12 FAM 550
SECURITY INCIDENT PROGRAM
(CT:DS-312; 12-17-2018)
(Office of Origin: DS/SI/IS)
12 FAM 551 PURPOSE
(CT:DS-186; 02-08-2013)
The purpose of the Security Incident Program is to enhance
the protection of classified information by identifying, evaluating, and
assigning responsibility for breaches of security. The program implements
Executive Order 13526, Classified National Security Information, December 29,
2009.
12 FAM 552 SECURITY INSPECTIONS
(CT:DS-186; 02-08-2013)
a. Cleared U.S. citizen security personnel designated
by the Office of Information Security, Program Applications Division
(DS/IS/APD), regional security officers (RSOs), Marine security guards (MSGs),
and/or U.S. citizen contract guards are responsible for conducting security
inspections to ensure that classified information is properly protected.
b. Cleared security personnel must conduct such
security inspections routinely for all offices, buildings, or other facilities
that come under the jurisdiction of the Department worldwide, except those
exempted under interagency agreements.
c. During regular business hours, employees have
authority to lock desks and credenzas to secure personal items. After regular
business hours, employees must not lock desks, bookcases, and credenzas unless
the inspecting security office has a master key that affords access to perform
security inspections.
12 FAM 553 REPORTING OF SECURITY
INCIDENTS
12 FAM 553.1 Reporting Improperly
Secured Classified Information
(CT:DS-312; 12-17-2018)
a. Report all security incidents (see 12 FAM 090 definition) to DS/IS/APD. Employees must
inform the security officer, who is responsible for oversight of that office,
orally or in writing of any improper security practice that comes to the
employee's attention, and the security officer must take remedial action.
b. Upon discovery of improperly secured classified
information or other security incidents, the responsible security officer must
ensure comprehensive and accurate completion of unclassified Form OF-117,
Notice of Security Incidents.
c. Abroad, the RSO or Post Security Officer at
constituent posts, must investigate the incident and complete Form OF-118, item
1, and forward it to the person(s) allegedly responsible for the incident. The
person(s) allegedly responsible for the incident must complete and sign Form OF-118,
item 2, within three workdays. Item 2 of Form OF-118 allows the employee to
provide any mitigating factors, such as lack of culpability, which he or she
believes are pertinent to the adjudication process. If the person(s) allegedly
responsible for the incident fail(s) or refuse(s) to sign the form within three
workdays, the RSO must document this fact in the security officer comments on
Form OF-118, item 3, and forward the form to DS/IS/APD. When the person(s)
allegedly responsible for the incident sign(s) item 2 of the form, the RSO must
give the form to the employee's immediate supervisor for signature, complete
item 3, and send the form to DS/IS/APD. In item 3, the RSO reports the results
of his or her investigation in a brief summary, indicating his or her view that
there was a valid security incident, and, if so, whether it was a security
infraction (see 12
FAM 090 definition) or violation (see 12 FAM 090 definition). Forms OF-117 and OF-118 are
available on myData.
d. Domestically, when issuing Form OF-117 to an offender, the uniformed protection
officer (UPO) watch commander must submit a copy to DS/IS/APD. When DS/IS/APD
receives the record copy of Form OF-117, DS/IS/APD must complete item 1 of Form
OF-118, and forward it to the principal unit security officer (PUSO) or bureau
security officer (BSO) who has oversight for the person(s) allegedly
responsible for the incident. Only authorized investigative personnel assigned
to DS/IS/APD have the authority to investigate a potential security violation.
Unit security officers only have authority to process cases involving potential
security infractions. The PUSO or BSO must provide the Form OF-118 to the person(s) allegedly responsible for the
incident to complete and sign item 2 within three workdays. If the person(s)
allegedly responsible for the incident fail(s) or refuse(s) to sign Form OF-118,
the PUSO or BSO must indicate this omission in the security officer's comments
section in item 3, and return the form to DS/IS/APD. When the person(s)
allegedly responsible for the incident sign(s) item 2, the PUSO or BSO must
give the form to the employee's immediate supervisor for signature. The PUSO
or BSO must then complete item 3 and submit the form to DS/IS/APD.
e. The RSO, PUSO, or BSO must give a copy of the
completed Form OF-118 to the person(s) allegedly responsible for the incident.
