UNCLASSIFIED (U)

5 FAM 760 

CLASSIFICATION OF WEB BASED DOCUMENTS

(CT:IM-309;   10-26-2023)
(Office of Origin:  A/GIS/PRV)

5 FAM 761  TYPES OF NETWORKS

(CT:IM-112;   02-01-2011)

There are two types of networks for general Department use:

(1)  OpenNet is an intranet with a portal to the Internet to include Email. OpenNet use is restricted to unclassified or sensitive but unclassified information.

(2)  ClassNet is a classified intranet which is not connected to the Internet but is connected to SIPRNet and POEMS.  ClassNet may process unclassified information, classified information up to and including SECRET, and information that has distribution restrictions. However, no Sensitive Compartmented Information (SCI) will be processed on ClassNet.

5 FAM 762  CLASSIFICATION MARKING

(CT:IM-112;   02-01-2011)

a. The requirements of E.O. 13526 concerning classified information apply to all physical formats and document types, including web pages and e-mails.  Marking the classification of each portion is particularly important for CLASSNET web postings, including unclassified portions, because users may copy or paraphrase information from web sites in new documents that require the correct derivative classification markings.  Refer to the definition of "information" in E.O. 13526, PART 6 Sec. 6.1.  Refer to the Department of State Classification Guide on CLASSNET exclusively and the A/GIS/IPS website for details on determining classification and classification markings.

b. 5 FAH-8 H-450 contains sample codes that can be used to ensure classified Web pages are properly marked for both display and printing.

5 FAM 763  HANDLING PROTECTED INFORMATION IN THE INFORMATION SHARING ENVIRONMENT (ISE)

5 FAM 763.1  General

5 FAM 763.1-1  Purposes

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. An Information Sharing Environment (ISE) has been created by Executive Order 13388 and Congressional statute to promote and improve the sharing of terrorism-related information.  Executive Order 13388, “Further Strengthening the Sharing of Terrorism Information to Protect Americans,” requires Federal agencies to give the highest priority to the interchange of terrorism information, while protecting the information privacy and other legal rights of Americans.

b. The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), section 1016(d), as amended, calls for the issuance of guidelines to protect privacy and civil liberties in the development and use of information sharing activities.  In December 2006, pursuant to IRTPA, the Program Manager for the ISE (PM-ISE) released a set of privacy guidelines, entitled Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment (hereinafter “ISE Privacy Guidelines”).

c.  The ISE Privacy Guidelines require U.S. Government departments and agencies to designate an “ISE Privacy Official” to directly oversee implementation of the Guidelines.  Each Federal agency that is part of the ISE must also develop an ISE Privacy Protection Policy.

d. The policy articulated herein sets forth the ISE Privacy Protection Policy for the Department of State and governs how the Department disseminates protected information within the ISE.  This ISE Privacy Policy is consistent with the Department’s existing privacy policies required by other mandates, including the Privacy Act of 1974, as amended.

5 FAM 763.1-2  Scope

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. This policy applies to all Department of State personnel, as well as vendors, contractors, researchers, grant recipients, and others who have access to Department of State information or systems.

b. Specifically, the policy applies to information that:

(1)  Concerns U.S. persons as defined as “individual” by the Privacy Act of 1974;

(2)  Is subject to information privacy or other legal protections under the Constitution and Federal laws of the United States;

(3)  Is terrorism-related information as defined by Section 1016(a)(5), IRTPA, as amended; and

(4)  May be shared within the ISE among all levels of Federal, State, local, and tribal Government, with the private sector, and potentially with foreign partners.

c.  This policy may also apply to other information that the U.S. Government expressly determines by executive order, international agreement, or other similar instrument should fall into this category.

