UNCLASSIFIED (U)

12 FAM 500 
INFORMATION SECURITY

12 FAM 510 

Safeguarding National Security and Other Sensitive Information

(CT:DS-333;   06-24-2020)
(Office of Origin:  DS/SI)

12 FAM 511  POLICY AND PURPOSE

12 FAM 511.1  Applicability

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

a. Unless otherwise noted, 12 FAM 500 applies to all national security and sensitive information that is owned by, originated by, produced by or for, or under the control of Foreign Affairs Agencies, at any and all Department-controlled locations regardless of physical form. For purposes of this FAM chapter, Foreign Affairs Agencies include:

(1)  The Department of State;

(2)  The United States Agency for International Development (USAID);

(3)  The Overseas Private Investment Corporation (OPIC);

(4)  The Trade and Development Program (USTDA); and

(5)  All other executive branch agency personnel located under the jurisdiction of a chief of mission.

b. Nothing in these regulations supersedes any requirement related to “Restricted Data” in the Atomic Energy Act of August 30, 1954, as amended, or Department of Energy regulations.

c.  Sensitive compartmented information (SCI), special access programs (SAPs), and communications security (COMSEC) information must be processed and controlled in accordance with applicable national authorities, directives, and policies. (See 12 FAM 530.)

12 FAM 511.2  Authorities

(CT:DS-163;   06-16-2011)
(Uniform State, AID, OPIC, USTDA)

a. Atomic Energy Act of 1954, as amended.

b. Executive Order 13526, Classified National Security Information.

c.  Information Security Oversight Office (ISOO)—32 CFR Parts 2001 and 2003, Directive No. 1.

d. The Omnibus Diplomatic Security and Antiterrorism Act of 1986, Public Law No. 99-399, codified at 22 U.S.C. 4802 et seq.

12 FAM 512  IMPLEMENTATION AND OVERSIGHT RESPONSIBILITIES

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

a. E.O. 13526 provides that the Director of the Information Security Oversight Office (ISOO) must issue directives necessary to implement the Order, under the direction of the Archivist of the United States and in consultation with the Assistant to the President for National Security Affairs.

b. The ISOO Director has issued a directive (32 CFR Part 2001) that sets forth, in detail, procedures for implementing various provisions of the Order.  This subchapter reflects many of the requirements of the ISOO directive.

c.  The Code of Federal Regulations may be found at the National Archives Web site.

12 FAM 512.1  Responsibilities

12 FAM 512.1-1  Senior Agency Officials

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

a. Individuals occupying the following positions are designated as senior agency officials for purposes of this chapter:

(1)  Department of State:

(a)  The Secretary has designated the Under Secretary for Management to be the Senior Agency Official. The Under Secretary for Management further designated that the Bureau of Administration and the Bureau of Diplomatic Security (DS) share the responsibility for implementation of E.O. 13526.

(b)  DS is responsible for all aspects of protecting and safeguarding classified information and special access programs, to include SCI.

(c)  The Bureau of Administration is responsible for other aspects of implementing E.O. 13526, including the classification, declassification, and marking of information classified under the Order as well as training and guidance in classification and declassification. (See 5 FAM 480.)

(2)  USAID:  USAID Office of Security;

(3)  OPIC:  Vice President, Office of Administrative Services; and

(4)  USTDA:  Assistant Director for Management.

b. Senior agency officials have the primary responsibility of overseeing their respective agency’s information security program. This includes the requirement to:

(1)  Ensure the protection from unauthorized disclosure of classified information, including intelligence information;

(2)  Review proposed classified disclosures of an exceptional nature bearing upon issues of concern to the Congress and the public;

(3)  Establish a security awareness program to educate employees concerning their duties and responsibilities with regard to the requirements of E.O. 13526;

(4)  Receive and take appropriate action on suggestions and complaints with respect to the agency’s administration of the Program;

(5)  Provide guidance concerning corrective or disciplinary action in unusually important cases involving unauthorized disclosure; and

(6)  Maintain liaison with the Director, ISOO, and report as required by E.O. 13526.