f. Form OF-118 is unclassified and must include the
information that the form's instructions, printed on the reverse side,
require. Any classified supplemental information must be submitted under a
separate classified memorandum sent to DS/IS/APD via email to DS_APD_SP on
ClassNet with the Form OF-118.
g. If a security incident investigation includes the
personal interview of an employee who is covered by a collective bargaining
unit for which a union has exclusive representation rights, and the employee
reasonably believes that the interview may result in disciplinary action, the
investigating official must give the employee the opportunity to be represented
by the exclusive representative, if the employee so requests. This right
is extended irrespective of the employee's union membership and is known as the
Weingarten Right. When the employee invokes the Weingarten Right, the
investigating official must allow a reasonable time period for a union
representative to attend the interview. At any time during the investigation,
an employee may choose to invoke his or her Weingarten Right (see 12 FAM 091 for definition). The Department advises such
employees of their Weingarten Right on an annual basis.
12 FAM 553.2 Examples of Security
Incidents
(CT:DS-312; 12-17-2018)
a. This section contains examples of security
incidents, in accordance with 12 FAM 500, that affect the protection of
classified information. The examples are illustrative and indicate the wide
range of possible security incidents in this area. (See 12 FAM 553.3 for information systems security incidents.)
b. Examples of security incidents include, but are not
limited to:
(1) Failing to properly escort, i.e., maintaining
continuous visual and/or physical control over uncleared personnel (e.g.,
uncleared visitors or janitorial/maintenance personnel) in an area where
classified information is processed, discussed, viewed, or stored, or allowing
improper access to Department controlled facilities (see 12 FAM 534.1);
(2) Taking classified material out of the building
without proper double-wrap protection (see 14 FAM 733.3 and 14 FAH-4 H-320);
(3) Crossing international borders with classified
material without courier authorization (see 12 FAM 536.9-1);
(4) Failing to secure containers with classified
material (see 12
FAM 539.1 paragraph e);
(5) Storing classified materials in desk drawers or
other improper containers (e.g., a non-barlock file cabinet) (see 12 FAM 539.1 paragraph h);
(6) Reading classified material in any public area
(see 12 FAM
536.9-4 paragraph e);
(7) Transmitting classified material on unclassified
facsimile machines (see 12 FAM 536.9-2 and 536.9-3);
(8) Losing control of classified material by leaving
it in non-secure areas (e.g., hotel rooms, taxis, or restaurants) (see 12 FAM 533.1 and 534.1);
(9) Discussing classified information on unsecure
telephones (see 12
FAM 536.8 paragraph c); and
(10) Failing to perform daily checks on supplemental
entry verification systems (SEVs) (see 12 FAH-6
H-311.11 paragraph d, H-312.11 paragraph
d, H-313.11 paragraph d, and H-314.11 paragraph d).
12 FAM 553.3 Information System
Security Incidents
(CT:DS-253; 02-19-2016)
This subsection contains examples of security incidents,
in accordance with 12 FAM 600, that affect the protection of classified
information with respect to information systems. The examples are illustrative
and indicate the wide range of possible security incidents in this area:
(1) Failure to remove and properly secure media, which
users normally control, such as classified data storage media (e.g., flash
drive, USB storage drive, hard drives, CD ROM, etc.; see 12 FAM 632.1-6
paragraph a);
(2) Failure to prevent uncleared persons from viewing
a classified screen and/or printer output (see 12 FAM 633.2-2);
(3) Improper storage of passwords to classified
automated information systems (see 12 FAM 632.1-4 paragraph k.);
(4) Unauthorized connectivity between classified and
unclassified hardware (e.g., modems, central processing units, printers, and
switch boxes) (see 12 FAH-10
H-272.16); and
(5) Introducing classified information or media into
an unclassified system (see 12 FAM 635, for
authorized exception).
12 FAM 553.4 Incidents Involving
Administratively Controlled (Sensitive But Unclassified (SBU)) Material
(CT:DS-186; 02-08-2013)
The security procedures in this subchapter are for
incidents related to classified information, and not applicable to incidents
involving Sensitive But Unclassified (SBU) material. Do not issue Form OF-117
for incidents involving SBU materials.
12 FAM 554 SPECIAL CATEGORY SECURITY
VIOLATIONS
(CT:DS-186; 02-08-2013)
a. The Department's communications security (COMSEC)
incident program, including its reporting procedures, is in 5 FAH-6 H-530.
