12 FAM 440
POST SECURITY FUNCTIONS
(Office of Origin: DS/MGT/PPD)
12 FAM 441 ACCESS CONTROL
Posts must have an access control policy requiring implementation of appropriate access control procedures at all post facilities. At a minimum, the policy must address personnel identification media and procedures for visitor, vehicle, and after-hours access. This information should be distributed to all post personnel. See the Regional Security Officer (RSO) Security Management Console for examples.
12 FAM 441.1 Identification Cards
a. Personnel assigned to or serving at a post for more than 30 days must be assigned a post identification (ID) card and attend the RSO security briefing prior to issuance. The RSO may approve the issuance of an approved Department ID card to other personnel, as appropriate.
NOTE: Post guards operating under a contract or personal services agreement (PSA) must be issued an approved post ID card. The ID card must be returned immediately to the RSO when employment ends or expiration date is reached. For contract guards it is the responsibility of the contracting officer’s representative (COR) to ensure that the contractor collects the post ID cards and returns them to the COR or RSO. For PSA guards the surrender of ID cards should be part of standard post out-processing.
b. All personnel at Foreign Service missions, annexes, and facilities that have public access control points staffed by Marine security guards (MSGs) or other security personnel must present ID cards to gain access to the facility. All individuals must wear ID cards in plain view at all times while inside a facility.
c. Posts with automated access control systems (AACSs) must comply with AACS standards found in 12 FAH-6 H-621.
d. Temporary identification, such as visitor stickers, ID cards, or badges will be issued to all visitors before they enter the general work area (GWA) or controlled access area (CAA) of any Foreign Service mission, annex, or facility. Visitors must wear this temporary identification in plain view at all times while in the facility. Admitting offices must escort visitors who do not have appropriate security clearances (See 12 FAM 445.1 for handling exceptions.)
f. Department personal identity verification (PIV) cards must comply with Federal Information Processing Standards (FIPS) and associated Special Publications. All PIV, FLAC, and FAC ID media must be procured through appropriate Department Homeland Security Presidential Directive 12 (HSPD-12) procurement channels and managed and controlled by U.S. citizens.
12 FAM 441.2 After-Hours Access to Chancery and Consulate Buildings
a. In addition to showing proper identification, all employees must sign a register when entering or leaving a chancery or consulate building outside of regular working hours.
b. Uncleared personnel, including Foreign Service Nationals (FSNs), third-country nationals (TCNs), U.S. citizens, contractors, and interns, may work after hours in chancery or consulate (GWAs) and public access areas (PAAs) when the cleared U.S. supervisor authorizes the work and obtains written approval from the RSO or post security officer (PSO).
c. Uncleared authorized personnel entering and/or remaining in the chancery or consulate must be escorted in accordance with 12 FAH-6 H-311.8, 12 FAH-6 H-312.8, 12 FAH-6 H-313.8, and 12 FAH-6 H-314.8.
12 FAM 442 Members of Household
(Applies to Foreign Service Employees)
a. 3 FAM 4181 paragraph a defines the term “member of household” (MOH) as an individual who accompanies or joins a sponsoring employee, i.e., a direct hire employee under Chief of Mission (COM) authority, either Foreign Service, Civil Service or uniformed service member, who is permanently assigned to or stationed abroad at a U.S. mission, or at an office of the American Institute in Taiwan. A MOH is an individual who meets the following criteria:
(1) Not an eligible family member (EFM) and therefore not on the travel orders or approved through Form OF-126 Foreign Service Residence and Dependency Report of the sponsoring employee;
(2) Officially declared by the sponsoring U.S. Government employee to the COM as part of his or her household and approved by the COM; and
(3) Is a parent, grandparent, grandchild, unmarried partner, adult child, or foreign-born child in the process of being adopted, father, mother, brother, sister, father-in-law, mother-in-law, son-in-law, daughter-in-law, brother-in-law, sister-in-law, stepfather, stepmother, stepson, stepdaughter, stepbrother, stepsister, half-brother or half-sister; who falls outside the Department’s current definition of EFM (see 14 FAM 511.3). A MOH may or may not be a U.S. citizen. MOHs are by definition cohabitants. Therefore, if the MOH is not a U.S. citizen, employees who declare MOHs to the COM must ensure compliance with the provisions of 12 FAM 275 Reporting Cohabitation with and/or Intent to Marry a Foreign National.