12 FAM 512.1-2  Supervisors

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

The responsibility for safeguarding classified information rests with each supervisor to the same degree that the supervisor is charged with functional responsibility for the organizational unit. While certain employees may be assigned specific security responsibilities, such as Top Secret control officer or unit security officer, it is nevertheless the basic responsibility of supervisors to ensure that classified material entrusted to their organizational unit is handled in accordance with the procedures required by these regulations. Each supervisor should ensure that no single employee is assigned an unreasonable amount of security responsibilities in addition to his or her usual administrative or functional duties.

12 FAM 512.1-3  Employees

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

Each employee having access to and/or possession of classified material is responsible for maintaining the security of such material. For the purposes of these regulations, the term “employee” includes anyone who is certified and/or authorized access to classified information by virtue of a contract, consulting agreement, detail, grant, appointment to an advisory panel, or otherwise. Each employee must meet the requirements of a “cleared U.S. citizen” (see 12 FAM 091) for access to classified information.

12 FAM 512.1-4  Top Secret Control Officers

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

Employees appointed as Top Secret control officers (TSCOs) have the responsibility to ensure that Top Secret material is properly safeguarded, to include origination, marking, accountability, storage, duplication, transmission, and destruction. (See 12 FAM 535.)

12 FAM 512.1-5  Regional, Post, Bureau, or Unit Security Officers

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

Employees assigned as regional, post, bureau or unit security officers have the supervisory and/or the oversight responsibility to ensure that classified material entrusted to their organizational unit is handled in accordance with the procedures prescribed in this volume. (See 12 FAM 423.)

12 FAM 512.2  Evaluations, Surveys, and Inspections

(CT:DS-163;   06-16-2011)
(Uniform State, USAID, OPIC, USTDA)

The executive director of each bureau, and each regional security officer (RSO), must maintain the program designed to ensure compliance with the provisions of these regulations. The executive director is responsible for ensuring that the bureau has a designated security officer and must work with that officer to ensure all employees are aware of the security requirements. Within USAID, the Office of Security is responsible for evaluating the effectiveness of the USAID Information Security Program and ensuring that all regulatory requirements are met.

12 FAM 513  INSIDER THREAT PROGRAM

12 FAM 513.1  Policy and Purpose

(CT:DS-245;   12-21-2015)

a. Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, dated October 7, 2011, directs U.S. government executive branch departments and agencies to establish an Insider Threat Program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure.  The program is to include policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities and practices within agencies.

b. An insider is defined by the National Policy on insider threat as, “Any person with authorized access to any United States government resource to include personnel, information, networks, facilities, equipment or systems.”  This includes employees, defined as, “a person, other than the president and vice president, employed by, detailed or assigned to, a department or agency, including members of the Armed Forces; an expert or consultant to a department or agency; an industrial or commercial contractor, licensee, certificate holder, or grantee of a department or agency, including all subcontractors; a personal services contractor; or any other category of person who acts for or on behalf of a department or agency as determined by the appropriate department or agency head.”  The terms “insider” and “employee” are interchangeable in the context of the Department Insider Threat Program (ITP).

c.  Insider threat is the threat that an insider will use his/her authorized access, wittingly or unwittingly, to do harm to the security of the United States.  This threat can include damage through espionage, terrorism, sabotage, violence, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.  Insider threat prevention and detection therefore focuses on the trusted insider who misuses his or her access to do damage to the Department.

d. The ITP is applicable to all Department insiders.  The goal of the ITP is to manage the risk associated with insider threat behavior and/or activity in a holistic fashion.

e. The purpose of the ITP is to effectively and efficiently:

(1)  Increase the awareness of employees to the vulnerabilities associated with the insider threat;

(2)  Deter employees from becoming insider threats;

(3)  Detect employees who pose an insider threat risk;

(4)  Prevent unauthorized disclosure of classified and sensitive but unclassified information; and

