UNCLASSIFIED (U)

12 FAM 560

GENERAL INFORMATION SECURITY ADMINISTRATION

(CT:DS-323;   07-30-2019)
(Office of Origin:  DS/SI)

12 FAM 561  SECURITY INSPECTION OF PROPERTY Prior to Disposition

(CT:DS-322;   06-13-2019)

a. Bureau, office, or post custodial officers (CO) have responsibility for property located in their assigned areas, including continuously surveying property under their control to identify idle or unneeded property for disposition processing.  They must promptly identify U.S. Government owned personal property that:

(1)  Is no longer needed for official business operations;

(2)  Requires replacement with new similar property due to replacement criteria being met; or

(3)  Economical repair cannot occur.

b. COs should report such property in a timely manner for disposition processing in order for the U.S. Government to achieve maximum return on investment and maintain effective operations.

c.  (State only) Each CO reports Department accountable property using the Integrated Logistics Management System (ILMS) Asset Management module to the accountable property officer (APO).  The APO may reassign the accountable property to another custodial officer and ILMS Asset Management will generate the form DS-584, Property Transaction.

d. (State only) Otherwise the CO will generate form DS-132, Property Disposal Authorization and Survey Report for the APO to approve in ILMS Asset Management module to begin the disposition processes (see 14 FAH-1 H-720 Disposal Procedures for Department and Field Office (for U.S. locations) or 14 FAH-1 H-710 Disposal Procedures at Post (for post locations)).

e. Before APO approval of form DS-132, the CO must ensure that all property has been inspected for any classified, sensitive information or material and form DS-132 has been completed before arranging removal of the property.

f.  Unless otherwise designated, unit security officers (USOs) are responsible for the inspection of their unit’s property to ensure all classified and Sensitive But Unclassified (SBU) information has been removed.  Prior to disposal, the USO must:

(1)  Ensure all non-volatile memory and removable media (i.e., hard drives, CDs, USBs) are removed from computer equipment that has been used for processing classified and SBU information.  Inspect printers, scanners, copiers, faxes, etc., to ensure they do not contain any classified or SBU hardcopy information.  See 12 FAH-10 H-262.5 for Media Sanitization requirements and 12 FAH-6 H-633.5-9 for Classified Information Processing Equipment (CIPE) disposition;

(2)  Complete form DS-586 Turn-In Property Inspection Certification and affix to any item having drawers or electronic data storage capability.  Form DS-586 must be signed by the USO and one additional person;

(3)  When inspecting safes, file cabinets, and desks, completely remove all drawers from the furniture as paper tends to slide underneath and behind drawers.  Ensure all drawers function properly.  If a drawer cannot be opened, the inspection is incomplete and the equipment cannot be certified (as being free of classified or SBU material); thus cannot be physically released from Department control.  For additional directions, see 14 FAH-1 H-722 Inspection of Personal Property Prior to Disposition (for U.S. locations) or 14 FAM 417.1-4 Inspection for Classified Material plus14 FAH-1 H-712 Reporting Property No Longer Required (for post locations); and

(4)  Arrange for combinations on safes or padlocks to be set to the factory combination.

g. If the USO is not present to inspect equipment prior to or at the time of actual removal, the APO authorizing property to be removed is responsible for the inspection of all material leaving an office to ensure no classified or SBU material is inadvertently unprotected.

12 FAM 562  INFORMATION SECURITY EDUCATION AND TRAINING PROGRAMS OPERATION

(CT:DS-322;   06-13-2019)

a. The Program Applications Division (DS/IS/APD) is responsible for developing, defining, inspecting, and advising on facilities, procedures and controls for safeguarding classified and administratively controlled information, and for the enforcement of regulations as they pertain to operations worldwide.

b. DS/IS/APD establishes inspection programs and maintains active training and orientation programs for employees who require access to classified information, to ensure each employee understands the individual responsibility for exercising vigilance and care in complying with the provisions of these regulations.  These programs include a continuing review of the implementation of these regulations to insure national security information is properly safeguarded.

