UNCLASSIFIED (U)

12 FAM 560

GENERAL INFORMATION SECURITY ADMINISTRATION

(CT:DS-427;   07-16-2024)
(Office of Origin:  DS/SI)

12 FAM 561  SECURITY INSPECTION OF PROPERTY Prior to Disposition

(CT:DS-416;   09-19-2023)

a. Bureau, office, or post custodial officers (CO) have responsibility for property located in their assigned areas, including continuously surveying property under their control to identify idle or unneeded property for disposition processing.  They must promptly identify U.S. Government-owned personal property that:

(1)  Is no longer needed for official business operations;

(2)  Requires replacement with new similar property due to replacement criteria being met; or

(3)  Economical repair cannot occur.

b. COs should report such property in a timely manner for disposition processing in order for the U.S. Government to achieve maximum return on investment and maintain effective operations.

c.  (State only) Each CO reports Department accountable property using the Integrated Logistics Management System (ILMS) Asset Management module to the accountable property officer (APO).  The APO may reassign the accountable property to another custodial officer and ILMS Asset Management will generate the form DS-584, Property Transaction.

d. (State only) Otherwise, the CO will generate form DS-132, Property Disposal Authorization and Survey Report for the APO to approve in ILMS Asset Management module to begin the disposition processes (see 14 FAH-1 H-720 Disposal Procedures for Department and Field Office (for U.S. locations) or 14 FAH-1 H-710 Disposal Procedures at Post (for post locations)).

e. Before APO approval of form DS-132, the CO must ensure that all property has been inspected for any classified, sensitive information or material and form DS-132 has been completed before arranging removal of the property.

f.  Unless otherwise designated, unit security officers (USO) are responsible for the inspection of their unit’s property to ensure all classified and Sensitive But Unclassified (SBU) information has been removed.  Prior to disposal, the USO must:

(1)  Ensure all non-volatile memory and removable media (i.e., hard drives, CDs, USBs) are removed from computer equipment that has been used for processing classified and SBU information.  Inspect printers, scanners, copiers, faxes, etc., to ensure they do not contain any classified or SBU hardcopy information.  See 12 FAH-10 H-262.5 for Media Sanitization requirements and 12 FAH-6 H-633.5-9 for Classified Information Processing Equipment (CIPE) disposition;

(2)  Complete form DS-586 Turn-In Property Inspection Certification and affix to any item having drawers or electronic data storage capability.  Form DS-586 must be signed by the USO and one additional person;

(3)  When inspecting safes, file cabinets, and desks, completely remove all drawers from the furniture as paper tends to slide underneath and behind drawers.  Ensure all drawers function properly.  If a drawer cannot be opened, the inspection is incomplete, and the equipment cannot be certified (as being free of classified or SBU material); thus, cannot be physically released from Department control.  For additional directions, see 14 FAH-1 H-722 Inspection of Personal Property Prior to Disposition (for U.S. locations) or 14 FAM 417.1-4 Inspection for Classified Material and FAH-1 H-712 Reporting Property No Longer Required (for post locations); and

(4)  Arrange for combinations on safes or padlocks to be set to the factory combination.

g. If the USO is not present to inspect equipment prior to or at the time of actual removal, the APO authorizing property to be removed is responsible for the inspection of all material leaving an office to ensure no classified or SBU material is inadvertently unprotected.

12 FAM 562  INFORMATION SECURITY EDUCATION AND TRAINING PROGRAMS OPERATION

(CT:DS-416;   09-19-2023)

a. The Program Applications Division (DS/IS/APD) is responsible for developing, defining, inspecting, and advising on facilities, procedures and controls for safeguarding classified and administratively controlled information, and enforcement of regulations as they pertain to operations worldwide.

b. DS/IS/APD establishes inspection programs and maintains active training and orientation programs for employees who require access to classified information, to ensure each employee understands the individual responsibility for exercising vigilance and care in complying with the provisions of these regulations.  These programs include a continuing review of the implementation of these regulations to ensure national security information is properly safeguarded.

