UNCLASSIFIED (U)

12 FAM 390

SECURITY EQUIPMENT AND MAINTENANCE

(CT:DS-343;   01-06-2021)
(Office of Origin:  DS/C)

12 FAM 391  SCOPE AND AUTHORITY

12 FAM 391.1  Purpose

(CT:DS-343;   01-06-2021)

The Department provides security for U.S. Government diplomatic operations, including the protection of all U.S. Government personnel on official duty abroad under chief of mission (COM) authority.  The Department also develops and implements technical and physical security programs and maintains and repairs security equipment installed at posts abroad.  This policy does not address domestic alarm or access control systems or those related to sensitive compartmented information facilities (SCIFs) at posts abroad.

12 FAM 391.2  Applicability

(CT:DS-343;   01-06-2021)

These regulations apply to all office facilities at U.S. posts abroad that have equipment as described in this subchapter.  All posts must use only Facility Security Engineering Division (DS/ST/FSE)-approved locking devices and Physical Security Division (DS/PSP/PSD)-approved physical security equipment in the physical security systems of these facilities.

12 FAM 391.3  Authorities

(CT:DS-343;   01-06-2021)

a. The Omnibus Diplomatic Security and Antiterrorism Act of 1986 (Public Law 99-399; 22 U.S.C. 4801, et seq. (1986)), as amended.

b. 12 FAH-5 H-020 Concepts and Philosophy.

c.  12 FAH-6 H-632 Intrusion Detection Alarm Standards.

d. Bureau of Diplomatic Security Classification Guide for Design and Construction of Overseas Facilities.

e. 3 FAM 4370 Disciplinary Action.

12 FAM 392  SPECIAL PROTECTIVE EQUIPMENT

(CT:DS-343;   01-06-2021)

Security standards for issuing and controlling Department special protective equipment (SPE) are codified in 12 FAH-6, Overseas Security Policy Board (OSPB) Security Standards and Policy Handbook.  You must address all requests for SPE to the Defensive Equipment and Armored Vehicles Division (DS/PSP/DEAV).

12 FAM 393  PHYSICAL AND TECHNICAL SECURITY EQUIPMENT PROGRAM

(CT:DS-343;   01-06-2021)

The Bureau of Diplomatic Security (DS) and the Bureau of Overseas Buildings Operations (OBO) developed the Security Equipment Responsibilities Matrix, which lists the organizations responsible for physical security equipment installation, maintenance, and repair at U.S. posts abroad.  The matrix is available on the Construction, Facility, and Security Management (OBO/CFSM) and the Office of Security Technology (DS/C/ST) Web sites.

12 FAM 394  PHYSICAL SECURITY INTRUSION DETECTION SYSTEM AND AUTOMATED ACCESS CONTROL SYSTEM INFORMATION AND DATA

12 FAM 394.1  Scope and Applicability

(CT:DS-343;   01-06-2021)

Physical security intrusion detection systems (IDSs) and automated access control systems (AACSs) are elements of the in-depth security infrastructure protecting Department personnel and resources.  The information about those systems, as well as passwords and personal identification numbers (PINs) used to access and manipulate them, requires protection to ensure their operational effectiveness.  This policy describes the controls and levels of protection required for information and data about Department IDS and AACS that are installed at posts abroad.

12 FAM 394.2  AACS and IDS Overview

(CT:DS-201;   01-08-2014)

The 12 FAH-5 describes the philosophy of tiered defense. AACS and IDS are two defensive measures that contribute to the protection of Department personnel and resources.  While the measures may combine to protect the highest level of classified information, the classification of individual protective components varies from Unclassified to Secret.  The Security Classification Guide for Design and Construction of Overseas Facilities describes classification requirements of design and operational aspects of these systems.  This subchapter addresses the protection of IDS and AACS data and information not addressed in the Classification Guide.  Refer questions about perceived conflicts between this subchapter and the Classification Guide to DS/C/ST.

