General Security

Question 1

Risk management is a five-step process that provides a framework for collecting and evaluating information to:

Answer 1

• Assess assets (identify value of asset and degree of impact if asset is damaged or lost)
• Assess threats (type and degree of threat)
• Assess vulnerabilities (identification and extent of vulnerabilities)
• Assess risks (calculation of risks)
• Determine countermeasures (security countermeasure options that can reduce or mitigate risks cost effectively

Question 2

Assets can be assigned to one of five categories:

Answer 2

• People
• Information
• Equipment
• Facilities
• Activities & Operations

Question 3

T or F: The first step in the risk management process is to identify and assess your organization’s assets.

Answer 3

True

Question 4

T or F: An asset is anything of value or importance to the organization or an adversary, such as people, computers, buildings or strategic advantages.

Answer 4

True

Question 5

_____ is comprised of communications and the electronic and telemetry collection of information in the non-visible portion of the electromagnetic spectrum.

Answer 5

SIGINT (Signals Intelligence)

Question 6

_____ is intelligence derived from people through interviews, elicitation, or reports originating from people.

Answer 6

HUMINT (Human Intelligence)

Question 7

HUMINT insider – information collection techniques:

Answer 7

• Attempting to obtain information without need to know
• Making unusual use of or requests for classified publications
• Attempting to access classified databases
• Removing information without approval
• Placing classified material in a desk or briefcase
• Copying classified material in other offices
• Borrowing or making notes of classified material
• Bringing cameras or recording devices into cleared facilities
• Obtaining or attempting to obtain witness signatures on classified
destruction records
• Stockpiling classified or proprietary documents outside cleared area

Question 8

HUMINIT insider indicators - personnel who:

Answer 8

• Are disgruntled with management
• Are disgruntled with the U.S. Government
• Are fascinated with and have a strong desire to engage in spy
work
• Suddenly purchase high value items
• Suddenly settle large outstanding debts
• Travel to foreign countries repeatedly
• Make short trips overseas
• Have contact with foreign officials and representatives
• Attempt to conceal contacts with foreigners
• Have relatives or friends residing abroad
• Avoid or decline assignments requiring a counterintelligence-
oriented polygraph
• Work an unusual amount of overtime
• Sudden decline in work quality

Question 9

_____ involves using various sources, such as satellites, photos, infrared, imaging radar, and electro-optical for collecting image data.

Answer 9

IMINT (Imagery Intelligence)

Question 10

_____ It excludes signals intelligence and traditional imagery intelligence. When collected, processed, and analyzed, MASINT locates, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources. It includes the advanced data processing and exploitation of data from overhead and airborne imagery collection systems. MASINT data can be acquired from a variety of satellite, airborne, or ship borne platforms; remotely piloted vehicles; or from mobile or fixed ground-based collection sites.

Answer 10

MASINT (Measurement and Signatures Intelligence)

Question 11

_____ includes resources such as newspapers, internet, magazines, international conventions, Freedom of Information Act (FOIA) requests, seminars, and exhibits (e.g., CNN.com, The New York Times, Aviation Week, and Space & Technology).

Answer 11

OSINT (Open Source Intelligence)

Question 12

The Threat Level Decision Matrix requires assigning a level of critical (C), high (H), medium (M), or low (L) for each asset’s threat/adversary(s).

Answer 12

For example:

“yes + yes + yes” = critical

“no + no + no” = low

Question 13

Human Vulnerability Areas

Human vulnerability areas include persons who exhibit the following traits/issues:

Answer 13

• A big ego: Persons with a big ego may mishandle or improperly protect critical assets.
• Anger management problems: Persons with anger management problems may damage or destroy critical assets out of anger.
• Are ignorant of technology: Persons who are ignorant of technology fail to learn how to properly operate computers, secure telephones, etc. This may place sensitive
information at risk.
• Behavioral issues: Behavioral issues apply to disgruntled personnel, persons with personality disorders, etc. These persons may represent either a direct or indirect threat to assets.
• Boredom: Persons suffering from boredom may become careless.
• Greedy: Persons who are greedy may compromise or steal critical assets for personal gain.
• Loose lips: Persons with loose lips may compromise sensitive information.
• Mental illness: Persons with mental illness may represent a threat to critical assets or place critical assets in jeopardy either knowingly or unknowingly.
• Overworked: Persons who are overworked may become careless.
• Practice poor security: Persons practicing poor security fail to comply with security requirements and may place critical assets in jeopardy.
• Seek revenge: Persons who seek revenge may attack critical assets to get even for a perceived wrong.
• Substance abusers: Persons who are substance abusers may pose a threat to critical assets by selling them for cash or being careless while under the influence.