(5)  Mitigate the risks to the Department and its personnel using training; administrative and investigative measures; or other responses.

f.  The ITP is based on the key pillars of: user activity monitoring (UAM), personnel security, foreign travel and contact reporting and analysis, reporting and response.

g. To ensure that ITP activities are conducted in accordance with legal authorities, there is close collaboration with Department legal counsel and privacy and civil liberties officials.  The acquisition and use of personal information to detect and prevent insider threats is authorized under E.O. 13587 and other national policies.  Collected information is subject to oversight by civil liberties and privacy authorities to ensure that personally identifiable information is only gathered and used for legitimate and authorized purposes; such information must be strictly controlled within the ITP.

12 FAM 513.2  Authorities

(CT:DS-245;   12-21-2015)

a. The ITP implements the following national policies, orders, directives and memoranda:

(1)  Section 811 of the Intelligence Authorization Act for FY 1995, Public Law Number 103-359, 50 U.S.C. 402a;

(2)  Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, dated October 7, 2011;

(3)  Executive Order 13526, Classified National Security Information, dated December 29, 2009;

(4)  Executive Order 13467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contract Employees, and Eligibility for Access to Classified National Security Information, dated June 30, 2008;

(5)  Executive Order 12333, United States Intelligence Activities as amended by Executive Orders 13284 (2003), 13355 (2004), and 13470 (2008);

(6)  Executive Order 12968, Access to Classified Information, dated August 2, 1995;

(7)  Executive Order 12829, National Industrial Security Program, dated January 6, 1993;

(8)  Executive Order 10450, Security Requirements for Government Employment, dated April 27, 1953;

(9)  Presidential Decision Directive/NSC-12 Security Awareness and Reporting Foreign Contacts, August 5, 1993;

(10) White House Memorandum, Compliance with President’s Insider Threat Policy, July 19, 2013;

(11) White House Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, dated November 21, 2012;

(12) White House Memorandum, Early Detection of Espionage and Other Intelligence Activities Through Identification and Referral of Anomalies, August 23, 1996;

(13) Committee on National Security Systems Directive (CNSSD) No. 504, Directive on Protecting National Security Systems from Insider Threat, dated February 4, 2014; and

(14) National Insider Threat Task Force (NITTF), 2014 Guide to Accompany the National Insider Threat Policy and Minimum Standards, dated September 2014.

12 FAM 513.3  Program Management

(CT:DS-245;   12-21-2015)

The Office of the Under Secretary for Management (M) has designated the Bureau of Diplomatic Security (DS) as the primary Department entity for preventing, detecting, and deterring insider threats.  The Assistant Secretary for Diplomatic Security has designated the Deputy Assistant Director for Domestic Operations (DS/DO) and the Senior Coordinator for Security Infrastructure (DS/SI) as the Senior Officials with the principal responsibility for establishing an ITP to address Prevention, Detection, Analysis and Mitigation.  The designated Senior Officials will be granted the authority to provide management, accountability, resources, and oversight of the Insider Threat Detection and Prevention Program in accordance with E.O. 13587.

12 FAM 513.3-1  Senior Officials’ Responsibilities

(CT:DS-320;   05-17-2019)

The Senior Officials will:

(1)  Establish a comprehensive ITP and implementation plan for the Department, and ensure that such policies and procedures are in accordance with national policy and interagency guidance;

(2)  Annually report to M on the progress and status of the ITP.  The reports will document annual accomplishments, resources allocated, insider threats identified, program goals, impediments, and/or challenges;

(3)  Collaborate with the Office of Legal Affairs (L), the Privacy Office (A/GIS/PRV) and the Office of Civil Rights (S/OCR) to ensure that all ITP activities are conducted in accordance with applicable laws and policies;

(4)  Establish oversight mechanisms or procedures to ensure proper handling and use of records and data described below; and ensure access to such records and data is restricted to personnel who require the information to perform their authorized functions;

(5)  Ensure the establishment of guidelines and procedures for the retention of records and document the Department’s insider threat policies and standards; and

(6)  Facilitate oversight reviews by cleared officials designated by M to ensure compliance with insider threat policy guidelines, as well as applicable legal, privacy and civil liberty protections.