b. When an employee declares a person as an MOH to the COM, the employee must provide such biographic data to the RSO on the MOH as may be necessary to conduct appropriate investigative activities. In the case of U.S. citizens, this will be data sufficient for conducting a national agency check, and if the MOH is an expatriate, appropriate records must be checked with the host government. If the MOH is a non-U.S. citizen, a background investigation equal to that given to Foreign Service national (FSN) staff will be conducted. Should unfavorable information be developed as a result of investigative activities, the RSO must inform the COM immediately and recommend further steps based on these findings. MOHs are not exempt from employee and visitor access restrictions found in 12 FAH-6 H-300. If results of records checked or other investigative actions are favorable, the post may issue photo identification that permits access to post facilities for MOHs to attend activities, events, and programs open to EFMs as described in 3 FAM 4180. Unescorted access to residential compounds is also permissible.
c. Employees must encourage their MOHs to attend unclassified security briefings at post.
d. RSOs should inform employees that security criteria outlined in 3 FAM 4180 and personnel considerations that may be pertinent under 3 FAM 2440, Curtailment, may also have applicability regarding an employee’s relationship with an MOH.
12 FAM 443 SECURITY CLEARANCES
12 FAM 443.1 Personnel Assigned on Permanent Change of Station (PCS) Orders or Locally Hired
a. Except as provided in paragraph f, all U.S. citizen-U.S. Government employees either assigned through PCS or locally hired must hold a Top Secret (TS) clearance issued by their parent agency if they:
(1) Work within a CAA core area;
(2) Require unescorted access to a CAA core area; or
(3) Are appointed as career or career conditional Foreign Service employees.
NOTE: The TS clearance must be based upon a single-scope background investigation that meets the requirements of Standard B of the Investigative Standards for Background Investigations for Access to Classified Information, as promulgated by the assistant to the President for National Security Affairs, or in the case of temporary access at the TS level, the Investigative Standards for Temporary Eligibility for Access.
b. Except as provided in paragraph f, all U.S. citizen-U.S. Government employees either assigned through PCS or locally hired must hold a Secret clearance issued by their parent agency if they:
(1) Work within a CAA restricted area; or
(2) Require unescorted access to a CAA restricted area.
c. All U.S. citizen-U.S. Government employees not working within a CAA and not requiring unescorted access to a CAA must possess a security clearance and/or public trust certification appropriate for the sensitivity of the position they are occupying per 5 CFR 1400. They must also have been the subject of an investigation appropriate for the sensitivity of the position they are occupying and the area to which they are assigned.
d. The RSO or PSO serves as the central repository at post for collateral-level (i.e., non-SCI) security clearance data.
e. It is the responsibility of the individual agencies represented at post to provide clearance data on their PCS personnel to the RSO or PSO. The options for providing this data are:
(1) The agency representative provides the data to the RSO or PSO;
(2) The agency headquarters provides the data to the RSO or PSO by official communiqué; or
(3) The agency headquarters provides the data to the Office of Personnel Security and Suitability (DS/SI/PSS) Certification Unit at DSPSSCertTeam@state.gov, for transmission to post.
f. For all new construction or major renovations involving CAAs, security clearance requirements are specified in 12 FAH-6 sections H-311.14; H-312.14; H-313.14; and H-314.14.