Question 14

Operational Vulnerability Areas

Operational vulnerability areas include the following:

Answer 14

• Poor tradecraft practices that potentially place critical assets at risk. For example, failure to develop and operate a property control system places critical assets at risk
• Observables are practices, activities, or assets that can be surveilled. The information gained could be utilized to threaten critical assets. An example is an activity that uses roving security guard patrols at exact intervals. An adversary may be able to observe this fact and estimate a timeframe within which to infiltrate a facility.
• Other Operations Security (OPSEC) issues – OPSEC is an analytical process used to deny an adversary information, generally unclassified, concerning an organization’s intentions and capabilities by identifying, controlling, and protecting indicators associated with planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.
• Press exposure of sensitive information represents a potential vulnerability. For example, an activity with poor entry control procedures may be susceptible to loss/theft of property and may have implanted listening devices.

Question 15

Information Vulnerability Areas

Information vulnerability areas include the following:

Answer 15

• Information unnecessarily disseminated to a wide audience – the wider the dissemination the more difficult it is to protect.
• Failure to practice need-to-know - “Need-to-know” refers to the determination by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform an authorized governmental function.
• Poor program administration includes failure to properly safeguard sensitive information, improperly classifying information and failure to mark classified information.
• Failure to follow Freedom of Information Act (FOIA) requirements - Adversaries routinely request information through FOIA. Failure to properly evaluate information that has been requested for public release may pose a threat to critical assets

Question 16

Facility Vulnerability Areas

Facility vulnerability areas leave assets in jeopardy. These are some potential issues:

Answer 16

• Location – Areas designated as high crime areas or with a significant potential for natural disasters could be a concern.
• Poor perimeter fencing with holes, gaps, vegetation overgrowth, etc.
• Building design characteristics with floor plans that inhibit access control
measures, ground floor windows along a heavy pedestrian route, etc.
• Tunnels and drains that permit an avenue of approach by an adversary
• Unsecured doors that allow adversary access.
• Parking lots provide adversaries with a venue for observing a facility, perpetrating a crime, detonating mobile explosive devices, etc.
• Vehicle barriers – They must be reinforced and security personnel must be trained to be effective.
• Untrained guard forces may be ineffective in observing, preventing, or responding to an adversary attack. Guard forces must understand their duties and be trained to carry them out.
• Unsecured windows provide adversaries with a potential avenue of approach.
• Insufficient access control allows adversaries a potential means of entry either detected or undetected.
• Gates must be properly operated when in use, locked when not in use, and regularly evaluated to ensure they do not provide adversaries with a potential avenue of approach.

Question 17

Equipment Vulnerability Areas

Equipment vulnerability areas include the following:

Answer 17

• Signal interceptions that can occur when using devices like cell phones, wireless networked computers, and personal digital assistants (PDAs).
• TEMPEST emanations - TEMPEST is the short name referring to the investigation, study, and control of compromising emanations from telecommunications and information systems equipment. Computer equipment, typewriters, etc. emanate electronic signals that can be collected by an adversary. They can then interpret the signals and obtain the information that was being processed on the electronic equipment.
• Equipment tampering in which equipment is modified to permit collection of information by an adversary. For example, modifications to a reproduction machine might enable image storage of everything copied.
• Remote activation/operation that allows modifications or programming permitting an adversary to remotely activate and/or operate equipment.

Question 18

Additional sources that can assist with gathering vulnerability information include the following:

Answer 18

• Personnel who work at the “site”
• Existing site surveys
• Engineering drawings and blueprints
• Maps
• Security planning documents
• Surveys and audits
• Incident reports

Question 19

Regressive analysis is a five-step process:

Answer 19

1. Assess the asset’s vulnerabilities in a pure, unprotected state.
2. Reevaluate the asset’s vulnerabilities taking into consideration the efficacy of the existing countermeasures.
3. Identify the asset’s vulnerability differences between the unprotected and protected assessments.
4. Identify the ineffective countermeasures.
5. Identify and characterize the specific vulnerabilities that still exist, given the
   current countermeasures.

Question 20

T or F: The overall risk level varies with relation to the values of each item. The larger the risk area shared by assets, threats, and vulnerabilities, the higher the risk level.