12 FAM 394.3  IDS and AACS Control Equipment

(CT:DS-343;   01-06-2021)

All IDS control equipment and associated sensor cables protecting an area must reside within the protected space or in a space protected at a higher level.  For IDS protecting a controlled access area (CAA), the control panel and associated sensor cables must reside within a space designated for storage at the highest level of classification that the IDS is protecting. Additionally, any data transmitted outside the CAA must be protected with DS-approved encryption or a DS-approved distribution system.

12 FAM 394.4  IDS and AACS PINs Internal Data

(CT:DS-201;   01-08-2014)

a. Installation per 12 FAM 394.3 provides a level of protection for the system data, but the typical IDS or AACS control equipment enclosure does not qualify as a safe file container for storage of classified information.

b. While the PINs, passwords, and programming data are not classified, those managing, handling, and using the data must protect it on a strict need-to-know basis to limit availability and ensure the effectiveness of the systems.  Anyone entrusted with such information must not divulge or expose it to others.  Users should memorize PINs and passwords and take positive measures to protect recorded information.  Carrying PINs and passwords for personal convenience, such as in your wallet or purse, is strictly prohibited.

c. The RSO and Engineering Services Center (ESC)/Engineering Services Office (ESO) personnel must put in place safeguards such as maintaining and reviewing IDS audit logs, removing unused PINs, and securely storing PINs to protect against compromise.  Hard copies of PIN codes and other IDS-specific data must be stored in a General Services Administration (GSA)-approved safe controlled and used only by cleared American personnel with a “need-to-know.”  Alternatively, IDS data may be stored on a stand-alone computer or on a protected network (like the Security Management System Enterprise Network (SMSeNet)), as long as the PC is both physically protected (in either a limited access area (LAA) or a CAA) and logically secured through user authentication.  Do not store IDS or AACS data on an OpenNet or ClassNet workstation.

d. Those security personnel responsible for assigning IDS and AACS PINs and passwords to users must document PIN and password distribution.  The receiving individuals must acknowledge receipt of the information and their responsibility to protect it by not divulging it to anyone.  The 12 FAM Exhibit 394 provides a suggested format to document the process. 

12 FAM 394.5  Authority to Secure and Penalty for Misuse

(CT:DS-343;   01-06-2021)

Failure to provide the prescribed protection for PINs, passwords, and other sensitive IDS or AACS information may result in disciplinary action (see 3 FAM 4370).  The penalties for criminal misuse or subversion of this information for personal gain will be dealt with in accordance with 18 U.S.C. 641.

12 FAM 395  THROUGH 399 UNASSIGNED


 

12 FAM EXHIBIT 394  
SAMPLE FORMAT FOR RECEIPT/SECURITY ACKNOWLEDGEMENT OF IDS AND AACS PINS AND PASSWORDS

(CT:DS-201;   01-08-2014)

(Prepare on Department or Post Letterhead Stationery)

I hereby acknowledge receipt of all personal identification numbers (PINs) and passwords listed below and understand that:

(1)   I am responsible for the protection of my PINs and passwords;

(2)   I will comply with all applicable security standards; and

(3)   I will not divulge my PINs or my passwords.

(4)  Failure to provide the prescribed protection for PINs, passwords, and other sensitive IDS or AACS information may result in disciplinary action (see 3 FAM 4370).  Penalties for criminal misuse or subversion of this information for personal gain will be handled in accordance with 18 U.S.C. § 641.

I further understand that I must immediately report to the Regional Security Office (RSO) if I have reason to suspect that one or more of my PINs or passwords have been compromised.

 

SYSTEM                                    PIN/Password

______________________________            ______________________________

______________________________            ______________________________

______________________________            ______________________________

Signature ___________________________________ Date ___________

Printed Name ________________________________________________

Office/Post ____________________________ Work Phone ___________

 

Security Manager’s Signature _____________________ Date _________