12 FAM 443.2 Temporary Duty Personnel
a. All agencies that initiate travel messages and travel authorizations for the temporary duty (TDY) assignment of their personnel (employees and contractors) to a mission abroad must include in the travel message and in the travel authorization the necessary level of security clearance. In cases of TDY travel from one mission to another mission abroad, the sending post is responsible for providing verification of the security clearance level. The RSO at the receiving post must perform due diligence to verify the security clearance level.
b. Temporary duty personnel for whom clearance has not been provided to the post will not be given unescorted access to U.S. Government facilities or access to classified or controlled information. Address requests for security clearance verification to DS/SI/PSS with an information copy to the regional bureau and, in the case of other agency personnel, to the appropriate agency.
c. The RSO serves as the control officer for the visits of short-term TDY personnel on various security-related matters, such as emergency security support teams (see 12 FAM 444). Except in countries that are clearly on record as rejecting the accreditation of personnel assigned TDY for short periods or where attempted notification could cause other complications, the RSO will request that the COM or principal officer (PO) notify the host country’s foreign ministry of the impending visit of all security-related TDY visitors and request temporary accreditation for the duration of the visit.
12 FAM 444 EMERGENCY SECURITY SUPPORT
12 FAM 444.1 Policy
DS provides rapid operational response in emergency situations where specially trained teams of DS officers are required to supplement available overseas post or domestic office resources. Most often, the team deployment will be in response to a terrorist incident or an immediate threat of terrorist or criminal activity. The team may also be activated for natural disasters and other unusual events.
12 FAM 444.2 Implementation
a. Regional Directors of International Programs (DS/IP) and High Threat Programs (DS/HTP) directorates determine the scope and work priorities of all emergency support missions. The Office of Mobile Security Deployments (DS/T/MSD) provides support to posts for emergency situations and training to U.S. Government personnel and dependents at posts abroad.
b. DS/T/MSD dispatches personnel and equipment quickly. To minimize the drain on post resources, the team will be as self-sufficient as possible. Posts are to arrange, to the extent possible, airport visas for team members and unimpeded entry and transportation of equipment to the mission. The team and equipment should be enroute to a post within 24 hours of a decision to deploy.
12 FAM 445 IDENTIFICATION MEDIA EXCEPTIONS AND SAFEGUARDS
12 FAM 445.1 Exception to Required Identification
a. In certain areas of Department missions, annexes and facilities, implementing this mandatory policy would inhibit operational effectiveness. Information resource centers (IRCs), publicly accessible libraries maintained by public affairs offices and portions of the Consular sections are examples of these areas. In these specific instances, the RSO or PSO, in coordination with the COM, decides which areas are exempt from this policy. This policy is meant to enhance the post’s security posture and posts should carefully weigh their security needs when determining whether to make an exception for a specific area or section.
b. If a post determines that an exception to this policy is required for a specific area or section, the RSO or PSO must provide a detailed explanation to DS/IP or DS/HTP. The RSO or PSO report must indicate the specific exception and the reason for the exception.
12 FAM 445.2 Safeguards
a. Use a security container with a DS-approved security padlock to secure blank identification media. Only personnel responsible for managing the program are allowed access to this container.
b. The RSO or PSO must account for all cards, badges and passes by serial number.
c. A card, badge or pass log must reflect the name, office, level of clearance (status) and expiration date for each card, badge or pass issued. The log is a permanent part of the regional or post security office files.
d. The issuing officer must issue written instructions with each card, badge or pass issued. The instruction must address the proper use and safeguarding of the ID media, specifically stressing the security precautions concerning the wearing of the ID media outside the facility.
e. If ID cards, badges or passes are lost or stolen, the employee must report the circumstances to the RSO or PSO, who will record the circumstances.
12 FAM 446 UNCLASSIFIED OFFICE FACILITY LOCK AND LEAVE (L&L) POLICY
12 FAM 446.1 Policy
a. This L&L policy supplements 12 FAH-5, Physical Security Handbook, and 12 FAH-6, Overseas Security Policy Board (OSPB) Security Standards and Policy Handbook, and addresses the minimum requirements and procedures for securing U.S. diplomatic facilities (including commercial office space) against the crime threat where no classified material is stored, discussed or processed and without 24-hour presence inside the building. Risk management may dictate technical and physical security enhancements beyond the minimum requirements.