Answer 20

True

Question 21

The three risk factors are incorporated into a formula to determine and assign a more precise risk rating:

Answer 21

Risk = Impact x (Threat x Vulnerability) or (R = I [T x V])

Question 22

Countermeasure Cost Determination:

The costs of implementing countermeasures must be considered relative to the following:

Answer 22

• Dollars - Consider the purchase price and the life-cycle maintenance costs (e.g.
installation, preventive maintenance, repair/warranty, replacement, and training).
• Inconvenience - Consider whether the inconvenience caused is offset by the
measure of risk reduction gained. If a countermeasure is inconvenient, people will
find a way to circumvent it.
• Time - Include the time to implement and oversee the countermeasure and the time
to prepare for its implementation, as well as any time required for follow-up and
evaluation.
• Personnel - Consider the number of personnel needed to manage the
countermeasure as well as the skills, knowledge, and abilities of the personnel
involved. Also consider personnel training needs and costs.
• Other - Consider the adverse publicity, political repercussions, reduced operational
efficiency, and unfavorable working conditions resulting from countermeasure implementation.

Question 23

Information Security Program, Volume 3, Enclosure 5: Security Education and Training

Answer 23

• Initial Orientation
• Special Requirements
• Continuing Security Education/Refresher Training
• Termination Briefings
• Program Oversight

Question 24

Personnel Security Program, Section 9.2: Security Education

Answer 24

• Initial Briefings
• Refresher Briefing
• Foreign Travel Briefing
• Termination Briefing

Question 25

NISPOM, Chapter 3: Security Training and Briefings

Answer 25

• FSO Training
• Initial Security Briefings
• Refresher Training
• Debriefings

Question 26

DD Form 441

Answer 26

Contractual agreement establishing industry’s security responsibility

Question 27

NISPOM

Answer 27

The manual that includes the security education requirements for industry

Question 28

SF-312

Answer 28

The form all personnel must sign to access classified information

Question 29

DOD 5200.2-R

Answer 29

Regulation mandating training prior to access to classified information

Question 30

E.O. 12968

Answer 30

The overarching policy that mandates security education

Question 31

DoDM 5200.01

Answer 31

Regulation mandating security education for DoD employees

Question 32

______ is the uninterrupted assessment of an individual for retention of a security clearance and involves reinvestigation at given intervals. To maintain eligibility, employees must recognize and avoid behaviors that might jeopardize their security clearance. Employees, coworkers, supervisors, and managers all play an important role in the continuous evaluation program and all must receive training on their responsibilities.

Answer 32

Continuous evaluation

Question 33

Initial Briefing

Answer 33

• Varies by role and whether DoD or industry - Includes basic security roles and responsibilities
• Includes overview of classification system
• Discusses penalties for unauthorized disclosure

Question 34

Continuing Education

Answer 34

• Required for all cleared DoD personnel
• Supplement formal briefings
• Informational and promotional efforts
• Job performance aids

Question 35

Refresher Training

Answer 35

• Performed at least annually
• Reinforce contents of initial briefing, including:
  o Policies, principles, and procedures
  o Penalties for engaging in espionage
• Address new threats and techniques and changes in security regulations
• Address issues or concerns identified during self-inspections

Question 36

Termination Briefing

Answer 36

• Debrief employees when:
  o Employee terminates employment or is discharged
  o Employee’s access is terminated, suspended, or revoked
• Include:
  o Continued responsibility to protect classified information
  o Requirement to report unauthorized attempts to gain access
  o Prohibition against retaining materials
  o Civil and criminal penalties for violations

Question 37

T or F: A new SF-312 must be executed and recorded in JPAS each time an individual needs access to classified information.

Answer 37

False

If the individual already has an SF-312 recorded in JPAS, then it does not need to be executed again.

Question 38

T or F: Job-specific security procedures are usually included as part of an initial security briefing.

Answer 38

True

Question 39

T or F: Information on current security threats must be included as part of security training.

Answer 39

True

Question 40

T or F: Termination briefings should communicate the continued requirement for individuals to protect classified information, even after resigning or being discharged.

Answer 40

True

Question 41

T or F: Refresher training is required only for individuals who have violated security procedures.

Answer 41

False

Refresher training is required for ALL cleared personnel.

Question 42

Declassification authorities other than original classifiers must receive training addressing the standards, methods, and procedures for declassifying information as mandated by what executive orders and policies?

Answer 42

Executive Order 13526 and the DoDM 5200.01.

Question 43

T or F: Declassification authorities are always U.S. Government employees or military members who have specifically been given this responsibility.

