1. Classified Data Handling By Francesco Scarimbolo

2. Outline  Purpose & Overall Authority  Security Clearances - Authorization  Security Training & Briefings  Classification & Marking  Safeguarding Classified Information  Automated Access Control System

3. Purpose & Overall Authority  Requirements, Restrictions and Safeguards to prevention unauthorized disclosure (Information Assurance Policy)  Controlled Disclosure from Government to Contractors  The President appointed Secretary of Defense – Executive Agent  The Director, Information Security Oversight Office Implements, Monitors and issues directives  Overall Authority – National Industrial Security Program (NISP) Executive Order 12829, January 6 1993Executive Order 12829, January 6 1993 Executive Order 12958, April 17 1995 – Classified National Security InformationExecutive Order 12958, April 17 1995 – Classified National Security Information

4. Security Clearances - Authorization  Facility Clearances  Personal Clearances

5. Facility Clearances - (FLC) Eligibility Requirements  Must need access to classified information for legitimate U.S. Gov. or foreign requirement  Must exist under the laws of any of the 50 states, in D.C., or Puerto Rico, and be located within the U.S. and its territorial areas or possessions  Must have a reputation for integrity and lawful conduct in business practices  Must not be in under foreign ownership, control, or influence, to the extent that granting FCL would be inconsistent with national interest

6. Facility Clearances - (FLC) Eligible Requirements (Continued)  Facility Security Officer (FSO) must be a U.S. Citizen employee  Senior Management and the FSO must have a Personal Clearance (PLC) = FLC

7. Personal Clearances  Single Scope Background Investigation (SSBI) – Required for Top Secret PCL  National Agency Check with Local Check and Credit Check – Required for Secret and Confidential PCL  Polygraph – Agency Dependent, coverage expanded upon surfacing concerns in effort to resolve the issues  Reciprocity – Previously granted PLC that meets or exceeds current clearance required provides basis without for further investigation unless significant information wasn’t known

8. Personal Clearances (Continued)  Contractor Based Clearances – Not permitted after January 1, 2004  Proof Of Citizenship Birth Certificate for US bornBirth Certificate for US born Certificate of NaturalizationCertificate of Naturalization Certificate of Citizenship by INSCertificate of Citizenship by INS Birth abroad of a Citizen of USBirth abroad of a Citizen of US Passport, Current or ExpiredPassport, Current or Expired

9. Converting PLC to Industrial Clearance  Investigation meets standards for equivalent clearance  No More Than 24 Months pass since termination of last investigation  No evidence of adverse information exists since last investigation  Q access authorization can be converted to a Top Secret PLC  L access authorization can be converted to a Secret PLC

10. Security Training & Briefings  FSO Training – Should be completed 1 year of appointment to position of FSO  Classified Information Nondisclosure Agreement – SF 312  Initial Security Briefings Threat Awareness BriefingThreat Awareness Briefing Defensive Security BriefingDefensive Security Briefing Overview of security classification systemOverview of security classification system Employee reporting obligations and requirementsEmployee reporting obligations and requirements Security procedures and duties applicable to job functionSecurity procedures and duties applicable to job function

11. Classification & Marking  Top Secret, Secret, Confidential, Unclassified  Terms such as “Official Use only” or “Administratively Confidential” are not applicable to national security information  Original Classification Falls within categories set by Executive Order 12958Falls within categories set by Executive Order 12958 May cause damage to National Security by itself or with other information – Classification cannot be given otherwiseMay cause damage to National Security by itself or with other information – Classification cannot be given otherwise Must State Reason on front pageMust State Reason on front page Must also set date for duration of classification if possible or marked with an exemption category of “X”Must also set date for duration of classification if possible or marked with an exemption category of “X” Viewer must have completed SF 312 and have “Need to Know”Viewer must have completed SF 312 and have “Need to Know” Apply the markings as document is being createdApply the markings as document is being created Preliminary documents must be handled as destroyed as if it had a classificationPreliminary documents must be handled as destroyed as if it had a classification

