General Questions Flashcards
Information Security
To promote the proper and effective way to classify, protect, and downgrade official information requiring protection in the interest of national security
Also promotes declassification of information no longer requiring protection
1940
1st information security executive order
EO 8381
EO 13526
2009
Current executive order on information security
Prescribes a uniform system for classifying, safeguarding, and declassifying national security information
Promotes declassification and public access to information as soon as national security considerations permit
Established National Declassification Center
Greater openness and transparency
Stronger OCA and derivative classifier training requirements
Derivative classifiers identified by name
Self-inspection programs to review samples of original and derivatively classified documents
Declassification exemptions of 50 and 75 years
ISOO
Information Security Oversight Office
Responsible for overseeing and managing the information security program under the guidance of the National Security Council (NSC)
NSC provides overall policy direction
ISOO is the operating arm
Annual report to the president about each agency’s security classification program, analysis and reports
SF-311
Agency Security Classification Management Program Data
USD(I)
Under Secretary of Defense for Intelligence
Has the primary responsibility for providing guidance, oversight, and approval authority of policies and procedures that govern the DoD Information Security Program
Guidance on Classification Management - marking, handling and protection
ISOO 32 CFR Parts 2001 and 2003
Classified National Security Information Final Rule
Provides guidance to all government agencies on classification, downgrading, declassification, and safeguarding of classified national security information
Information Security Program and Protection of Sensitive Compartmented Information
Establishes the basic information security policies for the DoD and provides a high-level framework for DoD implementation of national policy on classified national security information
Authorizes the publication of DoDM 5200.01 Vol 1-4, the DoD Information Security Program
DoD Instruction 5200.01
Handbook for Writing Security Classification Guidance
Provides detailed information on how to develop security classification guidance
DoD 5200-1.H
Requires protection form unauthorized disclosure
To be eligible - must be official government information that is owned by, produced by, produced for, or under the strict control of the US government
Classified Information
3 Levels of Classification
TS - grave damage to national security
S - serious damage to national security
C - damage to national security
Determination that information requires protection in the interest of national security
Either original or derivative
Classification
An initial determination that information requires protection against unauthorized disclosure in the interest of national security
Original Classification
OCA
Original Classification Authority
Request for OCA contains mission justification and position title
Delegated in writing by the president to the occupant of the position, not to an individual by name, not able to delegate further unless “acting”
Specifies the highest level of the OCA can classify a piece of information and their jurisdiction
Must go through training prior to exercising their authority and at least 1x a year
A demonstrable and continuing need for such authority at least 2x a year
6 steps to OCA decision process
Gov’t Info - Determine if the information is official government information or has it already been classified by another OCA
Eligibility - determine if the information is eligible for classification (not a smokescreen)
Impact/harm - determine if potential for damage to national security if release occurs
Designation - assign a level of classification
Duration - determine duration of classification
Guidance - communicate decision via SCG or properly marked source document
SCG
Security Classification Guide
A document issued by a OCA that provides derivative classification instructions
Describes the elements of information that must be protected as well as the level and duration of classification
SCG Format
General instructions Overall efforts Performance and capabilities Specifications Critical elements Vulnerabilities and weaknesses Administrative data Hardware
CPI
Critical Program Information
Includes both classified military information and controlled unclassified information
Needs to be protected from unauthorized or inadvertent destruction, transfer, alteration, or loss
Compromise of critical program information can significantly alter program direction, shorten combat effective life of the system, or require additional research, development, test, and evaluation resources to counter impact of its loss
DoD 5200.39
Compilation
Combining elements of information that are individually unclassified may be classified if the compiled information reveals an additional association or relationship that qualifies for classification under DoD policy
OCAs designate when and what types of information are classified through compilation
Explain the basis for classification by compilation on the face of the document or in the text
Mark each portion individually according to its classified content
