12 FAM 560
GENERAL INFORMATION SECURITY ADMINISTRATION
(CT:DS-323; 07-30-2019)
(Office of Origin: DS/SI)
12 FAM 561 SECURITY INSPECTION OF
PROPERTY Prior to Disposition
(CT:DS-322; 06-13-2019)
a. Bureau, office, or post custodial officers (CO) have
responsibility for property located in their assigned areas, including
continuously surveying property under their control to identify idle or
unneeded property for disposition processing. They must promptly identify U.S.
Government owned personal property that:
(1) Is no longer needed for official business
operations;
(2) Requires replacement with new similar property due
to replacement criteria being met; or
(3) Economical repair cannot occur.
b. COs should report such property in a timely manner
for disposition processing in order for the U.S. Government to achieve maximum
return on investment and maintain effective operations.
c. (State only) Each CO
reports Department accountable property using the Integrated Logistics
Management System (ILMS) Asset Management module to the accountable property
officer (APO). The APO may reassign the accountable property to another
custodial officer and ILMS Asset Management will generate the form DS-584,
Property Transaction.
d. (State only) Otherwise the CO
will generate form DS-132, Property Disposal Authorization and Survey Report
for the APO to approve in ILMS Asset Management module to begin the disposition
processes (see 14
FAH-1 H-720 Disposal Procedures for Department and Field Office (for U.S.
locations) or 14
FAH-1 H-710 Disposal Procedures at Post (for post locations)).
e. Before APO approval of form DS-132, the CO must
ensure that all property has been inspected for any classified, sensitive
information or material and form DS-132 has been completed before arranging
removal of the property.
f. Unless otherwise designated, unit security officers
(USOs) are responsible for the inspection of their units property to ensure
all classified and Sensitive But Unclassified (SBU) information has been
removed. Prior to disposal, the USO must:
(1) Ensure all non-volatile memory and removable media
(i.e., hard drives, CDs, USBs) are removed from computer equipment that has
been used for processing classified and SBU information. Inspect printers,
scanners, copiers, faxes, etc., to ensure they do not contain any classified or
SBU hardcopy information. See 12 FAH-10
H-262.5 for Media Sanitization requirements and 12 FAH-6
H-633.5-9 for Classified Information Processing Equipment (CIPE)
disposition;
(2) Complete form DS-586 Turn-In Property Inspection
Certification and affix to any item having drawers or electronic data storage
capability. Form DS-586 must be signed by the USO and one additional person;
(3) When inspecting safes, file cabinets, and desks,
completely remove all drawers from the furniture as paper tends to slide
underneath and behind drawers. Ensure all drawers function properly. If a
drawer cannot be opened, the inspection is incomplete and the equipment cannot
be certified (as being free of classified or SBU material); thus cannot be
physically released from Department control. For additional directions, see 14 FAH-1 H-722
Inspection of Personal Property Prior to Disposition (for U.S. locations) or 14 FAM 417.1-4
Inspection for Classified Material plus14 FAH-1 H-712
Reporting Property No Longer Required (for post locations); and
(4) Arrange for combinations on safes or padlocks to
be set to the factory combination.
g. If the USO is not present to inspect equipment prior
to or at the time of actual removal, the APO authorizing property to be removed
is responsible for the inspection of all material leaving an office to ensure
no classified or SBU material is inadvertently unprotected.
12 FAM 562 INFORMATION SECURITY
EDUCATION AND TRAINING PROGRAMS OPERATION
(CT:DS-322; 06-13-2019)
a. The Program Applications Division (DS/IS/APD) is
responsible for developing, defining, inspecting, and advising on facilities,
procedures and controls for safeguarding classified and administratively
controlled information, and for the enforcement of regulations as they pertain
to operations worldwide.
b. DS/IS/APD establishes inspection programs and
maintains active training and orientation programs for employees who require
access to classified information, to ensure each employee understands the
individual responsibility for exercising vigilance and care in complying with
the provisions of these regulations. These programs include a continuing
review of the implementation of these regulations to insure national security
information is properly safeguarded.
