C18.104.22.168. Carve-Out Contracts
C22.214.171.124.1. The use of contracts that relieve DoD
organizations of their established contract-related responsibilities must be
fully explained and justified. If the SAP will perform the functions of
review and/or inspection, the responsibilities of the Cognizant Security
Office(s), or investigative functions, a request must be made to relieve DIS
from their responsibilities under the National
Industrial Security Program, and the practice must be identified as a
"carve-out." Carve-outs are prohibited unless:
C126.96.36.199.1.1. The contract in question supports a SAP that
has been approved by the SAPOC.
C188.8.131.52.1.2. Mere knowledge of the existence of a
particular contract or its association with the SAP is classified and
designated as SAP-protected information; and
C184.108.40.206.1.3. The carve-out status for the SAP on its
contract was approved as a part of the DoD SAPOC process.
C220.127.116.11.2. The DD Form 254, classified if necessary, shall be
used to document a carve-out contract. The DD Form 254 shall identify
specific areas, or locations within a contractor's facility that define the
extent of the carve-out, (e.g., a safe, a room, or a particular building).
It will also identify the CSO and CSA. The Component-level SAP Central
Office shall provide a copy of each DD Form 254 to the appropriate DIS
cognizant security office and, if applicable, to the Director, Defense
Contract Audit Agency (DCAA). In exceptional instances the OSD-level SAP
Central Office may, with concurrence of the Director, Special Programs,
ODTUSD(P), OUSD(P) convey appropriate written notification defining the
extent of the carve-out directly to the Director, DIS, and if applicable to
the Director, DCAA.
C18.104.22.168.3. Approved carve-out contracts shall be afforded the
support from the sponsoring Component-level SAP Central Office for the
protection of the classified information involved. The support shall be
provided through a system of controls that includes, but is not limited to,
the following elements:
C22.214.171.124.3.1. Designate a central office of record and an
official designated to be the single point of contact for SAP security
planning, control, and administration. These security plans shall be
submitted to the Director, Special Programs, ODTUSD(P), OUSD(P) for review
and endorsement as a part of the SAPOC approval process.
C126.96.36.199.3.2. A Written Security Plan. The plan will
include, if applicable, how security will be accomplished for contractors.
An overprinted DoD 5220.22-M-Sup. 1 (reference (uu)) will be
provided if contracts are a part of the SAP. Oral changes or deviations
from the written plan are prohibited except in critical situations. These
changes will be documented as soon as practicable after the fact.