Answer 43

True

Question 44

Derivative classifiers, security managers and specialists, classification management officers, and others with responsibilities relating to the oversight of classified information, must receive training and education on the following topics:

Answer 44

the processes for classifying information originally and derivatively, and the standards applicable to each, the avoidance of over classification, proper and complete classification markings, and the authorities, methods and process for downgrading and declassifying information.

Question 45

A designated, cleared employee, whose principal duty is to transmit classified material to its destination. The classified material remains in the personal possession of the courier except for authorized overnight storage.

Answer 45

Courier

Question 46

A designated, cleared employee, who occasionally hand carries classified material to its destination in connection with a classified visit or meeting. The classified material remains in the personal possession of the handcarrier except for authorized overnight storage.

Answer 46

Handcarrier

Question 47

A designated, cleared person, who accompanies a shipment of classified material to its destination. The classified material does not remain in the personal possession of the escort but the conveyance in which the material is transported remains under the constant observation and control of the escort.

Answer 47

Escort

Question 48

_____ is TOP SECRET RESTRICTED DATA or SECRET RESTRICTED DATA that reveals the theory of operation or design of the components of a thermonuclear or implosion-type fission bomb, warhead, demolition, munitions, or test device.

Answer 48

Critical Nuclear Weapons Design Information, CNWDI

Question 49

In addition to TOP SECRET, SECRET, and CONFIDENTIAL, many foreign governments have a fourth classification level, known as ____________, for which there is no U.S. equivalent.

Answer 49

RESTRICTED

Question 50

_____ is classified information derived from intelligence sources and requiring special handling.

Answer 50

Sensitive Compartmented Information (SCI)

Question 51

_____ are additional security measures which may be used to ensure strict need-to-know protection when standard security measures are insufficient.

Answer 51

Alternative Compensatory Control Measures (ACCM)

Question 52

_____ is a process of identifying critical information and analyzing friendly actions attendant to military operations and other activities.

Answer 52

Operations Security (OPSEC)

Question 53

_____ are provided to personnel who will be traveling, either officially or unofficially, to foreign countries, professional meetings or conferences where foreign attendance is likely, and any other locations where there are concerns about possible foreign intelligence exploitation. This briefing is usually required for all personnel with SCI or SAP access.

Answer 53

Foreign Travel Briefing

Question 54

These individuals must be receiving training on international security and foreign disclosure guidelines by taking either the International Security Requirements course offered by USD(P)

Answer 54

Internation Programs

Question 55

Facility Security Officers / Roles and Responsibilities

Answer 55

• As deemed appropriate by CSA
• Based on facility’s involvement
• FSO Orientation for non-possessing facilities or FSO Program
Management course for possessing facilities
• Received within 1 year of appointment

Question 56

ISSM / Roles and Responsibilities

Answer 56

• Training to level commensurate with IS complexity
• Responsibility for providing IS security education for relevant personnel,
  prior to processing classified information on AIS

Question 57

Couriers / Roles and Responsibilities

Answer 57

• Who is authorized to handcarry/escort classified information
• Procedures for handling classified information while in transit
• Modes of transportation that may be used
• Where classified information may be carried
• Points of contact in case of an emergency while performing courier
responsibilities

Question 58

Personnel must participate in annual Cybersecurity awareness training:

Answer 58

• Threat identification
• Physical security
• Malicious content and logic
• Social engineering and other non-standard threats

Question 59

Antiterrorism

Answer 59

• Defensive measures used to reduce vulnerability to terrorist acts
• Actions taken to prevent or mitigate hostile actions against DoD
personnel, resources, facilities, and critical information
• AT Briefing Levels
1. Antiterrorism awareness
2. Antiterrorism officers (ATOs)
3. Pre-command antiterrorism training
4. Executive seminar

Question 60

Visits and Meetings

Answer 60

• Badges and escorts
• Physical security procedures
• Access areas
• Use of PEDs
• Verifying PCL
• Handling classified material
• Transmitting and/or transporting classified information
• Reporting requirements for security violations

Question 61

Must receive security education and training that addresses the process for deciding whether information should be classified and the standards information must meet in order to be classified.

Answer 61

Original Classification Authorities

Question 62

Must receive training on the procedures for handling classified information while in transit.

Answer 62

Couriers

Question 63

Are responsible for providing security education for relevant personnel prior to processing classified information on AIS.

Answer 63

Information System Security Managers

Question 64

T or F: A proactive program anticipates problems before they occur. On the other hand, a reactive program simply responds to problems after they occur, which in many cases is too late to prevent serious damage to national security.