b. The L&L policy provides protection to unclassified office facilities on the basis of high-value assets and risk management as determined by the parent agency and agreed to by the RSO. High-value assets are defined as items of which the compromise or loss will severely affect post operations (personnel or payroll data, safes containing funds, etc.).
c. At posts where U.S. Marines or other cleared U.S. presence are able to respond on a 24-hour basis to any alarmed condition or incident outside the main chancery, but on the post compound, buildings on the post compound with high-value assets are not considered L&L facilities within the context of this policy.
d. Classified facility L&L standards are addressed in 12 FAH-6 H-910.
e. The DS Lock and Leave Application Guidelines for L&L Facilities, which are available separately from the Office of Security Technology (DS/C/ST), will prescribe the methodologies and equipment used to implement this policy.
12 FAM 446.2 Designation of Unclassified Lock and Leave (L&L) Office Facilities
a. Upon completion of new construction or major renovation, the accreditation and commissioning process of unclassified new office buildings (NOBs) and newly acquired buildings (NABs) designated by the parent agency to possess high-value assets, DS and the Bureau of Overseas Buildings Operations (OBO) will issue a notice of substantial compliance and certification of occupancy to officially designate the new facility as an unclassified L&L office facility.
b. Existing unclassified L&L office facilities with high-value assets, as determined by the parent agency and agreed to by the RSO, will require an initial inspection by the servicing Engineering Services Center or Engineering Services Office (ESC/ESO). A report of the inspection will be provided to the Physical Security Division (DS/PSP/PSD) and the Overseas Support Branch (DS/STO/OSB) for approval. Existing unclassified L&L office facilities with major security issues will require a team survey to identify security deficiencies and solutions in accordance with paragraphs d, e, and f in this section.
c. Before a new unclassified office facility can achieve L&L status, a team survey of the site must be performed in accordance with paragraphs d, e, and f in this section and survey recommendations implemented.
d. The survey team will be composed of at least one member each from DS/PSP/PSD, the Facility Security Engineering Division (DS/ST/FSE), the servicing ESC/ESO, OBO, and tenant agencies, as applicable. The team will work in close cooperation with post management and the RSO/PSO.
e. The survey report represents the risk-managed security solutions required to provide an acceptable level of protection for the high-value assets. It should detail the underlying basis for recommended security improvements, and to retain value over time, document any assumptions made by the authors regarding risk-managed decisions. Therefore, the survey report will include, at a minimum, the following information:
(1) A compilation of general post information and specifications;
(2) Site information pertinent to the decision process (e.g., location of local police stations; list of neighboring structures; history of security incidents; political significance of site; building setback from surrounding roads; perimeter structures; and existing security measures);
NOTE: Risk decision factors (e.g., historical security incidents that may be representative of the future or of likely change; a list of security incident scenarios considered during the survey; team judgments on the relative likelihood of those scenarios occurring; assumptions made; and recommendations, if any, on which assumptions may change and warrant future monitoring);
(3) A detailed description of the building’s structural limitations and composition, with emphasis on exterior walls, doors and windows;
(4) Floor layout drawings, including areas of special interest (e.g., proposed L&L and bypass door locations; public access control location; security interface cabinet (SIC) room; proposed technical equipment layout; description of typical personnel traffic flow; description of probable paths, routes, and entry locations of intruders; and applicable high-value item locations);
(5) A list of technical and physical security hardware required to bring the building into compliance with the L&L policy;
(6) A full description of the proposed L&L door and bypass door (e.g., type, existing hardware, swing) as defined in 12 FAH-5, Appendix G;
(7) If the survey team determines that digital video recorder (DVR) and closed-circuit television (CCTV) coverage is required, then CCTV coverage and DVR recording will include all normal points of entry or exit to the area protecting the high-value items, the L&L perimeter door, the exterior of the bypass door, and any other points of entry or exit likely (realistically) to be used by an intruder to gain access to the high-value items. Additionally, DVR equipment will be installed in the SIC room and powered by an uninterruptible power supply (UPS). The required duration of backup supplied by the UPS should consider factors relevant to the likely security incidents and the availability/reliability of local power, whether or not a backup generator is in use at the facility. Any additional CCTV coverage recommended by the team should be supported by narration explaining the purpose of the camera view and the necessity, if any, of recording the view;
(8) Post-specific alarm response procedures (e.g., post personnel, guards, local police, or 24-hour remote monitoring);
(9) Post L&L operation management plan for a particular building; and
(10) Proposed action offices/agencies to implement the recommendations.
