Given the specific nature and crucial importance to national security, defence and military projects require special measures to protect classified information. In Poland, contractors participating in public tenders for defence and military projects are required to meet stringent requirements for the protection of such information. This includes the establishment of a classified information protection office whenever classified information marked as “secret” or “top secret” is or will be handled.
Establishing a classified information protection office requires compliance with specific legal regulations and implementation of specialised procedures to protect classified information. The contractor is responsible for ensuring an adequate system for the protection of classified information, designed to maintain the highest level of security for information the unauthorised disclosure of which could seriously harm the Republic of Poland. It is therefore advisable to consult a lawyer regarding these matters before participating in a public tender.
This article provides a general overview of the process of establishing an internal structure to manage classified information, including setting up a classified information protection office. This publication also outlines the requirements for contractors intending to participate in public tenders for defence projects.
Participation in a public tender
Participating in public tenders for defence and military projects involves the processing of classified information marked as “secret” or “top secret”. Therefore, to participate in such tenders, a contractor must establish a classified information protection office. Detailed information in this regard is typically provided in the initial tender documents.
Contractors are typically required to include the following in their tender documents:
1Security clearance for key personnel,
2Industrial Security Certificate,
3Description of procedures for protecting classified information, including physical and technical security measures.
Please note that for defence and military projects additional requirements relating to national and international security may be established.
Understanding the provisions and requirements regarding the protection of classified information
The key Polish legal acts concerning the protection of classified information are:
- Act of 5 August 2010 on the protection of classified information (“Classified Information Protection Act”), governing access to classified information and setting out obligations of entities storing such information, including the principles of processing information subject to secrecy in the course of business activities;
- Implementing regulations of the Council of Ministers setting out detailed rules for organising the protection of classified information, including requirements for establishing a classified information protection office, e.g. the Regulation of the Council of Ministers of 29 May 2012 on physical security measures used to secure classified information.
What is a classified information protection office?
A classified information protection office is a separate unit within the organisational structure of a contractor’s company, established by the manager of the organisational unit where classified information marked as “secret” or “top secret” is handled. The manager of the organisational unit, as defined by the statutory provisions, is the manager of a company intending to apply or applying for a contract involving access to classified information or performing such contracts or performing tasks involving access to classified information under statutory provisions.
A company’s manager is usually an entity authorised to represent this company, e.g. a member of a single-member management board or other single-member governing body, or, if the body is composed of more than one person, the entire body, or a member or members of that body authorised by at least a management board’s resolution to act as the company’s manager. In the case of a general partnership and a civil-law partnership, the partners running this partnership’s affairs act as the manager, in a professional partnership – the partners managing the partnership’s affairs or the management board, and in a limited partnership and a limited joint-stock partnership –the general partners running the partnership’s affairs.
In certain cases, particularly due to the organisational structure of a contractor’s enterprise, such as when materials are distributed across different departments (e.g. bidding department, bridge directorate), the legislator allows the establishment of more than one classified information protection office.
Classified information protection office: Requirements
The requirements related to classified information protection offices include:
- premises and technical requirements, such as burglary protection, CCTV, access control
- personnel requirements, such as employing a manager with the appropriate security clearance
- work organisation, such as maintaining a classified material register and controlling document circulation.
Key step: Appointment of a classified information protection officer
To handle classified information, a contractor must appoint a classified information protection officer. This person is responsible for ensuring compliance with information protection regulations, maintaining records and supervising the work of the office.
The classified information protection officer, referred to in the Classified Information Protection Act as the “protection officer”, is employed by the manager of the organisational unit. The requirements to be fulfilled by the protection officer, as well as his or her tasks, are set out in the said Classified Information Protection Act and specific regulations, such as the regulation on the detailed responsibilities of protection officers regarding the protection of classified information in units subordinate to or supervised by the Minister of National Defence. Given the numerous regulations that must be observed, it may be helpful to consult an external lawyer to properly appoint the protection officer.
A key requirement for the protection officer is holding the appropriate security clearance issued by either the Polish Internal Security Agency (ABW) or the Polish Military Counterintelligence Service (SKW). The security clearance confirms that the individual for whom it was issued guarantees the maintenance of secrecy. An extended security clearance procedure is carried out for protection officers, their deputies and the manager of the organisational unit.
The tasks of the protection officer are set out in Article 15(1) of the Classified Information Protection Act and cover physical security, personal security, ICT security and the control over classified information protection. The protection officer performs his or her tasks with the assistance of a protection division, i.e. a separate and subordinate organisational unit dedicated to the protection of classified information.
