Aerospace & Defense: How to Determine Whether a Security Clearance Certificate is Needed in Turkey?
Alike many countries Turkey has also a detailed legislation for confidential and secret clearances in defense and military projects. It has been a long discussion that if foreign contractors entered supply contracts with Turkish defense entities need to obtain security clearance certificates even their core business is not in defense industries even they are selling products related to defense industries. In this article you will find more on regulatory framework of clearance in defense industries with answers to some frequently asked questions.
Legislation
The security and protection of any classified information, documents, projects, materials and services, mentioned in the contracts made within the scope of defense industry, to be provided by way of direct purchasing, participation in joint project programs, incentive or investment, belonging to those real and legal persons carrying out research, development, manufacturing and installation in the area of defense industry technology and equipment and to those persons working in these areas, and the security and protection of the places in relation thereto, were enacted since national interests have importance. In this context, the main legislation is the Defense Industry Security Law no. 5202 dated 29.06.2004 (the “Law”) and the Defense Industry Security Regulation with the Official Gazette no. 27601 dated 04.06.2010 (the “Regulation”). In addition, there are also certain guiding documents shared by the Presidency of Defense Industries (“SSB”).
The Law covers all the public institutions and organizations and real and legal persons that will carry out or have carried out the purchasing, sales, production, research and development, preservation and storage of any classified agreements as well as information, documents, projects, materials and services in relation to the defense industry, and the facilities where they will carry on a business and the facilities established in accordance with the Technology Development Areas Law no. 4691 dated 26.01.2001. Thus, while military facilities and personnel included in the staff and organizations of Turkish Armed Forces (“TAF”) are excluded from the scope of application of the Law, in case any defense industry project is carried out in military facilities, provisions of the Law find area of application. In addition, the security procedures of the works and projects relating to the North Atlantic Treaty Organization (“NATO”), are carried out by the Presidency of Central Council of the North Atlantic Treaty, within the frame of NATO security principles and procedures, in coordination with the Ministry of National Defense (“MSB”).
The limits and principles confidentiality elements find a described area of application under the Law. Accordingly, “classification” refers to the classification and denomination of the information, documents and materials which are deemed to be inconvenient, with respect to national security and the interests of the country, to be disclosed to those other than those persons who need to know them, as “top secret”, “confidential”, “private” and “restricted” according to their level of importance. “Classified information, documents and materials” cover any records, written and oral communication media, messages and documents with classified content, including cryptographic and atomic information and materials, and any materials such as weapons, ammunition, tools and equipment and the parts and sections and software and hardware thereof.
While “classified projects” is described as the whole of those practices involving the purchasing and sales, all kinds of production activities and research and development of and the services and infrastructure facilities and activities in relation to all kinds of warfare weapons and tools and equipment needed for defense, which contain classified information, and the important and critical sub-systems and parts thereof, the description of a “person who needs to know” refers to a person who has a responsibility to learn and use any classified information, documents, projects or materials, only as part of his job, and who has a “Personal Security Certificate” with the required classification. The said Personal Security Certificate refers to the certificate which ensures access to classified information, documents, projects or materials or the permit of entry to the places and facilities where they are found.
The Law associates the confidentiality element not only with persons, but also with facilities. Thus, the certificate specifying that the protection measures designed into a project in order to ensure the physical security of classified information, documents, projects and materials which are or might be found in a facility, taking into consideration the location of the facility and the environmental conditions and the external and internal threats that it might sustain, are found acceptable, is described as the “Facility Security Certificate”.
It is seen that clear descriptions of classifications have been made and the players of defense industry security legislation have been detailed under the Regulation. Thus;
“Top Secret” refers to the classification used for papers, tools, equipment, information, documents, projects, materials, facilities and places, which might vitally damage the security of the state, our nation, our national presence and integrity, our internal and external interests and our alliances, gain favour to a foreign country and bear extraordinary consequences in case they are disclosed in an unauthorized manner,
“Confidential” refers to the classification used for papers, tools, equipment, information, documents, projects, materials, facilities and places, which might seriously damage the security of the state, our nation, our national presence and integrity, our internal and external interests, weaken our reputation and interests and gain favor to a foreign country in case they are disclosed in an unauthorized manner,
“Private” refers to the classification used for papers, tools, equipment, information, documents, projects, materials, facilities and places, which might weaken the interests and prestige of the state, cause damage to any person and gain favor to a foreign country,
“Restricted” refers to the classification used for papers, tools, equipment, information, documents, projects, materials, facilities and places, which are not required to be protected by the classifications of “TOP SECRET”, “CONFIDENTIAL” or “PRIVATE”, not intended to be known by any person other than those persons who need to know them.
