12 FAM 500
INFORMATION SECURITY
12 FAM 510
Safeguarding National Security and Other Sensitive Information
(CT:DS-320; 05-17-2019)
(Office of Origin: DS/SI)
12 FAM 511 POLICY AND PURPOSE
12 FAM 511.1 Applicability
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
a. Unless otherwise noted, 12 FAM 500 applies to all
national security and sensitive information that is owned by, originated by,
produced by or for, or under the control of Foreign Affairs Agencies, at any
and all Department-controlled locations regardless of physical form. For
purposes of this FAM chapter, Foreign Affairs Agencies include:
(1) The Department of State;
(2) The United States Agency for International
Development (USAID);
(3) The Overseas Private Investment Corporation
(OPIC);
(4) The Trade and Development Program (USTDA); and
(5) All other executive branch agency personnel
located under the jurisdiction of a chief of mission.
b. Nothing in these regulations supersedes any
requirement related to Restricted Data in the Atomic Energy Act of August 30,
1954, as amended, or Department of Energy regulations.
c. Sensitive compartmented information (SCI), special
access programs (SAPs), and communications security (COMSEC) information must
be processed and controlled in accordance with applicable national authorities,
directives, and policies. (See 12 FAM 530.)
12 FAM 511.2 Authorities
(CT:DS-163; 06-16-2011)
(Uniform State, AID, OPIC, USTDA)
a. Atomic Energy Act of 1954, as amended.
b. Executive Order 13526, Classified National Security
Information.
c. Information Security Oversight Office (ISOO) 32 CFR
Parts 2001 and 2003, Directive No. 1.
d. The Omnibus Diplomatic Security and Antiterrorism
Act of 1986, Public Law No. 99-399, codified at (22 U.S.C. 4802 et seq.).
12 FAM 512 IMPLEMENTATION AND OVERSIGHT RESPONSIBILITIES
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
a. E.O. 13526 provides that the Director of the
Information Security Oversight Office (ISOO) must issue directives necessary to
implement the Order, under the direction of the Archivist of the United States
and in consultation with the Assistant to the President for National Security
Affairs.
b. The ISOO Director has issued a directive (32 CFR
Part 2001) that sets forth, in detail, procedures for implementing various
provisions of the Order. This subchapter reflects many of the requirements of
the ISOO directive.
c. The Code of Federal Regulations may be found at the
National Archives Web site.
12 FAM 512.1 Responsibilities
12 FAM 512.1-1 Senior Agency Officials
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
a. Individuals occupying the following positions are
designated as senior agency officials for purposes of this chapter:
(1) Department of State:
(a) The Secretary has designated the Under Secretary for
Management to be the Senior Agency Official. The Under Secretary for Management
further designated that the Bureau of Administration and the Bureau of Diplomatic
Security (DS) share the responsibility for implementation of E.O. 13526.
(b) DS is responsible for all aspects of protecting and
safeguarding classified information and special access programs, to include
SCI.
(c) The Bureau of Administration is responsible for
other aspects of implementing E.O. 13526, including the classification,
declassification, and marking of information classified under the Order as well
as training and guidance in classification and declassification. (See 5 FAM 480.)
(2) USAID: USAID Office of Security;
(3) OPIC: Vice President, Office of Administrative
Services; and
(4) USTDA: Assistant Director for Management.
b. Senior agency officials have the primary
responsibility of overseeing their respective agency's information security
program. This includes the requirement to:
(1) Ensure the protection from unauthorized disclosure
of classified information, including intelligence information;
(2) Review proposed classified disclosures of an
exceptional nature bearing upon issues of concern to the Congress and the
public;
(3) Establish a security awareness program to educate
employees concerning their duties and responsibilities with regard to the
requirements of E.O. 13526;
(4) Receive and take appropriate action on suggestions
and complaints with respect to the agency's administration of the Program;
(5) Provide guidance concerning corrective or
disciplinary action in unusually important cases involving unauthorized
disclosure; and
(6) Maintain liaison with the Director, ISOO, and
report as required by E.O. 13526.
