As part of a way to mitigate against evolving insider threats to national security information, the Defense Counterintelligence and Security Agency (DCSA) implemented the Security Executive Agent Directive 3 — commonly referred to as SEAD 3. The directive, which became effective June 12th, 2017, created reporting requirements for defense contractors and employees who have access to classified information.
In terms of what’s required to be divulged to each contractor’s agency office, SEAD 3 specifies numerous life events, activities (both personal and work-related), and foreign contacts of “covered individuals.” It also indicates certain “Reportable Actions by Others” that individuals need to communicate — mainly if the actions could be a security concern such as drug use, criminal history, or misuse of government property.
The purpose of the SEAD 3 reporting requirements is to ensure that sensitive information and critical government resources are only in the hands of competent and trustworthy individuals. The premise of the directive is simple — by collecting and tracking info on those with cleared access to national security assets and data, the Department of Defense (DoD) can proactively prevent breaches and other national security threats sourced at their contractors.
However, the recent Industrial Security Letter (ISL) 2021-02 from August 12th, 2021, with reporting guidance, clarification, and amended changes, shook the defense contracting industry quite a bit. So what exactly did that letter entail and what does it mean for the future of SEAD 3?
Initial Clarifications Per the Industry Security Letter Guidance
Upon the ISL 2021-02 release, a few initial items were raised concerning the National Industrial Security Program Operating Manual (NISPOM) reporting requirements. The first was the disclosing of adverse information. Because of the changing threat landscape in information security, the DCSA wanted to reiterate the need to report information on adverse (or potentially threatening) cleared employees.
This includes any activities that could compromise the integrity of someone with access to classified information. The ISL has various descriptions of “activities” that relate to psychological and emotional health, such as medically prescribed treatments as well as personal finance and business interests. One of the new ones that stand out is the ownership of cryptocurrency IF backed, hosted, or managed by a foreign country or exchange.
Another item outlined was the effective date when compliance assessments would begin for SEAD 3. Starting August 24th, 2021, all contractors that fall in the security requirements of DCSA would have needed to comply with the reporting requirements and then go into scheduled assessments by March 1st, 2022 — just a few months ago.
As we inch closer to this coming August (2022), a new focus is being emphasized when it comes to DoD foreign travel reporting.
Change to DoD Foreign Travel Reporting
Arguably the most important implication of the ISL is the amendment made to the NISPOM rule that extends the compliance date of (unofficial) foreign travel reporting. Beginning August 24th, 2022, reporting of foreign travel for the non-work-related activity of cleared personnel will be required as part of SEAD 3.
While cleared contractors under the DoD umbrella are currently and have already been required to disclose foreign travel to Facility Security Officers (FSOs), the August 24th date will be when they must inform the DCSA. Some critical items of DoD foreign travel reporting include the following:
- Unofficial foreign travel with an itinerary
- Any deviations from the original itinerary
- Unplanned or spontaneous day trips to Canada or Mexico
- Travel outside of the resided country (if the individual resides abroad)
There was also information in the ISL regarding pre-approval before unofficial foreign travel and which circumstances would trigger an approved trip. For example, if an individual notifies an FSO or other designee before the trip takes place or the cleared contractor gives the individual the National Counterintelligence and Security Center (NCSC) safe travel resource, it counts as an approved trip.
Additionally, guidance was provided for utilizing specific resources, coordinating with DCSA, and submitting aggregated travel reports. Per the ISL, reporting official or work-related foreign travel is not required as part of these changes.
How MathCraft is Evolving with New Reporting Requirements
Our top priorities are helping FSOs fulfill their industrial security objectives while remaining in compliance. We are constantly updating our products as new or revised requirements are set forth by the DoD and other federal departments. Our Portal Commander platform, for instance, has evolved with the ongoing reporting changes to help manage, track, and report on foreign travel requests made by cleared personnel through self-service tools.
Contact us today to learn more about how you can streamline your audit and compliance processes with integrative industrial security technology solutions.