12 FAM 563 Domestic Bureau, Principal,
AND UNIT SECURITY OFFICERS
12 FAM 563.1 Designation
(CT:DS-322; 06-13-2019)
a. Bureau executive directors may submit a request to
DS/IS/APD to assign a bureau security officer (BSO) to serve as a principal
security advisor to the bureau's assistant secretary. The BSO serves as a
subject matter expert to the assigned bureau on all matters that pertain to
safeguarding classified and SBU material in the domestic environment. Bureaus
provide day-to-day direction to their assigned BSO, while DS/IS/APD provides
overall management, supervision, and oversight. BSO assignments are rotational
and intended to be from 3 to 5 years in duration, after which another BSO will
be assigned to serve as principal security advisor to that bureau.
b. In the absence of an assigned BSO, the executive director
must designate a principal unit security officer (PUSO) to assist carrying out
security responsibilities. Bureaus must notify DS/IS/APD in writing of any
initial PUSO designations and all subsequent changes in personnel within 5
business days.
c. Bureaus must also designate USOs to implement
effective internal security controls within their assigned space. Each unit is
defined at the discretion of management and is an identifiable organizational
element, usually located in a single definable geographical location such as a
building, floor, wing, or suite. In bureaus with BSOs, the BSO will advise and
support USOs in carrying out security responsibilities. Bureaus must notify
DS/IS/APD in writing of any initial USO appointment and all subsequent changes
in personnel within 5 business days.
d. Employees and contractors designated as PUSOs or
USOs perform the security duties prescribed for them in addition to the duties
of their regular positions. Each USO maintains an active security training and
orientation program to impress upon each employee with an individual
responsibility for exercising vigilance and care in complying with the
provisions of the security regulations. USOs are trained by and maintain
liaison with DS/IS/APD, either directly or indirectly, through contact with
their BSO, where assigned. When DS/IS/APD is notified by a bureau that a USO
or PUSO has been appointed, DS/IS/APD contacts the individual directly to
schedule USO training.
12 FAM 563.2 Roles and
Responsibilities
12 FAM 563.2-1 Bureau Security
Officer
(CT:DS-322; 06-13-2019)
Within their supported bureau(s), BSOs:
(1) Ensure the proper safeguarding of classified
national security and sensitive but unclassified information through management
and administration of the Department's Information Security Program;
(2) Provide guidance and support to the USO Program,
designed to implement effective internal security controls throughout the
Department. In addition to day-to-day assistance, BSOs provide specialized and
more detailed security specialist training to all assigned USOs;
(3) Interpret and implement existing information
security regulations and guidelines to develop or revise existing agency
guidance;
(4) Conduct information security surveys/inspections
of Department offices and workspaces to ensure compliance with all Department
security regulations associated with information security. BSOs also support
USOs in regular self-assessments of their spaces;
(5) Investigate security incidents and cyber security
incidents. BSOs may delegate to the appropriate USO, the processing of
apparent security infractions. BSOs must not delegate the conduct of
investigations of apparent security violations. BSOs continuously monitor and
analyze all incidents to identify patterns that may indicate trends, which are
brought to the attention of bureau management. All cyber security incidents
must be reported to the Cyber Incident Response Team (DS/CTS/CIRT) in
accordance with 12 FAH-10
H-242.5;
(6) Develop and provide formal training on information
security and related issues to employees and managers. Lead and participate in
a comprehensive security awareness program, designed to encourage employees to
fulfill the requirements of the Department's Information Security Program;
(7) Facilitate, through assigned USOs, all access
control requests for smart card entry; verify personnel given access, possess
the appropriate security clearance to have un-escorted access to Bureau spaces.
(8) Coordinate with assigned USOs to monitor access
control lists and ensure they reflect current operational requirements.
Facilitate the repair of all access control and alarm systems within bureaus;
(9) Develop, implement, and maintain the Sensitive
Compartmented Information (SCI) access portfolio for the bureau. Work with bureau
management to verify and justify operational need for individual SCI access
requests. Facilitate the approval of all requests through the bureau executive
director;
(10) Assist in the development, implementation, and
maintenance of the information security portion of the Emergency Action Plan
portfolios for the bureau, as it pertains to the disposition of classified and
sensitive information in an emergency or exigency;
(11) Brief the bureau's senior leadership, as needed,
on any security related issues;
(12) Participate in bureau management meetings as required;
and
(13) Liaise between the bureau and Diplomatic Security entities,
as needed, on security matters.
12 FAM 563.2-2 Unit Security
Officer
(CT:DS-322; 06-13-2019)
Within their supported office(s), USOs:
(1) Implement and maintain the executive directors
security program.
(2) Implement closing-hours security check.
(3) Conduct security container inventory.
(4) Record and safeguard combinations.
(5) Change door and safe combinations as required.
