Classified Information (I.A.7)

Volume ­­I: Academic Affairs and Research
Chapter A: Education and Research
Responsible Executive: Executive Vice President for Research
Responsible Office: Purdue Security Office
Date Issued: September 1, 2025
Date Last Revised: N/A

Table of Contents

Contacts
Statement of Policy
Reason for This Policy
Individuals and Entities Affected
Exclusions
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
Website Address for This Policy
History and Updates
Appendix

Contacts

Policy Clarification

Director of Security
765-494-3149 | fso@purdue.edu

Statement of Policy

Purdue University is committed to safeguarding Classified Information and complying with federal regulations governing national security-related activities. This policy outlines the essential requirements for compliance with the National Industrial Security Program Operating Manual (NISPOM) and other federal requirements for Classified Information. Detailed information is provided in Purdue’s Standard Practices and Procedures (SPP) maintained by the Purdue Security Office.

Triggers for Security Controls

The Purdue Security Office must be consulted before engaging in the following activities:

• Entering into a contract, subcontract or agreement that involves the handling or safeguarding of Classified Information.
• Accessing classified facilities or systems to fulfill project requirements.
• Entering into negotiations with an external entity regarding classified activities at or on behalf of the University.
• Allowing visitors to enter classified facilities of Purdue and its affiliates.

Basic Obligations and Prohibited Actions

Faculty, staff, students and affiliates involved in work that involves Classified Information are required to comply with directives from the Purdue Security Office and the Facility Security Officer (FSO) to maintain the integrity of classified activities.

Classified facilities at Purdue University are exclusively for activities directly related to Purdue’s and its affiliates’ research and contractual obligations. Personal use is strictly prohibited. Use for unrelated activities, including consulting or secondary employment, is prohibited without explicit written permission from the Purdue Security Office.

All Purdue faculty, staff, students, contractors and affiliates are prohibited from:

1. Unauthorized Participation and Access
   • Engaging in classified activities without prior approval from the Purdue Security Office.
   • Attempting to access Classified Information without proper authorization or clearance, even if unsuccessful.
2. Unauthorized Disclosure and Sharing
   • Sharing or discussing Classified Information with unauthorized individuals.
   • Revealing someone’s security clearance status without a legitimate need-to-know.
3. Unauthorized Public Disclosure
   • Publicly confirming, implying or disclosing Purdue’s involvement in classified contracts, programs or facilities without prior written authorization from the Purdue Security Office, and, if required, approved by the sponsoring U.S. Government agency.
   • Disclosing or suggesting participation in Special Access Programs (SAP), Sensitive Compartmented Information (SCI) or other compartmented activities unless such involvement has been publicly acknowledged and cleared for release.
4. Improper Handling and Storage
   • Transporting, transmitting, processing or storing Classified Information without explicit authorization.
   • Using unauthorized physical or digital locations to store or access Classified Information.
5. Misuse of Authorized Access
   • Using classified access for purposes unrelated to approved research or contractual obligations.

Third-Party Security Clearance

Faculty, staff, contractors and affiliates who hold a clearance managed by an entity other than Purdue or its affiliates are encouraged to request that the managing entity’s security office notify the Purdue Security Office of the clearance. Notification is not recommended if the disclosure is explicitly prohibited under the NISPOM or other federal regulations. Disclosed information will be handled in accordance with federal confidentiality standards and used only for operational security purposes.

Violations

Violations of this policy and its supporting SPP will be handled in accordance with the University’s disciplinary practices and federal guidelines and may result in actions, including but not limited to:

• Removal from the classified project.
• Discipline, up to and including termination of employment.
• Suspension or termination of access privileges.
• Reporting to authorities for criminal prosecution or other appropriate action.

Reason for This Policy

As a top public research institution, Purdue University is often granted contracts and other agreements with federal agencies. Occasionally these involve classified activities. This policy provides guidance on the handling, access and safeguarding of Classified Information as defined under the NISPOM.

Individuals and Entities Affected

This policy applies to all Purdue University faculty, staff, students, contractors and affiliates involved in:

• Handling or accessing Classified Information under federal contracts or agreements.
• Engaging in national security-related research or activities explicitly governed by NISPOM.
• Entering or with access to facilities that are approved for classified work.

Exclusions

This policy does not address matters of export control, controlled unclassified information, or information governed by non-disclosure obligations unless such information is explicitly designated as classified under U.S. Government standards. Refer to the policies on Export Controls and OFAC Regulations (I.A.2) and the Research Security Program (I.A.6).

Responsibilities

Purdue Security Office

• Administer compliance with NISPOM and other federal requirements for Classified Information, including but not limited to those related to training and self-inspection.
• Oversee the University’s engagement with classified research projects and ensure appropriate safeguards are in place.
• Coordinate with external governmental and non-governmental entities regarding classified research performed at or by Purdue and/or Purdue personnel or its affiliates.

Individuals Involved in Classified Work

• Comply with this policy and the Purdue SPP.
• Notify the Purdue Security Office if contemplating, and before engaging in, any classified activity conducted at or through Purdue University or its affiliates.
• Successfully complete all required security training specific to the classified work before beginning any classified work.
• Immediately report any security incidents, breaches or unauthorized disclosures to the Purdue Security Office.
• Handle and store classified materials exclusively in approved systems, facilities and manners.
• Ensure that access to Classified Information is limited to authorized personnel with appropriate clearances.
• Comply with Purdue’s visitor policies for visiting classified facilities, including obtaining prior approval, clearance verification and adherence to escort requirements.

Facility Security Officer

• Supervise and direct security measures necessary for the implementation of applicable requirements of the NISPOM and related federal requirements for Classified Information, including but not limited to those related to training and auditing.
• Oversee and approve any physical security requirements necessary to secure Information Systems in accordance with the NISPOM.

Chief Information Security Officer

• Develop, publish and maintain a standard on Classified Computing.

Definitions

All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.

Classified Information
As defined in the Classified Information Procedures Act 1980, any information or material that has been determined by the U.S. government, pursuant to an executive order, statute or regulation, to require protection against unauthorized disclosure for reasons of national security and any restricted data, as defined in paragraph r. of section 11 of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)).

Facility Security Clearance (FCL)
An administrative determination made by the Department of Defense that, from a national security standpoint, a facility (in this case, Purdue University) is eligible for access to Classified Information at the same or lower classification category as the clearance being granted (e.g., confidential, secret, or top secret). The FCL includes the execution of a Department of Defense Security Agreement. Under the terms of the agreement, the federal government agrees to issue the FCL and inform the contractor as to the security classification of information to which the contractor will have access. The contractor (Purdue University), in turn, agrees to abide by the security requirements set forth in the NISPOM.

Facility Security Officer
A U.S. citizen employee of the University, who is cleared and appointed as part of the FCL, responsible for supervising and directing security measures necessary for implementing applicable NISPOM measures and related federal requirements for the protection of classified systems.

NISPOM
The National Industrial Security Program Operating Manual, 32 CFR 117, which establishes the standard procedures and requirements for all government contractors with regard to Classified Information.

Related Documents, Forms and Tools

Acceptable Use of IT Resources and Information Assets (VII.A.4)

Classified Computing (S-9)

Export Controls and OFAC Regulations (I.A.2)

Information Security and Privacy (VII.B.8)

Research Security Program (I.A.6)

Website Address for This Policy

www.purdue.edu/vpec/policies/academic-research-affairs/ia7

History and Updates

September 1, 2025: While the University has had a standard on classified computing since 2018, this is the first policy to address the broader application of the NISPOM requirements.

Appendix

There are no appendices to this policy.