5 FAM 763.1-3  Authorities

(CT:IM-249;   11-21-2018)
(Office of Origin:  A/GIS/PRV)

Authorities pertaining to the ISE include:

(1)  OMB Memorandum M-05-08 dated February 11, 2005;

(2)  Privacy Act of 1974, (5 U.S.C. 552a), as amended;

(3)  E-Government Act of 2002, Public Law 107-347;

(4)  The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Public Law 108-458;

(5)  The Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53;

(6)  Executive Order 12333 (United States Intelligence Activities), as amended by Executive Orders 13284 (2003), 13355 (2004), and 13470 (2008);

(7)  Executive Order 13388 (Further Strengthening the Sharing of Terrorism Information to Protect Americans);

(8)  Presidential Decision Directive (PDD) 63, May 22, 1998;

(9)  OMB Circular A-130, Managing Information as a Strategic Resource;

(10) Federal Information Technology Acquisition Reform (FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015;

(11) OMB Memorandum (M-15-14); Management and Oversight of Federal Information Technology; and

(12) Presidential Memorandum to Heads of Executive Departments and Agencies, Guidelines and Requirements in Support of the Information Sharing Environment, December 2005.

5 FAM 763.1-4  Definitions

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

Breach - The loss of control, compromise, unauthorized disclosure, acquisition, access, or any similar term referring to situations in which persons other than authorized users, for an other than authorized purpose, have access or potential access to PII, whether physical or electronic.

Civil liberties - fundamental individual rights such as freedom of speech, press, or religion; due process of law; and other limitations on the power of the Government to restrain or dictate the actions of individuals.  They are the freedoms that are guaranteed by the Bill of Rights—the first ten Amendments—to the Constitution of the United States.  Civil liberties offer protection to individuals from improper Government action and arbitrary Governmental interference (as defined by the ISE Frequently Asked Questions).

Civil rights - those rights and privileges of citizenship and equal protection that the State is constitutionally bound to guarantee all citizens regardless of race, religion, sex, or other characteristics unrelated to the worth of the individual. Protection of civil rights imposes an affirmative obligation upon Government to promote equal protection under the law.  These civil rights to personal liberty are guaranteed to all U.S. citizens by the Thirteenth and Fourteenth Amendments and by acts of Congress.  Generally, the term civil rights involves positive (or affirmative) Government action to protect against infringement (as defined by the ISE Frequently Asked Questions).

Homeland security information - homeland security information (defined by the Homeland Security Act of 2002, Public Law 107-296, Section 892(f)(1) (codified at 6 U.S.C. 482(f)(1))) is defined as information derived from or possessed by a State, local, tribal, or Federal agency that:

(1)  Relates to a threat of terrorist activity;

(2)  Relates to the ability to prevent, interdict, or disrupt terrorist activity;

(3)  Would improve the identification or investigation of a suspected terrorist or terrorist organization;

(4)  Would improve the response to a terrorist act; or

(5)  Law enforcement information - is defined in the ISE Awareness Training and means any information obtained by or of interest to a law enforcement agency or official that is both:

(a)  Related to terrorism or the security of our homeland; and

(b)  Relevant to a law enforcement mission, including but not limited to:

Information pertaining to an actual or potential criminal, civil, or administrative investigation or a foreign intelligence, counterintelligence, or counter terrorism investigation;

An assessment of or response to criminal threats and vulnerabilities;

The existence, organizations, capabilities, plans, intentions, vulnerabilities, means, methods, or activities of individuals or groups involved or suspected of involvement in criminal or unlawful conduct or assisting or associated with criminal or unlawful conduct;

The existence, identification, detection, prevention, interdiction, or disruption of, or response to criminal acts and violations of the law;

Identification, apprehension, prosecution, release, detention, adjudication, supervision, or rehabilitation of accused persons or criminal offenders; or

Victim/witness assistance.

Data quality - the accuracy, timeliness, relevance, and completeness of information about individuals.

Data security - means physical, technical, and administrative measures used to safeguard protected information from unauthorized access, modification, use, disclosure, or destruction as defined in the ISE Privacy Guidelines and 12 FAM 091 under “Information Security.”

Information Sharing Environment (ISE) - an approach that facilitates the sharing of terrorism and homeland security information. The ISE was established by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), and its definition was amended by The Implementing Recommendations of the 9/11 Commission Act of 2007.

Protected information - information about U.S. citizens and lawful permanent residents that is subject to information privacy or other legal protections under the U.S. Constitution and Federal laws of the United States. It is anticipated that, in most cases, protections will focus on PII (as defined in 5 FAM 460) about U.S. citizens and lawful permanent residents.