12 FAM 512.1-2 Supervisors
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
The responsibility for safeguarding classified information
rests with each supervisor to the same degree that the supervisor is charged
with functional responsibility for the organizational unit. While certain
employees may be assigned specific security responsibilities, such as Top
Secret control officer or unit security officer, it is nevertheless the basic
responsibility of supervisors to ensure that classified material entrusted to
their organizational unit is handled in accordance with the procedures required
by these regulations. Each supervisor should ensure that no single employee is
assigned an unreasonable amount of security responsibilities in addition to his
or her usual administrative or functional duties.
12 FAM 512.1-3 Employees
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
Each employee having access to and/or possession of
classified material is responsible for maintaining the security of such
material. For the purposes of these regulations, the term "employee" includes
anyone who is certified and/or authorized access to classified information by
virtue of a contract, consulting agreement, detail, grant, appointment to an
advisory panel, or otherwise. Each employee must meet the requirements of a
cleared U.S. citizen (see 12 FAM 091) for
access to classified information.
12 FAM 512.1-4 Top Secret Control Officers
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
Employees appointed as Top Secret control officers (TSCOs)
have the responsibility to ensure that Top Secret material is properly
safeguarded, to include origination, marking, accountability, storage,
duplication, transmission, and destruction. (See 12 FAM 535.)
12 FAM 512.1-5 Regional, Post, Bureau, or Unit Security Officers
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
Employees assigned as regional, post, bureau or unit
security officers have the supervisory and/or the oversight responsibility to
ensure that classified material entrusted to their organizational unit is
handled in accordance with the procedures prescribed in this volume. (See 12 FAM 423.)
12 FAM 512.2 Evaluations, Surveys, and Inspections
(CT:DS-163; 06-16-2011)
(Uniform State, USAID, OPIC, USTDA)
The executive director of each bureau, and each regional
security officer (RSO), must maintain the program designed to ensure compliance
with the provisions of these regulations. The executive director is responsible
for ensuring that the bureau has a designated security officer and must work
with that officer to ensure all employees are aware of the security
requirements. Within USAID, the Office of Security is responsible for
evaluating the effectiveness of the USAID Information Security Program and
ensuring that all regulatory requirements are met.
12 FAM 513 INSIDER THREAT PROGRAM
12 FAM 513.1 Policy and Purpose
(CT:DS-245; 12-21-2015)
a. Executive Order 13587, Structural Reforms to Improve
the Security of Classified Networks and the Responsible Sharing and
Safeguarding of Classified Information, dated October 7, 2011, directs U.S.
government executive branch departments and agencies to establish an Insider
Threat Program for deterring, detecting, and mitigating insider threats,
including the safeguarding of classified information from exploitation,
compromise, or other unauthorized disclosure. The program is to include
policies, objectives, and priorities for establishing and integrating security,
counterintelligence, user audits and monitoring, and other safeguarding
capabilities and practices within agencies.
b. An insider is defined by the National Policy on insider
threat as, "Any person with authorized access to any United States government
resource to include personnel, information, networks, facilities, equipment or
systems." This includes employees, defined as, "a person, other than the president
and vice president, employed by, detailed or assigned to, a department or
agency, including members of the Armed Forces; an expert or consultant to a
department or agency; an industrial or commercial contractor, licensee,
certificate holder, or grantee of a department or agency, including all
subcontractors; a personal services contractor; or any other category of person
who acts for or on behalf of a department or agency as determined by the
appropriate department or agency head." The terms "insider" and "employee" are
interchangeable in the context of the Department Insider Threat Program (ITP).
c. Insider threat is the threat that an insider will
use his/her authorized access, wittingly or unwittingly, to do harm to the
security of the United States. This threat can include damage through
espionage, terrorism, sabotage, violence, unauthorized disclosure of national
security information, or through the loss or degradation of departmental
resources or capabilities. Insider threat prevention and detection therefore
focuses on the trusted insider who misuses his or her access to do damage to
the Department.
d. The ITP is applicable to all Department insiders. The
goal of the ITP is to manage the risk associated with insider threat behavior
and/or activity in a holistic fashion.