12 FAM 513.3-2  Insider Threat Program Office

(CT:DS-333;   06-24-2020)

Senior Officials will establish and oversee an ITP office to execute the mandates of E.O. 13587 and the National Insider Threat Policy and minimum standards for Executive Insider Threat Programs to include:

(1)  Build and maintain an insider threat analytic capability to manually and/or electronically gather, integrate, centrally analyze, and respond to all relevant information indicative of a potential insider threat, to include information derived from:

·         Counterintelligence (CI);

·         Security;

·         Information Assurance (IA);

·         Global Talent Management (GTM);

·         Law Enforcement (LE) and Protective Intelligence;

·         User Activity Monitoring (UAM); and

·         Other sources as necessary and appropriate.

(2)  Expand, enhance, and augment the user awareness products and related defensive threat briefings to inform Department personnel of the nature and scope of insider threats;

(3)  Establish procedures for insider threat response actions (whether administrative, security, or criminal) to clarify or resolve insider threat matters, ensuring that response actions are centrally managed and documented by the ITP Office;

(4)  Establish and maintain guidelines and procedures for the protection, retention, and destruction of records and documents collected through the insider threat investigations;

(5)  Ensure Department compliance with E.O. 13587 and address future ITP mandates; and

(6)  Report to the senior officials regarding ITP policies, procedures, and investigations and make recommendations concerning response actions.

12 FAM 513.3-3  Insider Threat Program Board

(CT:DS-333;   06-24-2020)

a. The ITP office will establish a charter for a cross-discipline, DS-led, ITP Program Board, drawn from relevant bureaus in the Department relating to ITP goals.  The Program Board will be responsible for providing policy and practical advice and guidance to the ITP senior officials.

b. The Program Board will:

(1)  Include senior personnel from the following Department stakeholder Bureaus:

·         Bureau of Administration (A);

·         Diplomatic Security (DS);

·         Global Talent Management (GTM);

·         Intelligence and Research (INR);

·         Information Resource Management (IRM);

·         Office of Legal Affairs (L);

·         Office of Medical Services (MED);

·         Office of the Inspector General (OIG); and

·         Other Departmental offices and U.S. agencies as necessary.

(2)  Be chaired by Diplomatic Security (DS) and, using subject matter expertise of the group members, act in an advisory capacity to the senior officials, to ensure that policies, guidance, and operational activities are conducted in accordance with standing legal and privacy directives;

(3)  Make a recommendation, upon request, for a course of action on any insider threat allegation to the ITP Program Office or senior officials based on the facts and background presented;

(4)  Develop relationships between offices, leading to better information sharing and cooperation; and

(5)  In accordance with Section 9(a)(2) of the Inspector General Act of 1978 (IG Act), as amended, and Section 209(a)(1) of the Foreign Service Act of 1980, (FS Act), as amended, the Program Board shall not transfer or assign any program operating responsibilities to OIG personnel participating in the Program Board. OIG personnel may abstain from any Program Board activity that, in the judgment of the OIG, might impair OIG independence including, but not limited to, advising on policies, procedures, guidance, or other actions that may be audited, inspected, evaluated, or otherwise reviewed by the OIG.

12 FAM 513.3-4  Insider Threat Program HUB

(CT:DS-333;   06-24-2020)

a. The ITP Office will establish the Insider Threat HUB, the Department’s centralized analysis and response capability for Insider Threat.  The HUB will be responsible for addressing operational aspects of the ITP, including gathering and analyzing insider threat information, identifying potential insider threat concerns, and ensuring that an appropriate inquiry is conducted to resolve the concern.

b. The HUB will:

(1)  Include personnel from DS, consulting with the following primary stakeholder Department Bureaus:

·         A;

·         GTM;

·         INR;

·         IRM;

·         L;

·         MED;

·         OIG; and

·         Other Department offices as appropriate.