Redress - under these Guidelines means the policies and procedures established by the Department of State for addressing complaints about privacy, civil liberties, and/or civil rights arising from the sharing of protected information within the ISE.

Routine use - the use, sharing, or disclosure of protected information for a purpose compatible with the purpose for which the information was collected.

Terrorism-related information - terrorism information, identified as “terrorism-related information” throughout this policy, is defined by Section 1016(a)(5), IRTPA, as amended:

(1)  The existence, organization, capabilities, plans, intentions, vulnerabilities, means of finance or material support, or activities of foreign or international terrorist groups or individuals, or of domestic groups or individuals involved in transnational terrorism;

(2)  Threats posed by such groups or individuals to the United States, U.S. persons, or U.S. interests, or to those of other nations;

(3)  Communications of or by such groups or individuals;

(4)  Groups or individuals reasonably believed to be assisting or associated with such groups or individuals; and

(5)  Weapons of mass destruction information.

NOTE:  The “terrorism information” definition reflects the recent addition of “weapons of mass destruction information” incorporated by the Implementing Recommendations of the 9/11 Commission Act of 2007.

U.S. person - as defined in the Privacy Act of 1974 as an “individual,” meaning “a citizen of the United States or an alien lawfully admitted for permanent residence.”

Non-U.S. person - any person who falls outside the definition of “individual” as defined in the Privacy Act of 1974.

Weapons of mass destruction information - The term weapons of mass destruction information, defined in Section 1016(a)(6), IRTPA, means information that could reasonably be expected to assist in the development, proliferation, or use of a weapon of mass destruction (including a chemical, biological, radiological, or nuclear weapon) that could be used by a terrorist or a terrorist organization against the United States, including information about the location of any stockpile of nuclear materials that could be exploited for use in such a weapon that could be used by a terrorist or a terrorist organization against the United States.

5 FAM 763.2  Roles and Responsibilities

(CT:IM-249;   11-21-2018)
(Office of Origin:  A/GIS/PRV)

a. Secretary of State:  The roles and responsibilities of Federal agencies within the ISE are defined in the IRTPA and E.O. 12333. Within the ISE structure, the Secretary of State is specifically responsible for: (a) the collection (overtly or through public sources) of information relevant to U.S. foreign policy and national security; (b) the dissemination of reports received from U.S. diplomatic and consular posts; (c) the transmission of reporting requirements and taskings of the intelligence community to Chiefs of U.S. Missions abroad; and (d) the support of Chiefs of U.S. Missions in discharging their responsibilities under law and Presidential direction.

b. Senior Agency Official for Privacy:  The Assistant Secretary for Administration serves as the Senior Agency Official for Privacy (SAOP) and is responsible for overseeing, coordinating, and facilitating the Department’s compliance with privacy policy, as mandated by Federal legislation, and the Office of Management and Budget (OMB), as applied in 1 FAM 211.2 and 5 FAM 464. As the SAOP, the Assistant Secretary for Administration also chairs the Privacy Protection Governance Board (PPGB) and serves as the Department’s ISE Privacy Official.

c.  Privacy Protection Governance Board (PPGB):  The PPGB is a Department of State internal working body that addresses issues relating to PII from a Department-wide perspective and ensures the Department’s ability to respond to privacy-related White House directives, executive orders, and other authorities in a unified and timely manner.

d. Core Response Group:  The PPGB has established the Core Response Group (CRG), pursuant to OMB and Presidential recommendation, to act promptly and appropriately in the event of a data breach involving PII.  In the event of a suspected or confirmed data breach involving PII, the CRG will assist the relevant bureau or office with the development and implementation of an appropriate response to the breach incident.

e. The Privacy Division (A/GIS/PRV):  The Privacy Division serves as the Department’s steward of the E-Government Act of 2002, as well as executive orders, OMB directives, and Department policies that protect the collection, use, and disclosure of PII (see 1 FAM 214.3, Office of Information Programs and Services (A/GIS/IPS)).  The Privacy Division identifies all Department of State records systems from which information is retrieved by the name or personal identifier of an individual and publishes a system of records notice (SORN) for these record systems in the Federal Register.  A/GIS/PRV also conducts privacy impact assessments (PIAs) for the Department’s electronic information collections and information technology systems that contain PII in order to assess potential risk and determine ways to mitigate such risk (see 5 FAM 611).  Within the ISE, the Privacy Division is responsible for coordinating and disseminating ISE requirements concerning privacy and coordinating implementation of these requirements within the Department.

