Chapter 8


8-100 Policy

It is the policy of the Department of Defense to use the security classification categories and the applicable sections of E.O. 12958 and its implementing ISOO Directives to limit access to classified information on a "need-to-know" basis only to those personnel who have been determined to meet requisite personnel security requirements. Further, it is DoD policy to rigorously apply the need-to-know principle in the normal course of controlling collateral classified information so that Special Access Program (SAP) controls will be used only when exceptional security measures are required based on threat and/or vulnerability (e.g. sensitivity or value of the information) associated with the SAP. Need-to-know principles shall also be applied within SAPs. In this context, SAPs may be created or continued only on a specific finding that:

8-101 SAP Procedures

Unless exempted by the Secretary of Defense or Deputy Secretary of Defense, the DoD SAP Oversight Committee, (SAPOC), management structure and its working level Senior Review Group (SRG) shall be the forum for addressing the approval and disapproval for all DoD SAPs. In brief, the DoD utilizes a SAP Coordination Office (SAPCO), to support the SAPOC. The SAPOC is a matrix management organization that is made up of three OSD-level SAP Central Offices. The required approval documents shall be processed through the appropriate Unified Commands or respective component to the appropriate OSD-level SAP Central Office (i.e., Acquisition SAPs to Director, Special Programs, OUSD (A&T)); Operations and Support SAPs, Director, Special Programs, ODTUSD(P)PS, OUSD(P); and Intelligence SAPs, Director, Special Programs, OASD (C3I). The OSD-level SAP Central Office will "sponsor" the program for SAP approval and as a part of the SAPCO control it as it is processed through the SRG and SAPOC management structures to the Deputy Secretary of Defense, Chairman, SAPOC. In addition, the OSD-level SAP Central Offices must be advised of all non-DoD SAPs that have DoD participation (e.g., DoD personnel performing any program functions). SAPs that are NOT DoD SAPs, but which have active DoD support must be reported to one of the three cognizant OSD-level Central Offices. Specifically:

8-102 Control and Administration

a. SAPs shall be controlled and managed in accordance with DoD Directive O-5205.7. The processes of the SAPOC, the SRG, the SAPCO, and the Special Access Program Policy Forum facilitate standardized and uniform security procedures and requirements. Specific responsibilities of the SAPOC, SRG, SAPCO, and SAP Policy Forum are defined in DoD Directive O-5205.7.

b. The three OSD-level SAP Central Offices (Acquisition, Intelligence, and Operations and Support) have primary responsibility for (and authority over): (l) the types of activities conducted in the SAPs under their areas of cognizance; (2) endorsing or negotiating a change of the assigned category of a SAP; (3) collating, coordinating, and forwarding the SAPs annual reports; (4) conducting oversight reviews, as required; (5) reviewing and endorsing terminating or transitioning plans; and (6) ensuring SAPs do not duplicate or overlap other programs under its purview.

c. Each DoD Component shall establish a Component-level SAP Central Office to coordinate SAP requests for approval and otherwise "mirror" the activities of the three OSD-level SAP Central Offices. In addition to the specific responsibilities set forth in DoD Directive O-5205.7, Component-level SAP Central Offices shall maintain records of all SAPs and Prospective SAPs, (P-SAPs), under their cognizance to include approval documentation and, if appropriate, revalidation documentation. Records shall be retained for the life of the SAP and for 12 months after termination of the program.

d. In accordance with DoD Directive 5010.38 and Office of Management and Budget Circular A-123, the DoD Management Control Program (MCP) will be implemented within all SAPs. To ensure adequate implementation, DoD Components are required to have MCP coordinators within special access channels to:

e. Unless specifically exempted by the SAPCO, SAP contract administration services shall be delegated to the Defense Contract Management Command's (DCMC) dedicated cadre of personnel. Also, the DCMC shall utilize the dedicated cadre of personnel of the Defense Contract Audit Agency for audit services, unless specifically exempted.