e. The purpose of the ITP is to effectively and
efficiently:
(1) Increase the awareness of employees to the
vulnerabilities associated with the insider threat;
(2) Deter employees from becoming insider threats;
(3) Detect employees who pose an insider threat risk;
(4) Prevent unauthorized disclosure of classified and
sensitive but unclassified information; and
(5) Mitigate the risks to the Department and its
personnel using training; administrative and investigative measures; or other
responses.
f. The ITP is based on the key pillars of: user activity
monitoring (UAM), personnel security, foreign travel and contact reporting and analysis,
reporting and response.
g. To ensure that ITP activities are conducted in
accordance with legal authorities, there is close collaboration with Department
legal counsel and privacy and civil liberties officials. The acquisition and
use of personal information to detect and prevent insider threats is authorized
under E.O. 13587 and other national policies. Collected information is
subject to oversight by civil liberties and privacy authorities to ensure that
personally identifiable information is only gathered and used for legitimate
and authorized purposes; such information must be strictly controlled within
the ITP.
12 FAM 513.2 Authorities
(CT:DS-245; 12-21-2015)
a. The ITP implements the following national policies,
orders, directives and memoranda:
(1) Section 811 of the Intelligence Authorization Act
for FY 1995, Public Law Number 103-359, 50 U.S.C. 402a;
(2) Executive Order 13587, Structural Reforms to
Improve the Security of Classified Networks and the Responsible Sharing and
Safeguarding of Classified Information, dated October 7, 2011;
(3) Executive Order 13526, Classified National
Security Information, dated December 29, 2009;
(4) Executive Order 13467, Reforming Processes Related
to Suitability for Government Employment, Fitness for Contract Employees, and
Eligibility for Access to Classified National Security Information, dated June
30, 2008;
(5) Executive Order 12333, United States Intelligence
Activities as amended by Executive Orders 13284 (2003), 13355 (2004), and 13470
(2008);
(6) Executive Order 12968, Access to Classified
Information, dated August 2, 1995;
(7) Executive Order 12829, National Industrial
Security Program, dated January 6, 1993;
(8) Executive Order 10450, Security Requirements for
Government Employment, dated April 27, 1953;
(9) Presidential Decision Directive/NSC-12 Security
Awareness and Reporting Foreign Contacts, August 5, 1993;
(10) White House Memorandum, Compliance with
President's Insider Threat Policy, July 19, 2013;
(11) White House Memorandum, National Insider Threat
Policy and Minimum Standards for Executive Branch Insider Threat Programs,
dated November 21, 2012;
(12) White House Memorandum, Early Detection of
Espionage and Other Intelligence Activities Through Identification and Referral
of Anomalies, August 23, 1996;
(13) Committee on National Security Systems Directive
(CNSSD) No. 504, Directive on Protecting National Security Systems from Insider
Threat, dated February 4, 2014; and
(14) National Insider Threat Task Force (NITTF), 2014
Guide to Accompany the National Insider Threat Policy and Minimum Standards,
dated September 2014.
12 FAM 513.3 Program Management
(CT:DS-245; 12-21-2015)
The Office of the Under Secretary for Management (M) has designated
the Bureau of Diplomatic Security (DS) as the primary Department entity for
preventing, detecting, and deterring insider threats. The Assistant Secretary
for Diplomatic Security has designated the Deputy Assistant Director for
Domestic Operations (DS/DO) and the Senior Coordinator for Security
Infrastructure (DS/SI) as the Senior Officials with the principal
responsibility for establishing an ITP to address Prevention, Detection,
Analysis and Mitigation. The designated Senior Officials will be granted the
authority to provide management, accountability, resources, and oversight of
the Insider Threat Detection and Prevention Program in accordance with E.O.
13587.
