ŷ���ڱ���Ƶ

Bd. Min. 06-27-24; Amended Bd. Min. 11-20-24.

1. Statement of Purpose
   
   1. This rule addresses The Curators of the ŷ���ڱ���Ƶ of Missouri (a.k.a., the ŷ���ڱ���Ƶ of Missouri ŷ���ڱ���Ƶ (UM ŷ���ڱ���Ƶ)) compliance with U.S. industrial security policy, including applicable federal statutes, Executive Orders (E.O.), Code of Federal Regulations (CFR), Department of Defense Instructions (DoDI), and other applicable authorities. UM ŷ���ڱ���Ƶ is committed to compliance for the protection of classified information disclosed to or developed by contractors of the U.S. Government (USG), employed or the responsibility of UM ŷ���ڱ���Ƶ (contractors).
   2. This rule will be applied to achieve compliance with applicable federal authorities, including:
      
      1. E.O. 12829, National Industrial Security Program
      2. E.O. 10865, Safeguarding Classified Information within Industry
      3. 32 CFR Part 2004, National Industrial Security Program
      4. DoDI 5220.22, National Industrial Security Program
      5. 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM)
   3. This rule implements policy, assigns responsibilities, and establishes requirements for the protection of classified information disclosed to, or developed by contractors across the UM ŷ���ڱ���Ƶ.
2. Scope and Compliance Policy
   
   1. This rule applies to all cleared facilities (i.e., Facility Clearances or FCLs) within the UM ŷ���ڱ���Ƶ holding a FCL, to all personnel whose personnel security clearances are held by a UM ŷ���ڱ���Ƶ or subsidiary FCL, and to all personnel who hold roles related to ensuring compliance with the authorities outlined in subsection A.2 (e.g., Key Management Personnel or KMPs).
   2. The UM ŷ���ڱ���Ƶ is the “corporate family” for all classified work taking place at any FCL within the ŷ���ڱ���Ƶ. Individual universities may have subsidiary Facility Clearances under the UM ŷ���ڱ���Ƶ Facility Clearance if they have federal authorization to hold classified materials on-site, a secondary place-of- performance, or flow down to a sub-tier contractor.
   3. The UM ŷ���ڱ���Ƶ shall implement a corporate-wide Insider Threat Program to address insider threats throughout the UM ŷ���ڱ���Ƶ.
   4. The President will appoint the following personnel to oversee and implement the UM ŷ���ڱ���Ƶ industrial security program (ISP) (ŷ���ڱ���Ƶ ISP):
      
      1. Senior Management Official (SMO)
      2. Insider Threat Program Senior Management Official (ITPSO)
      3. Facility Security Officer (FSO)
   5. The personnel identified in subsection B.4 must:
      
      1. Oversee the implementation of the requirements of the NISPOM;
      2. Undergo the same security training that is required of all contractors, in addition to any position specific training;
      3. Be designated in writing; and
      4. Undergo a personnel security investigation and national security eligibility determination for access to classified information at the level of the entity’s eligibility determination for access to classified information.
   6. SMO: The President of the UM ŷ���ڱ���Ƶ is the SMO for the UM ŷ���ڱ���Ƶ FCL and for all subsidiary FCLs held by an individual university within the UM ŷ���ڱ���Ƶ. The SMO will:
      
      1. Ensure a system of security controls in accordance with the NISPOM;
      2. Appoint an UM ŷ���ڱ���Ƶ ITPSO and FSO in writing;
      3. Remain fully informed of the UM ŷ���ڱ���Ƶ ISP classified operations;
      4. Make decisions based on the threat reporting and information and the potential impacts to the UM ŷ���ڱ���Ƶ ISP; and
      5. Retain accountability for the management and operations of the ŷ���ڱ���Ƶ’s ISP without delegating that accountability.
   7. ITPSO: The Director, Research Security and Compliance is the ITPSO and will be designated in writing by the SMO. The ITPSO will:
      
      1. Ensure the FSO(s) is part of the insider threat program;
      2. Complete training in accordance with the NISPOM; and
      3. Develop an insider threat program that meets the requirements of the NISPOM.
   8. FSO: An FSO will be appointed in writing by the SMO for any ŷ���ڱ���Ƶ with an active FCL. Each FSO will:
      
      1. Supervise and direct security measures necessary for implementing the NISPOM to ensure the protection of classified information.
      2. Complete security training as deemed appropriate by the Cognizant Security Agency (CSA) who accredits the FCL. Both direct and reciprocity CSAs training must be met.
      3. Appoint an Information ŷ���ڱ���Ƶ Security Manager (ISSM) if classified information will be processed on an information system at a ŷ���ڱ���Ƶ with an FCL.
   9. ISSM: If classified information will be processed on an information system at a ŷ���ڱ���Ƶ with an FCL, the FSO will appoint an ISSM. Each ISSM will:
      
      1. Be adequately trained and possess the technical competence required to operate, maintain, and secure the contractor’s classified information system; and
      2. Oversee development, implementation, and evaluation of the ŷ���ڱ���Ƶ's classified information system program.
3. ŷ���ڱ���Ƶ of Missouri Research Security and Compliance Team
   
   1. UM Research Security and Compliance Team
      Each FCL within the UM ŷ���ڱ���Ƶ will have an appointed FSO who reports to the UM ŷ���ڱ���Ƶ Director of Research Security and Compliance. Each FSO shall be a member of the ŷ���ڱ���Ƶ of Missouri Research Security and Compliance Team (“UM RSC Team”).
   2. Collaboration
      Recognizing both the necessity and administrative efficiencies gained, the UM RSC Team shall work in collaboration with each other and with those also holding responsibilities for compliance with the authorities outlined in subsection A.2. to ensure that no single point of failure exists within the ŷ���ڱ���Ƶ.

   3. Accountability and Alignment
      To ensure the accountability and alignment of the UM RSC Team, each Chancellor shall designate one of that ŷ���ڱ���Ƶ's Vice Chancellors to work with the UM ŷ���ڱ���Ƶ Director for Research Security and Compliance, who will jointly approve the following as it relates to the FSO at each institution:

      1. Recruitment and hiring decisions;
      2. Disciplinary and termination decisions; and,
      3. Annual performance evaluations and compensation decisions.

      For situations in which concurrence is not reached, the collective decision will be made with the President.

4. Strategies
   
   1. The FSO(s) will develop the industrial security strategies for the UM ŷ���ڱ���Ƶ to establish, document, and implement processes and procedures to ensure the ŷ���ڱ���Ƶ remains in compliance with the authorities outlined in subsection A.2. These strategies will be brought before the UM RSC Team for approval before implementation.
   2. A Standard Practice Procedures (SPP) is developed and maintained by the UM RSC Team and maintained. This SPP documents the current processes and procedures used across the ŷ���ڱ���Ƶ. The SPP will contain information describing acceptable structures for the Security Executive Committee (SEC).
   3. ŷ���ڱ���Ƶ-specific appendices will be maintained within the SPP as needed.
   4. At least once annually, the Board of Curators will review and ratify a Security Resolution outlining the members of the SEC and those who are excluded from the SEC in alignment with the structure outlined in the SPP.
5. Implementation
   The FSOs and Insider Threat Program Senior Official on the UM RSC Team are responsible for the implementation of the industrial security programs and the Insider Threat Program for the UM ŷ���ڱ���Ƶ.