8-103 Establishment of DoD SAPs

a. In accordance with E.O. 12958, within the Department of Defense, only the Secretary of Defense or Deputy Secretary of Defense may create a SAP. The DoD Components proposing the establishment of SAPs shall evaluate and process proposals in accordance with the procedures in this Regulation, DoD Directive O-5205.7 and other implementing directives. DoD Components are responsible for ensuring that Unified Combatant Commands are appropriately briefed and consulted during the development process. A SAP may not be initiated until the defense committees of Congress are notified of the program and a period of 30 days elapses after such notification is received.

b. The military Departments SAP Central Offices or OSD-level SAP Central Offices may authorize a Prospective SAP (P-SAP). Upon authorization, enhanced security measures (i.e., SAP controls) may be applied to a P-SAP for up to 6 months. The program must be terminated if not submitted to SAPOC process after 6 months or formally extended by the Director, SAPCO. Except for minor administrative security operations and maintenance ("O&M") funds needed to maintain security, no direct funding may be expended on any P-SAP without the required notifications to Congress. Transitional funds for associated efforts in some instances are authorized where direct funding is not applicable. In all cases, the Director or Deputy Director SAPCO must be notified of the establishment or termination of P-SAPs through the appropriate OSD-level SAP Central Office.

c. Before initiating a SAP, notifying Congress, or expending funds on a SAP, the DoD Components shall forward a request for approval of the SAP and relevant funding documentation to the Deputy Secretary of Defense through the appropriate OSD-level SAP Central Office for processing through SAPOC management structure. The Director, Special Programs, ODTUSD(P)PS, OUSD(P) shall review the security requirements on behalf of the SAPOC.

d. The request package shall include the following:

e. Carve-Out Contracts

f. Nicknames and Code words

8-104 Reviews of SAPs

a. To facilitate management's stewardship over SAPs, each DoD SAP shall be reviewed annually by the DoD Component responsible for initiation and sponsorship of the program, in coordination with appropriate Unified Combatant Commands. These reviews shall include annual regularly scheduled audits by security, contract administration, and audit organizations. Written records of these reviews and audits shall be maintained for the lifetime of the SAP and for 12 months following its termination. These records shall be available for evaluation during the OSD-level SAP Central Office program reviews.

b. As part of the annual reporting and revalidation of all DoD SAPs, the DoD Components shall ensure that these programs continue to be reviewed by qualified legal counsel for compliance with applicable laws, executive orders, and regulations.

c. The OSD-level SAP Central Offices shall conduct oversight reviews, as required, to determine compliance with DoD Directive O-5205.7 and this Regulation, to specifically include verification of the conduct of Component-level annual security reviews.

d. The ODTUSD(P)PS, OUSD (P), shall conduct appropriate annual oversight reviews of each SAP Central Office and, as deemed necessary, on-sight program security reviews at Government and contractor locations.

e. The Inspector General of the Department of Defense shall conduct oversight of DoD SAPs, pursuant to statutory authority.

f. Oversight, review, and SAP support activities shall accomplish their functions using small cadres of specially cleared and qualified personnel, sufficient in size to address the SAP workload. The cadre's primary responsibility is to support SAPs.

8-105 Annual Reports and Revalidation

a. Section 119 of title 10, United States Code requires that not later than March 1 of each year, the Secretary of Defense shall report all DoD SAPs to Congress. These annual reports also serve as the vehicle for revalidation and approval for continuation of all DoD SAPs by the Deputy Secretary of Defense. Any SAP not granted approval to continue shall be terminated.

b. Not later than December 15 of each year, the Component-level SAP Central Office shall submit reports for the Deputy Secretary of Defense on all SAPs under their sponsorship. Since the President's budget may not be available by that date, provide the best estimate as a part of the report with actual budget numbers being provided as soon as they are available.

