Classified Research
Upon receipt of funding, the federal sponsor or pass-through sponsor will provide the specifics for the handling of classified information.
Effective November 2020, DoD contracts will begin to include a requirement for Cybersecurity Maturity Model Certification. Review DoD Preparing for CMMC Requirements and DoD CMMC FAQs.
DD Form 254
DD Form 254 sets out the nature of the restriction on the information as well as the standards for handling. Every DD Form 254 sets out the security classification guidance needed for the classified effort. UW personnel who will generate classified information or who have access to classified information must have a security clearance in place. Security clearance for classified information requires compliance with the National Industrial Security Program Operations Manual (NISPOM).
Either within the DD Form 254 or the contract terms, the guidance will refer to NISPOM among other requirements.
Office of Sponsored Programs (OSP) Requirements
Before accepting funding for work that contains classified information, OSP must have:
- DD Form 254 signed by the Contracting Officer
- PI’s confirmation from the Faculty Council on Research (FCR) approving the restricted research
- Approval by the UW Facility Security Officer (FSO) on the associated eGC1 or written approval that UW personnel on the project have clearance
NAVSEA and Basic Operating Agreement (BOA) contracts: Various task orders under this contract may be classified. The overall contracts have FCR approval. However, individual classified taskings must have a signed DD Form 254 in place and FSO approval on the eGC1.
National Industrial Security Program Operations Manual (NISPOM)
Compliance with NISPOM is complicated and may require considerable changes to an IT system so that only those with security clearance have access to the classified materials. NISPOM requirements must be followed in handling all levels of classified information and associated unclassified information.
Policy, Regulation, and Guidance
- APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
- Office of the Chief Information Security Officer: Laws
- APS 2.6 Information Security Controls and Operational Practices
- Homeland Security Presidential Decision Directive 12 (HSPD-12)
- Information Assurance
- National Institute of Standards and Technology (NIST) Special Publications (SPs)
- Federal Information Security Management (and Modernization) Act (FISMA)
- Classified or Restricted Research