12 FAM 513.3-1 Senior Officials' Responsibilities
(CT:DS-320; 05-17-2019)
The Senior Officials will:
(1) Establish a comprehensive ITP and implementation
plan for the Department, and ensure that such policies and procedures are in
accordance with national policy and interagency guidance;
(2) Annually report to M on the progress and status of
the ITP. The reports will document annual accomplishments, resources
allocated, insider threats identified, program goals, impediments, and/or
challenges;
(3) Collaborate with the Office of Legal Affairs (L),
the Privacy Office (A/GIS/PRV) and the Office
of Civil Rights (S/OCR) to ensure that all ITP activities are conducted in
accordance with applicable laws and policies;
(4) Establish oversight mechanisms or procedures to
ensure proper handling and use of records and data described below; and ensure
access to such records and data is restricted to personnel who require the
information to perform their authorized functions;
(5) Ensure the establishment of guidelines and
procedures for the retention of records and document the Department's insider
threat policies and standards; and
(6) Facilitate oversight reviews by cleared officials
designated by M to ensure compliance with insider threat policy guidelines, as
well as applicable legal, privacy and civil liberty protections.
12 FAM 513.3-2 Insider Threat Program Office
(CT:DS-245; 12-21-2015)
Senior Officials will establish and oversee an ITP office
to execute the mandates of E.O. 13587 and the National Insider Threat Policy
and minimum standards for Executive Insider Threat Programs to include:
(1) Build and maintain an insider threat analytic
capability to manually and/or electronically gather, integrate, centrally
analyze, and respond to all relevant information indicative of a potential
insider threat, to include information derived from:
Counterintelligence (CI);
Security;
Information Assurance (IA);
Human Resources (HR);
Law Enforcement (LE) and Protective Intelligence;
User Activity Monitoring (UAM); and
Other sources as necessary and appropriate.
(2) Expand, enhance, and augment the user awareness
products and related defensive threat briefings to inform Department personnel
of the nature and scope of insider threats;
(3) Establish procedures for insider threat response
actions (whether administrative, security, or criminal) to clarify or resolve
insider threat matters, ensuring that response actions are centrally managed
and documented by the ITP Office;
(4) Establish and maintain guidelines and procedures
for the protection, retention, and destruction of records and documents
collected through the insider threat investigations;
(5) Ensure Department compliance with E.O. 13587 and
address future ITP mandates; and
(6) Report to the senior officials regarding ITP
policies, procedures, and investigations and make recommendations concerning response
actions.
12 FAM 513.3-3 Insider Threat Program Board
(CT:DS-245; 12-21-2015)
a. The ITP office will establish a charter for a
cross-discipline, DS-led, ITP Program Board, drawn from relevant bureaus in the
Department relating to ITP goals. The Program Board will be responsible for
providing policy and practical advice and guidance to the ITP senior officials.
b. The Program Board will:
(1) Include senior personnel from the following
Department stakeholder Bureaus:
Bureau of Administration (A);
Diplomatic Security (DS);
Human Resources (HR);
Intelligence and Research (INR);
Information Resource Management (IRM);
Office of Legal Affairs (L);
Office of Medical Services (MED);
Office of the Inspector General (OIG); and
Other Departmental offices and U.S. agencies as necessary.
(2) Be chaired by Diplomatic Security (DS) and, using
subject matter expertise of the group members, act in an advisory capacity to
the senior officials, to ensure that policies, guidance, and operational
activities are conducted in accordance with standing legal and privacy
directives;
(3) Make a recommendation, upon request, for a course
of action on any insider threat allegation to the ITP Program Office or senior officials
based on the facts and background presented;
(4) Develop relationships between offices, leading to
better information sharing and cooperation; and
(5) In accordance with Section 9(a)(2) of the
Inspector General Act of 1978 (IG Act), as amended, and Section 209(a)(1) of
the Foreign Service Act of 1980, (FS Act), as amended, the Program Board shall
not transfer or assign any program operating responsibilities to OIG personnel
participating in the Program Board. OIG personnel may abstain from any Program
Board activity that, in the judgment of the OIG, might impair OIG independence
including, but not limited to, advising on policies, procedures, guidance, or
other actions that may be audited, inspected, evaluated, or otherwise reviewed
by the OIG.
12 FAM 513.3-4 Insider Threat Program HUB
(CT:DS-245; 12-21-2015)
a. The ITP Office will establish the Insider Threat
HUB, the Department's centralized analysis and response capability for Insider
Threat. The HUB will be responsible for addressing operational aspects of the
ITP, including gathering and analyzing insider threat information, identifying
potential insider threat concerns, and ensuring that an appropriate inquiry is
conducted to resolve the concern.
b. The HUB will:
(1) Include personnel from DS, consulting with the
following primary stakeholder Department Bureaus:
A;
HR;
INR;
IRM;
L;
MED;
OIG; and
Other Department offices as appropriate.
