Mastering DD254s

Mastering DD254s

Jennie* was excited about her Security Vulnerability Assessment.   As an FSO, she worked hard on her security program and wanted to make a good impression to her IS Representative and company management.   This was the first year that Jennie had subcontractors on the organization’s classified contracts.

To prepare the correct security guidance for her subs, Jennie had checked and double-checked the process in NISPOM Chapter 7, asked advice from her security association chapter and sent the final subDD254s to her IS Rep before sending them to the sub-contractor.   She felt confident when her IS Rep reached the DD254 section of her assessment binder.

“Hmmmm…..” said her IS Rep, reviewing her first DD254. “There are 5 different errors on this DD254.”

“What?” dumbfounded, Jennie looked at the document the Rep was holding.

“Oh – that isn’t one of my DD254s to a subcontractor. That one is from the issuing authority to me.   That is the way they sent it.” She said with a shrug. Government. What are you gonna do?

What Jennie, and many other FSOs, don’t always realize is that FSO’s are required to review and work to get any DD254s corrected.

Specifically, the NISPOM – which refers to DD254s as Contract Security Classification Specification states “Contractors shall, to the extent practicable, advise and assist in the development of the original [DD254]”. Additionally, “Users”“are also encouraged to notify the originator of the [DD254] when they acquire information that suggests the need for change …” (NISPOM, 4-103a)

Long story short – contractors are required to work to get incorrect DD254s corrected!

What should you correct?

Each DD254 contains 17 items (not counting addendums) that need to be reviewed for errors.   You want to go over the DD254 thoroughly to ensure it is correct.

Use a Checklist

FSO PRO has created a “DD254 Checklist” using NISPOM Guidance and Security Society guides/job aids – all condensed into a checklist to ensure the required information is reviewed and key items are correct.   Request your copy of the checklist here.

Now that you have identified incorrect information ….

Start early

It takes a little bit of time to get a DD254 corrected because, you know, government. So don’t wait until right before your assessment to begin.   Ideally, you work on this when the DD254 arrives or during your self-inspection.

Help the government out!

Send a corrected version of the DD254 to the government issuing agency and requesting their review and signature.  Many will be happy that you have helped them out and send you a signed, corrected version quickly.

Wash, rinse, repeat

If they don’t respond, keep at it (again, why you should start early), but carefully.   These are your customers so you have to balance your challenge with diplomacy and helpfulness.     Your management will not be impressed if you argue or make threats to your government customers.   Be respectful. Appeal to their need to help you during your “inspection.”   You would be surprised how many people sympathize with the words inspection, assessment or audit.

Get help

If all forms of communication fail, ask your IS Rep to assist you by contacting their security authority directly.   That may not win you good-will with your government customer, but the big picture is to ensure classified information is properly safeguarded.   If someone is deliberately ignoring that, they may need to be contacted by an office that gets their attention.

Another option is to enlist the help of FSO PRO who has the time and experience requesting changes to DD254s. Your time is valuable. We can all use an extra set of hands to keep our security posture strong and increase confidence during our security assessments.

For more DD254 guidance, read all of NISPOM 4-103.    Have questions? Ask here.


Need help remembering your FSO requirements? Sign up for monthly text reminders for JPAS login and other DSS due-outs!