12 FAM 563  Domestic Bureau, Principal, AND UNIT SECURITY OFFICERS

(CT:DS-427;   07-16-2024)

12 FAM 563.1  Designation

(CT:DS-392;   11-07-2022)

a. Bureau executive directors may submit a request to DS/IS/APD to assign a bureau security officer (BSO) to serve as a principal security advisor to the bureau's assistant secretary.  The BSO serves as a subject matter expert to the assigned bureau on all matters that pertain to safeguarding classified and SBU material in the domestic environment.  Bureaus provide day-to-day direction to their assigned BSO, while DS/IS/APD provides overall management, supervision, and oversight.  BSO assignments are rotational and intended to be from 3 to 5 years in duration, after which another BSO will be assigned to serve as principal security advisor to that bureau.

b. In the absence of an assigned BSO, the executive director must designate a principal unit security officer (PUSO) to assist with security responsibilities.  Bureaus must notify DS/IS/APD in writing of any initial PUSO designations and all subsequent changes in personnel within 5 business days.

c.  Bureaus must also designate USOs to implement effective internal security controls within their assigned space.  Each unit is defined at the discretion of management and is an identifiable organizational element, usually located in a single definable geographical location such as a building, floor, wing, or suite.  In bureaus with BSOs, the BSO will advise and support USOs in carrying out security responsibilities.  Bureaus must notify DS/IS/APD in writing of any initial USO appointment and all subsequent changes in personnel within 5 business days.

d. Employees and contractors designated as PUSOs or USOs perform the security duties prescribed for them in addition to the duties of their regular positions.  Each USO maintains an active security training and orientation program to impress upon each employee with an individual responsibility for exercising vigilance and care in complying with the provisions of the security regulations.  USOs are trained by and maintain liaison with DS/IS/APD, either directly or indirectly, through contact with their BSO, where assigned.  When DS/IS/APD is notified by a bureau that a USO or PUSO has been appointed, DS/IS/APD contacts the individual directly to schedule USO training.

12 FAM 563.2  Roles and Responsibilities

12 FAM 563.2-1  Bureau Security Officer

(CT:DS-392;   11-07-2022)

Within their supported bureau(s), BSOs:

(1)  Ensure the proper safeguarding of classified national security and sensitive but unclassified information through management and administration of the Department's Information Security Program;

(2)  Provide guidance and support to the USO Program, designed to implement effective internal security controls throughout the Department.  In addition to day-to-day assistance, BSOs provide specialized and more detailed security specialist training to all assigned USOs;

(3)  Interpret and implement existing information security regulations and guidelines to develop or revise existing agency guidance;

(4)  Conduct information security surveys/inspections of Department offices and workspaces to ensure compliance with all Department security regulations associated with information security.  BSOs also support USOs in regular self-assessments of their spaces;

(5)  Investigate security incidents and cyber security incidents.  BSOs may delegate to the appropriate USO, the processing of apparent security infractions.  BSOs must not delegate investigations of apparent security violations.  BSOs continuously monitor and analyze all incidents to identify patterns that may indicate trends, which are brought to the attention of bureau management.  All cyber security incidents must be reported to the Cyber Incident Response Team (DS/CTS/CIRT) in accordance with 12 FAH-10 H-242.5;

(6)  Develop and provide formal training on information security and related issues to employees and managers.  Lead and participate in a comprehensive security awareness program, designed to encourage employees to fulfill the requirements of the Department's Information Security Program;

(7)  Facilitate, through assigned USOs, all access control requests for smart card entry; verifying that personnel given access possess the appropriate security clearance to have un-escorted access to bureau spaces.

(8)  Coordinate with assigned USOs to monitor access control lists and ensure they reflect current operational requirements.  Facilitate the repair of all access control and alarm systems within bureaus;

(9)  Develop, implement, and maintain the Sensitive Compartmented Information (SCI) access portfolio for the bureau.  Work with bureau management to verify and justify operational need for individual SCI access requests.  Facilitate the approval of all requests through the bureau executive director;

(10) Assist in the development, implementation, and maintenance of the information security portion of the Emergency Action Plan portfolios for the bureau, as it pertains to the disposition of classified and sensitive information in an emergency or exigency;

(11) Brief the bureau's senior leadership, as needed, on any security related issues;

(12) Participate in bureau management meetings as required; and

(13) Liaise between the bureau and Diplomatic Security entities, as needed, on security matters.