In 5 FAH-6
Exhibit H-533, there is a complete list of reportable incidents.
b. DS/IS/APD evaluates all COMSEC incident reports and
renders an adjudication based on evidence of the degree of national security
information compromised. DS/IS/APD provides a copy of the notification letter
to the Cryptographic Services Branch (ITI/SI/CSB).
c. Although the COMSEC program's administrative
aspects (e.g., timely accounting of inventories) are important, failure to
perform such aspects will not be investigated as a security violation or
infraction under the security incident program when there is no evidence of a
direct effect to the system's security.
12 FAM 555 SECURITY INCIDENTS INVOLVING
NONDEPARTMENT EMPLOYEES AND CONTRACTORS
(CT:DS-186; 02-08-2013)
a. Report security incidents involving employees of
other Federal agencies or organizations and/or their contractors in the same
manner as described in 12 FAM 553. The
RSOs abroad report such security incidents on Forms OF-117 and OF-118, and send
the forms to DS/IS/APD. DS/IS/APD coordinates any further investigation
necessary to complete the report of findings. DS/IS/APD must forward this
report to the parent agency of the employee allegedly responsible for the
incident, and the parent agency handles the adjudication and disposition.
b. Report security incidents involving Department
contractors in the same manner as described in 12 FAM 553,
except DS/IS/APD forwards Forms OF-117 and OF-118 to the employer and sends a
copy of each form to the DS Office of Information Security's Industrial Security
Division (DS/IS/IND).
12 FAM 556 EVALUATION OF SECURITY
INCIDENTS
(CT:DS-186; 02-08-2013)
a. Adjudication has three possible outcomes: valid,
unfounded, and valid but not culpable. DS/IS/APD performs the final
adjudication of all security incident investigations, including administrative
(i.e., non-criminal) investigations that the Office of Inspector General
conducts and investigations conducted by other DS investigative entities
involving the possible or actual failure to protect classified national
security information. This requirement is not meant to include cases presented
to the Department of Justice for criminal
prosecution. After DS/IS/APD's affirmative adjudication that an employee
committed a valid security violation, DS/IS/APD initiates any 12 FAM 557 administrative action required.
b. A basic premise for adjudication is to hold
individuals responsible for their actions. However, in certain incidents,
DS/IS/APD's adjudication may include having supervisors held responsible for
failing to provide effective organizational security procedures. This might
occur, for example, when abnormal conditions interrupt routine security
procedures and supervisors do not implement remedial controls, or when the
incident relates to controls that are not normally the sole responsibility of
an individual.
c. When the security incident investigation does not
warrant implicating a specific individual, DS/IS/APD may still adjudicate the
incident as valid without holding a specific individual accountable, provided
that:
(1) Mitigating circumstances generally prevent
narrowing responsibility to an individual; and
(2) The DS/IS/APD chief approves this type of
adjudication.
d. Upon completion of the adjudication, DS/IS/APD
notifies the individual(s) implicated in the incident, in writing, of the
adjudication results specific to them. DS/IS/APD also notifies the
appropriate RSO, BSO, or PUSO, who provides a copy to the individual's
supervisor.
12 FAM 557 ADMINISTRATIVE ACTIONS
12 FAM 557.1 Record Keeping and
Administrative Action Framework
(CT:DS-186; 02-08-2013)
a. DS/IS/APD permanently maintains files on all
personnel who have incurred security incidents. Upon an employee's
termination, DS/IS/APD will retire the records. Information from these files
is available to the Director General of the Foreign Service or the Bureau of
Human Resources (HR), as needed, for future nominations or other personnel
decisions, and included in full field investigation reports on candidates for
Presidential appointment.
b. Disciplinary and security clearance actions for
security incidents are made on a case-by-case basis. However, repeat offenses
affect these actions, becoming more serious following additional incidents.
c. An employee's adverse security incident history may
result in the curtailment of a current assignment or denial of a future
assignment.
d. Foreign Service Selection Boards receive a copy of
the current security incident history report for each employee competing for
promotion to grade FS-01 and above, senior performance pay, and/or Presidential
awards. The report is limited to incidents adjudicated as valid that
occurred within the previous 5-year period. DS/SI provides the entire history
to the Office of the Director General for Presidential nominations. Data provided
for each incident is limited to:
(1) A tracking number;
(2) Office or post where the incident took place;
(3) Name of the employee involved in the incident;
(4) Whether the incident was an infraction or a
violation;
(5) Date and time of the incident;
(6) Date Diplomatic Security (DS) completed the Form OF-118,
Report of Incident;
(7) Status of the incident;
(8) Level of classified material involved; and
(9) A short description of the incident, e.g.,
unsecured documents or unsecured hard drive.
e. Department and tenant agency employees and
contractors may request a copy of their entire security incident history, at
any time, via the DS Security History email box at (DSH@state.gov).