f.  Bureau of Information Resource Management (IRM):  The Bureau of Information Resource Management is responsible for the Department’s data and information systems domestically and abroad.  IRM’s range of responsibilities includes data sharing, data quality, information systems development, internet and intranet use, and, in accordance with IRM and Bureau of Diplomatic Security (DS) guidelines, the integrity and security of data and information systems (5 FAM 800).

g. Bureau of Diplomatic Security:  The Directorate of Threat Investigations and Analysis (DS/TIA) is the primary focal point for all threat investigations, analysis, and dissemination.  TIA is comprised of the Offices of Intelligence and Threat Analysis (DS/TIA/ITA), the Diplomatic Security Command Center (DS/TIA/CC), the Overseas Security Advisory Council (DS/TIA/OSAC), and Protective Intelligence and Investigations (DS/TIA/PII), which includes the Rewards for Justice Program (DS/TIA/PII/RFJ).  Additionally, the Security Infrastructure Directorate (DS/SI) supports the ISE initiatives mandated by the IRTPA, as amended. DS/SI policy analysts participate in numerous ISE working groups and initiatives (1 FAM 262).

h. ISE Working Group:  The Department of State’s internal ISE working group (ISEWG) is chaired by the Department’s senior official responsible for implementing ISE mandates and composed of representation from relevant bureaus involved with or participating in the sharing of terrorism-related information.

i.  Office of the Legal Adviser (L):  The Office of the Legal Adviser furnishes advice on all legal issues, domestic and international, arising in the course of the Department’s work.

j.  Department ISE Privacy Official:  The Senior Agency Official for Privacy (SAOP) serves as the Department of State ISE Privacy Official.  The ISE Privacy Official is the Department of State’s senior official with overall agency-wide responsibility for information privacy issues (as designated by statute or executive order, or as otherwise identified in response to OMB Memorandum M-05-08 dated February 11, 2005).  The ISE Privacy Official directly oversees the agency’s implementation of and compliance with the ISE Privacy Guidelines.  The ISE Privacy Official is responsible for ensuring that:

(1)  The agency’s policies, procedures, and systems are appropriately designed and executed in compliance with the ISE Privacy Guidelines, and

(2)  Changes are made as necessary.

k. Department Senior Official for the ISE:  The Department’s representative at interagency meetings where ISE policies are discussed and developed.  This senior official is responsible for managing the Department’s ISE efforts.

l.  Department ISE Standing Committee:  A Deputy Assistant Secretary (DAS) level standing committee that communicates ISE developments across the Department, proposes ISE-driven Department policies, and recommends how the Department should prioritize ISE-related funding priorities.  This Committee is chaired by the Department’s Senior Official for the ISE.

m. ISE Privacy Guidelines Committee:  The ISE Privacy Guidelines Committee will be chaired by the Program Manager (PM-ISE) or a senior official designated by the PM-ISE, and will consist of privacy officials from agencies involved in the ISE.  The ISE Privacy Guidelines Committee should request legal or policy guidance on questions relating to the implementation of these Guidelines from those agencies having responsibility or authorities for issuing guidance on such questions; any such requested guidance must be provided promptly by the appropriate agencies.

n. System Owner:  The system owner is the owner of a locally developed information system at the post or bureau level. Domestically, the system owner is the bureau-designated senior executive responsible for the system. Abroad, the system owner is the Charge, Deputy Chief of Mission, Consul General, Principal Officer or equivalent, or the bureau-designated senior executive responsible for the system.  The system owner is responsible for performance, privacy, and security issues for the system throughout its lifecycle (see 5 FAM 825).