(6) Arrange escorts for visitors.
(7) Understand the Departments classification system.
(8) Inspect excess property.
(9) Understand any special programs in the office.
(10) Cooperate with the respective BSO to facilitate
the investigative process of security incidents, if asked.
(11) Familiarize new employees with applicable security
requirements.
(12) Perform other security-related tasks, as assigned.
12 FAM 563.3 Regional and Post
Security Officers Abroad
(CT:DS-322; 06-13-2019)
a. With respect to the information security program at
post, the regional security officer (RSO) receives advice, guidance and
direction from DS/IS/APD. RSOs serve as the program manager for the
information security program at post under their cognizance. RSO duties are
further defined in 12
FAM 420.
b. Post security officers (PSOs) are appointed by, and
maintain liaison with, the RSO. They assist in the general administration of
the security program within the assigned area of jurisdiction. In addition,
the PSO performs other security duties as required by the RSO.
12 FAM 564 Information Security
BRIEFINGS
(CT:DS-322; 06-13-2019)
The information security education program applies to all
personnel authorized or expected to be authorized access to classified and/or
SBU information. At a minimum, the program is designed to:
(1) Advise personnel of the adverse effects on
national security that could result from unauthorized disclosure, and of their
personal and legal responsibility to protect classified information within
their knowledge, possession, or control;
(2) Indoctrinate personnel in the principles, criteria
and procedures of proper control and accountability, storage, destruction, and
transmission of classified information and material;
(3) Familiarize personnel with procedures for
challenging classification decisions believed to be improper;
(4) Familiarize personnel with the security
requirements of their particular assignment;
(5) Advise personnel of the strict prohibition against
discussing classified information over an unsecure telephone or in any other
manner that permits interception by unauthorized persons;
(6) Inform personnel of the penalties for violation or
disregard of the provisions of this regulation; and
(7) Instruct personnel that individuals having
knowledge, possession, or control of classified information must determine,
before disseminating such information, that the prospective recipient has been
cleared for access by competent authority; needs the information in order to
perform his or her official duties; and can properly protect (or store) the information.
12 FAM 564.1 Initial Briefing
(CT:DS-322; 06-13-2019)
a. All employees must be afforded a briefing on the
government-wide regulations governing protection of classified information and
the Department of State procedures for protection of classified and sensitive
but unclassified information. Each new employee is required to read and sign form
SF-312, Nondisclosure Agreement, at the time of entrance on duty and prior to
being issued a badge that affords access to classified national security information.
b. Domestically, DS/IS/APD provides this comprehensive
briefing.
c. At posts abroad, the RSO must provide this briefing
to all newly cleared employees entering on duty (i.e., interns, FSN staff,
eligible family members and new hires). In addition, it is the responsibility
of post and PSOs to insure that all newly assigned or newly employed personnel
are briefed on security matters specific to a post or area. RSOs must provide
DS/IS/APD with a copy of the executed form SF-312.
12 FAM 564.2 Annual Refresher
(CT:DS-322; 06-13-2019)
In accordance with Executive Order 13526, all State
Department employees and contractors with a security clearance must complete
the Foreign Service Institute (FSI) course, Mandatory Training for Classifiers
and Users of National Security Information (PK400) once each calendar year.
PK400 is available on OpenNet through the FSI course catalog.
12 FAM 564.3 Special Access
(CT:DS-323; 07-30-2019)
Indoctrination briefings for SCI or Intelligence Community
(IC) Special Access Program (SAP) will be conducted by DS/IS/SSO on behalf of INR. Non IC SAP
indoctrinations will be conducted by the program manager for the SAP.
12 FAM 564.4 Termination
(CT:DS-322; 06-13-2019)
a. The Security Debriefing Acknowledgement on the back
of form SF-312 will be completed by the employee and witnessed by the servicing
human resources section whenever an employee is terminating employment or is
otherwise to be separated for a continuous period of 60 days or more. While a
security briefing is not required, the Security Debriefing Acknowledgement is
mandatory to ensure that separating personnel are aware of the requirement to
return all classified material and of a continuing responsibility to safeguard
their knowledge of any classified information. If a security briefing is not
provided when the acknowledgement is signed, the employee must strike out the
word have" in the acknowledgment (e.g., I have have not received a
security briefing).
b. The completed form SF-312 will be filed in the
employees electronic official personnel folder (eOPF).
12 FAM 565 THROUGH 569 UNASSIGNED