f. A copy of the L&L survey report will be retained by the servicing ESC/ESO and RSO/PSO, and a copy will be forwarded to DS/PSP/PSD and DS/ST/OSB via electronic or other means. DS/PSP/PSD will provide copies to OBO and tenant organizations, as appropriate, and confirm that responsible parties have implemented changes prior to designation as an L&L facility.
12 FAM 446.3 Physical Security Requirements
a. Each L&L office facility will have only one door, designated as the L&L door, for use after normal business hours. This door will be the last point of exit/initial point of entry of an L&L building. As an alternative, to facilitate the use of the public access area by local guards after normal business hours, the interior hard-line door between the public access area and the general work area may be designated and equipped as the L&L door. Restroom facilities should be available to local guards or procedures implemented to relieve guards for appropriate breaks. Locking hardware for this door is identified in 12 FAH-5, Physical Security Handbook, as security hardware 18 (SHW-18) (opaque door) or SHW-18A (transparent door).
b. All exterior forced-entry (FE) doors must have the door manufacturer’s threshold plate installed and be in accordance with the manufacturer’s specifications.
c. Facilities with non-FE exterior doors will be secured with a DS-approved 1-inch throw deadbolt or equivalent locking device.
d. If the L&L door has an electrical or mechanical lockout, a separate door equipped with bypass hardware will be provided. The L&L bypass door hardware requirements consist of FE locks with external keyways and a locked and alarmed DS-approved key container located adjacent to the bypass door that contains, in addition to keys, a switch to temporarily disable electrical or electro-mechanical locks on the bypass door.
12 FAM 446.4 Technical Security Requirements
a. All unclassified office facilities with high-value assets will require the installation of a separate DS-approved intrusion detection alarm system (IDS) dedicated to L&L for the purpose of monitoring designated alarm points. The system must adhere to the following requirements:
(1) The IDS control panels, L&L access control system panels, keypads used for programming either system, and any associated power supplies must be located in the SIC room. Additionally, all IDS control panels must be protected by a volumetric sensor and configured so that the IDS panel protects itself. If a SIC room does not exist, one of appropriate size must be constructed to house the equipment. The room must provide the necessary electrical service, cooling and ventilation. Walls must be constructed floor to ceiling using 3/4 inch plywood plus sheetrock. The SIC room door will be solid core wood or hollow metal and be equipped with the SHW-17 hardware in accordance with 12 FAH-5, Appendix G;
(2) The SIC room door must be monitored by the IDS;
(3) Power for the technical security systems must be regulated and supported by battery backup or uninterruptible power supply (UPS) system. The required duration of backup supplied by the UPS should consider factors relevant to the likely security incidents and the availability/reliability of local power whether or not a backup generator is in use at the facility;
(4) The IDS will be deployed as the dedicated alarm system for building or facility alarms, SIC rooms and other areas as required;
(5) A dedicated power supply with a backup battery of at least 6.5 ampere hour (AH) must be provided for the L&L door when using SHW-18 or SHW-18A hardware. The required duration of backup supplied by the UPS should consider factors relevant to the likely security incidents and the availability/reliability of local power;
(6) At minimum, a door contact and one DS-approved detection technology will be used to protect all ingress and egress points of the area to be protected (generally the suites within the building);
(7) All building exterior doors and interior office doors under control of the U.S. Government and containing high-value items must be monitored by the IDS;
(8) All alarm devices will be configured as separately identifiable alarm points;
(9) At posts with critical and high-crime threats, volumetric protection will be provided for office areas containing high-value assets. At posts with low- and medium-crime threats, office facilities that do not meet exterior FE protection for walls, doors and windows that are accessible (i.e., without climbing tools or within 16 feet above a publicly and easily accessible surface) also require volumetric protection for office areas containing high-value assets;
(10) All volumetric detectors must be tamper alarmed. Tampers report as separate alarm points;
(11) IDS will have two methods of reporting all system events, such as real-time printer, alarm-panel down-loadable event memory or other DS-approved methods;
(12) The L&L alarm system must be armed and disarmed using personal identification numbers (PINs) that are unique to each individual user. The alarm system keypad must be located on the interior wall adjacent to the L&L door, positioned to preclude visual compromise from the building exterior and protected by a volumetric detection device;
(13) The assigned PIN pad numbers must consist of five or more random digits/characters;
(14) The L&L alarm system keypad status indicator must display system activity and/or errors. All such activity must be acknowledged and/or cleared by a user with the appropriate permission level;
(15) The alarm system must have date and time stamping that can be used to determine when an intrusion occurred; and
(16) A keypad must be installed within the SIC room (one for each IDS control panel) for system programming. Alarm system keypads not located within the SIC room must be configured so that they cannot be used to program or reprogram the system.
