Classifying your Federal Contract: A Guide to the DD Form 254

Through our experts’ decades of experience supporting federal procurement, Washington Business Dynamics, LLC (WBD) understands our DoD clients’ push to ensure minimum security clearance standards are met and to avoid unnecessarily granting security clearances. The US Government Accountability Office (GAO) identifies the backlog of security investigations as a high-risk item, and WBD understands that improperly completing the DD254 contributes to that risk. To better assist the DoD acquisition community in determining security requirements, we have created this step-by-step guide on how to complete a DD254.

DD254 and Its Impact on Assisted Acquisitions

The Department of Defense’s (DoD) mission requires its organizations to pursue highly complex acquisitions in a wide range of fields, such as information technology (IT) and cyber security, that entail the maintenance of security clearances and classified information. As a result, the DoD is often required to complete the DD254, also known as the Contract Security Classification Specification. Completion of the DD254 is required under the Federal Acquisition Regulation (FAR) and the National Industrial Security Program Operating Manual (NISPOM), and the form is used to grant contractors access to classified information, which may be required to execute contractual requirements. After the US Department of Health and Human Services’ (HHS) decision to end assisted acquisitions for DoD Agencies in 2019, the impact of the DD254 is more prominent than ever.

Despite many years of assisted acquisitions, many were surprised to learn of HHS’s decision to end assisted acquisitions. Reports state that a key impetus behind the decision was the DD254 requirement for DoD contracts. Although some in the acquisition community argue that the existence of a DD254 does not make the contract itself classified, HHS cited the presence of the DD254 on DoD contracts as classified work.

What Is the Clearance Level?

The first item to complete is the form classification level. Note that this section only refers to the classification level of the form itself. In completing an unclassified DD254, please be sure to select “Unclassified” from the drop-down menu.

Next, procurement professionals should complete Section 1a – the Facility Security Clearance Level (FCL), which is the highest level of facility clearance the contractor must obtain to perform work under the contract. An important note is that the contractor must have an FCL at least as high as the classification level indicated in Section 1a. It is also important to correctly identify the appropriate FCL for the work – too low a classification could jeopardize security, and too high a classification could result in undue contract costs.

Section 1b refers to the level of safeguarding for classified information/material required at the contractor’s facility for performance of the contract. If the contractor will only be accessing classified information/material at a government facility, item 1b does not apply and “None” should be selected. Note: the classification level in Section 1b cannot be higher than the level specified in Section 1a.

What Stage of the Acquisition Are We In?

In Section 2, you will specify whether the form is for a prime contract or subcontract and, if the former is the case, you will specify whether the form is for a solicitation. If the form is for a solicitation, mark the box to the left for Section 2c, and enter the solicitation number and solicitation due date assigned by the issuing activity. If you are filling out the form for an awarded contract, mark the box to the left for Section 2a, and enter the contract number generated by the contracting office. Note: keep the solicitation information entered for Section 2c on the form when you later go to enter the award information in Section 2a (and the awarded contractor information in Section 6). If there are any other numbers beyond the contract number issued by the Government Contracting Activity (GCA), be sure to list those numbers in Section 13 (e.g., task order or a mass schedule).

What Version Is It? Is This a Final DD Form 254?

If this is the first time completing a DD254 for a given requirement, mark Section 3a for “Original,” and enter the date of the form creation. Original date refers to the release/certifying official signature date in Section 17. Section 3b refers to a revision of an already-approved form. A revision is needed when there are changes to a contract pertaining to security requirements: FCL, level of classified access (Section 10 items), level of access (Section 11 items), places of performance, or period of performance. Regarding the period of performance, contract performance cannot extend beyond the period of performance specified on the DD254 form. If any of the mentioned changes apply, the DD254 must be revised. In addition to marking Section 3b for “revision,” indicate in the box the revision number – “1” if this is the first time the form has been revised. Indicate the revision date. It is important to note that, depending on the processing agency, Section 13 may need to be annotated with a reference to Section 3b stating the revision reason. A few notes:

  • Revisions to the DD254 must be incorporated into the contract via a modification.
  • Exercising option years does not require a DD254 revision – unless the aforementioned security-related conditions change.
  • Classification requirements should be reviewed at least biennially.

Section 3c should only be marked if the contractor requests the right to retain any project-related documents beyond the two-year retention period authorized by the NISPOM (DoD 5220.22-M). If the contractor needs the materials for a longer period of time, permission must be requested in writing from the Government Contracting Activity (GCA). It is recommended that the contractor maintain a copy of this formal request until retention authorization is received from the GCA, which determines whether the materials should be destroyed, returned, or retained by the contractor. If Section 3c is marked, then Section 5 should be marked “yes” and the date of the contractor’s request for retention should be entered, along with the authorized period of retention.

Is this a Follow-on or New Requirement?

Section 4 indicates whether or not the form is for a follow-on contract, which is a contract that is awarded to the same contractor for the same services/items as a preceding contract. If the contract is a follow-on contract, mark “yes” and enter the preceding contract number in the space provided. Section 13 should reference Section 4, stating that the contractor is authorized to transfer material received or generated under the preceding contract to the new contract.

Who Is the Contractor?

If you are filling out the form for a solicitation, the contractor information in Section 6 will not yet be known. In this case, enter “TBD” for all blocks in Section 6. When the contractor information is known, enter the contractor name – exactly as it appears on the contractor’s National Industrial Security System (NISS) profile – and address in Section 6a. Annotate in Section 13 the contractor’s classified mailing address, if one is included in the contractor’s NISS profile. Indicate the contractor’s CAGE code in Section 6b, and the contractor’s Cognizant Security Office (CSO), address, and phone number in Section 6c. Note: the CSO information can be found on the contractor’s NISS profile.