5 FAM 763.3  Protected Information

5 FAM 763.3-1  Identification of Protected Information to be shared through the ISE

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. Protected information that may be shared with another Federal agency, a State, local, or tribal agency, with the private sector, or a foreign partner is subject to three basic requirements:

(1)  Identification;

(2)  Prior review; and

(3)  Notification.

These requirements will enable ISE participants to handle the shared information in accordance with applicable legal requirements.

b. Identification and Prior Review. To meet these requirements the Department’s Senior Official for the ISE, working with IRM and Department system owners, must identify those data holdings that contain protected information that may be shared within the ISE and develop reasonable procedures to ensure that the information has been reviewed before it is shared.  System owners are responsible for reviewing their own information, in conjunction with the Department’s Senior Official for the ISE, and consulting compliance documents provided by IRM and the ISE Privacy Official.  The review and the ISE notification will allow ISE participants to determine whether:

(1)  The information pertains to a U.S. citizen or lawful permanent resident;

(2)  There are limitations on the reliability or accuracy of the information;

(3)  The information is subject to specific privacy or other restrictions on access, use, or disclosure, and if so, the nature of such restrictions; and

(4)  The SORN and Privacy Impact Assessment (PIA) programs in the Privacy Division meet the requirements for identification and prior review and constitute the basic source for the information required for an ISE notification.  (See 5 FAM 460.) Based on SORN/PIA data, the ISE Privacy Official will prepare an ISE notification, addressing items (1) through (3) above when an ISE request is made for protected information in the Department’s shared system list.

c.  Notice - In accordance with existing regulations or any regulations established in the future, the Department of State will give notice of the nature of the individual records, data, databases, or Systems of Records which it creates, maintains, or makes available to other agencies through the ISE by providing a header, cover sheet, electronic caption, or appropriate portion mark, which must state if the information provided:

(1)  Contains protected information pertaining to a U.S. person, a non-U.S. person protected by treaty or international agreement, or a person/organization whose U.S. person status is undetermined; or

(2)  Is subject to legal restrictions on its access, use, or disclosure, describing the restriction and the pertinent law, regulation, or policy; or

(3)  Is generally reliable and accurate, and if not, describing the reason for limited confidence in source reliability or content validity (e.g., notice from previous recipient of the data, independent review, or inconsistency with other data).

c.  Offices within the Department of State must provide point of contact information to A/GIS/PRV for reports/records/data/systems they have been disseminating in the ISE.  Such information must include, at a minimum, the name of the originating department, component, or subcomponent and the title and contact information for the person to whom questions regarding the information should be directed.

5 FAM 763.3-2  Compliance with Laws

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

In compliance with the development and use of the ISE, the Department of State must, without exception, comply with the U.S. Constitution and all applicable laws and executive orders relating to protected information.

5 FAM 763.3-3  Rules Assessment

(CT:IM-249;   11-21-2018)
(Office of Origin:  A/GIS/PRV)

a. Prior to entering into information sharing agreements, system owners will follow the review procedures for data holdings identified as containing protected information.  System owners must notify the Department’s Senior Official for the ISE, A/GIS/PRV, and the Office of the Legal Adviser (L) if any information sharing agreements identify:

(1)  An issue that poses a significant risk to information privacy rights or other legal protections; or

(2)  A restriction on sharing privacy-protected information imposed by internal Department of State policy that significantly impedes the sharing of terrorism, homeland security, or law enforcement information in a manner that does not appear to be required by applicable laws or to protect information privacy rights or provide other legal protections; or

(3)  A restriction on sharing privacy-protected information, other than one imposed by internal Department of State policy, that significantly impedes the sharing of information in a manner that does not appear to be required to protect information privacy rights or provide other legal protections.

b. Upon receipt and validation of this information, A/GIS/PRV, in coordination with the Office of the Legal Adviser, must review such impediments with the Department’s ISE Standing Committee.  If appropriate internal resolution cannot be developed, the ISE Standing Committee must review such restriction with the ISE Privacy Guidelines Committee.  If an appropriate resolution is still not developed, the Standing Committee must bring the restriction to the attention of the Attorney General and the Director of National Intelligence, through the Secretary of State.  The Attorney General, DNI, and the Secretary of State must review any such restriction and jointly submit any recommendations for changes to the Assistant to the President for Homeland Security and Counterterrorism, the Assistant to the President for National Security Affairs, and the Director of the Office of Management and Budget for further review.