In addition, although it is not described under the Law or the Regulation, article 7(3) of the Regulation specifies that information, documents, materials, or projects can also be denominated or marked as “Unclassified”.
On the other hand, “NATO classification” covers the classifications of “Cosmic Top Secret”, “NATO Secret”, “NATO Confidential” and “NATO Restricted” in the practices in relation to NATO, and the classifications used in the correspondences between Turkish authorities or organizations in relation to NATO, used with their meaning in Turkish, in the form of “Kozmik Çok Gizli”, “Çok Gizli”, “NATO Gizli”, “NATO Özel” and “NATO Hizmete Özel” respectively.
Here, we find it beneficial to additionally mention the Controlled List and the relevant legislation. Pursuant to the Regulation, the “Controlled List” is described as the list of controlled warfare tools and equipment and weapons, ammunitions and their spare parts, explosives and their technologies, which is identified by MSB after having obtained the opinions of the relevant public institutions and organizations, and which is announced in the Official Gazette every year in January or within the year when necessary, pursuant to the Law on the Control of Industrial Enterprises Manufacturing Warfare Tools and Equipment and Weapons, Ammunitions and Explosives no. 5201 dated 29.06.2004 (the “Law no. 5201”). In this context, while the defense industry security legislation sets forth certain special provisions with respect to those products appearing in the Controlled List, as will be seen in the light of explanations, being subject to the defense industry security legislation is not only determined according to whether you carry on a business for the purpose of production and/or service under the Controlled List, but also whether you have access to the above-explained classified information, documents, projects and materials, is considered. In other words, the defense industry security legislation finds area of application with respect to classified projects, independent from being subject to the Controlled List. In this context, it is possible to say that the defense industry security legislation is the primary legislation setting forth the general rules, and the relevant regulations including the Law no. 5201 and the Controlled List constitute the special secondary legislation.
Pursuant to the Law and the Regulation, the defense industry national security authority is the Technical Services Department of the Ministry of National Defense (“Defense Industry National Security Authority”). The Defense Industry National Security Authority is authorized for the national classified documentation requests under the Law and examination and finalization of the said requests in coordination with the relevant authorities, and for the issuance of the relevant documents. In addition, duties of the Defense Industry National Security Authority are set forth under the Regulation. In this context, it is among the duties of the Defense Industry National Security Authority to review the security measures taken in accordance with the legislation in force in relation to defense industry security, and in case needed, to prepare the necessary amendments to the legislation by coordinating with the relevant authorities, and to accept the national classified documentation applications under the Law and NATO classified documentation applications under the delegation of authority made by the Presidency of Central Council of the North Atlantic Treaty Organization, to examine the application documents under the said request and to have the deficiencies completed. Thus, the Defense Industry National Security Authority is the application authority for the Personal Security Certificate and Facility Security Certificate applications.
In addition, under the Regulation, the authority which identifies and notifies to the project authority the goods and services to be provided for the purpose of meeting the operational and logistics needs of TAF, in accordance with the procedures and principles explained in the relevant legislation, and which plans and manages the use fit for the purpose of the goods and services provided in coordination of the project authority, is described as the “needer authority”. “Project authority” on the other hand refers to the authority which carries out all the activities necessary for the provision of the goods and/or services requested by the needer authority.
Although the terms “contractor” and “subcontractor” are mentioned in the Regulation, these terms are not described. However, it is seen that, under the Guide for Preparation of Classification Guideline of the Presidency of Defense Industries, which was shared by SSB, the real person or the legal person organization with which the project authority has concluded a contract in order that it can carry out the relevant activities under the classified project as described in the Regulation, is considered within the scope of the “contractor” status, and the real person or the legal person organization with which the contractor that will carry out the classified project has made a sub-contract containing classified information under the classified project, is referred to as the “sub-contractor”.