Answer 64

True

Question 65

When creating a training and education program of any kind, it is beneficial to practice sound instructional design. Instructional design is a systematic approach to designing and developing training courses and programs. The most basic and universally used of these models is known as the ______ model. This model is a five-step process that involves:

Answer 65

ADDIE model

• Analysis:
• Design:
• Development:
• Implementation:
• Evaluation:

Question 66

The ADDIE model is a five-step process that involves:

Answer 66

• Analysis: The determination of the program’s needs and overall purpose
• Design: The selection of the most appropriate instructional methods
• Development: The creation of the actual training materials
• Implementation: The delivery of the training
• Evaluation: The assessment of the training’s effectiveness

Question 67

When your organization signed the DD Form ____ , it became a contractual responsibility to establish an effective security program and the responsibility to protect classified information fell on your shoulders as a Facility Security Officer.

Answer 67

DD Form 441

Question 68

Newsletters

Answer 68

• Get input from employees
• Gather content and success stories
• Provide rewards for participating
• Use graphics

Question 69

T or F: Only security experts should be involved in developing security education programs.

Answer 69

False

Question 70

T or F: Security education programs should be proactive rather than reactive.

Answer 70

True

Question 71

T or F: Creative and fun components of security education programs can motivate employees to participate.

Answer 71

True

Question 72

T or F: Security education programs should be considered an expense rather than an investment.

Answer 72

False

Question 73

T or F: Senior management should be involved in solving problems faced in development of a security education program.

Answer 73

True

Question 74

(Match each ADDIE phase on the left with the statement that best describes it on the right) - Create security awareness posters, hire a company to build an eLearning course, and prepare PowerPoint slides for your next initial security briefing.

Answer 74

Development

ADDIE Model

Question 75

(Match each ADDIE phase on the left with the statement that best describes it on the right) - Perform program oversight, assessing the effectiveness of the security education program, reporting any issues found and revising the training materials accordingly.

Answer 75

Evaluation

ADDIE Model

Question 76

(Match each ADDIE phase on the left with the statement that best describes it on the right) - Write learning objectives for your next component of your security education program and decide that a series of round-table discussions is the most appropriate delivery method.

Answer 76

Design

ADDIE Model

Question 77

(Match each ADDIE phase on the left with the statement that best describes it on the right) - Distribute an e-newsletter with the latest threat information.

Answer 77

Implementation

ADDIE Model

Question 78

(Match each ADDIE phase on the left with the statement that best describes it on the right) - Establish overall program goals and identify target audience.

Answer 78

Analysis

ADDIE Model

Question 79

_____ is the process of selecting and implementing security countermeasures to achieve an acceptable level of risk at an acceptable cost.

Answer 79

Risk Management

Question 80

What is the difference between Risk Avoidance and Risk Management?

Answer 80

Risk Avoidance assumes all opponents are aggressive threats, counters ALL vulnerabilities, and plans for worst-case scenarios.

Risk Management on the other hand is a process that integrates the assessment of assets, threats and vulnerabilities and weighs the calculated risk against the projected cost of security.

Question 81

The Risk Management Model incorporates a five-step process that will:

Answer 81

• Identify the critical assets that require protection
• Identify undesirable events and expected impacts
• Value and prioritize assets based on the consequence of loss
• Assess the risks and
• Determine countermeasures

Question 82

Assets fall into 5 categories:

Answer 82

• People
• Information
• Equipment
• Facilities and
• Activities and Operations

Question 83

_____ indicates that compromise to the assets targeted would have grave consequences leading to loss of life, serious injury, or mission failure. The rating scale is from 50-100.

Answer 83

Critical

Question 84

A _____ value indicates that a compromise to assets would have serious consequences resulting in the loss of classified or highly sensitive data that could impair operations affecting national interests for a limited period of time. The rating scale is from 13-50.

Answer 84

High

Question 85

An asset value of _____ indicates that a compromise to the assets would have moderate consequences resulting in the loss of confidential, sensitive data or costly equipment/property that would impair operations affecting national interests for a limited period of time. The rating scale is from 3-13.

Answer 85

Medium

Question 86

A _____ value indicates that there is little or no impact on human life or the continuation of operations affecting national security or national interests. The rating scale is from 1-3.

Answer 86

Low

Question 87

Threats are rated using the same four criteria of Critical, High, Medium and
Low.

The rating scale is set at 75-100%.

Answer 87

Critical

Question 88

Threats are rated using the same four criteria of Critical, High, Medium and
Low.

The rating scale is 50-74%.

Answer 88

High

Question 89

Threats are rated using the same four criteria of Critical, High, Medium and
Low.

The rating scale is set from 25-49%.