Location and preparation of infrastructure for a classified information protection office
The location of the classified information protection office is crucial for security. The place where classified information is stored and processed must meet a number of technical and physical requirements, including measures to protect the boundaries of the space where classified information is handled.
It is also important that the classified information protection office includes areas with different levels of security measures, depending on the classification level of the documents stored.
Physical security measures:
- The classified information protection office space must be separated and adequately secured with systems such as locks, CCTV, access control, traffic monitoring, to ensure continuous surveillance of the office.
- Armoured cabinets or safes for storing classified documents must be certified to meet the requirements for the classification level of the information to be stored in them.
- Access to the classified information protection office should be restricted to individuals with the appropriate authorisation. Companies may be required to install CCTV and provide physical security for the office.
Technical security measures:
- IT systems used to process classified information must comply with the requirements of the Classified Information Protection Act. This includes the use of certified data encryption software, antivirus protection and other security measures.
ICT security: for defence projects, it is also often required to put in place systems that meet NATO or EU standards, which may require additional certifications.
Managing classified documents
The classified information protection office must keep strict records of all classified documents, including those circulated already at the tender stage:
1Recording documents: all classified information must be registered and assigned to a person responsible for its storage and processing.
2Document destruction procedures: classified documents must be destroyed in line with specific procedures, e.g. using special shredders ensuring that the content of the document cannot be recovered.
3Storing documents: classified documents must be stored in special safes or cabinets with specific certifications.
Industrial Security Certificate
Contractors wishing to participate in public tenders for defence and security projects involving access to classified information designated as “confidential”, “secret” or “top secret” must obtain an Industrial Security Certificate.
An entity applies for an industrial security certificate to qualify for contracts involving access to classified information with at least “confidential” classification level. This certificate is issued by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW) following an industrial security clearance procedure (this name is used in statutory provisions). This procedure verifies whether the entity is capable of protecting classified information with a classification and certificate level specified in its application.
There are three types of Industrial Security Certificates depending on the extent to which they confirm the capability to protect classified information. The period for which an Industrial Security Certificate is issued depends on the classification level.
As part of the industrial security clearance procedure, background checks are carried out regarding the entity and the individuals who will have access to classified information.
Obtaining security clearance for personnel
The contractor’s personnel who will have access to classified information must obtain the appropriate security clearance. This involves a security clearance procedure conducted by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW) to ensure that the individual meets national security requirements and may handle classified information.
The process of obtaining the security clearance requires the contractor to submit an application to the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW), and it can take several months. It is therefore essential to start the process well in advance of submitting a bid in the tender procedure. The security clearance is issued at different levels, depending on the type of information to which an individual will have access: “restricted”, “confidential”, “secret”, “top secret”.
In addition, each employee should receive training on information protection regulations, security procedures and protocols for handling classified documents. One of the appendices to the Terms of Reference for defence and security projects is a list of persons assigned by the contractor to perform the public contract. This list includes, among other things, a written authorisation from the manager of the organisational unit granting access to classified information or the security clearance, as well as a valid certificate confirming completion of training on classified information protection.
Establishing a classified information protection office is an ongoing process. It requires regular audits, both internal and external, conducted by authorised services such as the Internal Security Agency (ABW) and the Military Counterintelligence Service (SKW). These audits aim to verify whether the office is operating in compliance with the applicable regulations and no violations have occurred.
Meeting all requirements related to the protection of classified information is a crucial step for contractors wishing to participate in public tenders for defence projects. This process involves steps at many levels – from obtaining the security clearance, and preparing the infrastructure of a classified information protection office, to obtaining an Industrial Security Certificate. Proper preparation and fulfilment of formal requirements ensure the lawful and secure processing of classified information and increase the chances of succeeding in defence projects. It is therefore advisable to consult with lawyers the establishment of a classified information protection office.
This article provides only a general overview of the topic. It is important to note that this matter is governed by various independent regulations. If your company intends to compete or is already competing for a contract involving access to classified information in a public tender for defence and military projects, our experts would be happy to discuss possible solutions with you and prepare the necessary documentation.
Our Litigation and Arbitration Team has vast experience in advising on this type of projects.
Contact:
Wojciech Bazan – Attorney-at-law | Partner in the Litigation and Arbitration Team
Martyna Strzelińska – Associate in the Litigation and Arbitration Team