c. For each SAP sponsored, the DoD Components shall prepare separate reports and "Quad Charts" in the format shown in Appendix I in both MS Word and hard copy. The reports and "Quad Charts" shall be forwarded to the appropriate Component-level SAP Central Office for processing. All information elements may not apply to all SAPs; however, as a minimum, each report must include:

d. Components' submissions shall also include a certification that there are no unreported SAPs or SAP-like programs, or an explanation for any programs not included in the report. Any SAP being terminated or unfunded must be clearly identified.

e. The Component-level SAP Central Office shall aggregate reports by category of SAP (acquisition, intelligence, and operations and support), and shall forward them to the appropriate OSD-level SAP Central Office. The OSD-level SAP Central Offices shall collate and forward the reports to the Director, SAPCO for Deputy Secretary of Defense action. After action by the Deputy Secretary of Defense, the reports will be returned to the SAPCO.

f. The SAPCO notifies Congress of the Deputy Secretary of Defense's decisions and then returns the reports to the OSD-level SAP Central Offices for distribution and action.

g. SAPs that are approved by the Deputy Secretary of Defense as Waived SAPs under Section 119(e), title 10, United States Code, shall be reported on a case-by-case basis to appropriate members of Congress, in accordance with applicable law, with specific direction from the Secretary or Deputy Secretary of Defense.

8-106 Interim Reports

The Component-level SAP Central Office shall immediately notify (through the OSD-level SAP Central Office) the Director, SAPCO, when there is a SAP or subcompartment nickname or code word change. Any additions, deletions, or corrections to the annual report should be reported as they occur during the year to include subcompartments. The interim report shall contain, at a minimum, the nickname affected, effective date of the change, and information that has been changed from the previous report.

8-107 Changes in Classification

a. DoD Components intending to downgrade the classification of a SAP, transition from unacknowledged to acknowledged, remove enhanced controls from a SAP and/or move the program to a collateral security level, declassify a program, or make a public announcement concerning any of these activities, shall prepare letters of notification to the appropriate Congressional Committees in accordance with the format in Appendix I. This requirement also applies to significant subelements or subcompartments of SAPs that could potentially be of interest to the Congress (i.e., generally this will necessitate reporting acquisition SAP subelements and most major subelements of intelligence, and operation and support SAPs, and when sub-compartments are not significant enough to be separately reported, these instances will be coordinated with the appropriate OSD SAP Central Office). This reporting requirement also applies to programmatic information that is being made public. The DoD Components shall forward these letters through the appropriate Component-level, OSD-level SAP Central Offices, and the Director, SAPCO, for processing to the Deputy Secretary of Defense. The letter shall contain a description of the proposed change, the reasons for the proposed change, and notice of any public announcement planned to be made about to the proposed change.

b. After approval and signature by the Deputy Secretary of Defense, notification letters shall be returned to the SAPCO for delivery to Congress by the DoD Component or the SAPCO. No action relative to the change in classification or enhanced security measures (i.e., removal from or change SAP status) of the SAP shall be taken or any announcement made sooner than 14 days after the letters have been delivered to the appropriate committees in Congress, unless authorized pursuant to statute by the Deputy Secretary of Defense.

8-108 Termination and Transitioning of SAPs

a. SAPs shall be carefully but promptly terminated or transitioned to collateral security programs when there is no longer a need for the enhanced security protection.

b. DoD sponsoring Components shall prepare SAP termination plans (i.e., a Plan of Action and Milestones, how the "de-sapped" program will comply with the Acquisition System Protection requirements). The plan will outline the security measures that will be followed when terminating or transitioning a SAP. The plan shall identify information that will remain classified and as appropriate, the OPSEC measures designed to protect any sensitive unclassified indicators, or methods associated with the SAP. A time and/or event phased (as deemed most appropriate) Security Classification Guide shall be included in the plan. The plan shall take into consideration continuing collateral security requirements in all functional areas to include the technical aspects, funding, contracting operations, legal, logistics, training, and administrative requirements. The DoD Components shall forward the termination and/or transitioning plan to the appropriate OSD-level SAP Central Office for review and endorsement.

c. In all cases, the notification procedures set forth in subsection 8-107 above, shall be followed before actual termination or transition of a SAP is effected.