Responsibilities
Pursuant to the legislation, any classified information, documents and materials or classified projects can be accessed only by those persons having a Personal Security Certificate appropriate for the classification thereof, according to the need-to-know principle. Here, the “need-to-know principle” refers to circumstances where any issue or dealing is known to and accessed by only those who are responsible for learning, examining, fulfilling, and protecting the same, as required by their duties and responsibilities, within their authority. In addition, the said project is not given and disclosed to those persons who don’t have a Personal Security Certificate with appropriate level, or to those organizations which don’t have a Facility Security Certificate. Any classified information, documents and materials or classified projects in the area of defense industry, should be kept in a facility or place having a Facility Security Certificate appropriate for their classification, or actions should be taken thereon accordingly.
Pursuant to the Law, access by those persons or organizations not having a Personal Security Certificate and Facility Security Certificate with appropriate level, to any classified information, documents and materials and classified projects which are considered to be within the scope of defense industry security legislation, their entry into the places and facilities where they are found or carried out, and their participation into the endeavours and practices of agreements, contracts and sub-contracts in relation thereto, is in breach of the legislation.
It should be additionally specified in this context, that it is clearly set forth that the information, documents, materials or projects denominated or marked as Unclassified pursuant to the Regulation, are not required to be protected within the framework of the procedures and principles specified in the Regulation, provided that the provisions of international treaties to which we are a party are reserved, and that no security certificate will be requested for the access to such Unclassified information, documents, materials or projects. In this context, although a person who needs to know is described as a person who may access classified information, documents and materials or classified projects, only as part of his job, it is considered that there is no obligation to make an application for Personal Security Certificate and Facility Security Certificate for those who have access to information, documents and materials or projects which are denominated and marked only as Unclassified. In any case, taking into consideration the nature of the defense industry security legislation and the ambiguity of expressions, it should be taken into consideration that it is in the realm of possibility that the term “a person who needs to know” can be interpreted widely.
Pursuant to the Law, those who act in breach of the responsibilities explained above in relation to classified information, are sentenced to imprisonment of six months to one year, unless their act constitutes another crime.
Clearance Certificates
Personal Security Certificate
As was also described above, Personal Security Certificate refers to the certificate which ensures access by the personnel to classified information, documents, projects or materials or the permit of entry to the places and facilities where they are found, in accordance with the need-to-know principle. Pursuant to the Law, it is obligatory to obtain a Personal Security Certificate for every person related to defense industry issues requiring access to classified information, documents, projects or materials. Thus, it is also understood from the grounds for the article, that a Personal Security Certificate should be obtained for every person who is a person who needs to know under a classified project. The ground for the relevant article is as follows:
“Those persons who will use classified information, documents, projects or materials to ensure defense industry security, and the facilities where they are found, should be reliable. For this reason, by imposing an obligation to obtain a “Personal Security Certificate” for a person who needs to know and a “Facility Security Certificate” for the facility or place where the project will be implemented, it is aimed not to provide any person or organization with any classified information, documents, projects or materials without obtaining these certificates.”
Applications for Personal Security Certificate are made to the Defense Industry National Security Authority. On the other hand, a Personal Security Certificate should be obtained for all the shareholders of those organizations which are in a private company status, for those shareholders of those organizations which are in a joint stock company status, who are permitted with a board decision to access to classified information, documents and materials, for the board members, general manager and deputy general managers and security coordinator of these companies, and for their personnel who are likely to access to classified information, documents and materials.
It should be specified here, that in the applications for Personal Security Certificate, a security investigation and archive research is carried out upon the request of the Defense Industry National Security Authority, by the National Intelligence Organization, Turkish National Police or local authorities. Those persons who are found appropriate, following the legal opinion as to whether a Personal Security Certificate will be issued for those who are appropriate and who are found to have an unfavourable condition as a result of the investigations made, are issued a Personal Security Certificate in the classification requested by the Defense Industry National Security Authority, valid for a period of maximum five years. However, in case the security investigation and archive research, that the Defense Industry National Security Authority will have carried out on personnel who has a Personal Security Certificate within the validity period of the certificate, results unfavourably, the certificate is cancelled.