Answer 89

Medium

Question 90

Threats are rated using the same four criteria of Critical, High, Medium and
Low.

The rating scale is set at 0-24%.

Answer 90

Low

Question 91

Information which is originated by or for the DoD, or its Agencies, or is under their jurisdiction or control, and which requires protection in the interests of national security.

Answer 91

Classified military information (CMI)

Question 92

CMI is designated TOP SECRET, SECRET, and CONFIDENTIAL as described in Executive Order (EO) ________ .

Answer 92

Executive Order (EO) 13526

Question 93

T or F: CMI may be found in DoD acquisition programs, intelligence programs, or in military operations.

Answer 93

True

Question 94

There are eight categories of CMI.

Answer 94

The categories of information can occur in various situations depending on the circumstance.

• CMI categories 2, 3, and 4 typically apply to DoD acquisitions programs.
• CMI Categories 1, 5, 6, and 7 typically apply to DoD operations programs.
• CMI Category 8 typically supports Operations and applies to DoD intelligence.

Question 95

Categories of CMI

Answer 95

Category 1 – Organization, Training, and Employment of Military Forces

Category 2 – Military Materiel and Munitions

Category 3 – Applied Research and Development Information and Materiel

Category 4 – Production Information

Category 5 – Combined Military Operations, Planning, and Readiness

Category 6 - U.S. Order of Battle

Category 7 – North American Defense

Category 8 – Military Intelligence

Question 96

A Principal Disclosure Authority (PDA) is a

Answer 96

is a senior military or government official, appointed in writing, by the head of an OSD organizational element or a DoD Component, as the senior foreign disclosure authority for that OSD organizational element or Component, and who is responsible for the establishment of an effective Foreign Disclosure Program.

Question 97

A Designated Disclosure Authority (DDA) is a

Answer 97

is a military or civilian government official who is appointed, in writing, by the head of an OSD organizational element or a DoD Component, or by their PDA, and delegated authority to control disclosure of CMI to foreign governments and international organizations for that element or Component. The DDA is an official of such grade and position that the person has access to the appointing PDA, or Head of the OSD Organizational element or DOD Component.

Question 98

_______ is the key criteria from which all other foreign disclosure criteria are then considered. It lists the delegated authority levels for specific countries to receive CMI.

Answer 98

NDP-1’s Annex A

Question 99

Who are the only DoD officials who have original authority to grant exceptions to the policy contained in DoDD 5230.11 for CMI Categories 1-8

Answer 99

The Secretary of Defense and the Deputy Secretary of Defense

Note: The Secretary of Defense has delegated authority to the NDPC to consider and grant requests for exceptions to policy in compliance with DoDD 5230.11

Question 100

A written confirmation, by a responsible foreign government official, that the recipient of the information is approved by the government for access to information of the security classification involved on behalf of the government, and possesses the requisite security clearance and need-to-know for the classified information to be disclosed.

Answer 100

Security Assurance

Note: The Security Assurance certifies that the recipient government will protect the information in accordance with the international agreement between the United States and the foreign government.

Question 101

_____ is the program established to process visits and assignments of foreign nationals to the DoD Components, and cleared contractor facilities. The program ensures classified information to be disclosed to visitors has been properly authorized for disclosure to their governments.

Answer 101

The International Visits Program (IVP)

Note: It ensures the requesting foreign government provides a Security Assurance when classified information is involved, and it facilitates administrative arrangements – such as date, time, and place - for the visit or assignment.

Question 102

Government disclosure methods also include sales, leases, loans, and grants of defense articles and services. These are known as _____

Answer 102

These are known as Foreign Military Sales (FMS). Prior to the sale, lease, loan, or grant of defense articles and services, the appropriate DDA must provide disclosure authorization and prescribe transfer arrangements.

Question 103

Programs that comprise one or more specific cooperative projects with a foreign government or international organization whose arrangements are defined in a written agreement between the parties covering research, development, test, and evaluation; and joint production.

Answer 103

Cooperative Programs

Question 104

What governs the export of defense articles and services and related technical data?

Answer 104

Arms Export Control Act (AECA)

Question 105

Form _____ is used for the export or temporary import of classified defense articles and services and any classified technical data.

Answer 105

Department of State form DSP-85

Question 106

_______ is a government-to-government agreement negotiated through diplomatic channels. It states that each party to the agreement will afford to classified information provided by the other, substantially the same degree of security protection afforded to the information by the providing party.

