12 FAM 700
SECURITY POLICY FOR SENSITIVE COMPARTMENTED INFORMATION (SCI) WITHIN DEPARTMENT
OF STATE FACILITIES
12 FAM 710
SECURITY POLICY FOR SENSITIVE COMPARTMENTED INFORMATION
(CT:DS-314; 12-17-2018)
(Office of Origin: DS/SI/IS)
12 FAM 711 General
12 FAM 711.1 Authorities
(CT:DS-258; 06-13-2016)
(1) National Security Act of 1947, as amended
(2) Intelligence Reform and Terrorism Prevention Act
(IRTPA) of 2004
(3) Executive Order 12333, as amended
(4) Executive Order 13526
(5) Executive Order 12968
(6) Public Law 100-204, as amended
(7) The Foreign Service Act of 1980
(8) The Omnibus Diplomatic Security and Anti-terrorism
Act of 1986 (22 U.S.C. 4801 et seq.)
(9) Intelligence Community Directives (ICD) and
related Standards and Policy Guidance
(10) Bureau of Intelligence and Research
(INR)/Diplomatic Security (DS) Memorandum of Agreement (MOA) Security
Responsibility for the Protection of Certain Intelligence-Related Matters,
April 18, 2016
12 FAM 711.2 Purpose
(CT:DS-258; 06-13-2016)
a. This subchapter implements security policies
established to protect national intelligence worldwide, as defined in section
1012 of IRTPA, designated by the Director of National Intelligence (DNI) as
Sensitive Compartmented Information (SCI), and intelligence sources and
methods. It describes the:
(1) Roles, responsibilities, and authorities of the
Assistant Secretary for INR as the Department Intelligence Community (IC)
element head as defined by the National Security Act of 1947, as amended, and E.O.
12333, as amended;
(2) Authorities of other agency IC element heads for
their facilities within Department buildings worldwide; and
(3) Responsibilities of all Department employees and
contractors indoctrinated into SCI access.
b. This subchapter further implements Department
worldwide security policies for National Intelligence as required by E.O. 13526,
E.O. 12968, ICDs, Intelligence Community Standards, Intelligence Community
Policy Guidance (ICPG), and other documents cited herein for guidance on
specific security functions. Users are referred to applicable DNI control
system manuals or directives for guidance on appropriate classification levels
and compartmented information.
12 FAM 711.3 Applicability
(CT:DS-258; 06-13-2016)
The policies in this subchapter must be applied by all
bureaus, posts, and personnel under the authority of the Secretary and chief of
mission (COM) for receiving, transmitting, handling, storing, processing,
discussing or otherwise using SCI.
12 FAM 712 RESPONSIBILITIES
12 FAM 712.1 Intelligence Community
(IC) Element Head
(CT:DS-258; 06-13-2016)
a. INR is the Department's IC element head. An IC
element head may delegate responsibility for the implementation of policies and
procedures defined in DNI ICDs and related guidance for the protection of SCI
to a Cognizant Security Authority (CSA).
b. DS, as delegated by INR, per the INR/DS MOA of April
18, 2016, must:
(1) Protect SCI from unauthorized disclosure
consistent with DNI guidance;
(2) Implement uniform security policies and procedures
in accordance with DNI directives and related guidance to ensure the proper
protection, handling, storage, dissemination, and destruction of SCI;
(3) Ensure reciprocity with other U.S. Government
agencies of personnel security access determinations or system or facility
accreditations when there are no waivers, conditions, or deviations to DNI
standards. Ensure other U.S. Government agencies receiving access
determinations or accreditations from the Department are informed of all
waivers;
(4) Ensure risk management is employed in implementing
SCI protection measures to minimize the potential for compromise while
maximizing the sharing of information between U.S. Government agencies;
(5) Ensure access to SCI is predicated on:
(a) A favorable determination of eligibility for access
made by an IC element head or their designee;
(b) A signed DNI-approved non-disclosure agreement
(NDA); and
(c) The need for access to national intelligence to
perform or assist in a lawful and authorized governmental function.
(6) Ensure security and counterintelligence elements
work together collaboratively for the protection of SCI;
(7) Ensure all personnel are vetted, trained, and
advised of their legal obligations, the ramifications of their security
responsibilities, and provided a secure work environment;
(8) Implement aggressive security and
counterintelligence initiatives to support identification, apprehension, and as
appropriate, prosecution of insiders who endanger national security concerns;
and
(9) Establish formal continuing security awareness
training and education programs to ensure comprehension of and compliance with
DNI guidance. Individuals must be indoctrinated into their security
responsibilities, and upon debrief, their life-long legal responsibilities to
protect SCI.
c. The Office of Information Security (DS/SI/IS)
performs duties as the Department's CSA for the protection of Classified
National Intelligence, Including Sensitive Compartmented Information, in
accordance with ICD 703, and as directed by INR [1 FAM 262.7-1]
with the exception of the following authorities:
(1) INR retains determination approval authority for
access to SCI under ICD 704, Personnel Security Standards Governing Access to
SCI; and
(2) INR retains authority to waive uniform security requirements
under ICD 705, Sensitive Compartmented Information Facilities (SCIF).
12 FAM 712.2 Special Security
Operations (DS/IS/SSO)
(CT:DS-258; 06-13-2016)
a. DS/IS/SSO is responsible for carrying out the DS
responsibilities under the INR/DS MOA of April 18, 2016. This includes
developing directives for the implementation of all relevant ICDs, DCIDs, and
related or subsequent guidance, and overseeing Department compliance with those
directives for the protection of SCI.
b. DS/IS/SSO division chief is the SCIF accrediting
official (AO) who coordinates, implements, and oversees policies, plans, and
procedures for the certification and accreditation of Department SCIFs in
accordance with applicable IC policies.
c. DS/IS/SSO processes SCI nominations for all
Department employees, contractors, and detailees for access to SCI. DS/IS/SSO
coordinates all Department related requests for SCI access with the designated
Determination Authority and the Office of Personnel Security and Suitability
(DS/SI/PSS) [1
FAM 262.7-1(C)].
d. DS/IS/SSO personnel are trained in DNI security
policy and procedures to allow them to provide advice, guidance, and assistance
on SCI security matters under their purview. This includes:
(1) Managing SCI security processes and procedures;
(2) Ensuring that SCI is properly controlled,
transmitted, packaged, safeguarded, destroyed, and when appropriate, brought
under accountability;
(3) Collaborating with information management
officers, information systems security officers, communications security
(COMSEC) officers and others to ensure security of SCI, SCIFs, and the
information systems housed therein;
(4) Reporting security incidents to the Program
Applications Division (DS/IS/APD) for investigation; and
(5) Coordinating with IC elements on SCI related
issues.
12 FAM 712.3 Special Security
Representative (SSR)
(CT:DS-258; 06-13-2016)
a. Each bureau executive director or post must appoint,
in writing, an SCI-indoctrinated person to serve as a primary SSR and an
assistant special security representative (ASSR) for each accredited Department
SCIF under their purview. DS/IS/SSO strongly recommends the appointed SSR work
within the office where the SCIF is located to ensure operational requirements
are met.
b. Once appointed, each SSR must receive SSR training
from DS/IS/SSO. DS/IS/SSO provides annual SSR training and is available to
provide periodic refresher training upon request. If possible, an SSR will
receive training by DS/IS/SSO before reporting to overseas posts.
c. The bureau executive director or post must notify
DS/IS/SSO of a change of appointment of an SSR or ASSR for each Department
SCIF.
d. SSRs are responsible for all security procedures and
activities associated with their appointed SCIF. These duties include
verifying current SCI access approvals or requesting SCI access approvals for
new arrivals, conducting orientation training, conducting annual refresher
training, reporting security violations/infractions, reporting modifications to
a SCIF, and ensuring that SCIF opening, closing, and access control procedures
are followed.
e. SSRs should consult with their bureau executive
office (EX), bureau security officer (BSO), or regional security officer (RSO)
regarding non-compliance with SCIF security procedures and requirements. SSRs
must report incidents or activities that meet the parameters of the reporting
requirements, as stated in 12 FAM 713.5-2
to the RSO overseas or the Counterintelligence Division (DS/ICI/CI)
domestically, with a copy of the report to DS/IS/SSO.
12 FAM 712.4 Sensitive Compartmented
Information (SCI) Users
(CT:DS-258; 06-13-2016)
a. Individuals with access to SCI must ensure the
proper protection, marking, handling, storage, dissemination, and destruction
of SCI as directed by DNI and this FAM.
b. Additionally, recipients of SCI within the
Department including contractors, consultants, or detailees from other
Government departments, agencies or entities, must follow the procedures
established by INR for protection, handling, accountability, dissemination, and
destruction of SCI.
12 FAM 713 SECURITY POLICY FOR SCI
ACCESS
12 FAM 713.1 General
(CT:DS-258; 06-13-2016)
Eligibility for access to SCI is governed by ICD 704 and
related DNI guidance. Eligibility determinations are made in accordance with
uniform personnel security standards and procedures to facilitate initial
vetting, continuing personnel security evaluation, and reciprocity throughout
the IC.
12 FAM 713.2 Access Approvals
12 FAM 713.2-1 Approval Authority
(CT:DS-258; 06-13-2016)
a. INR, as the Department IC element head, approves
requests for access to SCI for Department personnel in accordance with ICD
704. Unless specifically delegated, approval authority for access to
information derived from certain SCI programs is retained by the cognizant
program manager, executive agent, or national authority. IC element heads are
responsible for issuing administrative procedures governing the granting of SCI
accesses in their organizations.
b. The Department will accept SCI access determinations
from other U.S. Government agencies without further adjudication unless an
exception to personnel security standards has been granted by the parent
agency.
12 FAM 713.2-2 Access Approvals
(CT:DS-258; 06-13-2016)
a. Department personnel requiring SCI access must have
a final Top Secret (TS) clearance.
b. Access is only granted when INR (see 12 FAM 713.2-1
paragraph a) determines an individual requires access to SCI to perform or
assist in a lawful and authorized governmental function, including repairs or
maintenance (see 12 FAM
715.4-1(D) paragraph d and 12 FAM 717.2-3
paragraph d).
c. The Department will not grant SCI access solely to
enable an individual to act as a custodian for SCI in non-SCIF areas or for the
purpose of gaining unescorted access to a SCIF.
d. SCI access is based on the needs of the individual's
current position and is not permanent. Each bureau and post must establish
check-in/check-out procedures to ensure that an individual's requirement for
continued access to SCI is revalidated before the individual departs the
assignment. Any changes in requirements for access due to position changes
during an assignment must be reported to DS/IS/SSO.
12 FAM 713.2-3 Nomination
(CT:DS-258; 06-13-2016)
a. Department employees (including but not limited to
Foreign Service, Civil Service, When-Actually-Employed, and Personal Services
Contract):
(1) An SCI access nomination letter, found at the DS/IS/SSO
Web site, must be submitted by the bureau EX or post deputy chief of mission
(DCM) directed to INR via DS/IS/SSO for newly assigned personnel who require
access to SCI, or when requested by DS/IS/SSO. Bureau EX or post DCM must
submit a nomination letter to DS/IS/SSO for all personnel regardless of their
previous SCI access status (except as stated in (3), below). The access
request must state the justification for the need for SCI access and be
approved by the bureau EX or post DCM;
(2) Bureau EX or post DCM may submit the nomination
letter no sooner than 30 days prior to the individual's arrival. Nomination
letters for Department employees are available on DS/IS/SSO Web site or from
DS/IS/SSO Access Control Team. Bureau EX or post DCM can reach the Access
Control Team via email at DS_SSO on either CLASSNET or OPENNET; and
(3) An SSR may contact a gaining bureau EX, post SSR
or RSO to determine if a person transferring to a new assignment will require
continued SCI access. The SSR must send this email request to DS/IS/SSO Access
Control Team (DS_SSO). If the need for continued access is confirmed by email
from the gaining bureau or post, DS/IS/SSO will allow the person to remain
indoctrinated, and a nomination letter will not be required. If the person
does not require continued SCI access, the person departing the bureau or post
must receive a debriefing (see 12 FAM 713.7
Removal of Access).
b. Contractors:
(1) The Government sponsor will advise the contracting
officer's representative (COR) or his/her designee of the need for access to
SCI by a contractor employee. Only nominate a contractor employee for access
to SCI to perform assigned duties under a specific contract where there is a
need to handle, process, or discuss SCI. Do not submit SCI nominations solely
for gaining unescorted facility access;
(2) Only when SCI access is required, the contract
under which the contractor employee is working must include the requirement for
TS/SCI access for designated personnel. If the contract is not at the TS level
and does not include the overall requirement for SCI access specifically
related to the requirements identified in item 12 FAM 713.2-3
paragraph b(1) above, the COR must contact the government contracting officer
(CO), in writing, to request a modification to the contract to include the need
for SCI access. Once the request and justification have been reviewed/approved
by the CO and coordinated with the Office of Industrial Security (DS/IS/IND),
the contract will be modified. A revised Form DD-254, Contract Security
Classification Specification, which includes the SCI requirements, will be
issued to the contracting company; and
(3) The COR will submit the Contractor SCI Access
Nomination Letter to DS/IS/IND. Nomination letters for contractors are
available on the DS/IS/SSO Web site or from DS/IS/SSO Access Control Team.
DS/IS/IND will work with the contracting company to obtain the required
paperwork and will coordinate verification of each contractor's suitability
with DS/SI/PSS. If the nominee meets suitability standards and is eligible
for access to SCI, DS/SI/PSS will complete the package and forward it to
DS/IS/SSO. DS/IS/SSO will coordinate final SCI access approval with INR, then
notify the COR and employee of the approval. At that time, the contractor
employee will be eligible for an SCI indoctrination briefing.
c. Other agency personnel (including detailees to
Department and tenant agency personnel):
(1) The parent agency, to include bureau executive
directors, must approve all SCI access requests for non-Department employees
and the parent agency must ensure that personnel clearances and access
approvals are passed to DS/IS/SSO;
(2) INR will review all requests for access to SCI
within the Department for employees of other agencies who were approved for
access by exception; and
(3) DS/IS/SSO will advise the requesting bureau or
post once the SCI access is granted.
12 FAM 713.2-4 Access
Determination
(CT:DS-258; 06-13-2016)
a. Access to SCI is contingent on meeting DNI personnel
eligibility requirements as measured by investigative standards prescribed in
ICPG 704.1 and the application of specific adjudicative guidelines contained in
ICPG 704.2.
b. Once approved for SCI access, DS/IS/SSO will notify
the individual, the requestor and the BSO, SSR and/or RSO, as appropriate, in
writing. Personnel assigned domestically will be directed to attend an
indoctrination briefing. The RSO will coordinate briefings for personnel at
posts abroad.
c. An individual that is denied access will also be
notified in writing in accordance with the provisions of ICPG 704.3 providing
the reasons for this decision along with instructions on recourse.
d. Continuous personnel security and
counterintelligence evaluation is required of all personnel granted SCI access.
12 FAM 713.2-5 Sensitive
Compartmented Information Nondisclosure Agreement (NDA)
(CT:DS-258; 06-13-2016)
a. As a condition of access to SCI, individuals must
sign a DNI-authorized form NDA-4414, Sensitive Compartmented Information
Nondisclosure Agreement (See 12 FAM Exhibit
713.2-5). The NDA establishes explicit obligations of the individual
signer for the protection of SCI. NDA 4414 was revised in 2013, but all
agreements signed before this date continue to be in effect as the provisions
are consistent with and do not supersede, conflict with, or otherwise alter the
employee obligations, rights, or liabilities created by existing statute or E.O.
b. Prior to signing an NDA or being afforded access to
SCI, personnel approved for SCI access will:
(1) Receive a non-SCI-revealing brief on the general
nature and procedures for protecting the SCI to which they will be exposed;
(2) Be advised of their obligations to protect
information and report matters of security concern; and
(3) Be advised of penalties, criminal and
administrative, for non-compliance with security directives.
c. Personnel will be allowed to express any
reservations concerning the NDA or access to SCI. Unwillingness to sign the
NDA or to accept SCI security obligations is cause for denial or revocation of
existing SCI access.
d. The briefer must scan and email or fax the completed
NDA to DS/IS/SSO at DS_SSO on either CLASSNET or OPENNET. The signed hard copy
NDA must be forwarded to DS/IS/SSO for filing and retention.
e. These provisions are consistent with and do not
supersede, conflict with, or otherwise alter the employee obligations, rights,
or liabilities created by existing statute or EO relating to:
(1) Classified information;
(2) Communications to Congress;
(3) The reporting to an Inspector General of a
violation of any law, rule, or regulation, or mismanagement, a gross waste of
funds, an abuse of authority, or a substantial and specific danger to public
health or safety; or
(4) Any other whistleblower protection. The
definitions, requirements, obligations, rights, sanctions, and liabilities
created by controlling EOs and statutory provisions are incorporated into this
agreement and are controlling.
12 FAM 713.3 Security
Indoctrination And Education
(CT:DS-258; 06-13-2016)
a. Department personnel approved for access to SCI will
be briefed in accordance with DNI requirements as directed by DS/IS/SSO.
b. Initial security indoctrinations will include:
(1) The need for and purpose of SCI, and the adverse
effect on national security that could result from unauthorized disclosure;
(2) The continuing obligation to protect SCI, even
after the individual no longer has access to SCI;
(3) The mission of the Department to include the use
of intelligence information in furtherance of that mission;
(4) The administrative, personnel, physical, and other
procedural security requirements of the Department and those requirements
peculiar to specific duty assignments, including information on who to consult
to determine if particular outside employment or activity might be of concern;
(5) The individual's classification management
responsibilities as described in appropriate directives and regulations to
include classification/declassification guidelines and marking requirements;
(6) The definitions and criminal penalties for
espionage, including harboring or concealing persons; gathering, transmitting,
or losing defense information; gathering or delivering defense information to
aid foreign governments; photographing and sketching defense installations;
unauthorized disclosure of classified information (18 U.S.C. 792 through 18
U.S.C. 795, 18 U.S.C. 797 and 18 U.S.C. 798), the Internal Security Act of 1950
(50 U.S.C. 783), the Intelligence Identities Protection Act of 1982 (50 U.S.C.
421 through 50 U.S.C. 426) and, when appropriate, the Atomic Energy Act
(Sections 224 through 227);
(7) These provisions are consistent with and do not
supersede, conflict with, or otherwise alter the employee obligations, rights,
or liabilities created by existing statute or EO relating to:
(a) Classified information;
(b) Communications to Congress;
(c) The reporting to an inspector general of a violation
of any law, rule, or regulation, or mismanagement, a gross waste of funds, an
abuse of authority, or a substantial and specific danger to public health or
safety; or
(d) Any other whistleblower protection. The
definitions, requirements, obligations, rights, sanctions, and liabilities
created by controlling EOs and statutory provisions are incorporated into this
agreement and are controlling.
(8) An overview of the Department Security Incident
Program (12 FAM
550);
(9) A review of the techniques employed by foreign
intelligence organizations in attempting to obtain national security
information; and
(10) Identification of the elements within the
Department to which matters of security interest are to be referred.
c. Individual security responsibilities include:
(1) Observing the prohibition against discussing SCI
in an unauthorized area, over an unauthorized telephone, or in any other manner
that permits access by unauthorized persons;
(2) The need to exercise caution to avoid unauthorized
disclosure of SCI when communicating with members of professional, commercial,
scholarly or advocacy organizations that publish or discuss information on
intelligence, defense, or foreign affairs; and
(3) The continuing obligation to submit for review any
planned articles, books, speeches or public statements that contain or purport
to contain SCI or information relating to or derived from SCI as outlined in
the NDA.
d. All persons granted SCI access by the Department
will receive periodic SCI security education and awareness refresher training
advising them of:
(1) Their continuing security responsibilities and of
security threats they may encounter;
(2) Foreign intelligence threats (including risks
associated with foreign travel and foreign associations);
(3) Technical threats;
(4) Terrorist threats;
(5) Personnel, physical, information systems, and
procedural security;
(6) Classification management;
(7) Individual security responsibilities; and
(8) Criminal penalties and administrative sanctions.
12 FAM 713.4 Access to Sensitive
Compartmented Information Systems
12 FAM 713.4-1 System Access
Request
(CT:DS-258; 06-13-2016)
INR is the sole approval authority for any access to
Department SCI systems. If an individual's position requires use of an SCI
system, the bureau EX/post DCM must submit, via DS/IS/SSO for verification of
access, an access request to INR for approval.
12 FAM 713.4-2 Training
Requirements
(CT:DS-258; 06-13-2016)
All personnel granted access to a Department SCI system
must complete initial SCI Cyber Security Awareness training. Failure to
complete the subsequent annual SCI Cyber Security Awareness training will
result in loss of access to the SCI system.
12 FAM 713.5 Individual
Responsibilities
12 FAM 713.5-1 Need-To-Know Policy
(CT:DS-258; 06-13-2016)
Holders of SCI must determine that a prospective recipient
of the information has appropriate access approvals and has a need for access
to specific SCI to perform or assist in a lawful and authorized governmental
function. Holders of SCI must ensure the recipient can properly protect the
information. Holders of SCI must challenge requests for information that do
not appear to be legitimate.
12 FAM 713.5-2 Reporting
Requirements
(CT:DS-258; 06-13-2016)
a. All personnel under Department authority with SCI
access are obligated to report to proper authorities all activities or conduct
concerning themselves or of another individual who has access to SCI as stated
below in 12
FAM 713.5-3 through 12 FAM 713.5-5.
b. Employees of other agencies must also comply with
their parent agency's reporting requirements.
12 FAM 713.5-3 Prepublication
Review
(CT:DS-258; 06-13-2016)
a. Department employees, contractors, and former
employees are obligated by their signed NDA to submit for security review any
writing or other preparation in any form (speeches, public statements, internet
postings, etc., including works of fiction) that contain or purport to contain
any SCI, description of activities that produce or relate to SCI, or that there is
reason to believe derive from SCI. This is a continuing obligation that
applies during the course of any access to SCI and after. Current employees,
including When Actually Employed (WAE) status, and contractors must submit
material via the Bureau of Public Affairs (PA) Reviews Web site. Former
employees and contractors must submit material for review to the Office of
Information Programs and Services (A/GIS/IPS) at classification@state.gov.
Personnel must obtain written authorization from the Department prior to
release to any unauthorized person or public disclosure.
b. Prepublication review is also necessary to avoid
potential damage that would result from confirmation of SCI information
previously published without authorization. Individuals with SCI access may
not publicly cite such information especially in conjunction with military
title, U.S. Government position, or contractual relationships with SCI
programs.
c. Department employees and contractors must submit
material for review in accordance with 3 FAM 4170,
Review of Public Speaking, Teaching, Writing and Media Engagement. The review
office will coordinate with DS/IS/SSO on the review of materials submitted by
personnel with SCI access.
12 FAM 713.5-4 Foreign National
Contacts
(CT:DS-258; 06-13-2016)
12 FAM 262
states the Department's policy on reporting of foreign contacts. 12 FAM 274 and 12 FAM 274.2
provide additional guidance. 12 FAM 275
provides guidance for reporting intent to marry or cohabit. All individuals
under Department authority with SCI access must report foreign contacts as
directed in the FAMs.
12 FAM 713.5-5 Sensitive
Compartmented Information Travel Security Policy
(CT:DS-258; 06-13-2016)
All individuals under Department authority with SCI access
granted by the Department must report personal foreign travel in accordance
with the reporting procedures contained in 12 FAM 276 and 12 FAM 264.2
paragraph (g).
12 FAM 713.6 Special Personnel
Security Investigations
(CT:DS-314; 12-17-2018)
The Office of Special Investigations (DS/ICI/OSI) may
conduct special personnel security investigations in accordance with and as
defined in 12 FAM
226. Results of investigations involving Department employees and
contractors with SCI access will be provided to DS/IS/SSO and INR for their
determination on suitability of employees and contractors to retain access to
SCI.
12 FAM 713.7 Removal of Access
(CT:DS-258; 06-13-2016)
a. All personnel who retire or resign from the
Department are required to notify DS/IS/SSO so that a debriefing by DS/IS/SSO
or by a designated security entity can take place prior to their departure.
Personnel who will remain at the Department, but no longer need SCI access for
the performance of their duties shall notify DS/IS/SSO and be promptly
debriefed. It is the responsibility of the supervisor to ensure that DS/IS/SSO
is informed. Debriefed personnel will sign the debrief block of a form NDA-4414
(see 12 FAM
Exhibit 713.2-5).
b. Debriefed personnel will be reminded of their
continuing obligation to protect national intelligence and comply with the
terms of the NDA, including the continuing obligation to submit for review any
planned articles, books, speeches, or public statements that contain or purport
to contain SCI or information relating to or derived from SCI.
c. Personnel who depart without signing the debriefing
acknowledgement or who refuse to sign a debriefing acknowledgment are still
obligated by the terms of the original signed NDA. Those personnel will be
administratively debriefed by DS/IS/SSO and the record of the debriefing will
be entered into all applicable databases and files.
d. The completed NDA must be scanned and emailed or
faxed to DS/IS/SSO at DS_SSO on either CLASSNET or OPENNET. The debriefer must
forward the signed hard copy NDA to DS/IS/SSO for filing and retention.
12 FAM 713.8 Recording
Indoctrinations And Debriefings
(CT:DS-258; 06-13-2016)
a. The names of all individuals with SCI access are
posted on an Intelligence Community (IC) database called Scattered Castles.
Access to Scattered Castles is restricted to security elements in each agency
that need to verify SCI access information. The IC Scattered Castles
repository, or successor database, must be the authoritative source for
personnel security access approval verifications regarding SCI and other
controlled access programs, visit certifications, and documented exceptions to
personnel security standards.
b. Department personnel that need to verify an
individual's SCI access should contact their BSO, RSO, or DS/IS/SSO at DS_SSO
on OPENNET or CLASSNET. DS/IS/SSO is responsible for passing all SCI accesses
to other Government agencies.
12 FAM 714 SECURITY VIOLATIONS,
COMPROMISES, AND UNAUTHORIZED DISCLOSURES
12 FAM 714.1 Responsibilities
(CT:DS-258; 06-13-2016)
a. Department personnel and contractors are required to
report to their respective SSR, BSO, or RSO:
(1) Any possible or actual security violation or
compromise involving SCI. Individuals who learn of violations or compromise
must report matters and take immediate action to protect SCI found in an
unsecure environment, until it can be restored to SCI control;
(2) Publication in the media of actual or apparent SCI
information. Respective SCI security/control officers must report incidents through
appropriate channels to DS/IS/SSO who will advise the Department IC element
head; and
(3) Any unauthorized revelation or exposure of SCI
that might reasonably be expected to result in publication of the SCI.
b. All such reports must be forwarded immediately to DS
in accordance with 12
FAM 550. As provided in 12 FAM 554, any
security incident involving the mishandling of SCI material will be deemed a
security violation rather than an infraction, even when occurring in a
controlled access area (CAA) abroad or within the equivalent of a CAA
domestically.
12 FAM 714.2 Investigations
(CT:DS-258; 06-13-2016)
a. In accordance with 12 FAM 550, DS
will conduct investigations of security incidents involving the mishandling of
SCI. The 1
FAM 262.7-1(A) authorizes the Program Applications Division (DS/IS/APD) to
conduct incident investigations involving SCI within the Department, and
coordinate investigations within DS and with other agency investigative
elements, as required.
b. An investigation will be conducted to identify full
details of the violation/compromise, and to determine specific information
involved, damage, and whether culpability was involved. Investigations must
determine if there is a reasonable likelihood that SCI material was
compromised, the identity of the person(s) responsible for the unauthorized
disclosure, and the need for remedial measures to prevent a recurrence. The
adjudication of security incidents will apply a risk-based analysis, which will
assess intent, location of incident, risk of compromise, sensitivity of
information, and mitigating factors.
c. If a compromise occurs, DS/IS/SSO will advise INR.
INR must immediately report the compromise to the appropriate IC SCI program
manager.
d. If an inadvertent disclosure occurs, DS/IS/SSO will
determine whether the interests of SCI security are served by seeking a written
inadvertent NDA from non-indoctrinated persons to whom SCI has been disclosed. If
DS/IS/SSO determines that an inadvertent NDA is necessary, the person(s)
involved will be requested to sign an inadvertent NDA. Copies of the NDA will
be maintained in the files of both DS/IS/SSO and the appropriate IC program
manager.
e. Security violations will be recorded in security
files in accordance with 12 FAM 557.
Disciplinary actions will be conducted in accordance with 12 FAM 557.
DS/IS/APD will provide reports of security violations to INR for review and
determination of an individual's continued eligibility for SCI access.
f. Investigating officers will advise DS/IS/SSO of
weaknesses in security programs and recommend corrective action(s). DS/IS/SSO
is responsible for ensuring corrective action is taken in all cases of actual
security violations and compromises related to the protection of SCI.
12 FAM 715 SENSITIVE COMPARTMENTED INFORMATION FACILITY (SCIF)
12 FAM 715.1 Sensitive
Compartmented Information Facility Policy
(CT:DS-258; 06-13-2016)
a. The processing, storage, use, and discussion of SCI
will only occur within accredited SCI facilities (SCIFs). The term SCIF
includes the types of facilities that are described in 12 FAM 715.2,
below. All SCIFs must be accredited by that agency's Accrediting Office (AO)
prior to use for SCI operations. Accreditation is the beginning of a
life-cycle process of continuous monitoring and evaluation, periodic
re-evaluations and documentation reviews to ensure the SCIF is maintained in
accordance with ICD 705 and all related standards.
b. All SCIFs must comply with uniform security
requirements as established by DNI directives and related issuances for
physical and technical security of SCIFs. Physical security standards for the
construction and protection of such facilities are prescribed in the current
ICD 705 and related guidance. ICD 705 allows the use of mitigation strategies
to meet the intent of the standards without requiring written waivers.
c. Department SCIFs are accredited up to the Special
Intelligence (or Signals Intelligence)/Talent Keyhole/Gamma/Human Intelligence
Control System (SI/TK/G/HCS) level. DS/IS/SSO must be notified in advance of
the requirement to use a Department SCIF for other SCI programs. DS/IS/SSO
will determine if a compartmented area (CA) needs to be created inside the SCIF
for the additional SCI programs.
d. An explanation of SCI compartmented programs is
contained in the separate unclassified SCI Indoctrination briefing package
located on the DS/IS/SSO website.
e. All existing SCIFs within Department bureaus, posts,
or other facilities as of the date of this subchapter will continue to operate
in accordance with security requirements applicable at the time of the most
recent accreditation. Upon reaccreditation an existing SCIF must be compliant
with current requirements unless a waiver is granted by the IC element head or
designee in accordance with ICD 705. The IC element head or designee may
accredit, re-accredit, and de-accredit SCIFs and may grant waivers to
standards.
f. A SCIF accreditation may be suspended or revoked if
there is a danger of SCI being compromised due to unsatisfactory security
conditions.
12 FAM 715.2 Sensitive
Compartmented Information Facility Types
(CT:DS-258; 06-13-2016)
a. SCIFs that are authorized by the AO to store SCI are
denoted as one of the following types of storage:
(1) Closed storage: All SCI
material is stored within General Services Administration (GSA) approved
security containers when the SCIF is unoccupied. This includes storage of hard
drives used to process SCI and any other SCI-related media;
(2) Continuous operations:
The SCIF is manned 24 hours a day, every day. The capability must exist for
storage of all SCI in GSA approved security containers; and
(3) Temporary SCIF (T-SCIF):
An area, room, group of rooms, building, or installation accredited for
SCI-level processing, storage and discussion, that is used for operational
exigencies (actual or simulated) for a specified period of time not exceeding
one year.
b. Two additional facilities authorized for SCI work
but not storage are the secure working area (SWA), and the temporary secure
working area (TSWA):
(1) A SWA is an area accredited for handling,
discussion, and/or processing of classified information to include SCI but not
for the storage of SCI; and
(2) A TSWA is a facility temporarily accredited to
handle, process, or discuss classified information to include SCI that may not
be used more than 40 hours per month and the accreditation may not exceed 12
months. SCI may not be stored in a TSWA.
(a) The SSR will maintain a record of the use of the
facility as a TSWA;
(b) When not in use at the SCI level, a TSWA must be
secured with an approved key or combination lock, and
(c) Access must be limited to U.S. personnel cleared at
a minimum to Secret.
c. Open storage, which allows SCI to be openly stored
and processed within the SCIF without storing material in GSA approved storage
containers when the SCIF is unoccupied, is not authorized at Department of
State facilities.
12 FAM 715.3 Security In Depth
(CT:DS-258; 06-13-2016)
a. In addition to existing construction security
standards, security in depth (SID) describes the factors that enhance the
probability of detection before actual penetration of the SCIF occurs. The
existence of a layer or layers of security that offer mitigations for risks may
be accepted by the AO. The AO may develop additional strategies to mitigate
risk and increase probability of detection of unauthorized entry.
b. SID requires that at least one of the following
mitigations is applied:
(1) Military installations, embassy compounds, U.S.
Government compounds, or contractor compounds with a dedicated response force
of U.S. persons;
(2) Controlled buildings with separate building access
controls, alarms, elevator controls, stairway controls, etc., required to gain
access to the buildings or elevators. These controls must be fully coordinated
with a formal agreement or managed by the entity that owns the SCIF;
(3) Controlled office areas adjacent to or surrounding
SCIFs that are protected by alarm equipment installed in accordance with
manufacturer's instructions. These controls must be fully coordinated with a
formal agreement or managed by the entity that owns the SCIF; or
(4) Fenced compounds with access controlled vehicle
gate and/or pedestrian gate.
12 FAM 715.4 Requirements for
Department Sensitive Compartmented Information Facilities
(CT:DS-258; 06-13-2016)
INR will determine when there are clear operational
requirements for new Department SCIFs and when existing SCIFs are not adequate
to support the requirement. INR will also revalidate the requirements for an
existing Department SCIF when an office moves to a new location. DS/IS/SSO
must document the requirements justifying a new SCIF or revalidating a
relocated SCIF and maintain them with its accreditation records.
12 FAM 715.4-1 Domestic Sensitive
Compartmented Information Facilities
12 FAM 715.4-1(A) Concept
Approval
(CT:DS-258; 06-13-2016)
a. Bureaus requesting establishment of a new SCIF or to
relocate a SCIF within their office must submit a request in writing to
DS/IS/SSO stating the purpose and requirements for the SCIF. This request will
be reviewed by DS/IS/SSO and coordinated with other offices falling under the
Office of the Under Secretary of Management (M). DS/IS/SSO will submit a
request to INR to approve the SCIF concept.
b. All costs associated with the establishment of a
SCIF, including construction and travel for surveys and inspections, will be
borne by the requesting bureau.
12 FAM 715.4-1(B) Survey
(CT:DS-258; 06-13-2016)
Once the SCIF concept has been approved by the IC element
head, DS/IS/SSO will conduct a physical survey of the space to determine
requirements for meeting SCIF physical security standards. DS/IS/SSO must
approve all designs for new SCIF construction.
12 FAM 715.4-1(C) Waivers
(CT:DS-258; 06-13-2016)
The requesting bureau is responsible for submitting a
written waiver request to DS/IS/SSO if any requirement of ICD 705 cannot be met
or mitigated. DS/IS/SSO will submit the requested waiver to INR for approval.
12 FAM 715.4-1(D) Changes To
Existing Sensitive Compartmented Information Facilities
(CT:DS-258; 06-13-2016)
a. The SSR must contact DS/IS/SSO prior to initiating
any construction or modification to a Department SCI facility that requires
physical alteration. DS/IS/SSO must approve the plans for all renovations and
physical modifications of existing SCIFs.
b. The requesting bureau SSR must notify DS/IS/SSO
before the introduction of equipment (fire equipment, alarm equipment, fax
machines, telecommunications equipment, etc.) into a Department SCIF.
Equipment must be authorized by DS prior to introduction and use.
c. The requesting bureau SSR must also notify
DS/IS/SSO before automated information systems or other forms of electronic
processing systems within the SCIF are added or changed. The equipment must be
authorized by DS and the system must be accredited as required by ICD 503 and
related guidance before it is used for SCI.
d. Routine maintenance (such as changing light bulbs,
copier repairs, and computer maintenance) is the responsibility of each bureau
and does not require prior coordination with DS/IS/SSO; however, proper security
procedures for uncleared personnel must be followed. Department personnel must
notify the requesting bureau BSO or the facility SSR prior to any routine
maintenance work.
12 FAM 715.4-1(E) Site Security
Manager (SSM)
(CT:DS-258; 06-13-2016)
A site security manager (SSM) is the single point of
contact regarding SCIF security and is the individual responsible for all
security aspects of the SCIF construction. Within the Department, the duties
of the SSM may be carried out by a Facilities Security Division (DS/PSP/FSD)
project manager. The SSM is responsible for the following:
(1) Ensure SCIF security requirements are implemented
and advise DS/IS/SSO of compliance or variances;
(2) In consultation with DS/IS/SSO, develop a
construction security plan (CSP) regarding implementation of SCIF security
standards. (This document will include actions required to document the
project from start to finish);
(3) Conduct periodic security inspections for the
duration of the project to ensure compliance with the CSP;
(4) Document security violations or deviations from
the CSP and notify DS/IS/SSO within three business days; and
(5) Ensure that procedures to control site access are
implemented.
12 FAM 715.4-1(F) Risk
Assessment
(CT:DS-258; 06-13-2016)
DS/IS/SSO and the SSM must evaluate each proposed SCIF for
threats, vulnerabilities, and assets to determine the most efficient
countermeasures required for physical and technical security. Based on a risk
assessment, mitigation of a standard may be more practical or efficient.
Mitigations are verifiable, non-standard methods that are approved by DS/IS/SSO
to effectively meet the physical/technical security protection level(s) of the
standard. DS/IS/SSO will document its approval to confirm that the mitigation
is at least equal to the physical/technical security level of the standard.
12 FAM 715.4-1(G) Accreditation
(CT:DS-258; 06-13-2016)
DS/IS/SSO will accredit the space as a SCIF upon
completion of construction. DS/IS/SSO will notify the requestor of the
accreditation, allowing operations to begin. SCIF operations may not commence
until DS/IS/SSO grants the final accreditation. DS/IS/SSO retains copies of
all documentation for Department SCIFs.
12 FAM 715.4-1(H) Construction
Security Plan (CSP)
(CT:DS-258; 06-13-2016)
a. The project manager will develop a CSP for each
project that will be approved by DS/IS/SSO (see 12 FAM Exhibit
715.4-1(H)) prior to any modification of space for a new SCIF, renovations
of an existing SCIF, or awarding a construction contract to build a SCIF.
b. A CSP outlines security protective measures that
will be applied to each phase of the construction project. The requirements
described in this plan provide the baseline for construction security
activities and may be supplemented as required but may not be reduced without
coordination and approval from DS/IS/SSO.
c. Construction security plans and all related
documents will be handled and protected in accordance with the security
classification guidance stated in the CSP.
d. For SCIF renovation projects within an existing
SCIF, barriers must be installed to segregate construction workers from
operational activities and provide protection against unauthorized access and
visual observation. Specific guidance must be contained in the CSP.
e. The SSM or designee will conduct periodic security
inspections for the duration of the project to ensure compliance with
construction design and security standards.
f. Construction and design of SCIFs should be
performed by U.S. companies using U.S. citizens to reduce risk, but may be
performed by U.S. companies using a non-U.S. citizen who has been lawfully
admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20), or who is
a protected individual as defined by 8 U.S.C. 1324b(a)(3). DS/IS/SSO will
ensure mitigations are implemented when using non-U.S. citizens. These
mitigations must be documented in the CSP.
g. When SCIF renovations require that construction
personnel enter an operational SCIF, they must be cleared or be escorted by
personnel cleared to the accreditation level of the SCIF. SCI indoctrinated
escorts may not be required when a barrier has been constructed to separate the
SCIF from the areas identified for construction.
h. The CSP must document all site control measures.
Among the control measures that may be considered are:
(1) Identity verification;
(2) Random searches at site entry and exit points;
(3) Signs at all entry points listing prohibited and
restricted items (e.g., cell phones, cameras, explosives, drugs, etc.).
Firearms are also prohibited except for law enforcement, military and other
civilian personnel authorized to carry official firearms; and
(4) Physical security barriers to deny unauthorized
access.
12 FAM 715.4-2 Sensitive
Compartmented Information Facilities Abroad
(CT:DS-258; 06-13-2016)
The process for establishing or modifying a SCIF overseas
is similar to the process for domestic SCIFs. Posts must keep in mind,
however, that in addition to ICD 705, all OSPB requirements must be met.
Additionally, all requests must be coordinated with the Bureau of Overseas
Building Operations (OBO).
12 FAM 715.4-2(A) Concept
Approval
(CT:DS-258; 06-13-2016)
a. Posts requesting establishment of a new SCIF or to
relocate a SCIF within their space must submit a request in writing to
DS/IS/SSO stating the purpose and requirements for the SCIF. DS/IS/SSO will
review the request and coordinate with any other stakeholders, and submit it to
INR to approve the SCIF concept.
b. All costs associated with the establishment of a
SCIF, including construction and travel for surveys and inspections, will be
borne by the requesting post.
12 FAM 715.4-2(B) Survey
(CT:DS-258; 06-13-2016)
Once the SCIF concept has been approved by the IC element
head, DS/IS/SSO will conduct a physical survey of the space to determine
requirements for meeting SCIF physical security standards. DS/IS/SSO must
approve all designs for new SCIF construction.
12 FAM 715.4-2(C) Waivers
(CT:DS-258; 06-13-2016)
The requesting post is responsible for submitting a
written waiver request to DS/IS/SSO if any requirement of ICD 705 cannot be met
or mitigated. DS/IS/SSO will submit the requested waiver to INR for approval.
All SCIFs abroad that fall under COM authority must also comply with 12 FAH-6 H-626
and other OSPB standards. When conflict between requirements occurs, the
stricter requirement applies. OSPB exception requests must be submitted to the
Physical Security Division (DS/PSP/PSD) in accordance with 12 FAH-5 H-210.
12 FAM 715.4-2(D) Changes To
Existing Sensitive Compartmented Information Facilities
(CT:DS-258; 06-13-2016)
a. The SSR must contact DS/IS/SSO prior to initiating
any construction or modification to a Department SCI facility that requires
physical alteration. DS/IS/SSO must approve the plans for all renovations and
physical modifications of existing SCIFs. Post will coordinate construction
with OBO and DS in accordance with 12 FAM 360 and
DS/IS/SSO.
b. The requesting bureau SSR must notify DS/IS/SSO
before the introduction of equipment (fire equipment, alarm equipment, fax
machines, telecommunications equipment, etc.) into a Department SCIF.
Equipment must be authorized by DS prior to introduction and use.
c. The requesting post SSR must also notify DS/IS/SSO
before automated information systems or other forms of electronic processing
systems within the SCIF are added or changed. The equipment must be authorized
by DS and the system must be accredited as required by ICD 503 and related
guidance before it is used for SCI.
d. Routine maintenance (e.g., changing light bulbs,
copier repairs, and computer maintenance) is the responsibility of each post
and does not require prior coordination with DS/IS/SSO; however, proper security
procedures for uncleared personnel must be followed. Department personnel must
notify the RSO or the facility SSR prior to any routine maintenance work.
12 FAM 715.4-2(E) Site Security
Manager (SSM)
(CT:DS-258; 06-13-2016)
OBO will appoint an SSM for construction of Department
SCIFs at post. The SSM is the single point of contact regarding SCIF security
and is the individual responsible for all security aspects of the SCIF
construction. The SSM is responsible for the following:
(1) Ensure SCIF security requirements are implemented
and advise DS/IS/SSO of compliance or variances;
(2) In consultation with DS/IS/SSO, develop a
construction security plan (CSP) regarding implementation of SCIF security
standards. This document will include actions required to document the project
from start to finish;
(3) Conduct periodic security inspections for the
duration of the project to ensure compliance with the CSP;
(4) Document security violations or deviations from
the CSP and notify DS/IS/SSO within three business days; and
(5) Ensure that procedures to control site access are
implemented.
12 FAM 715.4-2(F) Risk
Assessment
(CT:DS-258; 06-13-2016)
DS/IS/SSO and the SSM should evaluate each proposed SCIF
for threats, vulnerabilities, and assets to determine the most efficient
countermeasures required for physical and technical security. Based on a risk
assessment, mitigation of a standard may be more practical or efficient.
Mitigations are verifiable, non-standard methods that are approved by DS/IS/SSO
to effectively meet the physical/technical security protection level(s) of the
standard. DS/IS/SSO will document its approval to confirm that the mitigation is
at least equal to the physical/technical security level of the standard.
12 FAM 715.4-2(G) Accreditation
(CT:DS-258; 06-13-2016)
DS/IS/SSO will accredit the space as a SCIF upon
completion of construction. DS/IS/SSO will notify the requestor of the accreditation,
allowing operations to begin. SCIF operations may not commence until DS/IS/SSO
grants the final accreditation. DS/IS/SSO retains copies of all documentation
for Department SCIFs.
12 FAM 715.4-2(H) Construction
Security Plan (CSP)
(CT:DS-258; 06-13-2016)
a. The project manager will develop a CSP for each
project that will be approved by DS/IS/SSO (see 12 FAM Exhibit
715.4-1(H)) prior to any modification of space for a new SCIF, renovations
of an existing SCIF, or awarding a construction contract to build a SCIF.
b. A CSP outlines security protective measures that
will be applied to each phase of the construction project. The requirements
described in this plan provide the baseline for construction security
activities and may be supplemented as required but may not be reduced without
coordination and approval from DS/IS/SSO.
c. Construction security plans and all related
documents will be handled and protected in accordance with the security
classification guidance stated in the CSP.
d. For SCIF renovation projects within an existing
SCIF, barriers must be installed to segregate construction workers from
operational activities and provide protection against unauthorized access and
visual observation. Specific guidance must be contained in the CSP.
e. The SSM or designee will conduct periodic security
inspections for the duration of the project to ensure compliance with
construction design and security standards.
f. Construction and design of SCIFs should be
performed by U.S. companies using U.S. citizens to reduce risk, but may be
performed by U.S. companies using non-U.S. citizens (an individual who has been
lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or
who is a protected individual as defined by Title 8 U.S.C. 1324b(a)(3)).
DS/IS/SSO will ensure mitigations are implemented when using non-U.S.
citizens. These mitigations must be documented in the CSP.
g. When SCIF renovations require that construction
personnel enter an operational SCIF, they must be cleared or be escorted by
personnel cleared to the accreditation level of the SCIF. SCI indoctrinated
escorts may not be required when a barrier has been constructed to separate the
SCIF from the areas identified for construction.
h. The CSP must document all site control measures.
Among the control measures that may be considered are:
(1) Identity verification;
(2) Random searches at site entry and exit points;
(3) Signs at all entry points listing prohibited and
restricted items (e.g., cell phones, cameras, explosives, drugs, etc.).
Firearms are also prohibited except for law enforcement, military, and other
civilian personnel authorized to carry official firearms; and
(4) Physical security barriers to deny unauthorized
access.
12 FAM 715.5 Tenant Agency SCIFs
(CT:DS-258; 06-13-2016)
a. Other U.S. Government agencies have SCIFs located in
Department facilities. These tenant SCIFs are accredited by the tenant AO.
AOs are responsible for complying with ICD 705. AOs are allowed to use
mitigation strategies to meet the requirements of ICD 705. A tenant IC element
head may also grant waivers to ICD 705.
b. Tenant agencies will coordinate with DS/IS/SSO to
establish SCIFs in domestic Department facilities.
c. All SCIFs abroad that fall under COM authority must
comply with 12 FAH-6 H-626, other OSPB standards, and ICD 705. When conflict
between requirements occurs, the stricter requirement applies. Exception
requests must be submitted to DS/PSP/PSD in accordance with 12 FAH-5 H-210
if SCIFs do not meet OSPB standards. Use of mitigation strategies or waivers
of ICD 705 standards does not require exception requests so long as the facility
meets 12 FAH-6 H-500 OSPB standards.
d. The requesting tenant agency will bear all costs
associated with the establishment of a tenant SCIF.
12 FAM 715.6 Emergency Response to SCIFs
(CT:DS-258; 06-13-2016)
a. The bureau or post must develop, have approved, and
maintain an emergency response plan for each accredited SCIF to satisfactorily
address entrance of emergency personnel (e.g., police and firefighters) into a
SCIF, the physical protection of those working in such SCIFs including
evacuation plans for personnel, and secure removal or emergency destruction of
SCI.
b. Emergency personnel and equipment will be allowed
access to SCIFs and be escorted to the degree practical consistent with safety
considerations as determined by the senior emergency responder on site. If
exposed to classified information, they will be asked to sign an inadvertent
disclosure statement when feasible.
12 FAM 715.7 Technical Surveillance
Countermeasures
(CT:DS-258; 06-13-2016)
DS/IS/SSO will ensure technical surveillance
countermeasures surveys of Department SCIFs are conducted in accordance with
ICD 702, Technical Surveillance Countermeasures (TSCM), and related standards.
DS/IS/SSO will coordinate with the Technical Surveillance Countermeasures
Branch (DS/CMP/TSC) on the requirements for and the conduct of all TSCM surveys
of SCIFs. Government-owned equipment needed to conduct SCIF inspections will
be admitted into the SCIF without delay.
12 FAM 715.8 TEMPEST
(CT:DS-258; 06-13-2016)
Certified TEMPEST technical authorities (CTTAs) will:
(1) Review Department SCIF construction or renovation
plans to determine if TEMPEST countermeasures are required and recommend
solutions. To the maximum extent practicable, TEMPEST mitigation requirements
will be incorporated into the SCIF design; and
(2) Provide DS/IS/SSO with documented results of the
review with recommendations.
12 FAM 715.9 Reciprocity And
Co-Utilization
(CT:DS-258; 06-13-2016)
a. Department SCIFs accredited without a waiver of DNI
security requirements are available for reciprocal use unless exempted based on
conditions or deviations from DNI standards or mission need.
b. Department SCIFs may be co-utilized by other
agencies provided they have a co-utilization agreement approved by the AO or
designee. Co-utilization is the mutual agreement among two or more Government
organizations to share the same SCIF. Organizations desiring to co-utilize a
SCIF must accept current accreditations unless there is a waiver of DNI
standards. Visitors from other agencies may provide briefings in a SCIF
without a co-utilization agreement.
12 FAM 715.10 Termination And
De-Accreditation
(CT:DS-258; 06-13-2016)
When a bureau or post determines that a Department SCIF is
no longer required, they must contact DS/IS/SSO to initiate action to terminate
the accreditation of the facility. The bureau must send a request memo to
DS/IS/SSO requesting termination of the accreditation of the facility.
DS/IS/SSO will provide guidance on procedures regarding termination.
12 FAM 715.11 General Physical
Security
(CT:DS-258; 06-13-2016)
a. SCIF entrance doors must have an access control
device (either an electronic card reader or a DS-approved day-time access
lock), an alarm sensor, and a DS-approved three-position dial-type combination
lock with deadbolt that meets Federal Specifications FF-L 2740A (combination
lock) and FF-L 2890 (deadbolt). SCIFs may also have emergency exits equipped
with deadbolt locking panic hardware, and a local annunciator. At no time may a
door be propped open or left ajar.
b. Combinations to locks and access control devices
should be changed when first installed or used, when a person has been
debriefed and no longer requires access, or whenever there is a possibility
that the combination is compromised. Combinations to three-position dial-type
combination locks installed on SCIF doors, access control devices (e.g.,
Unicam), and SCIF security containers containing SCI must be recorded on a
Standard Form (form SF-700, Security Container Information). Form SF-700 will
be filled in/prepared in a SCIF, marked TS/SCI, and transported in accordance
with SCI control procedures and stored in another SCIF. DS/IS/SSO will provide
assistance if a second SCIF is not available to store the form SF-700.
c. Only authorized personnel with SCI access and
appropriate lock training may change lock combinations.
d. The form SF-700 on file will be updated periodically
to reflect changes in personnel and their contact information.
e. SCIFs located domestically must have an alarm system
monitored by the Security Support Division (DS/DFP/SSD). SCIFs located abroad
must have an alarm system monitored by Marine security guards (MSGs). SCIFs in
COM facilities abroad without a 24/7 MSG may have additional separate remote
monitoring capabilities, as approved by DS.
f. Department SCIFs:
(1) DS/IS/SSO must be advised of any serious problems
with Department SCIFs (such as repeated lock failures or alarm activations),
lengthy delays when locks and/or alarms cannot be activated, and when the
problem has been solved; and
(2) The SSR must report alarm/IDS equipment, door,
lock, or other malfunctions of Department SCIFs to the facility SSR or bureau
BSO domestically or to the RSO or security engineering officer (SEO) when
located overseas.
g. SCIFs that cannot be properly secured by combination
locks after hours must be monitored by a SCI-authorized individual physically
present either inside the SCIF or outside the closed door until the lock is
fixed. SCIFs with nonfunctioning alarms must be locked after hours and
inspected a minimum of hourly to ensure the door is secured.
h. Only SCI-indoctrinated personnel may have access to
SCIF alarms for opening and closing the SCIF. Once SCI access has been
confirmed, the SSR will request that badges be programmed for card reader
access (if applicable) and/or operation of the SCIF alarm system.
12 FAM 716 AUTOMATED INFORMATION
SYSTEMS (AIS) SECURITY
(CT:DS-258; 06-13-2016)
a. An authorizing official (AO) must accredit all AIS
used for processing SCI information in accordance with ICD 503. In accordance
with INR/DS MOA dated 18 April 2016, the chief of IT for INR is the AO for
Department SCI systems that fall under the requirements of ICD 503.
b. The AO must approve all Department AIS operational
capabilities (e.g., print, scan, USB and/or other types of data ports, CD
and/or DVD drives, etc.) for State SCI systems.
c. Other Government agencies with SCI level AIS in
Department SCIFs will accredit their own systems and provide documentation of
system certification to DS/SI/IS. Tenant agencies that accredit their space as
SCIFs and operate independent AIS do not need to provide system accreditations
to DS/SI/IS.
12 FAM 717 SENSITIVE COMPARTMENTED INFORMATION FACILITY OPERATIONS
12 FAM 717.1 Sensitive
Compartmented Information Facility Use
12 FAM 717.1-1 Opening a
Sensitive Compartmented Information Facility
(CT:DS-258; 06-13-2016)
Record initials and dates of all openings and closings of
a Department SCIF on form SF-702, Security Container Check Sheet. Retain form SF-702
for 90 days from the date of last entry and then destroy unless an incident has
occurred that would warrant longer retention. Forms involved in investigations
will be retained until completion of the investigation.
12 FAM 717.1-2 Facilities In-Use
Condition
(CT:DS-258; 06-13-2016)
a. To preclude entry by unauthorized personnel, access
to an accredited SCIF must be controlled. When the SCIF is in-use, an
SCI-indoctrinated person must be present in the SCIF at all times when the SCIF
is open or the SCIF must be under visual control (line of sight) of an
SCI-indoctrinated person at all times to prevent unauthorized entry.
b. Use of automated access control systems to control
access to in-use SCIFs may be permitted where continuous visual observation is
not possible. DS/IS/SSO must specifically authorize all such procedures in
writing.
c. The door(s) to the SCIF must be closed and all
windows covered during operations to prevent visual observation of classified
material (SCI or collateral).
12 FAM 717.1-3 Facilities Not
In-Use Condition
(CT:DS-258; 06-13-2016)
When not in-use, the SCIF entrance must be closed and
secured (alarmed and locked with the combination lock). The access control
device by itself is not adequate to secure a SCIF when it is unattended (i.e.,
when the SCIF is unoccupied and the SCIF entrance is not under the visual
control of an SCI-indoctrinated individual). Leaving a SCIF unsecured is a
security violation.
12 FAM 717.2 Sensitive
Compartmented Information Facility Access
12 FAM 717.2-1 New Staff, New
Arrivals
(CT:DS-258; 06-13-2016)
Bureau or post SSRs must provide an orientation brief
discussing procedures and guidelines for using the Department SCIF to all
newly-arrived personnel after DS/IS/SSO grants or confirms their access to SCI.
12 FAM 717.2-2 Access Rosters
(CT:DS-258; 06-13-2016)
The SSR will maintain current access rosters located
inside the door at the SCIF point of entry. The access rosters will list all
persons who are authorized access to the SCIF.
12 FAM 717.2-3 Visitors
(CT:DS-258; 06-13-2016)
a. A visitor is any individual, indoctrinated into SCI
or not, who is not employed by or detailed to the bureau or post and/or who is
not listed on the SCIF access roster. Conduct access by foreign national
employees to post SCIFs in compliance with 12 FAH-6 H-500 OSPB
standards. Enter all visitors into the visitor log (see 12 FAM 717.2-4,
below).
b. Department employees, contractors, and other
authorized personnel with a five on their domestically issued Department
badge have SCI (SI/TK/G/HCS) access. The five is preceded by an S (for
Department employee), N (for contractor), and O (for other Government
organizations). Do not assume a visitor has SCI access. Verify SCI access
using the RSO Security Management Console, or through the DS/IS/SSO Access
Control Team. The Access Control Team can also be reached via email at
DS_SSO on either CLASSNET or OPENNET.
c. In some cases, Five Eyes (FVEY) visitors may have
reciprocal SCI access; however, these visitors will not be approved for access
to all compartments. The office sponsoring the visitor should contact
DS/IS/SSO as soon as it is made aware of the visitor's access requirements,
as guidance will be provided on a case-by-case basis.
d. Non-SCI indoctrinated personnel (including all
maintenance and cleaning crews) may enter the SCIF only when SCI material is
not present, or the SCIF is sanitized (i.e., SCI discussions, handling, and
electronic processing cease, and all SCI documents are covered or stored).
e. Prior to granting access to non-SCI indoctrinated
personnel, there should be an announcement or notification to all SCIF
occupants that there will be non-SCI indoctrinated personnel entering the
facility. All TS/SCI material, operations and discussions must cease until the
uncleared personnel have departed. This includes covering or securing all
TS/SCI material, turning off all TS/SCI systems, and ceasing all SCI
conversations. Non-SCI indoctrinated personnel entering the SCIF must be
continuously escorted (close proximity, never left unattended in the
facility). An SCI indoctrinated person from the bureau or post familiar with
the security procedures of that SCIF must escort the non-SCI indoctrinated
person at all times to prevent a compromise. All visitors must be under the
continuous escort ratio of one appropriately TS/SCI personnel to two escorted
persons.
f. Before entering the SCIF, visitors must be asked by
the person granting access if they have Portable Electronic Devices (PEDs) (see
12 FAM 718) in their possession. If so, they cannot enter until the device has
been secured outside/away from the facility and preferably turned off. Many
facilities provide boxes for this purpose.
g. Emergency personnel and equipment will be allowed
access to SCIFs escorted to the degree practical consistent with safety
considerations as determined by the senior emergency responder on site.
Emergency personnel will be asked to sign an inadvertent nondisclosure
agreement when feasible (see 12 FAM 715.6 paragraph b) if exposed to classified
information.
12 FAM 717.2-4 Visitor Logs
(CT:DS-258; 06-13-2016)
All visitors, regardless of clearance/access level, must
be recorded in the SCIF visitors log when entering the SCIF. The visitor log
must list the visitor's full printed name, organization, citizenship, badge
number (if applicable), point of contact, date and time of visit, and the
reason for the visit. The visitor log must be retained for two years after the
date of last entry and then destroyed. Where applicable, Government-issued
identification will be required as positive identification.
12 FAM 718 PORTABLE ELECTRONIC DEVICES (PEDS)
12 FAM 718.1 Personally Owned Portable Electronic Devices
12 FAM 718.1-1 Personally Owned Portable Electronic Devices Policy
(CT:DS-258; 06-13-2016)
a. Personally owned PEDs with recording (photographic,
video or audio) or transmission (radio frequency, wireless, wi-fi, etc.)
capabilities are prohibited in Department SCIFs, including but not limited to
cell phones, PDAs, tablets, personal computers, MP3 players, iPods, e-readers,
mobile hotspots, wireless fitness devices, personal GPS, Bluetooth devices,
smartwatches, Fitbits, and devices such as Google Glasses.
b. The prohibition against PEDs in Department SCIFs
does not apply to equipment needed for medical or health reasons. The SSR must
document these items with DS/IS/SSO via a signed memo.
c. In an emergency situation, admit equipment used by
emergency responders (e.g., fire, police, medical personnel, etc.) into a SCIF
without restriction or inspection.
d. This guidance is in addition to the requirements
stated in 12 FAH-6 H-652 for posts.
12 FAM 718.1-2 Other Personally Owned Electronic Devices Permitted in SCIFs
(CT:DS-258; 06-13-2016)
Other electronic devices without recording or transmission
capabilities such as calculators, electronic spell-checkers, wristwatches, data
diaries not equipped with data-ports, receive-only pagers, receive-only radios,
and audio and video equipment with no record features, etc., are permitted in
a Department SCIF. Introduction of such electronic devices must be coordinated
with the BSO, facility SSR, or RSO:
(1) Due to the possibility of technical compromise,
electronic equipment approved for introduction into a SCIF should not be
routinely removed from and re-introduced into the SCIF; and
(2) Such items are subject to technical and/or
physical inspection at any time.
12 FAM 718.2 GOVERNMENT-OWNED PORTABLE ELECTRONIC DEVICES (PED)
12 FAM 718.2-1 Domestic Facilities
(CT:DS-258; 06-13-2016)
Government-owned PEDs are not permitted in any Department
SCIFs without the express written approval of DS/IS/SSO. When possible, use
existing approved PEDs and make all efforts to transmit briefing material by
secure means (electronic, CD, etc.) instead of introducing outside equipment
into a SCIF. When it is necessary to use an outside PED for the presentation
of briefings, DS/IS/SSO must be contacted at least three days in advance by the
bureau SSR. This allows time for DS/IS/SSO to coordinate security requirements
with the SSR.
12 FAM 718.2-2 Posts Abroad
(CT:DS-258; 06-13-2016)
Government PEDs are not permitted in any Department SCIFs
without the express written approval of the RSO in accordance with 12 FAH-6 H-540.
Existing approved PEDs should be used when possible. Make all efforts to
transmit briefing material by secure means (e.g., electronic, CD, etc.) instead
of introducing outside equipment into a SCIF. When it is necessary to use a
PED for briefings, the post RSO must be contacted at least three days in
advance by the SSR. This allows time for the RSO to coordinate security
requirements with the SSR.
12 FAM 718.2-3 General
(CT:DS-258; 06-13-2016)
a. Once approval is granted to bring a Government PED
into a Department SCIF, an SCI-indoctrinated person must maintain control over
the PED during the entire time it is in the SCIF and ensure it is removed at
the conclusion of the briefing.
b. PEDs are not allowed to be connected to any
information system within the SCIF.
12 FAM 719 Information Security
12 FAM 719.1 Standard Classification Marking Requirements For Sensitive Compartmented Information
(CT:DS-258; 06-13-2016)
a. SCI documents are classified as Confidential,
Secret, or Top Secret. Classification guides issued by SCI compartment program
managers are used to classify SCI information. SCI control system(s) markings
(below) will always follow the classification and be spelled out or abbreviated
as indicated.
b. Apply standard security classification markings
(i.e., classification authority and declassification markings) to SCI according
to ICD 710 and supporting guidance. The classification and control markings
system established by ICD 710 is implemented through the Controlled Access
Program Coordination Office's (CAPCO) Authorized Classification and Control
Markings Register and the Intelligence Community Classification and Control
Markings Implementation Manual.
12 FAM 719.2 Control Markings For Sensitive Compartmented Information Documents
(CT:DS-258; 06-13-2016)
a. The following are proper SCI control system markings
including sample header/footer markings and portion (paragraph) markings. (See
12 FAM Exhibit 719.2 for proper placement of SCI headers, footers, and portion
markings.) Dissemination controls, such as NOFORN (NF) and ORCON (OC), may be
required in the headers, footers, and portion markings of SCI documents but are
not unique to SCI. The classification, control system markings, and
dissemination controls will be separated by double forward slashes. Multiple
control system markings or dissemination controls will be divided by single
forward slashes (see Combined Control Markings, below).
HCS-P (HUMINT Control System)
Always NOFORN
Header/Footer: SECRET//HCS-P//NOFORN
Portion Marking: S//HCS-P//NF

SI (Special Intelligence/Signals Intelligence)
Header/Footer: SECRET//SI
Portion Marking: S//SI

-GAMMA (Sub-compartment of SI)
Always Top Secret, always hyphenated with SI, always ORCON
Header/Footer: TOP SECRET//SI-G//ORCON
Portion Marking: TS//SI-G//OC

TK (Talent Keyhole)
Always Secret or Top Secret
Header/Footer: TOP SECRET//TK
Portion Marking: TS//TK

Combined Control Markings
Header/Footer: TOP SECRET//HCS-P/SI-G/TK//NOFORN/ORCON
Portion Marking: TS//HCS-P/SI-G/TK//NF/OC
b. Other SCI compartments or caveats no longer in use
may appear in historical documents, e.g., COMINT, BYE, UMBRA, SPOKE, ZARF,
RUFF, or Handle Via [SCI compartment] Channels Only (e.g., HVCCO meaning Handle
Via COMINT Channel Only) or Handle Via [two or more SCI compartments] Channels
Jointly (HVCTKCJ meaning COMINT and TK channel). These documents must be
treated as SCI unless clearly marked as unclassified or no longer controlled by
an SCI control system. Contact the Document Control Branch (DS/SSO/DCB) for
guidance on any unfamiliar caveats.
c. Classification and control requirements apply to
information regardless of the medium (e.g., text, image, graphics, and
electronic documents, including web pages, wikis, and blogs).
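The separator and per-compartment rules in paragraph a. can be checked mechanically. The following Python is an added example, not part of the FAM or of any Department tool; the function name check_marking, the abbreviation C for Confidential, and the restriction to the control systems and dissemination controls named in paragraph a. are assumptions of the example.

```python
# Added example (not from the FAM): validate SCI markings against 12 FAM 719.2.
# "C" for Confidential is an assumption; the page's samples only show S and TS.
CLASSIFICATION = {"CONFIDENTIAL": "C", "SECRET": "S", "TOP SECRET": "TS"}
DISSEM = {"NOFORN": "NF", "ORCON": "OC"}
# Only the control systems listed in 12 FAM 719.2 are recognized.
CONTROL_SYSTEMS = ("HCS-P", "SI", "SI-G", "TK")


def check_marking(marking, portion=False):
    """Return a list of problems in a header/footer (or portion) marking."""
    # Map the accepted spelling for this marking type to the long form.
    if portion:
        levels = {abbr: name for name, abbr in CLASSIFICATION.items()}
        dissem_names = {abbr: name for name, abbr in DISSEM.items()}
    else:
        levels = {name: name for name in CLASSIFICATION}
        dissem_names = {name: name for name in DISSEM}

    # Classification, control systems and dissemination controls are
    # separated by "//"; multiple entries within a field by "/".
    fields = marking.strip().split("//")
    if not 2 <= len(fields) <= 3:
        return [f"expected 2 or 3 '//'-separated fields, got {len(fields)}"]

    problems = []
    level = levels.get(fields[0])
    if level is None:
        problems.append(f"unknown classification {fields[0]!r}")
    controls = fields[1].split("/")
    for control in controls:
        if control not in CONTROL_SYSTEMS:
            problems.append(f"unknown control system {control!r}")
    dissem = set()
    for item in (fields[2].split("/") if len(fields) == 3 else []):
        if item in dissem_names:
            dissem.add(dissem_names[item])
        else:
            problems.append(f"unknown dissemination control {item!r}")

    # Per-compartment rules stated in the 12 FAM 719.2 table.
    if "HCS-P" in controls and "NOFORN" not in dissem:
        problems.append("HCS-P is always NOFORN")
    if "SI-G" in controls and level not in (None, "TOP SECRET"):
        problems.append("SI-G is always Top Secret")
    if "SI-G" in controls and "ORCON" not in dissem:
        problems.append("SI-G is always ORCON")
    if "TK" in controls and level == "CONFIDENTIAL":
        problems.append("TK is always Secret or Top Secret")
    return problems


if __name__ == "__main__":
    # Constructed samples: one from the page's table, one deliberately wrong.
    for text, portion in [("TS//SI-G//OC", True), ("SECRET//SI-G//ORCON", False)]:
        print(text, "->", check_marking(text, portion) or "ok")
```

A marking with no control system field is reported as a problem because the check covers SCI markings only, not collateral ones.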
12 FAM 719.3 Sensitive Compartmented Information Letters, Memoranda And Facsimile Transmissions
(CT:DS-258; 06-13-2016)
a. Transmittal cover letters or memoranda that are
unclassified or of a lower classification must include a banner line with the
highest classification level and most restrictive controls of any classified
information attached or enclosed, portion marks, and a classification authority
block for the aggregate of all information transmitted. The transmittal
document shall also include conspicuously on its face the following
instruction: "Upon removal of Attachments, this document is
[Classification level]."
b. Conspicuously mark the top and bottom of individual
header sheets used to precede the transmission of SCI material by secure
facsimile with the highest security classification of the transmitted
material. Mark appropriate classification and control markings prominently on
header sheets.
12 FAM 719.4 Specialized Media Labeling Requirements For Sensitive Compartmented Information
(CT:DS-258; 06-13-2016)
Graphic arts material (e.g., visual aids, maps, art work,
blueprints, videos, etc.) must be marked with the assigned classification and
applicable SCI control system under the legend, title block, or scale, and at
the top and bottom in such a manner as to be reproduced on all copies.
12 FAM 719.5 Cover Sheets
(CT:DS-258; 06-13-2016)
a. In order to be readily identifiable, SCI documents
should have either a colored-broken border coversheet or color-coded bars in
the upper right-hand corner on the cover page. The color coding indicates the
different SCI compartments. The broken borders are red for COMINT or SI, black
for TK, and blue for HCS.
b. When SCI coversheets are not present, look for the
control system marking after the classification as described above. SCI
coversheets can be obtained from unit security officers, SSR, or DS/SSO/DCB.
NOTE: Collateral (non-SCI
classified) coversheets (orange, red, or deep blue solid borders) used for Top
Secret, Secret, and Confidential documents are not authorized for use with SCI.
12 FAM 719.6 Sensitive Compartmented Information Handling Policies
(CT:DS-258; 06-13-2016)
a. Only SCI-indoctrinated individuals may handle SCI in
accredited SCIFs. Only SCI-indoctrinated individuals may transport SCI from
one SCIF to another. SCI must be transmitted from one SCIF to another in a
manner that ensures it is properly protected.
b. Domestic handling:
(1) Transport SCI between SCIFs or SWAs within a
Department building in a locked container (briefcase or pouch [key removed]) or
double wrapped. Double wrap SCI when transported outside a building; a locked
container may serve as the outer wrapper;
(2) The outer wrapper or locked container must be
marked with a notation such as "PROPERTY OF THE US GOVERNMENT TO BE
RETURNED UNOPENED TO [name of appropriate organization and a telephone number
that will be manned at all times]." Mark the inner wrapper with the
classification of the contents and the address of the recipient; and
(3) Coordinate with DS/SSO/DCB before transferring
hard copy SCI out of the Department. When transporting SCI outside of
Department buildings, a written record (form DS-112, Classified Material
Receipt, may be used) of the SCI transported from a building must be retained
in the sender's office.
c. Overseas handling:
(1) SCI is not authorized for transport overseas and
will be transmitted electronically on authorized systems; and
(2) SCI material may be hand carried between SCIFs
within overseas posts. Proper wrapping procedures must be followed when this
occurs. SCI material cannot be left unattended in non-SCIF mission offices or
in the custody of personnel not indoctrinated into SCI access. Mission
personnel will not be granted access to SCI solely for the purpose of acting as
custodians of SCI material. SCI cleared personnel are responsible for control
of SCI material and will be held accountable for any inappropriate handling of
SCI material.
12 FAM Exhibit 713.2-5
Form NDA 4414, Sensitive Compartmented Information NonDisclosure Agreement
(CT:DS-258; 06-13-2016)


12 FAM Exhibit 715.4-1(H)
Construction Security Plan
(CT:DS-258; 06-13-2016)
a. Site Security Manager: (identify the SSM and contact information)
b. Statement of Construction Project: (provide a description of the proposed
work)
c. Existing SCIF ID: (if project is associated with currently accredited SCIF)
d. Location of Work: (address/location)
e. Estimated Start Date: (estimated date construction will begin)
f. Estimated Completion Date: (estimated date construction will end)
g. Has a Risk Assessment Been Completed: (if yes, attach copy)
h. Security in Depth (SID) Documentation: (Document the layers of protection
offered at the site, such as security fencing or walls, roving guards, CCTV
coverage, and controlled and/or limited access buffers to facility)
i. Adjacencies to Consider: (include a description of adjacent facilities to
include other classified agencies, activities, and presence of foreign
nationals operating in adjacent spaces on all six sides of the proposed SCIF)
j. Control of Construction Plans and Documents: (Describe how construction
plans and all related documents will be handled and protected)
k. Control of Operations if a Renovation Project: (describe barriers that will
be installed to segregate construction workers from operational activities)
l. Procurement, Shipping and Storage of Building/Finishing Material: (If
required by the SSO, describe security measures to ensure integrity of building
materials and/or finishing materials.)
m. Construction Workers: (for construction workers, provide information to
verify U.S. citizen/person status, clearances if required, and/or mitigations
employed.)
n. Site Security: (Identify plans to secure construction site, to include any
proposed fences, guards, CSTs, escorts, etc.)
o. Security Administration: (list security documentation and retention
requirements that will be maintained by the SSM (i.e., visitor logs, names of
construction workers, security incidents, etc.))
12 FAM Exhibit 719.2
Control Markings for SCI Documents
(CT:DS-258; 06-13-2016)