12 FAM 563.2-2  Unit Security Officer

(CT:DS-322;   06-13-2019)

Within their supported office(s), USOs:

(1)  Implement and maintain the executive director’s security program.

(2)  Implement closing-hours security check.

(3)  Conduct security container inventory.

(4)  Record and safeguard combinations.

(5)  Change door and safe combinations as required.

(6)  Arrange escorts for visitors.

(7)  Understand the Department’s classification system.

(8)  Inspect excess property.

(9)  Understand any special programs in the office.

(10) Cooperate with the respective BSO to facilitate the investigative process of security incidents, if asked.

(11) Familiarize new employees with applicable security requirements.

(12) Perform other security-related tasks, as assigned.

12 FAM 563.3  Regional and Post Security Officers Abroad

(CT:DS-416;   09-19-2023)

a. With respect to the information security program at post, the regional security officer (RSO) receives advice, guidance, and direction from DS/IS/APD.  RSOs serve as the program manager for the information security program at post under their cognizance.

b. Post security officers (PSO) are appointed by, and maintain liaison with, the RSO.  They assist in the general administration of the security program within the assigned area of jurisdiction.  In addition, the PSO performs other security duties as required by the RSO.

c.  RSO and PSO duties are further defined in 12 FAM 420.

12 FAM 564  Information Security BRIEFINGS

(CT:DS-416;   09-19-2023)

The information security education program applies to all personnel authorized or expected to be authorized access to classified and/or SBU information.  At a minimum, the program is designed to:

(1)  Advise personnel of the adverse effects on national security that could result from unauthorized disclosure, and of their personal and legal responsibility to protect classified information within their knowledge, possession, or control;

(2)  Indoctrinate personnel in the principles, criteria and procedures of proper control and accountability, storage, destruction, and transmission of classified information and material;

(3)  Familiarize personnel with procedures for challenging classification decisions believed to be improper;

(4)  Familiarize personnel with the security requirements of their particular assignment;

(5)  Advise personnel of the strict prohibition against discussing classified information over an unsecure telephone or in any other manner that permits interception by unauthorized persons;

(6)  Inform personnel of the penalties for violation or disregard of the provisions of this regulation; and

(7)  Instruct personnel that individuals having knowledge, possession, or control of classified information must determine, before disseminating such information, that the prospective recipient has been cleared for access by competent authority; needs the information to perform his or her official duties; and can properly protect (or store) the information.

12 FAM 564.1  Initial Briefing

(CT:DS-416;   09-19-2023)

a. All employees must be afforded a briefing on the Government-wide regulations governing protection of classified information and Department procedures for protection of classified and sensitive but unclassified information.  Each new employee is required to read and sign form SF-312, Nondisclosure Agreement, at the time of entrance on duty and prior to being issued a badge that affords access to classified national security information.

b. Domestically, DS/IS/APD provides this comprehensive briefing.

c.  At posts abroad, the RSO must provide this briefing to all newly cleared employees entering on duty (i.e., interns, FSN staff, eligible family members and new hires).  In addition, it is the responsibility of post and PSOs to ensure that all newly assigned or newly employed personnel are briefed on security matters specific to a post or area.  RSOs must provide DS/IS/APD with a copy of the executed form SF-312.

12 FAM 564.2  Annual Refresher

(CT:DS-416;   09-19-2023)

In accordance with Executive Order 13526, all Department employees and contractors with a security clearance must complete the Foreign Service Institute (FSI) course, Mandatory Training for Classifiers and Users of National Security Information (PK400) once each calendar year.  PK400 is available on OpenNet through the FSI course catalog.

12 FAM 564.3  Special Access

(CT:DS-416;   09-19-2023)

Indoctrination briefings for SCI or Intelligence Community (IC) Special Access Program (SAP) will be conducted by the Special Security Operations Division (DS/IS/SSO) on behalf of the Bureau of Intelligence and Research (INR).  Non-IC SAP indoctrinations will be conducted by the program manager for the SAP.