(2)  Act as the initial processing point for any potential insider threat information gathered from automated reporting mechanisms;

(3)  Use monitoring anomalies, administrative or criminal investigations, analytical capabilities, and any additional means for determining the merits of pursuing a preliminary inquiry regarding a potential insider threat;

(4)  Refer all analyzed data to the ITP Office to support a recommendation for a course of action on any insider threat allegation to the senior officials based on the facts and background presented;

(5)  Task actions, or recommend actions, to the appropriate investigative or administrative unit to further develop the investigation, and provide regular updates on the investigation to the senior officials to assist in their determination for continuing the insider threat investigation after the senior officials determine there is sufficient cause to continue a formal investigation into a potential insider threat, or in appropriate cases, refer the matter to the OIG.  In accordance with Section 3(a) of the IG Act and Section 209(a)(1) of the FS Act, no investigation tasked or recommended by HUB will prevent or prohibit the OIG from initiating, carrying out, or completing an OIG investigation;

(6)  Include members trained in the following topics and regulations in accordance with their area of expertise:

(a)  Counterintelligence, law enforcement, and security fundamentals;

(b)  Administrative and criminal misconduct;

(c)  Department procedures for conducting insider threat response actions;

(d)  Applicable laws and regulations regarding the gathering, integration, retention, and disposition of records and documents collected through the insider threat investigations;

(e)  Applicable civil liberties and privacy laws, regulations, and policies; and

(f)   The investigative referral requirements of Section 811 of the Intelligence Authorization Act for Fiscal Year 1995.

12 FAM 513.3-5  Access to Information

(CT:DS-333;   06-24-2020)

a. The Senior Officials will:

(1)  Direct all Department bureaus and diplomatic missions to securely provide to ITP personnel all relevant information necessary to perform insider threat analysis, as well as detect, react, and respond to security risk issues;

(2)  Provide guidance and direction to all Department bureaus and posts, who will establish procedures within their respective offices to ensure that authorized information determined to be of relevance is accessible to and shared with the appropriate ITP personnel.  Such access and information includes but is not limited to the following:

(a)  Counterintelligence and security - All relevant data and files, including but not limited to: personnel security files, facility access records, foreign travel and contacts, and security violations as may be necessary for resolving or clarifying insider threat matters;

(b)  Security auditing and user activity monitoring - Data collected and analyzed to assist in identifying abnormal behavior related to the actions of a workstation user, including use and access to applications, services, networks, and data in the IT environment.  User workstation activities will be monitored consistent with the Department’s 12 FAM 600 Cyber security policy;

(c)  Information Assurance (IA) - All relevant network information generated by IA elements to include but not limited to personnel usernames, levels of network access, unauthorized use of removable media, network or system logs and other data needed for clarification or resolution of an insider concern; and

(d)  Global Talent Management  - All relevant GTM data and files, including but not limited to personnel files, payroll files, disciplinary files, and personal contacts records as may be necessary for resolving or clarifying insider threat matters.

(3)  Establish procedures for access requests by the ITP office involving particularly sensitive or protected information, such as medical records, information held by special access, law enforcement, inspector general, or other investigative sources or programs, which may require that access be provided upon the request of the senior officials; and

(4)  Ensure the ITP office has timely access, as otherwise permitted, to available U.S. government intelligence and counterintelligence reporting information and analytic products pertaining to adversarial threats.

12 FAM 513.3-6  Monitoring User Activity on Networks

(CT:DS-245;   12-21-2015)

Senior Officials shall:

(1)  Develop, utilize, and maintain a capability to monitor user activity on Department-managed networks at all security domains in order to detect activity indicative of insider threat behavior, in consultation with L and the privacy office;

(2)  Develop and implement policies and procedures for properly protecting, interpreting, storing, and limiting dissemination of user activity monitoring (UAM) information and UAM methods to authorized personnel;

(3)  Ensure agreements are signed by all insiders with access to Department systems, acknowledging that their activity on any agency network, to include government portable electronic devices, is subject to monitoring and could be used against them in a criminal, security, or administrative proceeding.  Agreement language will be developed in coordination with L; and

(4)  Ensure classified and unclassified network banners are employed within the Department, informing consenting users that the network is being monitored for lawful U.S. government-authorized purposes, which can result in criminal or administrative actions against the user.  Banner language will be developed in consultation with L.