(2) Act as the initial processing point for any
potential insider threat information gathered from automated reporting
mechanisms;
(3) Use monitoring anomalies, administrative or
criminal investigations, analytical capabilities, and any additional means for
determining the merits of pursuing a preliminary inquiry regarding a potential
insider threat;
(4) Refer all analyzed data to the ITP Office to
support a recommendation for a course of action on any insider threat
allegation to the senior officials based on the facts and background presented;
(5) Task actions, or recommend actions, to the
appropriate investigative or administrative unit to further develop the investigation,
and provide regular updates on the investigation to the senior officials to
assist in their determination for continuing the insider threat investigation
after the senior officials determine there is sufficient cause to continue a
formal investigation into a potential insider threat, or in appropriate cases,
refer the matter to the OIG. In accordance with Section 3(a) of the IG Act and
Section 209(a)(1) of the FS Act, no investigation tasked or recommended by HUB
will prevent or prohibit the OIG from initiating, carrying out, or completing
an OIG investigation;
(6) Include members trained in the following topics
and regulations in accordance with their area of expertise:
(a) Counterintelligence, law enforcement, and security
fundamentals;
(b) Administrative and criminal misconduct;
(c) Department procedures for conducting insider threat
response actions;
(d) Applicable laws and regulations regarding the
gathering, integration, retention, and disposition of records and documents
collected through the insider threat investigations;
(e) Applicable civil liberties and privacy laws,
regulations, and policies; and
(f) The investigative referral requirements of Section
811 of the Intelligence Authorization Act for Fiscal Year 1995.
12 FAM 513.3-5 Access to Information
(CT:DS-245; 12-21-2015)
a. The Senior Officials will:
(1) Direct all Department bureaus and diplomatic
missions to securely provide to ITP personnel all relevant information
necessary to perform insider threat analysis, as well as detect, react, and respond
to security risk issues;
(2) Provide guidance and direction to all Department
bureaus and posts, who will establish procedures within their respective
offices to ensure that authorized information determined to be of relevance is accessible
to and shared with the appropriate ITP personnel. Such access and information
includes but is not limited to the following:
(a) Counterintelligence and security - All relevant data
and files, including but not limited to: personnel security files, facility
access records, foreign travel and contacts, and security violations as may be
necessary for resolving or clarifying insider threat matters;
(b) Security auditing and user activity monitoring -
Data collected and analyzed to assist in identifying abnormal behavior related
to the actions of a workstation user, including use and access to applications,
services, networks, and data in the IT environment. User workstation
activities will be monitored consistent with the Department's 12 FAM 600 Cyber
security policy;
(c) Information Assurance (IA) - All relevant network
information generated by IA elements to include but not limited to personnel
usernames, levels of network access, unauthorized use of removable media,
network or system logs and other data needed for clarification or resolution of
an insider concern; and
(d) Human Resources - All relevant HR data and files,
including but not limited to personnel files, payroll files, disciplinary
files, and personal contacts records as may be necessary for resolving or
clarifying insider threat matters.
(3) Establish procedures for access requests by the
ITP office involving particularly sensitive or protected information, such as
medical records, information held by special access, law enforcement, inspector
general, or other investigative sources or programs, which may require that
access be provided upon the request of the senior officials; and
(4) Ensure the ITP office has timely access, as
otherwise permitted, to available U.S. government intelligence and
counterintelligence reporting information and analytic products pertaining to
adversarial threats.