12 FAM 564.4  Termination

(CT:DS-416;   09-19-2023)

a. The Security Debriefing Acknowledgement on the back of form SF-312 will be completed by the employee and witnessed by the servicing human resources section whenever an employee is terminating employment or is otherwise to be separated for a continuous period of 60 days or more.  While a security briefing is not required, the Security Debriefing Acknowledgement is mandatory to ensure that separating personnel are aware of the requirement to return all classified material and of a continuing responsibility to safeguard their knowledge of any classified information.  If a security briefing is not provided when the acknowledgement is signed, the employee must strike out the word “have" in the acknowledgment (e.g., I have not received a security briefing).

b. The completed form SF-312 will be filed in the employee’s electronic official personnel folder (eOPF).

12 FAM 565  DOMESTIC SECURE MOBILE COMMUNICATIONS

(CT:DS-427;   07-16-2024)

a. The Secure Mobile Communications program will address the needs of personnel in the National Capital Region who do not fall under the Secretary’s Mobile Communication Team’s support to access secure communications while not on official premises.

b. Domestically, when a bureau determines that the deployment of secure mobile communications capabilities is necessary to meet operational requirements, a request may be submitted to Diplomatic Technology (DT) through DS/IS/APD.  The request must be submitted via the electronic user request form and endorsed by the bureau Assistant Secretary.  Only requests made as part of an DT and DS approved program, and which include technical, physical, and personnel control measures appropriate to the environment as required by 32 CFR 2001.45, will be considered.  Secure mobile communications are not authorized overseas except as covered under the Secretary’s Technical and Information Security Travel Policy version 18.1 dated 12/10/2018.

c.  All requests must include a thorough justification that fully articulates why the secure mobile communications capability is necessary to meet the operational requirements of the Department.  Once endorsed by the requesting bureau's Assistant Secretary, the requesting bureau's Front Office will forward the request to DS/IS/APD.  DS/IS/APD will review the form to ensure that all requisite details are provided, and if no additional information is required, DS/IS/APD will sign the form and forward it to DT.

d. IRM is responsible for installation, and the device will be activated upon installation.  Should the installer identify any significant concerns that require DS attention, DS/IS/APD can coordinate prompt support upon request.

e. Each user must sign a user agreement and complete end-user training prior to the activation of secure mobile communications capabilities.  Key provisions from the agreement are outlined in 12 FAM 534.4DT information systems security officer end-user training is required every six months to ensure all device users are aware of the approved uses of the equipment and any evolving security threats.

f.    When the need for the capability is no longer applicable, DT will remove the equipment, and DS/IS/APD will document that it has been returned to Department of State control.  The individual must maintain an active security clearance at the Secret level or higher as long as this device is assigned to them; if the clearance is revoked or suspended, DS/IS/APD will provide a notice of rescission and coordinate return of the device.

12 FAM 566  OPERATIONS SECURITY

(CT:DS-427;   07-16-2024)

12 FAM 566.1  General

(CT:DS-427;   07-16-2024)

12 FAM 566.1-1  Purpose

(CT:DS-416;   09-19-2023)

The purpose of the Department’s Operations Security (OPSEC) Program is to enhance the protection of critical information by identifying and protecting the planning and execution of operations, activities, projects, and missions, thus denying our adversaries information about and indicators of our capabilities and intentions.

12 FAM 566.1-2  Applicability

(CT:DS-416;   09-19-2023)

The Department’s OPSEC program and requirements apply to all Department personnel as well as other U.S. Government personnel under chief of mission (COM) authority abroad, including personnel who do not possess a security clearance.  Additionally, it applies to all Department information system users and any person authorized for logical access to Department information systems.

12 FAM 566.1-3  Authorities

(CT:DS-416;   09-19-2023)

Relevant authorities include, but may not be limited to:

(1)  Omnibus Diplomatic Security and Antiterrorism Act of 1986, as amended (Public Law 99-399; 22 U.S.C. 4801, et seq.); and

(2)  National Security Presidential Memorandum 28 (NSPM - 28), The National Operations Security Program, January 13, 2021.

