Protecting Classified Information

Overview
A security clearance is a privilege, not a right. When you accept the privilege of
access to classified information, you are also accepting the responsibilities that
accompany this privilege. This guide informs you of your responsibilities and
provides information to help you fulfill them.
Your responsibility to protect the classified information that you learn about is a
LIFELONG obligation. It continues even after you no longer have an active
security clearance.
The Nondisclosure Agreement you signed when accepting your clearance is a
legally binding agreement between you and the U.S. Government in which you
agreed to comply with procedures for safeguarding classified information and
acknowledged that there are legal sanctions for violating this agreement.
Deliberate violation for profit may be prosecuted. This agreement assigned to the
U.S. Government the legal right to any payments, royalties or other benefits you
might receive as a result of unauthorized disclosure of classified information.
Your signed Nondisclosure Agreement is the only form held on file long after you
retire (50 years!).
The various topics in this module of the Security Guide discuss procedures for
handling, marking, safeguarding, and communicating classified information. The
regulatory basis for these procedures is Executive Order 12985, Classified
National Security Information, dated October 13, 1995, as amended March 28,
2003. National guidance for implementing this order is in the Information Security
Oversight Office (ISOO) Classified National Security Information Directive No. 1,
September 22, 2003. Many individual departments, agencies, and offices also
have their own implementing regulations, for example, Department of Defense
Regulation 5200.1, Information Security Program.
Failure to comply with these procedures may result in adverse administrative
action including revocation of your security clearance. When we study the history
of foreign intelligence activities against the United States, one thing becomes
very clear. When our adversaries or competitors are successful in obtaining
classified or other sensitive information, it is usually due to negligence, willful
disregard for security, or betrayal of trust by our own personnel.
The Bottom Line
Pogo, a popular cartoon character from the 1960s, coined an oft-quoted
phrase: "We have met the enemy, and he is us." That sums it up. We – not
our foreign adversaries or competitors – are the principal source of the
problem, but we can also become the solution. You and I and all others
who hold a security clearance are the first line of defense against
espionage and other loss of sensitive information. Together, if we fulfill our
responsibilities, we have the power to protect our national security and
economic interests.
Need-to-Know
Your security clearance does not give you approved access to all classified
information. It gives you access only to:

Information at the same or lower level of classification as the level of the
clearance granted; AND that you have a "need-to-know" in order to
perform your work.
Need-to-know is one of the most fundamental security principles. The
practice of need-to-know limits the damage that can be done by a trusted
insider who goes bad. Failures in implementing the need-to-know principle
have contributed greatly to the damage caused by a number of recent
espionage cases.
Need-to-know imposes a dual responsibility on you and all other authorized
holders of classified information:

When doing your job, you are expected to limit your requests for
information to that which you have a genuine need-to-know. Under some
circumstances, you may be expected to explain and justify your
need-to-know when asking others for information.

Conversely, you are expected to ensure that anyone to whom you give
classified information has a legitimate need to know that information. You
are obliged to ask the other person for sufficient information to enable you
to make an informed decision about their need-to-know, and the other
person is obliged to justify their need-to-know.

You are expected to refrain from discussing classified information in
hallways, cafeterias, elevators, rest rooms or smoking areas where the
discussion may be overheard by persons who do not have a need-to-know
the subject of conversation.
You are also obliged to report to your security office any co-worker who
repeatedly violates the need-to-know principle.
Need-to-know is difficult to implement as it
conflicts with our natural desire to be
friendly and helpful. It also requires a level
of personal responsibility that many of us
find difficult to accept. The importance of
limiting sensitive information to those who
have a need to know is underscored,
however, every time a trusted insider is
found to have betrayed that trust.
Here are some specific circumstances when you need to be particularly careful:

An individual from another organization may contact you and ask for
information about your classified project. Even though you have reason to
believe this person has the appropriate clearance, you are also obliged to
confirm the individual’s need-to-know before providing information. If you
have any doubt, consult your supervisor or security officer.

Difficult situations sometimes arise when talking with friends who used to
be assigned to the same classified program where you are now working.
The fact that a colleague formerly had a need-to-know about this program
does not mean he or she may have access to the information. There is no
"need" to keep up to date on sensitive developments after being
transferred to a different assignment.

The need-to-know principle also applies to placing classified information
on computer networks. Before doing so, make sure it is appropriate for
this information to be seen by all persons with access to the system.
Although every individual gaining access to a particular computer network
is cleared for the clearance level of that system, they may not have a need
to know all of the information posted on the system.
Classification Procedures
Original and Derivative Classification
Executive Order 12958, as amended March 25, 2003, sets U.S. Government
policy for classifying national security information that must be protected from
unauthorized disclosure. Information is classified in one of two ways -- originally
or derivatively.
Original classification is the initial determination that information requires
protection. Only U.S. Government officials to whom this authority has been
delegated in writing and who have been trained in classification requirements
have the authority for original classification. Original classification authorities
issue security classification guides that others use in making derivative
classification decisions. Most government employees and contractors make
derivative classification decisions.
Derivative classification is the act of classifying a specific item of information or
material on the basis of an original classification decision already made by an
authorized original classification authority. The source of authority for derivative
classification ordinarily consists of a previously classified document or a
classification guide issued by an original classification authority.
For example, Defense contractors make derivative classification decisions based
on the Contract Security Classification Specification that is issued with each
classified contract. If a contractor develops an unsolicited proposal or originates
information not in the performance of a classified contract, the following rules
apply. If the information was previously identified as classified, it should be
classified derivatively. If the information was not previously classified, but the
contractor believes the information may be or should be classified, the contractor
should protect the information as though classified at the appropriate level and
submit it to the agency that has an interest in the subject matter for a
classification determination. In such a case, the material should be marked
CLASSIFICATION DETERMINATION PENDING. Protect as though classified
(TOP SECRET, SECRET, or CONFIDENTIAL).
The full text of Executive Order 12958 is available on the DSS website at
www.dss.mil/seclib/index.htm. Classification guidelines for defense contractors
are in Chapter 4 of the National Industrial Security Program Operating Manual
(NISPOM). The full text of the NISPOM is also available on the Defense Security
Service Internet site at www.dss.mil/seclib/index.htm.
Classification Levels
Information that must be controlled to protect the national security is assigned
one of three levels of classification, as follows:

TOP SECRET information is information which, if disclosed without
authorization, could reasonably be expected to cause exceptionally grave
damage to the national security.

SECRET information is information which, if disclosed without
authorization, could reasonably be expected to cause serious damage to
the national security.

CONFIDENTIAL information is information which, if disclosed without
authorization, could reasonably be expected to cause damage to the
national security.
Atomic energy information is classified under the Atomic Energy Act of 1954, and
the procedures differ from those prescribed for national security information.
Atomic energy information is automatically classified and remains classified until
a positive action is taken to declassify it. It may be declassified only by the
Department of Energy. Consult your security officer for information on marking
and handling atomic energy information. There are two types:

RESTRICTED DATA covers "all data concerning (1) design, manufacture,
or utilization of atomic weapons; (2) the production of special nuclear
material; or (3) the use of special nuclear material in the production of
energy," except for data that has been declassified or removed from the
Restricted Data category.

FORMERLY RESTRICTED DATA is information which has been removed
from the Restricted Data category after Department of Energy and
Department of Defense have jointly determined that the information
relates primarily to the military utilization of atomic weapons and can be
adequately safeguarded as National Security Information. The word
"formerly" only means that such information is no longer subject to
controls under the Atomic Energy Act. Formerly Restricted Data remains
classified and subject to controls on national security information. Such
data may not be given to any other nation except under specially
approved agreements. It is identified and handled as RESTRICTED
DATA when sent outside the United States.
RESTRICTED DATA and FORMERLY RESTRICTED DATA should also be
marked with one of the three classification levels -- TOP SECRET, SECRET, or
CONFIDENTIAL.
Markings for the "Classified by," "Derived from," and
"Declassify on" Lines
All classified information shall be marked to reflect the source of the
classification, reason for the classification, and instructions for declassification or
downgrading. The markings used to show this information must appear toward
the bottom on the cover, first page, title page, or in another prominent position.
Nondocumentary material should show the required information on the material
itself or, if not practical, in related or accompanying documentation.
"Classified by" Line: The "Classified by" line is used only on originally classified
documents. It identifies the original classification authority by name or personal
identifier and position and cites justification for the classification. This is followed
by a "Reasons" line that cites by name or number one of the seven approved
classification categories specified in Executive Order 12958.
[Figure: Example of original classification]
"Derived from" Line: Any appropriately cleared employee has the authority to
derivatively classify a document. The "Derived from" line cites the source
document or classification guide which allowed you to determine that the
information in your document is classified. The date of the source document or
classification guide is to be included. If more than one source document,
classification guide, or combination of these provided the derivative classification
guidance, write "Multiple Sources" on the "Derived from" line. A record of these
multiple sources must be maintained on or with the file copy of the document.
[Figure: Example of derivative classification]
"Declassify on" Line: The classified by or derived from lines should be followed
by a line that identifies when the classified information is to be declassified. This
information is obtained from the "Declassify on _____" line of the source
document or from a classification guide. If your document classification is derived
from "Multiple Sources" and different declassification instructions apply, you must
use the most restrictive declassification instruction that applies.
Declassification
The Original Classification Authority has the following options for declassification
instructions for documents that were originally classified under Executive Order
12958.

Whenever possible, the declassification date should be specified as a date
or event that corresponds to the lapse of the information's national security
sensitivity. However, the date or event must not exceed 25 years from the
date of the original classification.

If information should remain classified beyond 25 years, there are a
number of exemptions that may apply. This may be appropriate, for
example, if the information would reveal the identity of a confidential
human source, or a human intelligence source, or reveal information about
the application of an intelligence source or method.
Many older documents classified prior to Executive Order 12958 still carry the
declassification designation OADR -- Originating Agency's Determination
Required. When one of these documents is the source document for derivative
classification, the Declassify on line should read: Source document marked
"OADR" Date of source (insert date).
No U.S. document shall be downgraded below the highest level of foreign
government information contained in the document, nor shall it be declassified
without the written approval of the foreign government that originated the
information.
Classified Information Appearing in Public Media: The fact that classified
information has been made public does not mean it is automatically declassified.
Information remains classified unless and until it is formally declassified. If you
become aware of classified or other sensitive information appearing in the public
media, bring it to the attention of your security office.
Downgrading or Declassifying Classified Information: Information is
downgraded or declassified based on the loss of sensitivity of the information due
to the passage of time or on occurrence of a specific event. Declassification is
not automatically an approval for public disclosure.
Marking Downgraded or Declassified Material: Classified information that is
downgraded or declassified should be promptly and conspicuously marked to
indicate the change.
Classification Pending: Material that you generate, and that you believe may
be classified and for which no classification guidance is available, must be
protected and handled as though classified at the appropriate level until a
classification determination is obtained from the appropriate government
organization. This material should be marked as follows:
CLASSIFICATION DETERMINATION PENDING
PROTECT AS (APPROPRIATE CLASSIFICATION LEVEL)
The derivative and warning notice markings need not be applied in this situation.
Reproduction should be held to an absolute minimum until a classification
determination is received.
Challenging a Classification
Any approved holder of classified information who believes the information is
classified improperly or unnecessarily, or that current security considerations
justify downgrading to a lower classification or upgrading to a higher
classification, or that security classification guidance is improper or inadequate, is
encouraged and expected to challenge the classification status.
Government employees should pursue such actions through established agency
procedures that protect individuals from retribution for bringing such actions,
provide an opportunity for review by an impartial official or panel, and provide a
right of appeal to the Interagency Security Classification Appeals Panel.
Contractors should appeal such issues through their pertinent government
contracting authority.
Marking Classified Information
Physically marking classified information with appropriate classification and
control markings serves to warn and inform holders of the degree of protection
required. Other notations aid in derivative classification actions and facilitate
downgrading or declassification. It is important that all classified information and
material be marked to clearly convey the level of classification assigned, the
portions that contain or reveal classified information, the period of time protection
is required, and any other notations required for protection of the information or
material.
The following is a summary of the most commonly used document control
markings. More detailed information is available via the Internet from a variety of
sources.
Overall Classification Markings
The overall (i.e., highest) classification of a document is marked at the top and
bottom of the outside cover (if there is one), the title page (if there is one), the
first page, and the outside of the back cover (if there is one) or back side of the
last page.
Each interior page containing classified information is marked top and bottom
with the overall (i.e., highest) classification of the page. Each unclassified interior
page is marked "Unclassified" at the top and bottom. Interior pages that are For
Official Use Only need to be marked only at the bottom. Blank pages require no
markings.
Attachments and annexes may become separated from the basic
document. They should be marked as if they were separate documents.
Additionally, every classified document must show, on the face of the document,
the agency and office that created it and date of creation. This information must
be clear enough to allow someone receiving the document to contact the
preparing office if questions or problems about classification arise.
U.S. documents that contain foreign government information shall be marked on
the front, "THIS DOCUMENT CONTAINS FOREIGN GOVERNMENT (indicate
level) INFORMATION."
Computer files must be marked with appropriate headers and footers to ensure
that anything that is transmitted or printed will have the applicable classification
and associated markings.
All removable storage media and devices such as diskettes, CD-ROMs,
cassettes, magnetic tape reels, etc. must have an outer label with the appropriate
markings.
Each slide must be marked on the slide itself or slide cover, as well as on the
image that is projected.
Automated Information Processing Requirements
Use of automated information systems to route and control access to information
is forcing changes in how documents are marked. Within the Intelligence
Community, classification and control markings must now follow a specified
format that enables automated systems to recognize the markings.
The following formats apply only within the Intelligence Community.2 However,
similar rules are under consideration in the Defense Department and other
government organizations.
Any classified document, either in hard copy or automated, must contain a
header and footer with the classification, any control markings, and
declassification date or designation. These three elements -- classification,
control marking(s), and declassification date -- must be separated by two forward
slashes and no spaces. If multiple dissemination control markings are used, they
are separated by a comma and no spaces, except that multiple SCI controls are
separated by a single forward slash and no spaces. Declassification date must
be marked by an eight-digit number (year, month, day), exemption category
(such as X1), or as Manual Review (MR). This is illustrated by the following
examples:
SECRET//SI/TK//NOFORN//X1
SECRET//ORCON,PROPIN//20091231
A control marking such as FOR OFFICIAL USE ONLY cannot stand alone. It
must be preceded by a classification as in:
UNCLASSIFIED//FOR OFFICIAL USE ONLY
When marking foreign government classified information, the classification is
preceded by two forward slashes and countries are identified by an approved
three-letter designator, as in //NATO SECRET or //DEU SECRET for Germany.
Portion Marking
The title or subject of a classified document is marked with the appropriate
classification abbreviation in parentheses -- (TS), (S), (C), or (U) immediately
following and to the right of the title or subject.
Each section, part, paragraph, or similar portion of a classified document is to be
marked with the appropriate classification abbreviation in parentheses
immediately before the beginning of the portion. If the portion is numbered or
lettered, place the abbreviation in parentheses between the letter or number and
the start of the text.
Portions of U.S. documents containing foreign government information are
marked to reflect the foreign country of origin as well as the appropriate
classification, for example, (U.K.-C). Portions of U.S. documents containing
extracts from NATO documents are marked to reflect "NATO" or "COSMIC" as
well as the appropriate classification, for example, (NATO-S) or (COSMIC-TS).
Further information is available at Foreign Government Classified Information.
Release to Foreign Countries/Organizations
In support of homeland security and coalition warfare, the U.S. Government has
an increased need to share data with foreign countries, international
organizations, and multinational forces. This has led to recent changes in the use
of the "Released to..." (REL TO) control marking. This marking was previously
only for use on intelligence information, but it is now authorized for use on all
classified defense information.
Following the REL TO marking is a list of countries to which the information may
be released through proper disclosure channels to specified foreign governments
or international organizations. This list starts with USA and is followed by other
countries listed alphabetically by the approved country code(s), international
organization, or coalition force.
Example: TOP SECRET//REL TO USA, EGY and ISR
This format with // after the classification, a comma and space between each
country, and with a lower case "and" with no comma before the last country code
must be followed exactly to facilitate machine reading and sorting of the
document. The approved three-letter country codes are available on the Internet
at ftp.ripe.net/iso3166-countrycodes.txt. This marking shall appear at the top and
bottom of the front cover (if there is one), the title page (if there is one), the first
page and the outside of the back cover (if there is one). Each interior page
containing classified information is marked top and bottom with the overall (i.e.,
highest) classification of the page.
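The header format under Automated Information Processing Requirements and the REL TO list format above are both written for machine reading, so they can be checked mechanically. The validator below is an added example, not code from this guide or from any government system; the exemption-category pattern beyond X1, the upper-case-words rule for control markings, and treating three-letter REL TO entries as country codes are assumptions, and foreign government markings with a leading // are not handled.

```python
import re
from datetime import datetime

CLASSIFICATIONS = ("TOP SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED")
# Assumption: exemption categories are "X" plus digits (the page shows only X1).
DECLASS_RE = re.compile(r"^(?:\d{8}|X\d+|MR)$")
# Assumption: a control marking is upper-case words separated by single spaces.
CONTROL_RE = re.compile(r"^[A-Z]+(?: [A-Z]+)*$")
# ", " between entries, lower-case "and" with no comma before the last entry.
REL_TO_RE = re.compile(r"^REL TO ([A-Z]+(?:, [A-Z]+)*) and ([A-Z]+)$")


class MarkingError(ValueError):
    """Raised when a marking line does not follow the described format."""


def parse_rel_to(segment):
    """Return the entries of a REL TO segment, e.g. ['USA', 'EGY', 'ISR']."""
    m = REL_TO_RE.match(segment)
    if not m:
        raise MarkingError(f"REL TO list is not 'A, B and C' form: {segment!r}")
    entries = m.group(1).split(", ") + [m.group(2)]
    if entries[0] != "USA":
        raise MarkingError("REL TO list must start with USA")
    # Assumption: three-letter entries are country codes; longer ones (NATO)
    # are organizations and are left out of the alphabetical-order check.
    codes = [e for e in entries[1:] if len(e) == 3]
    if codes != sorted(codes):
        raise MarkingError(f"country codes not in alphabetical order: {codes}")
    return entries


def parse_banner(line):
    """Split a header/footer line into classification, controls, declass."""
    parts = line.split("//")          # elements: two slashes, no spaces
    if parts[0] not in CLASSIFICATIONS:
        # Also catches a control marking standing alone (e.g. bare FOUO).
        raise MarkingError(f"must start with a classification, got {parts[0]!r}")
    result = {"classification": parts[0], "controls": [],
              "rel_to": None, "declassify_on": None}
    rest = parts[1:]
    # The page's own examples show the declassification element can be absent.
    if rest and DECLASS_RE.match(rest[-1]):
        declass = rest.pop()
        if declass.isdigit():
            try:
                datetime.strptime(declass, "%Y%m%d")   # year, month, day
            except ValueError:
                raise MarkingError(f"{declass} is not a calendar date") from None
        result["declassify_on"] = declass
    for seg in rest:
        if seg.startswith("REL TO "):
            result["rel_to"] = parse_rel_to(seg)
            continue
        # SCI controls use a single slash, dissemination controls a comma.
        sep = "/" if "/" in seg else ","
        items = seg.split(sep)
        bad = [i for i in items if not CONTROL_RE.match(i)]
        if bad:
            raise MarkingError(f"malformed control marking {bad[0]!r} in {seg!r}")
        result["controls"].append(items)
    return result


def validate(line):
    """Return 'ok' or 'rejected: <reason>' for one marking line."""
    try:
        parse_banner(line)
        return "ok"
    except MarkingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # The first four lines are the page's examples; the rest are constructed
    # to break one rule each.
    samples = [
        "SECRET//SI/TK//NOFORN//X1",
        "SECRET//ORCON,PROPIN//20091231",
        "UNCLASSIFIED//FOR OFFICIAL USE ONLY",
        "TOP SECRET//REL TO USA, EGY and ISR",
        "FOR OFFICIAL USE ONLY",                  # control marking alone
        "SECRET//ORCON, PROPIN//20091231",        # space after comma
        "SECRET//NOFORN//20091331",               # month 13
        "TOP SECRET//REL TO USA, EGY, and ISR",   # comma before "and"
        "TOP SECRET//REL TO USA, ISR and EGY",    # not alphabetical
    ]
    for s in samples:
        print(f"{s:45} {validate(s)}")
```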
When portion marking individual titles or paragraphs, the countries do not need
to be listed unless they are different from the countries listed in the REL TO at
the top and bottom of the page. For example: (TS:REL). If information is
releasable to different countries than those listed in the overall REL TO marking,
all the countries and organizations should be listed in the portion marking. For
example: (S//REL TO USA, AUS, NZL and NATO).
The marking "Not Releasable to Foreign Nationals" (NOFORN) is still only
authorized for use on intelligence that requires originator approval before being
disclosed (see below).
Other Distribution Controls
In addition to its classification, intelligence information and certain scientific or
technical information may also be subject to other controls on its distribution and
handling. It is your responsibility to understand and comply with the control
markings on classified information. If you are not sure, contact your security
office. These control markings include:

Dissemination and Extraction of Information Controlled by Originator
(ORCON) or (OC) means that any additional distribution or inclusion in
another document must be approved by the originator of the document. It
is used on intelligence information that could permit identification of a
sensitive intelligence source or method.

Not Releasable to Contractors/Consultants (NOCONTRACT) has been
discontinued but is still seen on older documents. Check with the
originator of the document regarding any ongoing controls on the use of
such a document. This caveat was used on intelligence information that is
provided by a source on the express or implied condition that it not be
made available to contractors; or that, if disclosed to a contractor, would
actually or potentially give him/her a competitive advantage or cause a
conflict of interest with his/her obligation to protect the information.

Caution - Proprietary Information Involved (PROPIN) or (PR) is used
with or without a security classification to identify information provided by a
commercial firm or private source under an express or implied
understanding that the information will be protected as a trade secret or
proprietary data with actual value.

NOFORN is for intelligence information that may not be passed to foreign
nationals.

Authorized for Release to ____ (REL TO) signifies intelligence
information that is releasable to or has been released through proper
disclosure channels to the named foreign government or international
organization. See more specific guidance in previous section.

Sensitive Compartmented Information (SCI) applies to certain
intelligence sources, methods, or analytical processes that are subject to a
formal access control system established by the Director of Central
Intelligence. Special approval is required for access to SCI.

Communications Security (COMSEC) is the protection of all elements of
telecommunications -- encryption, transmission, emissions, and the
physical security of equipment and materials.

Cryptographic Material (CRYPTO) identifies information or materials that
must be handled through special cryptographic channels.

Warning Notice - Intelligence Sources or Methods Involved
(WNINTEL) has been discontinued but is still seen on older documents. It
was used on intelligence information that identifies or would reasonably
permit identification of an intelligence source or method that is susceptible
to countermeasures that could nullify or reduce its effectiveness.

Critical Nuclear Weapons Design Information (CNWDI) or (N) applies
to information that reveals the theory of operation or design of the
components of a thermonuclear or fission bomb, warhead, demolition
munition, or test device. Special handling procedures are required.
Department of Defense also uses the marking Alternative or Compensatory
Control Measures (ACCM) for classified information that requires special
security measures to safeguard classified intelligence or operations and support
information when normal measures are insufficient to achieve strict need-to-know
controls and where special access program (SAP) controls are not required.
ACCM measures are defined as the maintenance of lists of personnel to whom
the specific classified information has been or may be provided together with the
use of an unclassified project nickname. The ACCM designation is used in
conjunction with the security classification to identify the portion, page, or
document containing ACCM information.
Handling Classified Information
As an approved custodian or user of classified information, you are personally
responsible for the protection and control of this information. You must safeguard
this information at all times to prevent loss or compromise and unauthorized
disclosure, dissemination, or duplication. Unauthorized disclosure of classified
material is punishable under the Federal Criminal Statutes or organizational
policies.
Your security officer or supervisor will brief you on the specific rules for handling
classified information that apply to your organization. Here are some standard
procedures that apply to everyone.
Classified information that is not safeguarded in an approved security container
shall be constantly under the control of a person having the proper security
clearance and need-to-know. An end-of-day security check should ensure that all
classified material is properly secured before closing for the night.
If you find classified material left unattended (for
example, in a rest room, or on a desk), it is your
responsibility to ensure that the material is properly
protected. Stay with the classified material and notify
the security office. If this is not possible, take the
documents or other material to the security office, a
supervisor, or another person authorized access to
that information, or, if necessary, lock the material in
your own safe overnight.
Classified material shall not be taken home, and you
must not work on classified material at home.
Classified information shall not be disposed of in the waste basket. It must be
placed in a designated container for an approved method of destruction such as
shredding or burning.
E-mail and the Internet create many opportunities for inadvertent disclosure of
classified information. Before sending an e-mail, posting to a bulletin board,
publishing anything on the Internet, or adding to an existing Web page, you must
be absolutely certain none of the information is classified or sensitive unclassified
information. Be familiar with your organization's policy for use of the Internet.
Many organizations require prior review of ANY information put on the Internet.
Classified working papers such as notes and rough drafts should be dated when
created, marked with the overall classification and with the annotation "Working
Papers," and disposed of with other classified waste when no longer needed.
Computer diskettes, magnetic tape, CDs, carbon paper, and used typewriter
ribbons may pose a problem when doing a security check, as visual examination
does not readily reveal whether the items contain classified information. To
reduce the possibility of error, some offices treat all such items as classified even
though they may not necessarily contain classified information.
Foreign government material shall be stored and access controlled generally in
the same manner as U.S. classified material of an equivalent classification, with
one exception. See Foreign Government Classified Information.
Top Secret information is subject to continuing accountability. Top Secret control
officials are designated to receive, transmit, and maintain access and
accountability records for Top Secret information. When information is
transmitted from one Top Secret control official to another, the receipt is recorded
and a receipt is returned to the sending official. Each item of Top Secret material
is numbered in series, and each copy is also numbered.
Some classified Department of Defense information is subject to special controls
called Alternative or Compensatory Control Measures (ACCM). ACCM are
security measures used to safeguard classified intelligence or operations and
support information when normal measures are insufficient to achieve strict
need-to-know controls and where special access program (SAP) controls are not
required. ACCM measures include the maintenance of lists of personnel to whom
the specific classified information has been or may be provided, together with the
use of an unclassified nickname and ACCM designation used in conjunction with
the security classification to identify the portion, page, and document containing
such specific classified information.
Sensitive Controlled Information (SCI) is subject to special handling procedures
not discussed here.
Mailing and Carrying Classified Materials
The following procedures apply to mailing or carrying classified materials. These
procedures cover the most common circumstances but do not cover the
shipment of bulky materials. They are intended as general guidance only and are
not a substitute for review of the official regulations.
TOP SECRET material may not be sent through the mail under any
circumstances. It must be transmitted by cleared courier or approved electronic
means.
SECRET material may be transmitted by U.S. Postal Service registered mail or
express mail within and between the United States and its territories. However,
the "Waiver of Signature and Indemnity" block on the Express Mail Label 11-B
may not be executed, and the use of external (street side) express mail collection
boxes is prohibited. SECRET material may be sent through U.S. Postal Service
registered mail through Army, Navy, or Air Force Postal Service facilities outside
the United States, provided that the information does not at any time pass out of
U.S. citizen control and does not pass through a foreign postal system or any
foreign inspection. Federal Express may also be used for SECRET material for
urgent, overnight delivery only, but contractors must receive approval from their
government contracting authority to use this method.
CONFIDENTIAL material is subject to the same mailing procedures as Secret
material, with the following exceptions: 1) CONFIDENTIAL material may be sent
by U.S. Certified mail rather than by U.S. Registered mail. 2) Government
agencies (but not contractors) may also send CONFIDENTIAL material by First
Class mail between and among government agencies only. It cannot be sent to
contractors via First Class mail. Under all circumstances, the outer envelope
should be marked "Do Not Forward. Return to Sender." Under no circumstances
shall the USPS Express Mail label 11-B "Waiver of Signature and Indemnity" be
used.
Classified material must be mailed at the post office. Use of street mail collection
boxes is prohibited.
Wrapping
All classified material must be double-wrapped with opaque inner and outer
covers. It shall be marked as follows:

Mark the inner envelope top and bottom on both sides, preferably in red,
with the classification in capital letters. A box with classified material
should be marked with the classification on all surfaces of the inner
wrapping.

Write the complete mailing address and complete return address on the
inner envelope. The address on the inner envelope should have the name
of an appropriately cleared individual.

On the outer envelope, write the complete mailing address and return
address. Do not indicate on the outer envelope that it contains classified
information. Classified mail or shipments should be addressed to the
Commander or other head of the organization by title, not by name, or to
an approved classified mailing address of a federal activity or to a cleared
contractor using the name and classified mailing address of the facility. An
individual's name should not appear on the outer envelope. Instead of a
person's name, use office code letters, numbers, or phrases in an
attention line to aid in internal routing. When necessary to direct material
to the attention of a particular individual, put the individual's name on an
attention line in the letter of transmittal or on the inner container or
wrapper.
For Official Use Only is a document control designation, not a classification. Such
material may be mailed in a single envelope.
Receipts
A receipt identifying the sender, the addressee, and the document should be
attached to or enclosed in the inner envelope as noted below. The receipt shall
contain no classified information. It should be signed and returned to the sender.
Top Secret material must be transmitted under a continuous chain of receipts
covering each individual who obtains custody.
For Secret material, a classified material receipt must be included with all
material transmitted outside the facility.
For Confidential material, a receipt must be included only if the sender deems it
necessary, or if the information is being transmitted to a foreign government.
Hand-Carrying Classified Material
For hand-carrying classified material, different procedures apply for surface
transportation, commercial air, government air, and for transportation outside the
continental U.S.
If you personally transport classified material by car or foot to another
location, you must provide reasonable protection for the information under all
foreseeable contingencies that might occur while in transit. Automobile
accident, theft and sudden illness are all foreseeable contingencies.
This means the classified information must be double wrapped or packaged as
though it were being sent by mail, kept under your constant control (i.e., not
left in the trunk of your car while you run another errand), and delivered only
to an authorized person. A briefcase may serve as the outer wrapper only if it is
locked and approved for carrying classified material. Prepare an inventory of
the material and leave one copy in your office and another copy with a security
officer or other responsible person.
Carrying classified material on trips that involve an overnight stopover is not
permitted without advance arrangements for overnight storage in a U.S.
Government office or a cleared contractor facility.
For air travel, a written letter of authorization from your security office is required.
Your security officer will advise you of appropriate procedures. Stricter
procedures are required for air travel outside the United States. For air travel, a
locked briefcase may not serve as the outer wrapper.
Appropriate Use Of Computer Systems
Misuse of an automated information system is sometimes illegal, often unethical,
and always reflects poor judgment or lack of care in following security rules and
regulations. Misuse may, unintentionally, create security vulnerabilities or cause
damage to important information. A pattern of inability or unwillingness to follow
rules for the operation of computer systems raises serious concerns about an
individual's reliability and trustworthiness.
As we store more and more information in computer data bases, and
as these data bases become more closely linked in networks, more people
have broader access to more information than ever before. Computer
technology has magnified many times the ability of a careless or
disaffected employee to cause severe damage.
This topic discusses rules for using your computer. You should also read
Computer Vulnerabilities, which describes in nontechnical language the security
and other vulnerabilities of computer networks that make some of these rules
necessary.
Owing to the magnitude of problems that can be caused by misuse of computer
systems, Misuse of Technical Information Systems is now one of the 13 criteria
used in adjudicating approval and revocation of security clearances for access
to classified information.
Many aspects of computer use are governed by your organization's policy rather
than by federal government regulation. Many government agencies and defense
contractors specify the security procedures and prohibited or inappropriate
activities discussed below.
Security Rules
The following are basic rules for secure use of the computer.

Do not enter into any computer system without authorization.
Unauthorized entry into a protected or compartmented computer file is a
serious security violation and is probably illegal. It can be a basis for
revocation of your security clearance. Whether motivated by the challenge
of penetrating the system or by simple curiosity to see what is there,
unauthorized entry is a deliberate disregard for rules and regulations. It
can cause you to be suspected of espionage. At a minimum, it violates the
need-to-know principle and in some cases is an invasion of privacy.

Do not store or process classified information on any system not explicitly
approved for classified processing. See Security of Hard Drives.

Do not attempt to circumvent or defeat security or auditing systems
without prior authorization from the system administrator, other than as
part of a system test or security research authorized in advance.

Do not install any software on your computer without the approval of your
system administrator.

Do not use another individual’s userid, password, or identity.

Do not permit an unauthorized individual (including spouse, relative or
friend) access to any sensitive computer network. Do not leave sensitive
but unclassified work materials on a home computer to which other
persons have access.

Do not reveal your password to anyone -- not even your computer system
administrator. See Passwords.

Do not respond to any telephone call from anyone whom you do not
personally know who asks questions about your computer, how you use
your computer, or about your userid or password. See "Social
Engineering."

If you are the inadvertent recipient of classified material sent via e-mail or
become aware of classified material on an open bulletin board or web site,
you must report this to the security office.

Do not modify or alter the operating system or configuration of any system
without first obtaining permission from the owner or administrator of that
system.

Do not use your office computer system to gain unauthorized access to
any other computer system.
Inappropriate Use
Many offices permit some minimal personal use of office equipment when such
personal use involves minimal expense to the organization, is performed on your
personal non-work time, does not interfere with the office's mission, and does not
violate standards of ethical conduct.
The following activities are considered to be misuse of office equipment:

The creation, download, viewing, storage, copying, or transmission of
sexually explicit or sexually oriented materials can cause you to be fired
from your job. See discussion under E-Mail.

Annoying or harassing another individual, for example through uninvited
e-mail of a personal nature or using lewd or offensive language, can cause
you to be fired from your job. See discussion under E-Mail.

Using the computer for commercial purposes or in support of "for-profit"
activities or in support of other outside employment, business activity (e.g.,
consulting for pay, sales or administration of business transactions, sale of
goods or services), or gambling.

Engaging in any outside fund-raising activity, endorsing any product or
service, participating in any lobbying activity, or engaging in any prohibited
partisan political activity.

The creation, copying, transmission, or retransmission of chain letters or
other unauthorized mass mailings.

Any activities that are illegal, inappropriate, or offensive to fellow
employees or the public. Such activities include hate speech or material
that ridicules others on the basis of race, creed, religion, color, sex,
disability, national origin, or sexual orientation.

Use for posting office information to any external newsgroup, chat room,
bulletin board, or other public forum without prior approval.

Any personal use that could cause congestion, delay, or disruption of
service to any office equipment. This includes sending pictures, video, or
sound files or other large file attachments that can degrade computer
network performance.

The unauthorized acquisition, use, reproduction, transmission, or
distribution of any controlled information. This includes copyrighted
computer software; other copyrighted or trademarked material or material
with intellectual property rights (beyond fair use); privacy information; and
proprietary data or export-controlled data or software.
E-Mail
There are two big problems with e-mail. One is increased risk of accidental
security compromise. The other is sending inappropriate materials by e-mail,
which has caused many people to be fired from their jobs.
Security Risks with E-Mail
As a result of the Internet and e-mail, there has been a sharp increase in security
incidents involving the accidental disclosure of classified and other sensitive
information. One common problem occurs when individuals download a
seemingly unclassified file from a classified system, and then fail to carefully
review this file before sending it as an attachment to an e-mail message. Too
often, the seemingly unclassified file actually has some classified material or
classification markings that are not readily apparent when the file is viewed on
line. Sending such material by e-mail is a security violation even if the recipient
has an appropriate security clearance, as e-mail can easily be monitored by
unauthorized persons. See E-Mail Pitfalls in Computer Vulnerabilities.
More important, even if the downloaded file really is unclassified, the electronic
version of that file may have recoverable traces of classified information. This
happens because data is stored in "blocks." If a file does not take up an entire
block, the remainder of that block may have recoverable traces of data from
other files. (See Security of Hard Drives for further explanation of this problem.)
Your system administrator must follow an approved technical procedure for
removing these traces before the file is treated as unclassified.
Some organizations have found it necessary to lock their computer drives to
prevent any downloading of files from the classified system. If an individual
wishes to download and retransmit an unclassified file from a classified system,
the file must be downloaded and processed by the system administrator to
remove electronic traces of other files before it is retransmitted.
Inappropriate Materials
Sending e-mail is like sending a postcard through the mail. Just as the mailman
and others have an opportunity to read a postcard, network eavesdroppers can
read your e-mail as it passes through the Internet from computer to computer.
E-mail is not like a telephone call, where your privacy rights are protected by law.
The courts have repeatedly sided with employers who monitor their employees'
e-mail or Internet use. A 2005 survey found that 63% of corporations with 1,000
or more employees either employ or plan to employ staff to read or otherwise
analyze outbound email. 27% of the companies reported terminating an
employee due to email misuse during the previous year. 35% investigated a
suspected email leak of confidential information during the past year. In addition
to protection of their intellectual property, companies were concerned about
compliance with financial disclosure regulations. 4 Organizations also monitor
email to protect themselves against lawsuits, as the organization can be held
liable for abusive, harassing, or otherwise inappropriate messages sent over its
computer network.
In the past couple of years, The New York Times fired 23 employees for
exchanging off-color e-mail. Xerox fired 40 people for inappropriate Internet use.
Dow Chemical fired 24 employees and disciplined another 230 for sending or
storing pornographic or violent material by e-mail. 1
Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who
successfully brought a suit of sexual harassment, in part because an employee
sent an e-mail to coworkers listing the reasons why beer is better than women. 2
Security of Hard Drives
Secrets in the computer require the same protection as secrets on paper. This is
because information can be recovered from a computer hard drive even after the
file has been deleted or erased by the computer user. It is estimated that about a
third of the average hard drive contains information that has been "deleted" but is
still recoverable. 3
When you delete a file, most computer operating systems delete only the
"pointer" which allows the computer to find the file on your hard drive. The file
itself is not deleted until it is overwritten by another file. This is comparable to
deleting a chapter heading from the table of contents of a book, but not removing
the pages on which the chapter is written. Some networks may be configured to
"wipe" or purge the hard drive when information is deleted, but most are not.
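The pointer-only deletion described above, and the block remainder problem described under Security Risks with E-Mail, can be seen in a small model. The following is an added example and not part of the original guide; the ToyDisk class, the 32-byte block size, the file names and the sample text are all constructed for illustration, and the sanitize step stands in for, and is not, an approved technical procedure.

```python
"""Toy model of a block-allocated disk. Everything here is constructed for
illustration; it is not a real file system or an approved sanitization tool."""

BLOCK_SIZE = 32  # assumed block size in bytes; real systems use 512 or more


class ToyDisk:
    def __init__(self, num_blocks=8):
        self.raw = bytearray(BLOCK_SIZE * num_blocks)  # the physical media
        self.free = list(range(num_blocks))            # free-block list
        self.directory = {}                            # name -> (blocks, length)

    def _span(self, block):
        """Start and end offsets of one block on the raw media."""
        return block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // BLOCK_SIZE))   # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, block in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start, _ = self._span(block)
            # Only the file's own bytes are written; the remainder of the
            # last block keeps whatever was stored there before.
            self.raw[start:start + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        """What the user sees: exactly `length` bytes, never the slack."""
        blocks, length = self.directory[name]
        data = b"".join(bytes(self.raw[slice(*self._span(b))]) for b in blocks)
        return data[:length]

    def delete_file(self, name):
        """Remove the 'pointer' and free the blocks; the data is untouched."""
        blocks, _ = self.directory.pop(name)
        self.free = sorted(self.free + blocks)

    def slack(self, name):
        """Bytes between the end of the file and the end of its last block."""
        blocks, length = self.directory[name]
        used = length - (len(blocks) - 1) * BLOCK_SIZE
        start, end = self._span(blocks[-1])
        return bytes(self.raw[start + used:end])

    def sanitize(self):
        """Overwrite every free block and every file's slack with zeros."""
        for block in self.free:
            start, end = self._span(block)
            self.raw[start:end] = bytes(end - start)
        for blocks, length in self.directory.values():
            used = length - (len(blocks) - 1) * BLOCK_SIZE
            start, end = self._span(blocks[-1])
            self.raw[start + used:end] = bytes(end - start - used)


def demo():
    disk = ToyDisk()
    # Constructed sample text standing in for a classified file.
    secret = b"SECRET//CONSTRUCTED SAMPLE: convoy route 7"
    disk.write_file("plan.doc", secret)
    disk.delete_file("plan.doc")                       # user "deletes" it
    residue_after_delete = b"convoy route 7" in disk.raw

    # A shorter unclassified file reuses the first freed block.
    disk.write_file("menu.txt", b"UNCLASSIFIED lunch menu")
    result = {
        "visible_file": disk.read_file("menu.txt"),
        "residue_after_delete": residue_after_delete,
        "slack": disk.slack("menu.txt"),
        "residue_after_reuse": b"convoy route 7" in disk.raw,
    }
    disk.sanitize()
    result["residue_after_sanitize"] = (
        b"conv" in disk.raw or b"route" in disk.raw
    )
    result["file_after_sanitize"] = disk.read_file("menu.txt")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unclassified file reads back clean through the directory, yet the raw media still holds the tail of the deleted file in the slack and in the freed block until both are overwritten.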
Computers on which classified information is prepared must be kept in facilities
that meet specified physical security requirements for processing classified
information. If necessary to prepare classified information on a computer in a
non-secure environment, use a removable hard drive or laptop that is secured in
an approved safe when not in use. Alternatively, use a typewriter.
Check with your security office concerning rules for traveling with a laptop on
which classified or other sensitive information has been prepared. Laptop
computers are a particular concern owing to their vulnerability to theft.
Computer Passwords
Passwords are used to authenticate an individual’s right to have access to
certain information. Your password is for your use only. Lending it to someone
else is a security violation and may result in disciplinary action against both
parties. Never disclose your password to anyone. Memorize it – do not put it
in writing. If you leave your terminal unattended for any reason, log off or use a
screen lock. Otherwise, someone else could use your computer to access
information they are not authorized to have. You will be held responsible if
someone else uses your password in connection with a system transaction.
As hackers and scammers develop more clever ways to steal passwords, it
becomes more important that passwords be changed regularly. Use a password
with at least six and preferably eight characters and consisting of a mix of upper
and lower case letters, numbers, and special characters such as punctuation
marks. This mix of various types of characters makes it more difficult for a hacker
to use an automated tool called a "password cracker" to discover your password.
Cracking passwords is a common means by which hackers gain unauthorized
access to protected systems.
For additional information on selecting a strong password and why this is so
important, see Passwords and the case studies in Computer Vulnerabilities.
"Social Engineering"
"Social engineering" is hacker-speak for conning legitimate computer users into
providing useful information that helps the hacker gain unauthorized access to
their computer system.
The hacker using social engineering usually poses as a legitimate person in the
organization (maintenance technician, security officer, inexperienced computer
user, VIP, etc.) and employs a plausible cover story to trick computer users into
giving useful information. This is usually done by telephone, but it may also be
done by forged e-mail messages or even in-person visits.
Most people have an incorrect impression of computer break-ins. They think they
are purely technical, the result of technical flaws in computer systems which the
intruders are able to exploit. The truth is, however, that social engineering often
plays a big part in helping an attacker slip through security barriers. Lack of
security awareness or gullibility of computer users often provides an easy
stepping stone into the protected system if the attacker has no authorized access
to the system at all.
For additional information see "Social Engineering" and the two case studies in
Computer Vulnerabilities.
Protecting Your Home Computer
If you access your office network from home or do work at home that is then
emailed to the office or brought to the office on any removable storage media,
this can affect the security of the office network. You have an obligation to follow
standard procedures for protecting your home computer against viruses and
other problems that might be transmitted to your office network. These include
installing a virus checker with automatic updates, installing a personal firewall,
turning off or uninstalling any options that significantly increase security risk, and
keeping your computer's operating system up-to-date with security fixes as they
become available.
Glossary of Definitions
Most of the following definitions of security-related terms are from the National
Industrial Security Program Operating Manual (NISPOM), Appendix C. Some are
from other sources.
Access. The ability and opportunity to obtain knowledge of classified information.
Access Authorization (Security Clearance). Authority permitting an employee
performing on government work and having need-to-know to have access to
classified information at a stipulated level of classification. Authorization for
access at one level of classified information automatically authorizes an
individual for lower levels.
Access List. A listing of names used to designate those persons authorized to
enter a controlled area or to have access to a particular classified document.
Accountability. Obligation for keeping an accurate record of custodians,
documents, and material, not necessarily vested in the person having possession
of the items.
Adverse Information. Any information that adversely reflects on the integrity or
character of a cleared employee, that suggests that his or her ability to safeguard
classified information may be impaired, or that his or her access to classified
information clearly may not be in the interest of national security.
Affiliate. Any entity effectively owned or controlled by another entity.
AIS Access. The ability and the means to approach, communicate with (input to
or receive output from), or otherwise make use of any material or component in
an Automated Information System.
Alien. Any person not a citizen or national of the United States. An immigrant
alien is a person lawfully admitted into the United States under an immigration
visa for permanent residence. See Foreign National.
Alternative or Compensatory Control Measures (ACCM). ACCM are security
measures used to safeguard classified intelligence or operations and support
information when normal measures are insufficient to achieve strict need-to-know
controls and where special access program (SAP) controls are not required.
ACCM measures are defined as the maintenance of lists of personnel to whom
the specific classified information has been or may be provided together with the
use of an unclassified nickname, and "ACCM" used in conjunction with the
security classification to identify the portion, page, and document containing such
specific classified information.
Approved Access Control Device. An access control device that meets the
requirements of this Manual as approved by the FSO.
Approved Built-in Combination Lock. A combination lock, equipped with a
top-reading dial that conforms to Underwriters' Laboratories, Inc. Standard Number,
UL 768, Group 1R.
Approved Combination Padlock. A three-position dial-type changeable
combination padlock listed on the GSA Qualified Products List as meeting the
requirements of Federal Specification FF-P-110.
Approved Electronic, Mechanical, or Electro-Mechanical Device. An
electronic, mechanical, or electro-mechanical device that meets the requirements
of this Manual as approved by the FSO.
Approved Key-Operated Padlock. A padlock, which meets the requirements of
MIL-SPEC-P-43607 (shrouded shackle), National Stock Number 5340-00-799-8248,
or MIL-SPEC-P-43951 (regular shackle), National Stock Number 5340-00-799-8016.
Approved Security Container. A security file container, originally procured from
a Federal Supply Schedule supplier that conforms to federal specifications and
bears a "Test Certification Label" on the locking drawer attesting to the security
capabilities of the container and lock. Such containers will be labeled "General
Services Administration Approved Security Container" on the face of the top
drawer. Acceptable tests of these containers can be performed only by a testing
facility specifically approved by GSA.
Approved Vault. A vault that has been constructed in accordance with this
Manual and approved by the CSA.
Approved Vault Door. A vault door and frame unit originally procured from the
Federal Supply Schedule (FSC Group 71, Part III, Section E, FSC Class 7110),
that meets Federal Specification AA-D-600.
Authorized Person. A person who has a need-to-know for classified information
in the performance of official duties and who has been granted a personnel
clearance at the required level.
Automated Information System. An assembly of computer hardware, software,
and firmware configured for the purpose of automating the functions of
calculating, computing, sequencing, storing, retrieving, displaying,
communicating, or otherwise manipulating data, information and textual material.
Automated Information System Security. All security safeguards needed to
provide an acceptable level of protection for Automated Information Systems and
the classified data processed.
Cipher Lock. An electronic security device that releases an electric door latch
when buttons are pressed in a correct sequence.
Classification Authority. The authority that is vested in a government official to
make an initial determination that information requires protection against
unauthorized disclosure in the interest of national security.
Classified Contract. Any contract that requires or will require access to
classified information by a contractor or his or her employees in the performance
of the contract. (A contract may be a classified contract even though the contract
document is not classified.) The requirements prescribed for a "classified
contract" also are applicable to all phases of precontract activity, including
solicitations (bids, quotations, and proposals), precontract negotiations,
post-contract activity, or other GCA program or project which requires access to
classified information by a contractor.
Classification Guide. A document issued by an authorized original classifier that
prescribes the level of classification and appropriate declassification instructions
for specific information to be classified on a derivative basis. (Classification
guides are provided to contractors by the Contract Security Classification
Specification.)
Classified Information. The term includes National Security Information,
Restricted Data, and Formerly Restricted Data.
Classified Information Procedures Act. A law that provides a mechanism for
the courts to determine what classified information the defense counsel may
access.
Classification Markings. Plain and conspicuous stamps or printing affixed to an
element of a page, document, or item to indicate level of classification thereof.
Such markings must be larger than the text type, except for paragraph
classification, which may be the same as text type.
Classified Visit. A visit during which the visitor will require, or is expected to
require, access to classified information.
Classifier. Any person who makes a classification determination and applies a
classification category to information or material. The determination may be an
original classification action or it may be a derivative classification action.
Contractors make derivative classification determinations based on classified
source material, a security classification guide, or a Contract Security
Classification Specification.
Cleared Commercial Carrier. A carrier that is authorized by law, regulatory
body, or regulation to transport SECRET material and has been granted a
SECRET facility clearance.
Cleared Employees. All contractor employees granted a personnel security
clearance (PCL) and all employees in-process for a PCL.
Closed Area. An area that meets the requirements of this Manual, as approved
by the CSA, for the purpose of safeguarding classified material that, because of
its size or nature, or operational necessity, cannot be adequately protected by
the normal safeguards or stored during nonworking hours in approved
containers.
Cognizant Security Agency (CSA). Agencies of the Executive Branch that have
been authorized by E.O. 12829 to establish an industrial security program for the
purpose of safeguarding classified information under the jurisdiction of those
agencies when disclosed or released to U.S. Industry. These agencies are: The
Department of Defense, the Department of Energy, the Central Intelligence
Agency, and the Nuclear Regulatory Commission. The Secretary of Defense
(SECDEF) has been designated as Executive Agent for the NISP. Heads of the
Executive Branches are required to enter into agreements with the SECDEF that
establish the terms of the SECDEF's responsibilities on behalf of these agency
heads for administration of industrial security on their behalf.
Cognizant Security Office (CSO). The office or offices delegated by the Head
of a CSA to administer industrial security in a contractor's facility on behalf of the
CSA.
Colleges and Universities. All educational institutions that award academic
degrees, and related research activities directly associated with a college or
university through organization or by articles of incorporation.
Communications Intelligence. Technical and intelligence information derived
from foreign communications by other than the intended recipient.
Communications Security. Protective measures taken to deny unauthorized
persons information derived from telecommunications of the U.S. Government
relating to national security and to ensure the authenticity of such
communications.
Company. A generic and comprehensive term which may include sole
proprietorships, individuals, partnerships, corporations, societies, associations,
and organizations usually established and operating to commonly prosecute a
commercial, industrial or other legitimate business, enterprise, or undertaking.
Compromise. The disclosure of classified information to an unauthorized
person.
CONFIDENTIAL. The designation that shall be applied to information or material
the unauthorized disclosure of which could be reasonably expected to cause
damage to the national security that the original classification authority is able to
identify or describe.
Consignee. A person, firm, or government activity named as the receiver of a
shipment; one to whom a shipment is consigned.
Consignor. A person, firm, or government activity by whom articles are shipped.
The consignor is usually the shipper.
Constant Surveillance Service. A transportation protective service provided by
a commercial carrier qualified by MTMC to transport CONFIDENTIAL shipments.
The service requires constant surveillance of the shipment at all times by a
qualified carrier representative; however, a facility clearance is not required for
the carrier. The carrier providing the service must maintain a signature and tally
record for the shipment.
Continental Limits of the United States. U.S. territory, including the adjacent
territorial waters located within the North American continent between Canada
and Mexico.
Contract Security Classification Specification (Form DD 254). Provides the
security classification requirements to be applied to information. This is issued by
the User Agency, or prime contractor, which furnishes an RFP or a classified
contract. When work is subcontracted to a supplier/vendor who requires access
to or generation of classified material, a DD Form 254 will be provided to the
supplier and cognizant security offices.
Contracting Officer. A government official who, in accordance with
departmental or agency procedures, currently is designated as a contracting
officer with the authority to enter into and administer contracts, and make
determinations and findings with respect thereto, or any part of such authority.
The term also includes the designated representative of the contracting officer
acting within the limits of his or her authority.
Contracting Officer/Contracting Officer's Representative (CO/COR). An
officer or civilian employee of any User Agency who is designated a contracting
officer (and whose designation has not been terminated or revoked), with the
authority to enter into and administer contracts and make determinations and
findings with respect to such contracts.
Contractor. Any industrial, educational, commercial, or other entity that has
been granted an FCL by a CSA.
Courier. A cleared employee, designated by the contractor, whose principal duty
is to transmit classified material to its destination. The classified material remains
in the personal possession of the courier except for authorized overnight storage.
Conversion Rights. The right inherent in the ownership or holding of particular
securities to exchange such securities for voting securities.
Critical Nuclear Weapon Design Information. A DoD category of weapon data
designating TOP SECRET Restricted Data or SECRET Restricted Data revealing
the theory of operation or design of the components of a thermonuclear or
implosion-type fission bomb, warhead, demolition munitions, or test device.
Crypto. A designation or marking which identifies classified operational keying
material, and which indicates that this material requires special consideration
with respect to access, storage, and handling.
Cryptographic. Of or pertaining to the various means and methods of rendering
plain text unintelligible and reconverting cipher text into intelligible form.
Custodian. An individual who has possession of, or is otherwise charged with,
the responsibility for safeguarding classified information.
DD Form 254. The completed DD Form 254 is the basic document conveying to
a contractor the contract security classification specifications and guidelines for
the classification, regrading, and downgrading of documents used in the
performance of a classified contract.
Declassification. The determination that classified information no longer
requires, in the interest of national security, any degree of protection against
unauthorized disclosure, together with removal or cancellation of the
classification designation.
Declassification Event. An event that eliminates the need for continued
classification of information.
Defense Transportation System. Military controlled terminal facilities, Military
Airlift Command controlled aircraft, Military Sealift Command controlled or
arranged sealift and Government controlled air or land transportation.
Department of Defense. The Office of the Secretary of Defense (OSD)
(including all boards, councils, staffs, and commands), DoD agencies, and the
Departments of Army, Navy, and Air Force (including all of their activities).
Derivative Classification. A determination that information is in substance the
same as information currently classified and the application of the same
classification markings. Persons who only reproduce, extract, or summarize
classified information, or who only apply classification markings derived from
source material or as directed by a classification guide, need not possess original
classification authority. Persons who apply derivative classification markings shall
observe and respect original classification decisions and carry forward to any
newly created documents any assigned authorized markings.
Destruction. Disposal of classified material by prescribed procedures.
Document. Any recorded information, regardless of its physical form or
characteristics, including, without limitation, written or printed matter, tapes,
charts, maps, paintings, drawings, engravings, sketches, working notes and
papers; reproductions of such things by any means or process; and sound, voice,
magnetic, or electronic recordings in any form.
Document Control. A system of records and regulations whereby control is
maintained over the origination, reproduction, transmission, receipt, and
destruction of classified documents.
Double Wrap. To enclose material in an inner container and an outer container.
Downgrade. A determination that classified information requires, in the interest
of national security, a lower degree of protection against unauthorized disclosure
than currently provided, together with a changing of the classification designation
to reflect a lower degree of protection.
Effectively Owned or Controlled. A foreign government or any entity controlled
by a foreign government has the power, either directly or indirectly, whether
exercised or exercisable, to control the election, appointment or tenure of the
Offeror's officers, or a majority of the Offeror's board of directors by any means; e.g.,
ownership, contract, or operation of law (or equivalent power for unincorporated
organizations).
Embedded System. An AIS that performs or controls a function, either in whole
or in part, as an integral element of a larger system or subsystem such as,
ground support equipment, flight simulators, engine test stands, or fire control
systems.
Entity. Any U.S. or foreign person.
Escort. A cleared employee, designated by the contractor, who accompanies a
shipment of classified material to its destination. The classified material does not
remain in the personal possession of the escort but the conveyance in which the
material is transported remains under the constant observation and control of the
escort.
Evaluated Products List. A documented inventory of equipment, hardware,
software, and/or firmware that have been evaluated against the evaluation
criteria found in DoD 5200.28-STD.
Facility. A plant, laboratory, office, college, university, or commercial structure
with associated warehouses, storage areas, utilities, and components, that, when
related by function and location, form an operating entity. (A business or
educational organization may consist of one or more facilities as defined herein.)
For purposes of industrial security, the term does not include Government
installations.
Facility (Security) Clearance. An administrative determination that, from a
security viewpoint, a facility is eligible for access to classified information of a
certain category (and all lower categories).
Firmware. A method of organizing control of an AIS in a microprogrammed
structure in addition to, or rather than, software or hardware. Microprograms are
composed of microinstructions, normally resident in read-only memory, to control
the sequencing of computer circuits directly at the detailed level of the single
machine instruction.
Foreign Government. Any national governing body organized and existing
under the laws of any country other than the United States and its possessions
and trust territories and any agent or instrumentality of that government.
Foreign Government Information. Information that is: a. Provided to the U.S.
by a foreign government or governments, an international organization of
governments, or any element thereof with the expectation, expressed or implied,
that the information, the source of the information, or both, are to be held in
confidence; or b. Produced by the U.S. pursuant to, or as a result of, a joint
arrangement with a foreign government or governments, an international
organization of governments or any element thereof, requiring that the
information, the arrangement, or both are to be held in confidence.
Foreign Interest. Any foreign government, agency of a foreign government, or
representative of a foreign government; any form of business enterprise or legal
entity organized, chartered or incorporated under the laws of any country other
than the U.S. or its possessions and trust territories, and any person who is not a
citizen or national of the United States.
Foreign Nationals. Any person who is not a citizen or national of the United
States.
Foreign Person. Any foreign interest and any U.S. person effectively owned or
controlled by a foreign interest.
Foreign Recipient. A foreign government or international organization, to whom
the U.S. is providing classified material.
Foreign Representatives. Citizens or nationals of the United States or
immigrant aliens who are acting as representatives, officials, or employees of a
foreign government, firm, corporation, or person.
Formerly Restricted Data. Classified information jointly determined by the DOE
and its predecessors and the DOD to be related primarily to the military utilization
of atomic weapons and removed by the DOE from the Restricted Data category
pursuant to section 142(d) of the Atomic Energy Act of 1954, as amended, and
safeguarded as National Security Information, subject to the restrictions on
transmission to other countries and regional defense organizations that apply to
Restricted Data.
Freight Forwarder (Transportation Agent). Any agent or facility designated to
receive, process, and transship U.S. material to foreign recipients. In the context
of this Manual, an agent or facility cleared specifically to perform these functions
for the transfer of U.S. classified material to foreign recipients.
Government-To-Government Channels. Transfers by government officials
through official channels or through other channels specified by the governments
involved.
Government Contracting Activity. An element of an agency designated by the
agency head and delegated broad authority regarding acquisition functions.
Guarded Perimeter. Outer-boundary enclosure which deters entry to a structure
or area except at entrances which are locked or guarded.
Handcarrier. A cleared employee, designated by the contractor, who
occasionally handcarries classified material to its destination in connection with a
classified visit or meeting. The classified material remains in the personal
possession of the handcarrier except for authorized overnight storage.
Home Office Facility. The headquarters facility of a multiple facility organization.
Immigrant Alien. See Alien.
Independent Research and Development. A contractor funded research and
development effort that is not sponsored by, or required in performance of, a
contract or grant that consists of projects falling within the areas of basic research;
applied research; development; and systems, and other concept formulation
studies.
Indoctrination. The initial security instructions/briefing given a person prior to
granting access to classified information.
Industrial Security. That portion of information security which is concerned with
the protection of classified information in the custody of U.S. industry.
Information. Any information or material, regardless of its physical form or
characteristics.
Information Security. The result of any system of administrative policies and
procedures for identifying, controlling, and protecting from unauthorized
disclosure, information the protection of which is authorized by executive order.
Information Systems Security Representative. The contractor employee
responsible for the implementation of Automated Information Systems security,
and operational compliance with the documented security measures and
controls, at the contractor facility.
Intelligence. Intelligence is the product resulting from the collection, evaluation,
analysis, integration, and interpretation of all available information, that concerns
one or more aspects of foreign nations or of areas of foreign operations, and that
is immediately or potentially significant to military planning and operations.
Intelligence Information. Information that is under the jurisdiction and control of
the Director of Central Intelligence or a member of the Intelligence Community.
Intelligent Terminal. An AIS term that means a terminal that is programmable,
able to accept peripheral devices, able to connect with other terminals or
computers, able to accept additional memory, or which may be modified to have
these characteristics.
Interim Access Authorization. Authority to permit an employee access to
classified information at a stipulated level of classification while the required
investigation is completed. Normally, only granted to avoid crucial delay in
contract performance. Not valid for access to RESTRICTED DATA or COMSEC
information unless such access is specifically authorized by the government.
Letter of Consent. The form used by the CSA to notify a contractor that a PCL
or a Limited Access Authorization has been granted to an employee.
Letter of Offer and Acceptance (LOA). United States Department of Defense
Offer and Acceptance that, when executed, provides that the U.S. offers to sell,
subject to terms and conditions contained therein, defense material to a foreign
government, and the foreign government accepts the offer, subject to those
terms and conditions.
Limited Access Authorization. Security access authorization to
CONFIDENTIAL or SECRET information granted to non-U.S. citizens requiring
such limited access in the course of their regular duties.
Marking. Stamping, printing, or tagging security classification designations on
documents or material according to prescribed procedures.
Material. Any product or substance on, or in which, information is embodied.
Military Export Sales. Military Export Sales may be divided into Foreign Military
Sales (FMS) under the AECA, sales under Section 607 of the Foreign Assistance
Act (FAA) and Direct Commercial Sales. FMS and FAA are government-to-government
transactions. For these sales, the DoD purchases articles and
services from U.S. firms, takes title to the equipment, or has title to the articles to
be sold from U.S. stocks, and sells the articles or services to the foreign buyer.
For direct commercial sales, the U.S. firm sells directly to the foreign government
or international organization.
Multiple Facility Organization. A legal entity (single proprietorship, partnership,
association, trust, or corporation) that is composed of two or more facilities.
National of the United States. A national of the United States is: a. A citizen of
the United States, or, b. A person who, though not a citizen of the United States,
owes permanent allegiance to the United States.
NOTE: 8 U.S.C. 1101(a)(22). 8 U.S.C. 1401, subsection (a) lists in paragraphs (1) through (7)
categories of persons born in and outside the United States or its possessions who may qualify
as nationals of the United States. This subsection should be consulted when doubt exists as to
whether or not a person can qualify as a national of the United States.
National Security. The national defense and foreign relations of the United
States.
National Security Information. Any information that has been determined
pursuant to E.O. 12958 or any predecessor order to require protection against
unauthorized disclosure and is so designated. The classifications TOP SECRET,
SECRET, and CONFIDENTIAL are used to designate such information and it is
referred to as "classified information."
NATO Information. Information bearing NATO markings, indicating the
information is the property of NATO, access to which is limited to representatives
of NATO and its member nations unless proper NATO authority has been
obtained to release outside of NATO.
Need-to-Know. A determination made by the possessor of classified information
that a prospective recipient has a requirement for access to, knowledge of, or
possession of the classified information to perform tasks or services essential to
the fulfillment of a classified contract or program.
Network. An AIS term meaning a network composed of a communications
medium and all components attached to that medium whose responsibility is the
transference of information. Such components may include AISs, packet
switches, telecommunications controllers, key distribution centers, and technical
control devices.
Nondisclosure Agreement (NDA). An agreement between the individual being
granted access and the U.S. government legally binding the individual to properly
safeguard, store, handle, transport or destroy classified material.
Official Information. Information which is owned by, produced for or by, or is
subject to the control of the United States Government. All classified information
is considered official information.
Original Classification. An initial determination that information requires, in the
interest of national security, protection against unauthorized disclosure, together
with a classification designation signifying the level of protection required. (Only
government officials, who have been designated in writing, may apply an original
classification to information.)
Parent Corporation. A corporation that owns at least a majority of another
corporation's voting securities.
Perimeter, Guarded. See Guarded Perimeter.
Personnel (Security) Clearance. An administrative determination that an
individual is eligible, from a security point of view, for access to classified
information of the same or lower category as the level of the personnel clearance
being granted.
Personnel Security Questionnaire (PSQ). Refers to related information forms
used for the processing of an individual for access to classified information.
Possessions. U.S. possessions are the U.S. Virgin Islands, Guam, American
Samoa, Swain's Island, Howland Island, Baker Island, Jarvis Island, Midway
Islands (this consists of Sand Island and Eastern Island), Kingman Reef,
Johnston Atoll, Navassa Island, Swan Island, Wake Island, and Palmyra Island.
Prime Contract. A contract let by a GCA to a contractor for a legitimate
government purpose.
Prime Contractor. The contractor who receives a prime contract from a GCA.
Proscribed Information.
a. Top Secret information;
b. Communications Security (COMSEC) information, except classified keys used
to operate secure telephone units (STU IIIs);
c. Restricted Data as defined in the U.S. Atomic Energy Act of 1954, as
amended;
d. Special Access Program (SAP) information; or
e. Sensitive Compartmented Information
Protective Security Service. A transportation protective service provided by a
cleared commercial carrier qualified by the Military Traffic Management
Command (MTMC) to transport SECRET shipments.
Public. Any contractor, subcontractor, Government official, or other individual
who does not require access to information (classified or unclassified) in
furtherance of the performance of the classified contract under which the
information was provided to the contractor.
Public Disclosure. The passing of information and/or material pertaining to a
classified contract to the public, or any member of the public, by any means of
communication.
Reference Material. Documentary material over which the GCA, who lets the
classified contract, does not have classification jurisdiction, and did not have
classification jurisdiction at the time the material was originated. Most material
made available to contractors by the Defense Technical Information Center and
other secondary distribution agencies is reference material as thus defined.
Regrade. To assign a higher or lower security classification to an item of
classified material.
Remote Terminal. A device for communication with an automated information
system from a location that is not within the central computer facility.
Representative of a Foreign Interest (RFI). A citizen or national of the United
States, who is acting as a representative of a foreign interest. (See "Foreign
Interest.")
Reproduction. Act or process of producing copies by any means.
Restricted Area. A controlled access area established to safeguard classified
material, that because of its size or nature, cannot be adequately protected
during working hours by the usual safeguards, but that is capable of being stored
during non-working hours in an approved repository or secured by other methods
approved by the CSA.
Restricted Data. All data concerning the design, manufacture, or utilization of
atomic weapons; the production of special nuclear material; or the use of special
nuclear material in the production of energy, but shall not include data
declassified or removed from the RD category pursuant to section 142 of the
Atomic Energy Act of 1954, as amended.
SECRET. The designation that shall be applied only to information or material
the unauthorized disclosure of which reasonably could be expected to cause
serious damage to the national security that the original classification authority is
able to identify or describe.
Security Clearance. See Access or Personnel (Security) Clearance.
Security Cognizance. The Government office assigned the responsibility for
acting for CSAs in the discharge of industrial security responsibilities.
Security in Depth. A determination made by the CSA that a contractor's security
program consists of layered and complementary security controls sufficient to
deter and detect unauthorized entry and movement within the facility.
Security Violation. Failure to comply with the policy and procedures in a manner
that reasonably could result in the loss or compromise of classified information.
Sensitive Compartmented Information. All Intelligence Information and
material that requires special controls for restricted handling within
compartmented channels and for which compartmentation is established.
Shipper. One who releases custody of material to a carrier for transportation to a
consignee. (See "Consignor.")
Short Title. An identifying combination of letters and numbers assigned to a
document or equipment for purposes of brevity.
Source Document. A classified document, other than a classification guide, from
which information is extracted for inclusion in another document.
Special Access Program. Any program that is established to control access,
distribution, and to provide protection for particularly sensitive classified
information beyond that normally required for TOP SECRET, SECRET, or
CONFIDENTIAL information. A Special Access Program can be created or
continued only as authorized by a senior agency official delegated such authority
pursuant to E.O. 12958.
Standard Practice Procedures. A document(s) prepared by a contractor that
implements the applicable requirements of the NISPOM for the contractor's
operations and involvement with classified information at the contractor's facility.
Subcontract. Any contract entered into by a contractor to furnish supplies or
services for performance of a prime contract or a subcontract. For purposes of
the NISPOM, a subcontract is any contract, subcontract, purchase order, lease
agreement, service agreement, request for quotation (RFQ), request for proposal
(RFP), invitation for bid (IFB), or other agreement or procurement action between
contractors that requires or will require access to classified information to fulfill
the performance requirements of a prime contract.
Subcontractor. A supplier, distributor, vendor, or firm that furnishes supplies or
services to or for a prime contractor or another subcontractor, who enters into a
contract with a prime contractor. For purposes of this Manual, each subcontractor
shall be considered as a prime contractor in relation to its subcontractors.
Subsidiary Corporation. A corporation in which another corporation owns at
least a majority of its voting securities.
System Software. Computer programs that control, monitor, or facilitate use of
the AIS; for example, operating systems, programming languages,
communication, input-output control, sorts, security packages and other utility-type
programs. Considered to also include off-the-shelf application packages
obtained from manufacturers and commercial vendors, such as for word
processing, spreadsheets, data base management, graphics, and computer-aided design.
Technical Data. Information governed by the International Traffic in Arms
Regulation (ITAR) and the Export Administration Regulation (EAR). The export of
technical data that is inherently military in character is controlled by the ITAR, 22
CFR 120.1-130.17 (1987). The export of technical data that has both military and
civilian uses is controlled by the EAR, 15 CFR 368.1-399.2 (1987).
TOP SECRET. The designation that shall be applied only to information or
material the unauthorized disclosure of which reasonably could be expected to
cause exceptionally grave damage to the national security that the original
classification authority is able to identify or describe.
Transclassification. When information has been removed from the RD category
by a joint determination of DOE and DOD and placed in the FRD category in
accordance with section 142d of the Atomic Energy Act.
Transmission. The sending of information from one place to another by radio,
microwave, laser, or other nonconnective methods, as well as by cable, wire, or
other connective medium. Transmission also includes movement involving the
actual transfer of custody and responsibility for a document or other classified
material from one authorized addressee to another.
Transshipping Activity. A government activity to which a carrier transfers
custody of freight for reshipment by another carrier to the consignee.
Two-Person Rule. A requirement that the contractor have at least two properly
cleared and briefed persons present whenever certain classified material is not
secured in an approved storage container.
Unclassified Visitor. See Visitor.
United States and Its Territorial Areas. The 50 states, the District of Columbia,
the Commonwealth of Puerto Rico, Guam, American Samoa, the Virgin Islands,
the Trust Territory of the Pacific Islands (also called Micronesia), Midway Island,
Wake Island, Johnston Atoll, Kingman Reef, Swain's Island, and Palmyra Island.
Unauthorized Person. A person not authorized to have access to specific
classified information.
United States. The 50 states and the District of Columbia.
United States Citizen (Native Born). A person born in one of the following
locations is considered to be a U.S. citizen for industrial security purposes: the 50
United States; District of Columbia; Puerto Rico; Guam; American Samoa;
Northern Mariana Islands; U.S. Virgin Islands; Panama Canal Zone (if the father
or mother (or both) was, or is, a citizen of the U.S.); the Federated States of
Micronesia; and the Republic of the Marshall Islands.
U.S. Person. Any form of business enterprise or entity organized, chartered or
incorporated under the laws of the United States or its possessions and trust
territories and any person who is a citizen or national of the United States.
Upgrade. A determination that certain classified information, in the interest of
national security, requires a higher degree of protection against unauthorized
disclosure than currently provided, coupled with a changing of the classification
designation to reflect such a higher degree.
Visitor. Any person entering a cleared facility who is not an employee of that
facility is a visitor. A classified visitor is one who, in the national interest and in
the performance of a classified contract or other approved program, requires
access to classified information. An unclassified visitor is one who has no access
authorization status and/or need-to-know, but has a legitimate need to enter a
facility.
Voting Securities. Any securities that presently entitle the owner or holder
thereof to vote for the election of directors of the issuer or, with respect to
unincorporated entities, individuals exercising similar functions.
Working Hours. The period of time when:
a. There is present in the specific area where classified material is located, a
work force on a regularly scheduled shift, as contrasted with employees working
within an area on an overtime basis outside of the scheduled workshift; and
b. The number of employees in the scheduled work force is sufficient in number
and so positioned to be able to detect and challenge the presence of
unauthorized personnel. This would, therefore, exclude janitors, maintenance
personnel, and other individuals whose duties require movement throughout the
facility.