2. Once a facility is authorized, approved, certified, or accredited, all U.S. Government organizations desiring to conduct classified programs at the facility at the same security level shall accept the authorization, approval, certification, or accreditation without change, enhancements, or upgrades. Executive Order, Safeguarding Directives, National Industrial Security Program Operating Manual (NISPOM), the NISPOM Supplement, the Director of Central Intelligence Directives, interagency agreements, successor documents, or other mutually agreed upon methods shall be the basis for such acceptance.
3. After initial security authorization, approval, certification, or accreditation, subsequent security reviews shall normally be conducted no more frequently than annually. Additionally, such reviews shall be aperiodic or random, and be based upon risk management principles. Security reviews may be conducted "for cause", to follow up on previous findings, or to accomplish close-out actions. Visits may be made to a facility to conduct security support actions, administrative inquiries, program reviews, and approvals as deemed appropriate by the cognizant security authority or agency.
4. Agency heads shall ensure that any policy documents their agency issues setting out facilities security policies and procedures incorporate the policy set out herein, and that such policies are reasonable, effective, efficient, and enable and promote interagency reciprocity.
5. Agencies which authorize, approve, certify, or accredit facilities shall provide to the Security Policy Board Staff a points of contact list to include names and telephone numbers of personnel to be contacted for verification of authorized, approved, certified, or accredited facility status. The Security Policy Board Staff will publish a comprehensive directory of points of contact.
6. Agencies will continue to review and assess the potential value added to the process of co-use of facilities by development of electronic data retrieval across government. As this review continues, agencies creating or modifying facilities databases will do so in a manner which facilitates community data sharing.