12 FAM 566.1-4  Definitions

(CT:DS-416;   09-19-2023)

The terms used herein are defined as follows:

(1)  Operations security (OPSEC) – A security discipline designed to deny adversaries the ability to collect, analyze, and exploit information that might provide an advantage against the United States by preventing inadvertent compromise of critical information through a process of continual assessment that identifies and analyzes critical information, vulnerabilities, risks, and external threats;

(2)  OPSEC cycle – A cycle established to support continuous oversight.  The components of the OPSEC cycle are: identification of critical information and OPSEC indicators; identification and analysis of relevant threats; analysis of vulnerabilities; assessment of risks; application of appropriate countermeasures; and periodic assessment of effectiveness;

(3)  Critical information – Unclassified or classified information important to the achievement of the Department’s objectives, missions, intentions, and capabilities that requires safeguarding or dissemination controls.  Unauthorized access to, or modification of, critical information could adversely affect national interest or national security, the conduct of Federal programs or operations, or individual privacy and identity management; and

(4)  Identity management – An OPSEC capability that seeks to mitigate risks to personnel, organizations, missions, and capabilities through the discovery, examination, analysis, assessment, and management of an individual's or organization’s identity in public or non-public records, databases, social media, and other structured data sources.

12 FAM 566.2  Responsibilities

(CT:DS-427;   07-16-2024)

12 FAM 566.2-1  Bureau of Diplomatic Security

(CT:DS-416;   09-19-2023)

a. The Undersecretary for Management has designated the Bureau of Diplomatic Security (DS) to lead, manage, and operate the Department’s OPSEC program in accordance with National Security Presidential Memorandum-28 and related guidance.

b. The senior coordinator for security infrastructure (DS/SI) serves as the OPSEC senior official with authority to provide management, accountability, and oversight of the Department’s OPSEC program.

c.  The Program Applications division (DS/IS/APD) chief serves as the OPSEC program manager and is responsible for the implementation of the Department’s OPSEC Program.

d. The OPSEC program manager appoints an OPSEC program coordinator to chair a Department working group to establish the OPSEC cycle, and coordinate with the National OPSEC Program (NOP) office as appropriate to support OPSEC activities.

12 FAM 566.2-2  Operations Security Working Group

(CT:DS-427;   07-16-2024)

a. The Operations Security Working Group (OPSECWG) is comprised of stakeholders committed to implementing and incorporating the OPSEC cycle into the Department's operations, processes, and activities.

b. The OPSECWG meetings are held periodically and are chaired by the OPSEC program manager, the OPSEC program coordinator, or designee.

c.  The goal of the OPSECWG is to provide recommendations for the integration of OPSEC procedures throughout the Department, advise on the effectiveness of the OPSEC program, and assist in the implementation of the OPSEC cycle.

d. The OPSECWG is composed, at a minimum, of representatives from DS, DT, and INR.  Additional bureaus and offices will be invited to attend based on the topic(s) being discussed.

12 FAM 566.2-3  Department Personnel

(CT:DS-416;   09-19-2023)

a. All Department personnel and Department information system users are required to protect critical information concerning the Department’s capabilities, intentions, and activities from adversaries.

b. The specific list of critical information that must be protected from adversaries is located in the Department’s Critical Information List (CIL), which is published on the DS/IS/APD SharePoint site.

c.  Individuals must familiarize themselves with the Department's CIL on an annual basis.

d. Individuals are required to adhere to OPSEC practices provided in training, education, and awareness products.

12 FAM 566.3  OPSEC Training, Education, and Awareness

(CT:DS-416;   09-19-2023)

The primary goals of the OPSEC program are to educate the workforce about OPSEC; ensure employees understand critical information that must be protected; and to ensure adherence to policy regarding the protection of information.  To achieve these goals, DS/IS/APD will:

(1)  Develop and disseminate OPSEC education and awareness materials (Department Notices, bulletins, and articles);

(2)  In coordination with appropriate offices, develop and administer computer-based and in-person trainings; and

(3)  Act as a liaison with the NOP and other U.S. Government agencies on OPSEC training standards.