12 FAM 563  Domestic Bureau, Principal, AND UNIT SECURITY OFFICERS

12 FAM 563.1  Designation

(CT:DS-322;   06-13-2019)

a. Bureau executive directors may submit a request to DS/IS/APD to assign a bureau security officer (BSO) to serve as a principal security advisor to the bureau's assistant secretary.  The BSO serves as a subject matter expert to the assigned bureau on all matters that pertain to safeguarding classified and SBU material in the domestic environment.  Bureaus provide day-to-day direction to their assigned BSO, while DS/IS/APD provides overall management, supervision, and oversight.  BSO assignments are rotational and intended to be from 3 to 5 years in duration, after which another BSO will be assigned to serve as principal security advisor to that bureau.

b. In the absence of an assigned BSO, the executive director must designate a principal unit security officer (PUSO) to assist carrying out security responsibilities.  Bureaus must notify DS/IS/APD in writing of any initial PUSO designations and all subsequent changes in personnel within 5 business days.

c.  Bureaus must also designate USOs to implement effective internal security controls within their assigned space.  Each unit is defined at the discretion of management and is an identifiable organizational element, usually located in a single definable geographical location such as a building, floor, wing, or suite.  In bureaus with BSOs, the BSO will advise and support USOs in carrying out security responsibilities.  Bureaus must notify DS/IS/APD in writing of any initial USO appointment and all subsequent changes in personnel within 5 business days.

d. Employees and contractors designated as PUSOs or USOs perform the security duties prescribed for them in addition to the duties of their regular positions.  Each USO maintains an active security training and orientation program to impress upon each employee with an individual responsibility for exercising vigilance and care in complying with the provisions of the security regulations.  USOs are trained by and maintain liaison with DS/IS/APD, either directly or indirectly, through contact with their BSO, where assigned.  When DS/IS/APD is notified by a bureau that a USO or PUSO has been appointed, DS/IS/APD contacts the individual directly to schedule USO training.

12 FAM 563.2  Roles and Responsibilities

12 FAM 563.2-1  Bureau Security Officer

(CT:DS-322;   06-13-2019)

Within their supported bureau(s), BSOs:

(1)  Ensure the proper safeguarding of classified national security and sensitive but unclassified information through management and administration of the Department's Information Security Program;

(2)  Provide guidance and support to the USO Program, designed to implement effective internal security controls throughout the Department.  In addition to day-to-day assistance, BSOs provide specialized and more detailed security specialist training to all assigned USOs;

(3)  Interpret and implement existing information security regulations and guidelines to develop or revise existing agency guidance;

(4)  Conduct information security surveys/inspections of Department offices and workspaces to ensure compliance with all Department security regulations associated with information security.  BSOs also support USOs in regular self-assessments of their spaces;

(5)  Investigate security incidents and cyber security incidents.  BSOs may delegate to the appropriate USO, the processing of apparent security infractions.  BSOs must not delegate the conduct of investigations of apparent security violations.  BSOs continuously monitor and analyze all incidents to identify patterns that may indicate trends, which are brought to the attention of bureau management.  All cyber security incidents must be reported to the Cyber Incident Response Team (DS/CTS/CIRT) in accordance with 12 FAH-10 H-242.5;

(6)  Develop and provide formal training on information security and related issues to employees and managers.  Lead and participate in a comprehensive security awareness program, designed to encourage employees to fulfill the requirements of the Department's Information Security Program;

(7)  Facilitate, through assigned USOs, all access control requests for smart card entry; verify personnel given access, possess the appropriate security clearance to have un-escorted access to Bureau spaces.

(8)  Coordinate with assigned USOs to monitor access control lists and ensure they reflect current operational requirements.  Facilitate the repair of all access control and alarm systems within bureaus;

(9)  Develop, implement, and maintain the Sensitive Compartmented Information (SCI) access portfolio for the bureau.  Work with bureau management to verify and justify operational need for individual SCI access requests.  Facilitate the approval of all requests through the bureau executive director;

(10) Assist in the development, implementation, and maintenance of the information security portion of the Emergency Action Plan portfolios for the bureau, as it pertains to the disposition of classified and sensitive information in an emergency or exigency;

(11) Brief the bureau's senior leadership, as needed, on any security related issues;

(12) Participate in bureau management meetings as required; and

(13) Liaise between the bureau and Diplomatic Security entities, as needed, on security matters.

12 FAM 563.2-2  Unit Security Officer

(CT:DS-322;   06-13-2019)

Within their supported office(s), USOs:

(1)  Implement and maintain the executive director’s security program.

(2)  Implement closing-hours security check.

(3)  Conduct security container inventory.

(4)  Record and safeguard combinations.

(5)  Change door and safe combinations as required.

