Security Requirements for List X Contractors - GOV.UK

1 Version April 2014 Security Requirements for List X Contractors Version April 2014 2 Version History SPF Version Document Version Date Published Summary Of Changes Dec 08 N/A May 09 N/A Oct 09 No significant changes to the document Apr 10 No significant changes to the document Oct 10 New paragraph 9h) detailing additional responsibility of Security Controllers to immediately report any Security incident involving MOD-owned, processed or generated information to the MOD Defence Industry Warning, Advice and Reporting Point (WARP) in the Joint Security Co-ordination Centre (JSyCC).

2 Oct 11 Paragraph 9c) Replace reference to System Security Policy (SSP) and Security Operating Procedures (SyOPs) with Risk Management and Accreditation Document Set (RMADS) Oct 11 New paragraphs 45-55 concerning Un-cleared Visitor Areas (UVAs) and other minor textual changes for the purposes of clarity. May 12 Additional information inserted at paragraph 83 concerning Private venture Projects. New paragraphs 126-137 concerning Homeworking. Minor amendments and additions to paragraphs 112-122 to update and provide more information on Overseas promotion, sale or release of defence equipment or technologies and on US Export controls.

3 Apr 13 Minor amendments to update paragraphs as necessary, including the format and branding. Amendments to paragraphs 114-129 concerning the Promotion, sale or release of defence equipment overseas. Apr 14 General update to reflect GSC Requirements . Version April 2014 3 Contents THE ROLE OF THE contractor 'S MANAGEMENT .. 5 MANDATORY SUPERVISION Requirements .. 5 RESPONSIBILITIES OF THE BOARD CONTACT .. 6 RESPONSIBILITIES OF THE Security CONTROLLER .. 6 COMPANY Security INSTRUCTIONS .. 8 NOTIFICATION OF CHANGES IN OWNERSHIP AND CONTROL OR CLOSURE OF A LIST X contractor .

4 8 CONTROLLING VISITORS TO LIST X PREMISES .. 9 Types of visitors .. 9 Contracting Authority and visitors from other List X Contractors .. 10 Security controls for meetings and conferences .. 10 VISITING OFFICIALS WITH A STATUTORY RIGHT OF ENTRY ..11 HEALTH AND SAFETY INSPECTORS .. 11 LOCAL AUTHORITY INSPECTORS .. 11 VISITORS FROM OVERSEAS ..12 VISITS TO ESTABLISHMENTS WHERE THE MOD IS THE CONTRACTING AUTHORITY .. 12 VISITORS FROM COUNTRIES OF SPECIAL Security INTEREST .. 13 UN-CLEARED VISITOR AREAS (UVAS) .. 13 OVERSEAS VISITS BY LIST X contractor EMPLOYEES .. 15 PROTECTION OF UK CLASSIFIED ASSETS OVERSEAS.

5 16 PROTECTION OF FOREIGN CLASSIFIED ASSETS RECEIVED DURING A VISIT .. 16 CONVENTIONAL FORCES IN EUROPE TREATY - GUIDELINES FOR CHALLENGE INSPECTIONS OF LIST X Contractors .. 17 PREPARATION AND CONTINGENCY PLANS ..17 INSPECTIONS .. 17 ACCOMMODATION Requirements .. 17 PROTECTING SENSITIVE ASSETS .. 17 INSPECTION TEAMS .. 18 UNITED NATIONS CHEMICAL WEAPONS CONVENTION - GUIDELINES FOR CHALLENGE INSPECTIONS OF LIST X Contractors ..19 PREPARATION AND CONTINGENCY PLANS .. 19 PRIVATE venture DEFENCE RELATED PROJECTS AND TECHNOLOGY .. 20 EXHIBITIONS AND PUBLICITY 21 Exhibitions.

6 23 Classified equipment .. 24 ADVERTISEMENTS ..24 Questionnaires and media enquiries .. 24 The Queen's Awards for Enterprise .. 25 OVERSEAS PROMOTION AND SALE OF EQUIPMENT AND TECHNOLOGIES .. 25 Export controls .. 25 OVERSEAS PROMOTION, SALE OR RELEASE OF DEFENCE EQUIPMENT OR TECHNOLOGIES ..26 MOD Form 680 Procedure .. 26 Relationship to defence exhibitions .. 26 Relationship to export licensing .. 26 Re-export of foreign-originated Security classified items .. 27 Processing times .. 27 Submission of applications .. 27 Further information .. 27 US RE-EXPORT CONTROLS.

7 27 Version April 2014 4 TRANSMISSION .. 28 LICENSED MANUFACTURE .. 28 HOMEWORKING ..28 THE RESPONSIBILITY OF THE Security CONTROLLER .. 29 THE RESPONSIBILITY OF THE INDIVIDUAL HOMEWORKER .. 29 IT Security .. 30 SUPERVISION AND AFTERCARE .. 30 Version April 2014 5 The Role of the contractor 's Management 1. Contractual responsibility for the Security of government assets held on the contractor 's premises rests with the contractor 's Board of Directors. 2. While some of the Security controls required under the terms of a contract may seem inconvenient, the baseline controls discussed in this framework have been designed to flexibly provide appropriate levels of protection for sensitive government assets, wherever they are held.

8 They can also be used to protect the contractor 's own assets, technology and expertise, on which the integrity, prosperity and Security of the company and its employees depend. 3. Senior managers should emphasise that Security is an integral function of line management and Security controls are only effective if properly planned, implemented and supervised. They should insist on the implementation of appropriate levels of Security as contractually defined, and be seen to give full support to line managers and Security staff involved in achieving and maintaining that objective.

9 4. Arrangements for meeting required Security controls are for the contractor to decide, but must always be sufficient to meet the baseline controls discussed in this Document and elsewhere in the Security Policy Framework. The Departmental Security Officer (DSO) or Security officials of the relevant Contracting Authority will be available to provide advice as to the adequacy of the Security controls implemented. 5. When deciding such arrangements, the contractor should bear in mind that the Contracting Authority is likely to treat any significant lapse in Security , leading to the compromise of classified assets, as a serious matter.

10 Failure to fulfil Security obligations in breach of contract conditions could result in contractual penalties, the termination of the contract and the removal of the contractor from List X. Mandatory supervision Requirements 6. The contractor will need to make the following appointments to satisfy mandatory Requirements for the supervision of the appropriate Security aspects: a) Board Level Contact - who must be a British national and a member of the Board of Directors, who will have overall responsibility for Security .