Are Subcontractors Supporting the Requirement?

Once the DD254 has been signed by the appropriate security office, the Facility Security Officer (FSO) can add a subcontractor to the DD254 form. If a prime contractor wishes to employ a subcontractor for classified work, the prime FSO must complete the subcontractor DD254. To do so, the FSO transfers all prime DD254 information onto a new DD254, ensuring the Section 7 items are complete with the subcontractor name, address, CAGE code, and CSO information listed in the subcontractor’s NISS profile. A prime contract with an FCL of Secret cannot have a subcontractor performing work at the Top Secret (TS) level. Additionally, the subcontractor cannot have access to the items checked in Section 10 that are not already specified on the prime DD254.

Where Is Performance Taking Place?

In Section 8, indicate the location name and address of where the contractor will be accessing classified information. If there are multiple places of performance, instead indicate “see Section 13” and include all location names and addresses in Section 13. Note: Sections 8b and 8c do not apply if the access to classified information will occur only at a government facility.

Describe Your Requirement

For Section 9, enter a concise, unclassified description of the procurement. This information can be derived from the scope and/or objective listed in the Performance Work Statement / Statement of Work.

What Access Is Required?

Now we have arrived at the fun part (and arguably the most difficult part to complete) of the form: Section 10. Mark all items “YES” or “NO,” as appropriate to the requirements of the contract. Section 10 items are access requirements for the contractor and its employees; they do not refer to safeguarding. Fill this section out regardless of where the access will occur (the contractor’s facility or a government facility). Additionally, any item checked in Section 10 must be properly annotated. Some noteworthy Section 10 items include:

  • Section 10g could arguably be the most easily misunderstood part of the DD254 form. Section 10g is only checked when the requirement is in support of a NATO mission, and direct access to NATO is required. The Requirement Owner, Business Customer, and/or Subject Matter Expert for the requirement work should know if the requirement is in direct support of a NATO mission. If the requirement is not in direct support of a NATO mission, but SIPRNET access is needed, Section 13 simply needs to contain a reference to Section 10k stating that a NATO Secret briefing is required before SIPRNET access is granted, due to NATO information residing on the SIPRNET. The prime FSO is responsible for handling the briefing and ensuring that the contractor’s NISS profile is updated to include NATO access.
  • For Section 10k, indicate any other access the contractor needs, such as classified network access (e.g., SIPRNET/JWICS).

What Actions Will the Contractor Perform?

Section 11 addresses actions the contractor will perform. Note: any items checked in Section 11 should be annotated in Section 13. As with Section 10, below are noteworthy Section 11 items that warrant attention:

  • If the contract contains deliverables, do not check Section 11e. Only check Section 11e if the contract strictly requires services without deliverables.
  • For Section 11k, indicate any other actions the contractor needs to perform the contract, such as IT-level access. IT-I access refers to administrative user access needed to perform tasks on the network such as engineering, and IT-II refers to basic user level access.

Is Public Release Allowed?

GCAs should complete this item as required by internal agency directives to direct the prime contractor to the appropriate office in the GCA that has public release authority.

If public release of information is not authorized, leave the first two boxes unchecked and enter in the “Public Release Authority” block that “public release of information is not authorized.”

What Specific Security Requirements Apply?

Section 13 should include the General Information section listed in the DD254 instructions, and any references to items checked in Sections 10 and 11, as well as Sections 3b and 4. Within the General Information Section, ensure that the period of performance matches the PWS, and the proper security office is listed and matches the PWS (if applicable). For solicitations without defined period of performance dates, a generalized period of performance can be entered on the solicitation DD254 and the specific dates can be entered when the award DD254 is filled out.

What Other Security Procedures Apply?

Section 14 will be checked “yes” if any additional security requirements apply, such as Section 11j (OPSEC), Section 10e1 (SCI), or Section 10f (SAP). Ensure the proper statements for each of the three mentioned items are entered into Section 14. Additionally, SCI and SAP each require an additional signature line on the form, so be sure to add a signature line for each of the two items.

Who Else is Responsible for Inspections?

Section 15 is marked “yes” when the CSO is relieved of any inspection responsibilities. The areas for which the CSO is relieved and the agency assuming responsibility must be identified in this item.

Identify Your Contracting Activities

Section 16 refers to the GCA for the contract, with Sections 16d–16f typically being the Contracting Officer. Ensure the proper DoDAAC is filled in for Section 16b.

Obtain Your Requisite Reviews and Approvals

In Section 17, the requesting agency Contracting Officer Representative will enter his or her agency name and address, along with his or her own contact information. Much like Section 16b, ensure that the proper DoDAAC is entered in Section 17d.

Who Will Receive the DD Form 254?

To tie off the DD254, we come to the final section: Section 18. Section 18 simply refers to who will receive signed copies of the DD254. Mark the boxes, as appropriate, for who will receive the signed copies. It is recommended that the following boxes be checked at a minimum: the contractor, subcontractor (if the form is for a subcontractor), the CSO, and the Administrative Contracting Officer.


Thorough accuracy in the DD254 not only ensures the timely award of DoD contracts and protection of national security, but also helps preserve acquisition collaboration among agencies. Especially in instances where collaboration occurs with non-DoD agencies through assisted acquisitions, DoD can substantially ease the administrative burden for agencies that are not as familiar with the security requirements specified in the NISPOM. WBD recommends constant communication and collaboration with your assisted acquisitions partners and security offices to develop accurate DD254s. We hope this step-by-step guide serves the DoD acquisition community well with a secure and successful procurement.