(6)  Arrange escorts for visitors.

(7)  Understand the Department’s classification system.

(8)  Inspect excess property.

(9)  Understand any special programs in the office.

(10) Cooperate with the respective BSO to facilitate the investigative process of security incidents, if asked.

(11) Familiarize new employees with applicable security requirements.

(12) Perform other security-related tasks, as assigned.

12 FAM 563.3  Regional and Post Security Officers Abroad

(CT:DS-322;   06-13-2019)

a. With respect to the information security program at post, the regional security officer (RSO) receives advice, guidance and direction from DS/IS/APD.  RSOs serve as the program manager for the information security program at post under their cognizance.  RSO duties are further defined in 12 FAM 420.

b. Post security officers (PSOs) are appointed by, and maintain liaison with, the RSO.  They assist in the general administration of the security program within the assigned area of jurisdiction.  In addition, the PSO performs other security duties as required by the RSO.

12 FAM 564  Information Security BRIEFINGS

(CT:DS-322;   06-13-2019)

The information security education program applies to all personnel authorized or expected to be authorized access to classified and/or SBU information.  At a minimum, the program is designed to:

(1)  Advise personnel of the adverse effects on national security that could result from unauthorized disclosure, and of their personal and legal responsibility to protect classified information within their knowledge, possession, or control;

(2)  Indoctrinate personnel in the principles, criteria and procedures of proper control and accountability, storage, destruction, and transmission of classified information and material;

(3)  Familiarize personnel with procedures for challenging classification decisions believed to be improper;

(4)  Familiarize personnel with the security requirements of their particular assignment;

(5)  Advise personnel of the strict prohibition against discussing classified information over an unsecure telephone or in any other manner that permits interception by unauthorized persons;

(6)  Inform personnel of the penalties for violation or disregard of the provisions of this regulation; and

(7)  Instruct personnel that individuals having knowledge, possession, or control of classified information must determine, before disseminating such information, that the prospective recipient has been cleared for access by competent authority; needs the information in order to perform his or her official duties; and can properly protect (or store) the information.

12 FAM 564.1  Initial Briefing

(CT:DS-322;   06-13-2019)

a. All employees must be afforded a briefing on the government-wide regulations governing protection of classified information and the Department of State procedures for protection of classified and sensitive but unclassified information.  Each new employee is required to read and sign form SF-312, Nondisclosure Agreement, at the time of entrance on duty and prior to being issued a badge that affords access to classified national security information.

b. Domestically, DS/IS/APD provides this comprehensive briefing.

c.  At posts abroad, the RSO must provide this briefing to all newly cleared employees entering on duty (i.e., interns, FSN staff, eligible family members and new hires).  In addition, it is the responsibility of post and PSOs to insure that all newly assigned or newly employed personnel are briefed on security matters specific to a post or area.  RSOs must provide DS/IS/APD with a copy of the executed form SF-312.

12 FAM 564.2  Annual Refresher

(CT:DS-322;   06-13-2019)

In accordance with Executive Order 13526, all State Department employees and contractors with a security clearance must complete the Foreign Service Institute (FSI) course, Mandatory Training for Classifiers and Users of National Security Information (PK400) once each calendar year.  PK400 is available on OpenNet through the FSI course catalog.

12 FAM 564.3  Special Access

(CT:DS-323;   07-30-2019)

Indoctrination briefings for SCI or Intelligence Community (IC) Special Access Program (SAP) will be conducted by DS/IS/SSO on behalf of INR.  Non IC SAP indoctrinations will be conducted by the program manager for the SAP.

12 FAM 564.4  Termination

(CT:DS-322;   06-13-2019)

a. The Security Debriefing Acknowledgement on the back of form SF-312 will be completed by the employee and witnessed by the servicing human resources section whenever an employee is terminating employment or is otherwise to be separated for a continuous period of 60 days or more.  While a security briefing is not required, the Security Debriefing Acknowledgement is mandatory to ensure that separating personnel are aware of the requirement to return all classified material and of a continuing responsibility to safeguard their knowledge of any classified information.  If a security briefing is not provided when the acknowledgement is signed, the employee must strike out the word “have" in the acknowledgment (e.g., I have have not received a security briefing).

b. The completed form SF-312 will be filed in the employee’s electronic official personnel folder (eOPF).

12 FAM 565  THROUGH 569 UNASSIGNED

UNCLASSIFIED (U)