriate classification guidance for the classified information to be disclosed with the subcontract in accordance with § 117.13 .(ii) The CSA must have:(A) Made a determination of eligibility for access to classified information for the subcontractor, at the same level, or higher, than the classified information to be disclosed, to allow for such disclosures.(B) Approved storage capability for classified material at the subcontractor location if a physical transfer of classified material occurs.(3)Disclosure between parent and subsidiaries.(i) Contractors: (A) Are authorized to disclose classified information between parent and subsidiary entities with the appropriate entity eligibility determination (also known as a facility security clearance) and need to know when access to classified information is necessary for the performance of tasks or services essential to the fulfillment of a prime or subcontract.(B) Will convey appropriate classification guidance with the agreement or procurement action that necessitates the disclosure.(ii)The CSA must have:(A) Made a determination of eligibility for access to classified information for both the parent and subsidiary, at the same level, or higher, than the classified information to be disclosed, to allow for such disclosures.(B) Approved storage capability for classified material at the parent and the subsidiary if a physical transfer of classified material occurs.(4)Disclosure to federal agencies. Contractors will not disclose classified information received or generated under a contract from one agency to any other federal agency unless specifically authorized by the agency that has classification jurisdiction over the information.(5)Disclosure of classified information to foreign persons. Contractors will not disclose classified information to foreign persons unless specified by the contract and release of the information is authorized in writing by the government agency having classification jurisdiction over the information involved, i.e. the DOE for RD and FRD (also see § 117.23 ), the NSA for COMSEC, the DNI for SCI, and all other executive branch departments and agencies for classified information under their respective jurisdictions.(6)Disclosure to other contractors. Contractors will not disclose classified information to another contractor except in furtherance of a contract, subcontract, or other GCA purpose without the authorization of the GCA, if such authorization is required by contract.(7)Disclosure of classified information in connection with litigation. Contractors will not disclose classified information to:(i) Attorneys hired solely to represent the contractor in any civil or criminal case in federal or State courts unless the disclosure is specifically authorized by the agency that has jurisdiction over the information.(ii) Any federal or state court except on specific instructions of the agency, which has jurisdiction over the information or the attorney representing the United States in the case.(8)Disclosure to the public. Contractors will not disclose classified information to the public. Contractors will not disclose unclassified information pertaining to a classified contract to the public without prior review and clearance as specified in the Contract Security Classification Specification, or equivalent, for the contract or as otherwise specified by the GCA. The procedures of this paragraph also apply to information pertaining to classified contracts intended for use in unclassified brochures, promotional sales literature, reports to stockholders, or similar material.(i) The contractor will: (A) Submit requests for approval through the activity specified in the GCA-provided classification guidance for the contract involved.(B) Include in each request the approximate date the contractor intends to release the information for public disclosure and identify the media to be used for the initial release.(C) Retain a copy of each approved request for release for a period of one inspection cycle for review by the CSA.(D) Clear all information developed subsequent to the initial approval through the appropriate office prior to public disclosure.(ii) Unless specifically prohibited by the GCA, the contractor does not need to request approval for disclosure of: (A) The fact that a contract has been received, including the subject of the contract or type of item in general terms provided the name or description of the subject is not classified.(B) The method or type of contract.(C) Total dollar amount of the contract unless that information equates to: (1) A level of effort in a sensitive research area.(2) Quantities of stocks of certain weapons and equipment that are classified.(D) Whether the contract will require the hiring or termination of employees.(E) Other information that from time-to-time may be authorized on a case-by-case basis in a specific agreement with the contractor.(F) Information previously officially approved for public disclosure.(iii) Information that has been declassified is not authorized for public disclosure. If the information is comingled with CUI, or qualifies as CUI once declassified, it will be marked and protected as CUI until it is decontrolled pursuant to 32 CFR part 2002 and reviewed for public release. If the information does not qualify as CUI, it will be protected in accordance with the basic safeguarding requirements in 48 CFR 52.204-21 and subject to the agency's public release procedures. Contractors will request approval for public disclosure of declassified information in accordance with the procedures of this paragraph.(i)Disposition. Contractors will:(1) Establish procedures for review of their classified holdings on a recurring basis to ensure the classified holdings are in support of a current contract or authorization to retain beyond the end of the contract period.(2) Destroy duplicate copies as soon as practical.(3) For disposition of classified material not received under a specific contract:(i) Return or destroy classified material received with a bid, proposal, or quote if the bid, proposal, or quote is not:(A) Submitted or is withdrawn within 180 days after the opening date of bids, proposals, or quotes.(B) Accepted within 180 days after notification that a bid, proposal, or quote has not been accepted.(ii) If the classified material was not received under a specific contract, such as material obtained at classified meetings or from a secondary distribution center, return or destroy the classified material within one year after receipt.(j)Retention. The provisions of § 117.13(d)(5) apply for retention of classified material upon completion of a classified contract. (1) If contractors propose to retain copies of classified material beyond 2 years, the contractor will identify: (i) TOP SECRET material identified in a list of specific documents unless the GCA authorizes identification by subject and approximate number of documents.(ii) SECRET and CONFIDENTIAL material may be identified by general subject and the approximate number of documents.(iii) Contractors will include a statement of justification for retention beyond two years based on if the material:(A) Is necessary for the maintenance of the contractor's essential records.(B) Is patentable or proprietary data to which the contractor has the title.(C) Will assist the contractor in independent research and development efforts.(D) Will benefit the USG in the performance of other prospective or existing agency contracts.(E) Will benefit the USG in the performance of another active contract and will be transferred to that contract (specify contract).(2) If the GCA does not authorize retention beyond two years, the contractor will destroy all classified material received or generated in the performance of a classified contract unless it has been declassified or the GCA has requested that the material be returned.(k)Termination of security agreement. Notwithstanding the provisions for retention outlined in paragraph (i) in this section, in the event that the CSA terminates the contractor's eligibility for access to classified information, the contractor will return all classified material in its possession to the GCA concerned, or dispose of such material in accordance with instructions from the CSA.(l)Safeguarding CUI. While outside the requirements of the NISPOM, when a classified contract also includes provisions for protection of CUI, contractors will comply with those contract requirements.