12 FAM 513.3-7  Protective Measures for Sensitive Data Collection

(CT:DS-320;   05-17-2019)

The Senior Officials will:

(1)  Protect the information, documents, files, and other material submitted to the HUB by Department stakeholder offices in accordance with current and applicable federal laws, rules, regulations, and policy;

(2)  Establish oversight mechanisms or procedures to ensure proper handling and safeguarding of records and data collected, while ensuring that access to such records or data is restricted to ITP personnel who require the information to perform their authorized functions;

(3)  Ensure that the program’s policies and procedures, in coordination with L and the Privacy Division (A/GIS/PRV), will confirm that legal, civil liberties, and privacy protections are incorporated throughout the Department’s ITP; and

(4)  Establish guidelines and procedures for the protection of records and documents necessary in accordance with Department policies and procedures required in 5 FAM 460 - The Privacy Act and Personally Identifiable Information.

12 FAM 513.4  Employee Responsibility to Report Potentially Vulnerable Activities

(CT:DS-245;   12-21-2015)

All employees have a responsibility and obligation to protect Department personnel, information, facilities and systems and should be aware of the following:

(1)  The importance of detecting insider threats;

(2)  The importance of reporting suspected activity, i.e., espionage, unauthorized disclosure of national security information, terrorism, sabotage, violence in the workspace, to insider threat personnel;

(3)  Methodologies used by adversaries to recruit trusted insiders and collect classified information;

(4)  Indicators of insider threat behavior and procedures to report such behavior; and

(5)  Counterintelligence and security reporting requirements, including:

(a)  Foreign Travel and Contact Reporting (12 FAM 262.2);

(b)  Personnel Security and Suitability reportable actions (12 FAM 270); and

(c)  Employees who believe they have identified an insider threat must report their concerns immediately.  Domestically, the office to report insider threat concerns is the Counterintelligence Division (DS/ICI/CI) in the Bureau of Diplomatic Security (DS).  Overseas, all insider threat reports should be made to the regional security officer.  The following email boxes have been created to assist employees with their reporting requirement: InsiderThreatReporting@state.gov (unclassified network), and InsiderThreatReporting@state.sgov.gov (classified network).

12 FAM 513.5  Employee Training and Awareness

(CT:DS-245;   12-21-2015)

The senior officials will ensure that:

(1)  Mandatory insider threat awareness training will, at a minimum, be provided to all employees within 30 days of entering on duty (EOD) or following the granting of access to classified information, and annually thereafter, and will address the following topics:

(a)  The importance of detecting the many types of potential insider threats (espionage, unauthorized disclosure of national security information, terrorism, sabotage, violence in the workplace) and reporting suspected activity to insider threat personnel or other designated officials;

(b)  Counterintelligence and security reporting requirements, as applicable;

(c)  Procedures for reporting observed suspicious or abnormal behavior by persons who access and/or use national security systems;

(d)  Methods used by adversarial organizations to recruit or co-opt persons who have access to national security systems and the information that resides thereon;

(e)  Indicators of suspected espionage on national security systems; and

(f)   Prior espionage incidents involving the compromise of national security systems and information.

(2)  An internal network site is established and promoted to all authorized users of the network to provide insider threat reference material, including indicators of insider threat behavior, applicable reporting requirements and procedures, and provide a secure electronic means of reporting matters to the ITP office; and

(3)  The Department continues to expand, enhance, and augment its threat briefings and related user awareness products to inform employees of the nature and scope of insider threats.

12 FAM 514  through 519 UNASSIGNED