12 FAM 566.4  Critical Information Lists

(CT:DS-416;   09-19-2023)

a. The Department’s CIL is a broad list of capabilities, activities, and intentions that are necessary for the day-to-day successful application, administration, and execution of the Department’s mission.  The Department’s CIL must be controlled at the SBU level.

b. If a bureau, embassy, consulate, U.S. mission, or office needs a subsequent CIL with a specific list of capabilities, activities, and intentions that are necessary for the day-to-day successful application, administration, and execution of its mission, the publication of that CIL must be coordinated with the Department’s OPSEC Program (DS/IS/APD).  These CILs have an inherent level of specificity regarding capabilities, activities, and intentions and therefore must be classified at the appropriate security classification level.

12 FAM 566.5  The OPSEC Cycle

(CT:DS-416;   09-19-2023)

a. The OPSEC cycle is an ongoing, continuous cycle that must be repeated to maintain vigilance and effectiveness.  The OPSEC cycle is comprised of six components which include identification of critical information and OPSEC indicators; identification and analysis of relevant threats; analysis of vulnerabilities; assessment of risks; application of appropriate countermeasures; and periodic assessment of effectiveness.  The OPSEC cycle is not intended to be adhered to in a sequential order.  A recognizable benefit of the OPSEC cycle is to be fluid in its administration.

b. Identifying critical information involves an examination of the totality of an activity to determine what exploitable but unclassified evidence of classified activity could be acquired in light of known collection capabilities of potential adversaries.  Such evidence usually derives from openly available data.  Certain indicators may be pieced together or interpreted to discern critical information.  Indicators most often stem from routine administrative, physical, or technical actions taken to prepare for or execute a plan or activity.  Once identified, they are analyzed against the threat to determine the extent to which they may reveal critical information.  These threat and vulnerability analyses and risk assessments can then be used to select and adopt appropriate countermeasures.

c.  The OPSEC cycle must be incorporated into the planning, execution, and assessment of operations, processes, and activities to ensure the proper safeguarding of the Department’s critical information.

12 FAM 566.6  OPSEC Capabilities

(CT:DS-416;   09-19-2023)

DS/IS/APD is available to provide direct OPSEC support to the Department in the form of policy and procedural reviews and surveys.  Its policy and procedural reviews are conducted in an advisory capacity and will include OPSEC best practices, Identity Management Principles, and the protection of personal identifiable information.  Bureaus and offices can contact DS/IS/APD to request OPSEC support by emailing DSAPD@state.gov.

12 FAM 567  Open Storage in Domestic facilities

(CT:DS-416;   09-19-2023)

a. Open storage is the storage of classified information and/or equipment within an approved facility not requiring use of Department-approved storage containers.

b. Domestic offices within the Department may request open storage at the Secret or below collateral level.  Open storage of Top Secret is rarely approved.  Per 12 FAM 715.2, open storage of Sensitive Compartmented Information (SCI) is strictly prohibited in Department SCI facilities (SCIF).

c. The bureau executive director, with input from the bureau security officer/principal unit security officer, must submit a written request for open storage to DS/IS/APD.  Requests for open storage of Secret or below collateral (non-SCI) information within a Department SCIF must be additionally reviewed by the Department's SCIF accrediting official.

d. The request must fully articulate why open storage is necessary to meet the operational requirements of the office.

e. DS/IS/APD and Security Standards and Compliance Branch (DS/FSD/SSC) will jointly conduct a survey of the space to determine compliance with applicable security standards.  If the space meets all applicable physical security standards, DS/FSD/SSC will issue a Compliance Memorandum.

f.  Once the Compliance Memorandum has been issued, DS/IS/APD will provide an Approval Memorandum, which will outline procedural requirements for operating as an open storage space.  Open storage operations cannot begin until DS/IS/APD issues the Approval Memorandum.

g. The approval is valid for a three-year period.  Within that period, if there is a change to the intended use of the space (e.g., employees wish to store information at a different classification level), or a change to the physical configuration of the space, the occupant must contact DS/IS/APD to recertify the space.  Occupants my contact DSAPD@state.gov for additional information or clarification.

h. If open storage is no longer required, the office must notify DS/IS/APD to rescind the approval.

i.  Open storage at overseas posts is controlled by the Overseas Policy Board (OSPB) Security Standards and Policy Handbook.  Please refer to 12 FAH-6 H-313 and 12 FAH-6 H-540 concerning current policies and procedures.

12 FAM 568  THROUGH 569 UNASSIGNED

UNCLASSIFIED (U)