12. Derivative Classification Responsibilities  Manager at operational level where information is being produced or assembled determines classification  Employees are responsible for marking or challenging the classification when copying, extracting, reproducing, or translating a portion of or the totality of the document

13. Challenging the Classification  Information is classified improperly or unnecessarily  Current security considerations justify downgrading or upgrading classification Declassification is not automatically an approval for public disclosureDeclassification is not automatically an approval for public disclosure  Security classification guidance is improper or inadequate

14. Contractor Developed Information  Similar information previously identified as classified retain the associated level  Novel information the contractor believes should be classified, the contractor submits it to the appropriate agency that would have interest in it for classification determination

15. Identification & Overall Markings  Name & Address of Facility responsible for preparation  Date of Preparation  Overall marking should be on the front cover & back cover (if applicable), top and bottom  Markings are done by stamped, printed, etched, written engraved, painted or affixed by a adhesive tag (except on documents)

16. Page, Component, & Portion Marking  The top and bottom of the page is marked with the highest classification on that page  Components such as annex or an appendix can be given a one time classification marking of UNCLASSIFIED if it holds true for the entire component  Each portion, such as a paragraph shall be given the highest classification marking that exists within the portion with either a (TS) for Top Secret, (S) for Secret, (C) for Confidential and (U) for Unclassified

17. Portion Marking (Continued)  Foreign government information is marked with abbreviation for that nation and appropriate classification (UK – C)  NATO documents receive a mark of “NATO” or “COSMIC” with the appropriate classification (NATO – TS), (COSMIC – S)  Illustrations get marked with no abbreviations directly next to the illustration  Impractical marking and all portions are at same level, the document can have an overall classification as long as there is a full explanation included

18. Marking for Derivatively Classified Documents  Source of classification and declassification instructions need to be marked  The marking of “multiple sources” is acceptable  “Declassify on” may have the markings of the date to declassify, an X for unknown declassification date or “Original Agency’s Determination Required”

19. “Downgrade To” and “Reason Classified”  The classification to downgrade to upon a certain date can be given in advance and is marked downgraded subsequently on storage containers  The reason of Classification may sometimes be necessary upon original Classification

20. Marking Special Types of Material  Files, Folders or Groups of Document – Marked with highest classification when not stored  Messages – Electronically Transmitted – Need “Derived From” & some agencies require “Classified By” & “Reason Classified”  Microfilms – Unaided to the eye markings are necessary on container, Images shall also contain markings of classification so its properly disclosed upon printing  Translations – Only difference, U.S. must be indicated as country of origin

21. Marking Transmittal Documents  Classified documents are noted with highest classification information  Unclassified documents that transmit classified data as an attachment get marked as “Unclassified when Separated from Classified Enclosures”  Classified Documents get marked similarly as follows “Secret when Separated from Enclosures”

22. Upgrading and Automatic Downgrading  Appropriately upgraded material removes all indication of previous classification  Authority & date of upgrade is marked  Notification to all who obtained information is required for further correct dissemination  Automatic downgrading (such as based on date) remove all indication of previous classification with new classification  No further dissemination is necessary when it is automatic

23. Miscellaneous Actions (Improperly handled Information)  Determine who has it (their clearance) and should they have it (the information’s discovered classification)  Determine who has control of information  Determine whether control has been lost  If recipients have the correct clearance – issue notices promptly of classified information  If not, report incident to Cognizant Security Agency (CSA) DoD – Incident Response for National Security Matters

24. Safeguarding Classified Information  Safeguarding Oral Communication – prohibited: unsecured phone lines, public conversations, any other interception by unauthorized personnel  End of Day Security Checks – At the close of each day – ensure all classified data is securely storedAt the close of each day – ensure all classified data is securely stored At the end of each shift – ensure all classified data is securely stored except when facility is in 24 hour contiguous operationAt the end of each shift – ensure all classified data is securely stored except when facility is in 24 hour contiguous operation

25. Perimeter Control (Physical Security)  Inspections must be done in random nature guided by legal advice  All individuals are subject to inspection Must be done within facility groundsMust be done within facility grounds Inspections are not necessary for highly personal – purse, wallet, clothing etc.Inspections are not necessary for highly personal – purse, wallet, clothing etc.