The process of using existing classified information to create new material and marking that newly developed material consistent with the classification markings that apply to the source information
The incorporating, paraphrasing, restating, or generating in new form any information that is already classified
Not an authority, an assumed responsibility
Does not include duplication or reproduction of existing classified information
Must receive training at least once every 2 years
Derivative Classification
5 Requirements of Derivative Classification
Observe and respect the OCA’s original classification determination
Apply required markings
Use only authorized sources (SCG and source documents)
Use caution when paraphrasing - required knowledge of subject
Take steps to resolve doubts
Authorized Sources
SCG, properly marked source documents, DD254
When there is a conflict, the SCG takes precedence
Extracting
When information is taken directly from an authorized classification guidance source and is stated verbatim in a new or different document
Paraphrasing/restating
When information is taken from an authorized source and is re-worded in a new of different document
Be careful to ensure that the classification has not been changed
Generating
When information is taken from an authorized source and generated into another form or medium, such as a video, DVD, or CD
Contained in
Applied when derivative classifiers incorporate classified information from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information
Revealed by
Applies when derivative classifiers incorporate classified information from an authorized source into a new document that is not clearly or explicitly stated in the source document but a reader can deduce the classified information from the new document by performing some level of additional interpretation or analysis
Declassification
The authorized change in the status of information from classified to unclassified
Instructions are placed on the front of a document and usually appear as declassify on and the date or declassify on and the event
Instructions not applied to RD (determined by DOE) or FRD (detered by DOE and DoD)
4 Declassification Systems
Scheduled - instructions assigned by the OCA are followed by date or event
Automatic - set up through EO 13526; applies to records that have “historical value” under Title 44 of US Code; Dec 31st of year 25 years from original classification; 9 categories of exceptions
Mandatory - the declassification system where the public can ask for classified information to be reviewed for declassification and public release
Systematic - permanently valuable classified records are reviewed for declassification after they reach a specific age; information exempted from automatic declassification is reviewed for possible declassification
Declassification Exceptions
Information marked 25X, 50X, 75X + exemption category
50X HUM - no date of declassification - reveals human intelligence source
50X2 WMD - no date of declassification - reveals design of weapons of mass destruction
SF-312
Classified Information Non-Disclosure Agreement
Contractual agreement between the US Gov’t and cleared employee that must be executed as a condition of access
Agreement to never disclose classified information to an unauthorized person (clearance, NTK, SF-312)
SF-701
Activity Security Checklist
Verify you didn’t leave classified materials unsecure as well as ensure the area is safe and secure
SF-702
Security Container Check Sheet
Used to record opening and closing of container
SF-703
Coversheet for TS
SF-704
Coversheet for S
SF-705
Coversheet for C
DD Form 2501
Courier Authorization Card
Unauthorized Disclosure could…
Inhibit our national defense capabilities
Adversely affect our foreign relations
DoD Component Requirements
Agencies add their own requirements to ensure security measures are effective for their unique missions
Designate a Senior Agency Official to oversee the program
Appoint a Security Manager for education and training
ISCAP
Interagency Security Classifications Appeals Panel
Established by EO 12958
Receives guidance from EO 13526
Provides public and users of the classification system with a forum for further review of classification decisions
Classification challenges
Exceptions from Automatic Declassification “File Exemption Series”
Mandatory Declassification Review Appeals
Inform Decisions
Custodian
Someone who is in possession of and charged with safeguarding classified information
Required to verify clearance eligibility, access level, NTK and SF-312 completed before providing to another person
Knowing, willful, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information
Knowing, willful, or negligent action to classify or continue to classify information contrary to the EO 13526
Knowing, willful, or negligent action to create or continue a SAP contrary EO 13526
Security Violation
Involves failure to comply with EO 13526 which cannot reasonably be expected to an does not result in loss, suspected compromise, or actual compromise of classified information
Security Infraction
Incident Reporting
Incidents that result in significant consequence or may become public must be promptly reported to the OUSD(I)
Espionage
Unauthorized disclosure to public media
Involving creation or continuation of a SAP against regulation
Defense operations that could cause harm to national security
COMSEC
Crypto, emission, transmission, physical security
Protect telecommunications
Deny unauthorized persons information of value