5 FAM 763.3-4  Non-Federal Entities

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

The Department of State will work with non-Federal entities seeking access to protected information through the ISE and ensure that such non-Federal entities have appropriate policies and procedures that provide protections at least as comprehensive as this FAM chapter prior to sharing protected information.

5 FAM 763.4  Data Quality

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. Privacy Act policies aimed at preventing errors in protected information are set forth in 5 FAM 462 and in frequent reminders to employees through Department Notices.  A/GIS/PRV also works closely with system owners to develop and update SORNs and PIAs in tandem with a system’s Certification and Accreditation every three years.  Renewed emphasis on these programs improves the quality of the data collected and stimulates awareness of PII in State Department records and systems.

b. Accuracy - Bureaus that engage in information collection must ensure that protected information meets the standards of accuracy, completeness, and consistency required to further the purpose(s) for which the information is collected and used (see 5 FAM 630 on Data Management).  Quality checks are conducted against the submitted documentation at every stage, and administrative policies must be established to minimize instances of inaccurate data (see generally, 7 FAM 1300, Passport Services, and specifically 7 FAM 1320, Identity of the Passport Applicant (SBU)).

c.  Notice of Errors - If the Department of State engages in the matching or merging of protected information about an individual from two or more sources, the Department must ensure the following actions occur:

(1)  The merged/matched records relate to the same individual;

(2)  Data errors, inconsistencies and deficiencies are investigated in a timely manner and corrected or deleted;

(3)  Data that is outdated or not pertinent to the purpose of the collection is updated or deleted in a timely manner;

(4)  Data that is pending correction, updating, or deletion is marked indicating this status; and

d. In the event the Department determines that protected information originating from another agency may be erroneous, includes incorrectly merged information, or lacks adequate context such that the rights of the individual may be affected, the following actions will occur:

(1)  The potential error or deficiency must be communicated in writing to the Department of State Senior Agency Official for Privacy (SAOP) as well as to the other agency’s POC for that information or its ISE Privacy Official; and

(2)  The communication must include information that clarifies, limits, contradicts, or qualifies the information deemed to be erroneous or deficient.

(3)  The Department must withhold from disclosure or access any potentially erroneous protected information originating from another agency until a review is conducted by the originating agency, and this information can be updated and corrected or deleted entirely.

e. In the event the Department determines that protected information originating within the Department and shared with the ISE community is or may be erroneous and knows or has reason to believe (based on logs or other audit function) that the information was accessed by another agency, the originating Bureau must take the following steps:

(1)  Provide written notice to the Department of State SAOP of the error or suspected error, to include an assessment of the extent to which the protected information has been disseminated; to the extent they can be identified, notify recipients of the information of the errors or possible errors, including information that clarifies, limits, contradicts, or qualifies the information deemed to be erroneous or deficient; and

(2)  Correct or delete the erroneous information or, when appropriate, delete the entire report.  When it is not certain that the protected information is erroneous, delete the report in its entirety or note known limitations on accuracy in the data field containing the protected information.

f.  Any Department of State bureau that shares protected information either erroneously and/or in a manner inconsistent with this instruction must immediately rescind this information by contacting all recipients of the information and request immediate destruction of all copies of the information, whether electronic or physical (5 FAM 430 and 5 FAM 460).

5 FAM 763.5  Data Securities

(CT:IM-290;   09-15-2022)
(Office of Origin:  A/GIS/PRV)