12 FAM 557.2 Disciplinary Actions
and Security Clearance Review Referral for Security Infractions
(CT:DS-186; 02-08-2013)
After DS/IS/APD affirms adjudication of security
infractions within a moving 3-year (36-month) window (see 12 FAM 090 definitions), DS takes the following actions,
at a minimum:
(1) First infraction: The
DS/IS/APD chief sends a letter of notification to the employee, requiring a
signed reply acknowledging that the employee understands the policies and
consequences of future security incidents. The RSO or PSO abroad, or BSO or
USO domestically, must provide the employee with a security briefing;
(2) Second infraction: The
Office of Information Security (DS/SI/IS) director sends a letter to the
employee that describes the actions DS and HR take in the event of future
security incidents. This requires a signed reply from the employee, indicating
that he or she understands the policies and consequences of future security
incidents. The RSO or PSO abroad, or BSO or USO domestically, must provide the
employee with an additional security briefing;
(3) Third infraction within the 36-month window: DS/IS/APD refers the matter to the
Office of Employee Relations (HR/ER) for appropriate disciplinary action.
DS/IS/APD also refers the matter to the director of the DS Office of Personnel
Security and Suitability (DS/SI/PSS) for action relating to the employee's
security clearance; and
(4) Subsequent infractions within the
36-month window: DS/IS/APD refers the matter to HR/ER for disciplinary
action. DS/IS/APD also refers the matter to the DS/SI/PSS director for action
relating to the employee's security clearance.
12 FAM 557.3 Disciplinary Actions
and Security Clearance Review Referral for Security Violations
(CT:DS-186; 02-08-2013)
After DS/IS/APD affirms adjudication of an employee's
security violation, DS/IS/APD refers the incident, along with a summary of
mitigating or aggravating factors and other security incidents within the
moving 3-year window, to DS/SI/PSS and HR/ER. DS/SI/PSS and/or HR/ER takes or
initiates one or more of these actions against the violator:
(1) DS/SI/PSS issues a letter of notification, reviews
the security clearance of the violator, suspends or revokes the violator's
security clearance; and/or
(2) HR/ER issues a letter of admonishment or a letter
of reprimand, suspends the violator without pay, or terminates the violator's
employment.
12 FAM 557.4 Appeals
(CT:DS-186; 02-08-2013)
a. Without prejudice to any other procedures, an
employee who wants to appeal the validity or categorization of a security
incident must submit the appeal in writing to DS/IS/APD. This appeal request
may occur after receiving the written notice that DS/IS/APD has adjudicated the
incident.
NOTE: An employee
statement on Form OF-118 does not initiate an appeal procedure.
b. DS/IS/APD forwards the appeal request along with any
other pertinent data to DS/SI/IS, for a final appeal decision.
12 FAM 558 CRIMINAL LAWS
(CT:DS-312; 12-17-2018)
Incidents involving intentional or grossly negligent
release or mishandling of classified information may result in criminal
penalties. An illustrative list of criminal statutes establishing penalties of
fine and imprisonment for the release of classified information is in 12 FAM Exhibit 558.
12 FAM 559 UNASSIGNED
12 FAM EXHIBIT 558 CRIMINAL LAWS
(CT:DS-312; 12-17-2018)
Statutes establish penalties of fine and imprisonment for
the unauthorized disclosure, dissemination, communication, furnishing,
transmission, or other unlawful release of certain classified information, and
for making false or fraudulent statements to an agency of the government. The
Department recommends that employees read the following provisions of such
laws:
(1) 18 U.S.C. 641. Public money, property or records
(2) 18 U.S.C. 793. Gathering, transmitting or losing
defense information
(3) 18 U.S.C. 794. Gathering or delivering defense
information to aid foreign government
(4) 18 U.S.C. 798. Disclosure of Classified
Information
(5) 18 U.S.C. 952. Diplomatic codes and correspondence
(6) 50 U.S.C. Chapter 15
Subchapter IV-Protection of Certain National Security Information
(7) 50 U.S.C. 783. Offenses