Ensure the authenticity of communication
National Security Telecommunication and Information Systems Security Instruction (NSTISSI) No. 4001
Transportation/Mailing
DoDM 5200.01 V3
TS - face to face, cryptographic, or courier
S - USPS registered mail, USPS express mail authorized only when it is the most effective means considering security, time, cost, and accountability
C - USPS certified mail, ESPS first class mail. DCS (Defense Courier Service), USPS registered mail
Inner Mailing Wrapping
Address to official gov’t activity or contractor
Complete return address to your office
Conspicuously marked with the highest level of classified information
Include applicable special markings “RD”
Sealed to minimize possibility of access without leaving evidence of tampering
Outer Mailing Wrapping
Insert inner envelope within outer and seal to minimize possibility of access without leaving evidence of tampering
Address to an official gov’t or DoD contractor
DO NOT address to individual’s name on inner wrapping
Put your office’s full return address
DO NOT put any markings or notations on the outer envelope to indicate contents are classified
Handcarrying
Must be done by an appropriately cleared gov’t or contractor employee
Written authorization always required
Letter of authorization if traveling on commercial airline
Written statement (DD Form 2501) if another mode of transportation
Material should be double wrapped - briefcase is outer layer if locked
Items may be opened en route as a last resort if required by customs or police but must be opened out of sight of the general public
Authorized Destruction
Burning, shredding, pulverizing, disintegration, pulping, melting, chemical decomposition, mutilation
NSA maintains listing of evaluated destruction and degaussing products that have been tested and meet performance requiremetns
Shredders cross-cut capability 1mm x 5mm
Atomic Energy Information
Control markings that have RD or FRD marked in accordance with the Atomic Energy Act of 1954 as amended
SCI
Sensitive Compartmented Information
Classified information derived from intelligence sources methods
Handled in accordance with formal access control systems established by the Director of National Intelligence
SAP
Special Access Program
Established in accordance with DoDM 5200.01 Information Security Program
Only created when absolutely necessary to protect nation’s most sensitive and critical information or when required by statues
DoD program or activity employing enhanced security measures exceeding those normally required for information at the same classification level
May only be approved by the Secretary of Defense or the Deputy Secretary of Defense
NATO
Alliance of 28 countries since 1949
Marked and safeguarded in accordance with the US Security Authority for NATO or USSAN
Patent Secrecy Act
Secretary of Defense may determine that discourse of an invention by granting of a patent would be detrimental to national security
Subject to special secrecy order
FOIA
Freedom of Information Act
To be exempt from mandatory release, it must fit into one of the qualifying categories and there must be a legitimate gov’t purpose to withhold it
FOUO is a designation that applies to Unclassified that may be exempt from mandatory release
FOIA Exemptions
Exemption 1: Information that is classified to protect national security.
Exemption 2: Information related solely to the internal personnel rules and practices of an agency.
Exemption 3: Information that is prohibited from disclosure by another federal law.
Exemption 4: Trade secrets or commercial or financial information that is confidential or privileged.
Exemption 5: Privileged communications within or between agencies, including: Deliberative Process Privilege, Attorney-Work Product Privilege, Attorney-Client Privilege
Exemption 6: Information that, if disclosed, would invade another individual’s personal privacy.
Exemption 7: Information compiled for law enforcement purposes that:
7(A). Could reasonably be expected to interfere with enforcement proceedings
7(B). Would deprive a person of a right to a fair trial or an impartial adjudication
7(C). Could reasonably be expected to constitute an unwarranted invasion of personal privacy
7(D). Could reasonably be expected to disclose the identity of a confidential source
7(E). Would disclose techniques and procedures for law enforcement investigations or prosecutions
7(F). Could reasonably be expected to endanger the life or physical safety of any individual
Exemption 8: Information that concerns the supervision of financial institutions.
Exemption 9: Geological information on wells.
STIP
Scientific and Technical Information Program
Not a control marking but a program that implements distribution control statements on scientific and technical information
Improves acquisition data sources
Disseminated technical information efficiently
Prevents loss of technical information to US adversaries and competition
Aids transfer of technical information to qualified researches in industry and gov’t
Initial Orientation
DoDM 5200.01 Vol 3
Required prior to allowing access to classified information
All personnel in the organization (civilians, military, contractor support)
Topics:
Controlled Unclassified Information
Basic security policies and procedures
Individual security responsibilities and sanctions for non-compliance
Need to review unclassified info prior to public access
Identify DoD Senior Agency Official and Security Manager