b. Wiring for all technical security systems must be fully contained within ferrous metal electrical conduit installed in accordance with the National Electrical Code or local electrical code, whichever is more stringent.
c. A test of the L&L technical security system must be performed at least twice per calendar year and after the occurrence of any suspected unauthorized intrusion. Inspection should include all exterior door-locking systems and all security alarm systems, including checks of applicable doors/window sensors and walk tests of volumetric detection devices. The test must be performed by technically competent DS-authorized personnel.
12 FAM 446.5 Operational Security Requirements
a. Post management and the RSO/PSO will develop a standard operating procedure for securing the building in accordance with the L&L policy. (See 12 FAM 446 for recommended procedures for securing lock and leave facilities.)
b. The RSO/PSO will establish appropriate post-specific methods and procedures for notification and/or response to any L&L alarm events or anomalies with technical security systems.
c. After each L&L alarm activation, the RSO/PSO, or a designated trained cleared U.S. citizen, will log the time and date of the discovery and retain applicable event records. Unexplained findings will be reported immediately to the RSO for appropriate action and the servicing ESC/ESO.
d. All malfunctions and anomalies of the L&L systems will be reported immediately to the RSO for analysis and resolution.
e. When exiting the L&L office facility:
(1) The designee responsible for lockdown (a cleared U.S. citizen as determined by the RSO or the PSO) must ensure that the building is void of all personnel;
(2) All exterior FE doors (with the exception of the L&L doors) will be internally secured by engaging the FE locks;
(3) Entries into a L&L log book (or equivalent DS-approved logging and/or access control methodology) must be made upon initial lockup or opening for all entries or departures after business hours; and
(4) The L&L alarm system must be activated via a PIN pad or other DS-approved device prior to exiting the building.
f. The RSO/PSO must control and maintain the L&L door combination, exterior key container combination, and all access control and IDS system access codes in DS-approved secure containers.
g. The non-FE L&L bypass doors must have a DS-approved 1-inch deadbolt lock with external keyway.
h. Emergency exit doors that are also used as bypass doors must be fitted with DS-approved hardware as instructed in the DS Lock and Leave Applications Guide for unclassified posts.
i. Removable lock cores of all exterior doors must be inspected periodically and replaced if there is any evidence of tampering.
j. The following key controls apply:
(1) The external removable cores of the FE locks on the L&L bypass door and SIC room must be keyed differently with no master or grandmaster key;
(2) The facility bypass door keys must reside in a locked and tamper-alarmed DS-approved depository container located adjacent to the bypass door. It will be anchored or imbedded securely to the hardline wall; and
(3) Keys to the SIC room will be tracked during business hours and secured at the end of each workday by the RSO/PSO. Only cleared U.S. citizens are allowed unescorted access to the SIC room and possession of its keys.
12 FAM 447 THROUGH 449 UNASSIGNED