In addition, pursuant to the Regulation, in case those organizations willing to take part in international classified projects are a foreign organization not incorporated within the boundaries of the Republic of Turkey, or the willing persons are foreign, the willing organizations and persons must obtain security certificates with appropriate classification, issued and approved by the authorized bodies of their country. Access by these organizations and persons to classified information, documents and materials is permitted only after the validity of the security certificates provided is confirmed by the Defense Industry National Security Authority with the authorized bodies of the relevant country.
Facility Security Certificate
Facility Security Certificate is described as the certificate specifying that the protection measures designed into a project to ensure the physical security of classified information, documents, projects and materials which are or might be found in a facility under the legislation, taking into consideration the location of the facility and the environmental conditions and the external and internal threats that it might sustain, are found acceptable. On the other hand, any classified information, documents and materials or classified projects in the area of defense industry should be kept in a facility or place having a Facility Security Certificate appropriate for their classification, or actions should be taken thereon in such a facility or place. Pursuant to the grounds for the relevant article, which was quoted above, it is obligatory to obtain a Facility Security Certificate for the facility or place where the project will be implemented. It should be specified in addition that pursuant to the relevant article of the Regulation, those organizations which have not made an application for Facility Security Certificate cannot make an application for Personal Security Certificate. Thus, taking into consideration that a Personal Security Certificate should be obtained for those who are a person who needs to know under the defense industry security legislation, it is possible to say that the relevant organization should first of all make an application for Facility Security Certificate in such a circumstance.
In order that organizations can be given a classified Facility Security Certificate, the security investigation and archive research to be carried out for all the shareholders of those organizations which are in a private company status, for those shareholders of those organizations which are in a joint stock company status, who are permitted with a board decision to access to classified information, documents and materials, for the board members, general manager and deputy general managers and security coordinator of these companies, and for their personnel who are likely to access to classified information, documents and materials, should give an affirmative result. Those organizations with foreign shareholders, or those one or more of the chairman of the board of directors and the board members of which are foreign nationals, are granted only a national restricted Facility Security Certificate by the Defense Industry National Security Authority in case the check to be made by the “board of control” results affirmatively. Here, the board of control refers to the board consisting of the personnel appointed by the Defense Industry National Security Authority and the personnel to attend on behalf of the Ministry of Industry and Commerce, in coordination of the Defense Industry National Security Authority, to carry out checks of the facilities of organizations to identify their sufficiency with respect to defense industry security. On the other hand, in case the shareholders or the chairman of the board of directors and board members who are foreign nationals are a national of a country which is a member of NATO, a NATO classified Facility Security Certificate is given by the Presidency of Central Council of the North Atlantic Treaty Organization, in case the said personnel have a Personal Security Certificate with appropriate classification, obtained from their country, and the check to be made by the board of control results affirmatively. Pursuant to the legislation, the validity period of the Facility Security Certificate is five years, and it is valid only for the facilities located at the address for which it is given.
It is crucial to state that organizations carrying on a business for the purpose of producing the materials appearing in the Controlled List and/or providing services in respect of them, should obtain a Facility Security Certificate, and minimum the board members, general manager and deputy general managers and security coordinator of organizations, and their personnel who are likely to have access to classified information, should obtain a Personal Security Certificate. However, the Regulation clearly prescribes that organizations which do not make production within the scope of the Controlled List, but have access to classified information, documents and materials in the area of defense industry due to their activity in this area, should obtain a Facility Security Certificate, and a minimum of their board members, general manager and deputy general managers and security coordinator, and their personnel who are likely to have access to classified information, should obtain a Personal Security Certificate.
In light of above considerations, we hereby reiterate that the expressions appearing in the legislation are ambiguous and open to dual interpretation, and although the requirements for such security certificates are generally referred to in administrative specifications in practice, we recommend that a legal assessment is made from this aspect for the transactions between two legal persons which do not make sales to the public but which are obliged to have a personal/facility security certificate.
Şafak Herdem
Related
International Trade: Turkey’s New Regulation on CE Marking Aiming for Harmonization with the EU
28 May 2021
Aerospace & Defense: SSB’s 7th R&D Panel: New Projects to Launch in Aerospace & Defense
27 May 2021
Technology Law: Turkey Amends the Rules Regarding Internet Domain Names
21 April 2021