12 FAM 513.3-6 Monitoring User Activity on Networks
(CT:DS-245; 12-21-2015)
Senior Officials shall:
(1) Develop, utilize, and maintain a capability to
monitor user activity on Department-managed networks at all security domains in
order to detect activity indicative of insider threat behavior, in consultation
with L and the privacy office;
(2) Develop and implement policies and procedures for
properly protecting, interpreting, storing, and limiting dissemination of user activity
monitoring (UAM) information and UAM methods to authorized personnel;
(3) Ensure agreements are signed by all insiders with
access to Department systems, acknowledging that their activity on any agency
network, to include government portable electronic devices, is subject to
monitoring and could be used against them in a criminal, security, or
administrative proceeding. Agreement language will be developed in
coordination with L; and
(4) Ensure classified and unclassified network banners
are employed within the Department, informing consenting users that the network
is being monitored for lawful U.S. government-authorized purposes, which can
result in criminal or administrative actions against the user. Banner language
will be developed in consultation with L.
12 FAM 513.3-7 Protective Measures for Sensitive Data Collection
(CT:DS-320; 05-17-2019)
The Senior Officials will:
(1) Protect the information, documents, files, and
other material submitted to the HUB by Department stakeholder offices in
accordance with current and applicable federal laws, rules, regulations, and
policy;
(2) Establish oversight mechanisms or procedures to ensure
proper handling and safeguarding of records and data collected, while ensuring
that access to such records or data is restricted to ITP personnel who require
the information to perform their authorized functions;
(3) Ensure that the program's policies and procedures,
in coordination with L and the Privacy Division (A/GIS/PRV), will confirm that
legal, civil liberties, and privacy protections are incorporated throughout the
Department's ITP; and
(4) Establish guidelines and procedures for the
protection of records and documents necessary in accordance with Department
policies and procedures required in 5 FAM 460 - The
Privacy Act and Personally Identifiable Information.
12 FAM 513.4 Employee Responsibility to Report Potentially Vulnerable Activities
(CT:DS-245; 12-21-2015)
All employees have a responsibility and obligation to
protect Department personnel, information, facilities and systems and should be
aware of the following:
(1) The importance of detecting insider threats;
(2) The importance of reporting suspected activity,
i.e., espionage, unauthorized disclosure of national security information,
terrorism, sabotage, violence in the workspace, to insider threat personnel;
(3) Methodologies used by adversaries to recruit
trusted insiders and collect classified information;
(4) Indicators of insider threat behavior and procedures
to report such behavior; and
(5) Counterintelligence and security reporting
requirements, including:
(a) Foreign Travel and Contact Reporting (12 FAM 262.2);
(b) Personnel Security and Suitability reportable
actions (12 FAM 270); and
(c) Employees who believe they have identified an
insider threat must report their concerns immediately. Domestically, the
office to report insider threat concerns is the Counterintelligence Division
(DS/ICI/CI) in the Bureau of Diplomatic Security (DS). Overseas, all insider
threat reports should be made to the regional security officer. The following
email boxes have been created to assist employees with their reporting
requirement: InsiderThreatReporting@state.gov (unclassified network), and
InsiderThreatReporting@state.sgov.gov (classified network).
12 FAM 513.5 Employee Training and Awareness
(CT:DS-245; 12-21-2015)
The senior officials will ensure that:
(1) Mandatory insider threat awareness training will,
at a minimum, be provided to all employees within 30 days of entering on duty
(EOD) or following the granting of access to classified information, and
annually thereafter, and will address the following topics:
(a) The importance of detecting the many types of
potential insider threats (espionage, unauthorized disclosure of national
security information, terrorism, sabotage, violence in the workplace) and
reporting suspected activity to insider threat personnel or other designated officials;
(b) Counterintelligence and security reporting
requirements, as applicable;
(c) Procedures for reporting observed suspicious or
abnormal behavior by persons who access and/or use national security systems;
(d) Methods used by adversarial organizations to recruit
or co-opt persons who have access to national security systems and the
information that resides thereon;
(e) Indicators of suspected espionage on national
security systems; and
(f) Prior espionage incidents involving the compromise
of national security systems and information.
(2) An internal network site is established and
promoted to all authorized users of the network to provide insider threat
reference material, including indicators of insider threat behavior, applicable
reporting requirements and procedures, and provide a secure electronic means of
reporting matters to the ITP office; and
(3) The Department continues to expand, enhance, and
augment its threat briefings and related user awareness products to inform
employees of the nature and scope of insider threats.
12 FAM 514 through 519 UNASSIGNED