Skip to content
LexBuild

32 CFR § 2004.10 - Responsibilities of the Director, Information Security Oversight Office (ISOO). 

---
identifier: "/us/cfr/t32/s2004.10"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "32 CFR § 2004.10 - Responsibilities of the Director, Information Security Oversight Office (ISOO)."
title_number: 32
title_name: "National Defense"
section_number: "2004.10"
section_name: "Responsibilities of the Director, Information Security Oversight Office (ISOO)."
chapter_name: "INFORMATION SECURITY OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION"
part_number: "2004"
part_name: "NATIONAL INDUSTRIAL SECURITY PROGRAM (NISP)"
positive_law: false
currency: "2026-03-24"
last_updated: "2026-03-24"
format_version: "1.1.0"
generator: "[email protected]"
authority: "Section 102(b)(1) of E.O. 12829 (January 6, 1993), as amended by E.O. 12885 (December 14, 1993), E.O. 13691 (February 12, 2015), and section 4 of E.O. 13708 (September 30, 2015)."
regulatory_source: "83 FR 19951, May 7, 2018, unless otherwise noted."
cfr_part: "2004"
---

# 2004.10 Responsibilities of the Director, Information Security Oversight Office (ISOO).

The Director, ISOO:

(a) Implements E.O. 12829, including ensuring that:

(1) The NISP operates as a single, integrated program across the executive branch of the Federal Government (*i.e.,* such that agencies that release classified information to entities adhere to NISP principles);

(2) A responsible CSA oversees each entity's NISP implementation in accordance with § 2004.22;

(3) All agencies that contract for classified work include the Security Requirements clause, 48 CFR 52.204-2, from the Federal Acquisition Regulation (FAR), or an equivalent clause, in contracts that require access to classified information;

(4) Those agencies for which the Department of Defense (DoD) serves as the CSA or provides industrial security services have agreements with DoD defining the Secretary of Defense's responsibilities on behalf of their agency;

(5) Each CSA issues directions to entities under their cognizance that are consistent with the NISPOM insider threat guidance;

(6) CSAs share with each other, as lawful and appropriate, relevant information about entity employees that indicates an insider threat; and

(7) CSAs conduct ongoing analysis and adjudication of adverse or relevant information about entity employees that indicates an insider threat.

(b) Raises an issue to the National Security Council (NSC) for resolution if the EA's NISPOM coordination process cannot reach a consensus on NISPOM security standards (see § 2004.20(d)).