Answer 106

The General Security Agreement, or GSA, also called a General Security of Information Agreement, or GSOIA

Note: The GSA or GSOIA also provides that both parties agree to report any compromise, or possible compromise, of classified information provided by the other party and states that both parties will permit visits by security experts of the other party for the purpose of conducting reciprocal security surveys.

Question 107

______ is a subset of the agreements previously mentioned and is narrowly focused on CMI produced by or for DoD.

Answer 107

A General Security of Military Information Agreement (GSOMIA)

Question 108

_____ reporting expedites the disclosure authorization process by providing a comprehensive historical record of foreign disclosure decisions, including visits, exceptions to National Disclosure Policy, NDPC Records of Action, and licensing decisions.

Answer 108

Security Policy Automation Network (SPAN)

Note: SPAN comprises several component systems, two of which are depicted here

Question 109

SPAN comprises several component systems, two of which are depicted here.

Answer 109

The Foreign Visit System (FVS)

The National Disclosure Policy System (NDPS)

Question 110

T or F: NOFORN is used only for intelligence information and to indicate that such disclosure is prohibited. Only the originator may authorize its disclosure.

Answer 110

True

Note: The control marking NOT RELEASABLE TO FOREIGN NATIONALS (NOFORN) is authorized for use only on intelligence and intelligence-related information.

Question 111

When an authorized disclosure authority determines CMI is eligible for foreign disclosure, that authorization is indicated with what control marking?

Answer 111

REL TO

Question 112

Note: Within the DoD, the use of NOFORN outside of intelligence information is limited only to Naval Nuclear Propulsion Information and the NDP-1 and documents marked in accordance with the NDP-1 Security Classification Guide. No other types of DoD information are authorized to use the NOFORN marking.

Answer 112

Note only

Question 113

NOT RELEASABLE TO FOREIGN NATIONALS (NOFORN)

Answer 113

• Is authorized for use ONLY on intelligence and intelligence-related information and products under the purview of the DNI, in accordance with DNI policy
• Is not authorized for use within DoD on non-intelligence information with the exception of:
     o Naval Nuclear Propulsion Information (NNPI)
     o TheNationalDisclosurePolicy(NDP-1)and documents marked in accordance with the NDP-1 Security Classification Guide

Question 114

Authorized Distribution Statements

Answer 114

DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.

DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government Agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government Agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).

DISTRIBUTION STATEMENT D. Distribution authorized to the DoD and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).

DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).

DISTRIBUTION STATEMENT F. Further dissemination only as directed by (inserting controlling DoD office) (date of determination) or higher DoD authority.

Question 115

Export Control Warning

Answer 115

All technical documents that are determined to contain export-controlled technical data must also be marked with this export-control statement.

Question 116

Sanitization

Answer 116

As you learned earlier, when a foreign disclosure is made, the disclosure is limited to the information necessary to meet the disclosure’s purpose. As such, foreign disclosure often requires documents to be sanitized. Text, charts, graphs, and entire sections may need to be removed before a document is provided to a foreign government.

Question 117

Before CMI may be disclosed to a foreign government, that government must demonstrate intent and capability to safeguard the information. All international transfers must take place through government-to-government channels or channels agreed upon by the governments involved with the transfer.

Answer 117

Transmission and Transportation

Question 118

Through the Foreign Military Sales process, the U.S. sells some fighter aircraft, along with their associated classified components and technical data, to a friendly foreign nation. What Category of CMI is the equipment and data?

Answer 118

Category 2: Military Materiel and Munitions

Question 119

In support of a coalition operation, a coalition partner asks the U.S. for classified order of battle information about the forces of another coalition partner. What Category of CMI is this information?

Answer 119

Category 5: Combined Military Operations, Planning, and Readiness

Question 120

The U.S. discloses classified radar track data on unidentified flying objects entering U.S. airspace. What Category of CMI is this data?

Answer 120

Category 7: North American Defense

Question 121

To support the training of a foreign special operations unit, the U.S. provides a classified tactics manual used to train U.S. military forces. What Category of CMI is the manual?

Answer 121

Category 1: Organization, Training, and Employment of Military Forces

Question 122

The foreign ally involved in the joint research project on new radar search techniques now enters into co-production program with the U.S. to build a new radar system, and requests copies of the classified U.S. design blueprints for the new system. What Category of CMI is this data?

Answer 122

Category 4: Production Information

NOTE: The data owner would have to request an Exception to NDP-1, approved by the NDPC, to disclose this information because there is no delegated disclosure authority for Category 4 CMI for any nation.