a. It is the policy of the Department of State to establish and maintain an effective automated information system (AIS) security program for the protection of Department information (see 12 FAM 600).  This mission of data security within the Department of State is shared by the Bureau of Diplomatic Security (see 1 FAM 266.2, now the new Cyber and Technology Security Directorate (DS/CTS), 1 FAM 266.1, the Office of Information Security (DS/SI/IS)), and the Bureau of Information Resource Management (see 1 FAM 276.2, Information Technology Infrastructure Office (IRM/FO/ITI) and 5 FAM 1060, Information Assurance (IRM/IA)).  These bureaus are responsible for the administration and management of the information security program for the Department of State, domestically and abroad, and for other Federal agencies under the authority of a chief of mission or principal officer as defined in this section.  The policies and procedures that address breaches involving protected information collected, processed, or maintained by the Department are set forth in 5 FAM 467, Breach Response Policy.  All Department of State employees and contractors are responsible for knowing, understanding, and following these policies and procedures, including the requirement to promptly report any suspected breach of PII.  All employees and contractors with access to PII in the performance of their official duties are also responsible for following the Rules of Behavior for Protecting PII set forth in 5 FAM 469.  The possible penalties for failure to follow these policies and procedures are described in 5 FAM 469.6, Consequences for Failure to Safeguard Personally Identifiable Information (PII).

b. The combined information security policies and procedures of DS and IRM ensure the use of appropriate physical, technical, and administrative measures to safeguard protected information shared through the ISE.  These measures protect against the unauthorized access, disclosure, modification, use, or destruction of information and maintain the overall data security of the Department.

5 FAM 763.6  Accountability, Enforcement, and Audit

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. The ISE Privacy Official is responsible for coordinating ISE-related audits or reviews within the Department and for developing and promoting “best practices” and business process changes that enhance privacy protections of protected information.  The Privacy Division will also incorporate training in the development and use of ISE in its existing and future training programs.

b. The Bureau of Information Resource Management is responsible for incorporating PII protection and privacy-enhancing technologies into the design, development, and acquisition of new information systems and into the operation of existing systems.

c.  All Department of State bureaus, which participate in the sharing of information, are responsible for cooperating with all ISE protected information audits and reviews conducted by officials.

5 FAM 763.7  Redress

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. Any U.S. person who believes that their protected information may have been inappropriately shared or received by the Department of State in violation of applicable law, policy, or Executive Order may file a complaint per guidance described in the Department of State Information Access Guide/Manual.

b. U.S. persons, when applicable, can file for Privacy Act redress through a “Privacy Act Request” submitted to A/GIS/IPS.  They can also request amendment of records about themselves that are not accurate, timely, relevant, or complete through a request for amendment to A/GIS/IPS.  This information and additional guidance are available on the Department’s public and internal websites under “Privacy.”  A/GIS/IPS processes the requests for data changes in coordination with the Bureau of Information Resource Management.

5 FAM 763.8  Execution, Training, and Technology

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

a. Execution - the ISE Privacy Official is responsible for ensuring that privacy protections dictated by this FAM chapter are implemented as appropriate through training, business process changes, and system designs.  The ISE Privacy Official will coordinate with DS and IRM to ensure that these safeguards are maintained and updated.

b. Training - Training is a critical component of the ISE effort. The Foreign Service Institute (FSI/EX/REG) has created an online “core” training program.  “Core” training will provide a common understanding of the ISE and so must be the same for all Federal departments and agencies.  This training will also serve as guidance and a model for State, local, and tribal government and private-sector officials. This Information Sharing Environment course serves as the “core” training course and contains the following objectives:

(1)  Examine the importance of sharing terrorism information;

(2)  Describe how Congress and the President have mandated expanded access to terrorism-related information through the ISE, while maintaining and increasing information security and protecting privacy and civil liberties;

(3)  Recognize that there are key interagency and inter-Governmental efforts underway to promote information sharing across U.S. Government agencies; promote information sharing activities; and

(4)  Serve as core training for all U.S. Department of State direct hire employees who are charged with sharing terrorism-related information or supporting such sharing.

c.  Technology - As privacy-enhancing technologies arise, the Department will consider them in light of their effect on the privacy protections required by the ISE.  When reasonably feasible and appropriate, the Department will implement new privacy-enhancing technologies.

5 FAM 763.9  Awareness

(CT:IM-121;   10-14-2011)
(Office of Origin:  A/GIS/PRV)

The Privacy Division should make publicly available information regarding procedures for complaints implicating protected information shared in the ISE, to include the following:

(1)  An explanation of the nature of the complaints accepted;

(2)  The point of contact/address for filing a complaint; and

(3)  The redress available.

5 FAM 764  THROUGH 769 UNASSIGNED