26. External Receipt and Dispatch Records  The date of the material  The date of receipt or dispatch  The classification  An Unclassified description  Identify the activity that resulted in the retrieval of the material or to which the material was dispatched  Receipt and dispatch records are kept for 2 years

27. Receiving Classified Material  Top Secret & Secret Classified data needs signature receipt  Confidential doesn’t, but if signature is required, it must be given  If tampering is detected (TS, S) – should be reported promptly to sender

28. Generation of Classified Material  Classified working papers Dated when createdDated when created Marked with classificationMarked with classification Marked with “working papers”Marked with “working papers” Destroyed when no longer neededDestroyed when no longer needed Classified as finished documents whenClassified as finished documents when  Transmitted out of facility  Retained for more than 180 days  Contractor produced Top Secret material – Record must be produced Completed DocumentCompleted Document Retained for 30 daysRetained for 30 days Transmitted Outside facilityTransmitted Outside facility

29. General Services Administration (GSA)  Top Secret material – Stored in GSA approved security container, approved vault or approved closed area  Secret Material – Stored similar to Top Secret without the GSA approval In a safe, steel file cabinet, automatic locking, 4 sides welded, riveted, or bolted to indicate visible evidence of tampering (Until October 1, 2012)In a safe, steel file cabinet, automatic locking, 4 sides welded, riveted, or bolted to indicate visible evidence of tampering (Until October 1, 2012)

30. Restricted Areas  Necessary impractical or impossible to store otherwise due to unusual characteristic  Clearly defined perimeter – No barriers necessary  Personnel within the area are responsible for challenging all individuals who may lack proper authority

31. Intrusion Detection Systems  Guard Patrol – 2 hours for Top Secret Material, 4 hours for Secret  GSA approved containers need no supplemental security if in an area deemed “with security-in-depth”

32. Protection of Combinations  Record of Names with combinations maintained  All containers are locked if not under the direct supervision of an authorized person  Combination is dependent upon classification of contents, upgrade in classification destroys previous combinations

33. Changing Combinations  Initial use of container  Termination of employee or clearance is withdrawn, suspended or revoked  Compromise of security container Unlocked, UnattendedUnlocked, Unattended

34. Supervision of Keys  Key and lock custodian is appointed  Key and lock control register center  Key and lock audit every month  Keys inventoried with every change of custody  Keys and spare locks protected as classified  Locks and keys rotated at least once a year  Master Keys prohibited

35. Automated Access Control System  Manufactures must meet these requirements Chances of unauthorized access are no more than one in 10,000Chances of unauthorized access are no more than one in 10,000 Chances of authorized access being rejected in no more than 1 in 1,000Chances of authorized access being rejected in no more than 1 in 1,000 Locations of access and there storage must be protectedLocations of access and there storage must be protected Tamper alarm protection is mandatory for Top Secret Closed AreaTamper alarm protection is mandatory for Top Secret Closed Area

36. Automated Access Control System Continued  Personal Identification Identification can be obtained by ID with PIN badge or personal identityIdentification can be obtained by ID with PIN badge or personal identity  ID Badge – must use embedded sensors, integrated circuits magnetic stripes etc  Fingerprint  Hand geometry  Handwriting  Retina  Voice Recognition

37. Summary  Purpose & Overall Authority  Security Clearances - Authorization  Security Training & Briefings  Classification & Marking  Safeguarding Classified Information  Automated Access Control System