Question 123

Due to a regime change, the once-friendly nation that received U.S.-built fighter aircraft under a Foreign Military Sales case has become hostile to U.S. interests, and the U.S. now needs to disclose classified information on the current capabilities of those fighter aircraft to our allies. What Category of CMI is this information?

Answer 123

Category 8: Military Intelligence

NOTE: Even though the U.S. originally built the aircraft, once they enter the inventory of the foreign nation, any classified information about their capabilities becomes Category 8 CMI.

Question 124

U.S. military aircraft are stationed in the allied country of Bandaria. The U.S. provides Bandaria with classified information on the numbers and types of aircraft deployed at various airbases in Bandaria. What Category of CMI is this information?

Answer 124

Category 6: U.S. Order of Battle

Question 125

A foreign ally involved in a joint research project on new radar search
techniques requests classified U.S. data. What Category of CMI is this data?

Answer 125

Category 3: Applied Research and Development Information and Materiel

Question 126

Requires appointment, in writing, of disclosure authorities and recording of disclosure determinations.

Answer 126

DoDD 5230.11

Note: DoDD 5230.11 requires appointment, in writing, of disclosure authorities and recording of disclosure determinations.

Question 127

Contains the procedures for disclosure of U.S. classified military information to foreign governments and international organizations

Answer 127

NDP-1

National Disclosure Policy (NDP-1) contains the procedures for disclosure of U.S. classified military information to foreign governments and international organizations.

Question 128

Governs the export of defense articles and services and related technical data and is the legal basis for most international activities

Answer 128

AECA

The Arms Export Control Act (AECA) governs the export of defense articles and services and related technical data and is the legal basis for most international activities.

Question 129

T or F: International agreements must be in writing.

Answer 129

False

In addition to written agreements, any oral agreement that meets the criteria is also an international agreement.

Question 130

T or F: Approval authority over international agreements may be delegated.

Answer 130

True

Approval authority over international agreements may be delegated.

Question 131

T or F: International agreements involving classified military information must be consistent with NDP-1.

Answer 131

True

International agreements involving classified military information must be
consistent with NDP-1.

Question 132

T or F: An international agreement is always required before sharing any U.S. CMI.

Answer 132

False

Delegated disclosure authority is required, but not necessarily an international agreement.

Question 133

T or F: Foreign disclosure determinations should consider foreign availability.

Answer 133

True

Foreign availability may decrease the implications of providing U.S. systems.

Question 134

T or F: Foreign disclosure must support a lawful and authorized U.S. Government purpose.

Answer 134

True

Foreign disclosure must support a lawful and authorized U.S. Government purpose.

Question 135

T or F: Foreign disclosure of classified military information is made by the originator or controlling agency.

Answer 135

True

Foreign disclosure of classified military information is made by the originator or controlling agency.

Question 136

T or F: Classified military information must be marked with both the proper classification markings and control markings prior to disclosure.

Answer 136

True

CMI must be marked with both the proper classification markings and control markings prior to disclosure.

Question 137

T or F: Distribution statements include a listing of the document portions that were extracted during sanitization.

Answer 137

False

Distribution statements contain the authorized audience, reason for restriction, DoD Controlling Office (DCO), and date of publication.

Question 138

T or F: Foreign transfer of classified military information must occur within government-to-government channels or channels agreed upon by the governments involved with the transfer.

Answer 138

True

Foreign transfer of classified military information must occur within government- to-government channels or channels agreed upon by the governments involved with the transfer.

Question 139

T or F: When a document is authorized for foreign disclosure, it must be disclosed in its entirety.

Answer 139

False

Foreign disclosure is limited to the information necessary to the meet the disclosure’s purpose. In many cases, this requires portions of the document to be redacted or sanitized.

Question 140

Senior Foreign Disclosure and Release Authority (SFDRA):

Answer 140

The senior civilian or military official(s) within an IC element designated in writing by an IC element head as responsible for that element’s disclosure and release program and other U.S. Government officials as may be designated by the DNI.

Question 141

Foreign Disclosure and Release Officer (FDRO):

Answer 141

IC element personnel to whom a SFDRA has delegated in writing the authority to approve or deny requests for authorization to disclose and release intelligence under that SFDRA’s jurisdiction or as authorized by the disclosure or release markings on the intelligence information.

Question 142

RELIDO

Answer 142

The control marking RELEASABLE BY INFORMATION DISCLOSURE OFFICIAL (RELIDO) is only used in conjunction with intelligence. By using this control marking, the originator indicates that he/she authorizes designated disclosure authorities in other Departments or Agencies to make further release determinations in accordance with existing foreign disclosure policies, guidance, and procedures.