Thinking of entering the defense contractor market place or wish to provide services to a classified government customer, Department of Defense, intelligence community or other government agency or department? You will want to familiarize yourself with the National Industrial Security Program Operating Manual (NISPOM) and the Director of Central Intelligence Directives (DCIDs). The NISPOM is your security operational bible, containing the many parameters surrounding the defense classified engagement, while the DCIDs serve the same purpose from engagement within the intelligence community.

Fair warning, engaging within the classified community you will encounter acronym overload, the manual contains over 103 of these. That said, there are acronyms which every entity supporting a classified government engagement will want to know. The CSA, CSO, and FSO are three of the most important.

CSA = Cognizant Security Authority

Within the NISPOM/DCIDs parlance, Cognizant Security Authority (CSA) denotes the department or agency which has security administrative responsibility for the classified activities and contracts under their remit. The CSA serves as the ultimate arbiter with respect to interpretation of the NISPOM or DCIDs, whichever is applicable. Inquiries are forwarded to the CSA either through the Cognizant Security Offices (CSO) for contractor facilities or the commander or head of facility for U.S. Government facilities. If a contractor is to utilize a CSO, the CSA will identify the entity to the contractor. In addition to providing interpretation of the operating manuals, the CSA also serves as the  decision point with respect to obtaining a waiver.

FSO = Facility Security Officer

Within Defense contractor facilities, sits the Facility Security Officer (FSO). The FSO must be a US Citizen employee, who is cleared to work within the cleared facility. The FSO is appointed by his/her employer – the contractor –  as the FSO. The FSO will “supervise and direct security measures” within the facility. Thankfully, one is not simply appointed FSO and cut loose, the FSO is required to take applicable training courses in order to understand fully the complexity of the requirements levied by the CSA and outlined within the NISPOM/DCIDs.

For those who enjoy the trust of their government, and are working within a classified environment, they can expect the FSO to provide a facility specific standard operating procedures (SOP). The SOP will include those portions of the NISPOM/DCIDs applicable, as well as any unique requirements levied by the CSA or the contracting government agency.

Reference: NISPOM February 2006 (Incorporating Change 1 – March 28, 2013)

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of