12 FAM 590
UNCLASSIFIED sECURITY INCIDENT PROGRAM
(Office of Origin: DS/IS/APD)
12 FAM 591 GENERAL
12 FAM 591.1 Purpose
The purpose of the Unclassified Security Incident Program is to enhance the protection of Department information and information systems by identifying, assessing, and assigning responsibility for failures in order to safeguard Department information and information systems in accordance with applicable laws and Department policies. For breaches of security impacting classified information, see 12 FAM 550.
12 FAM 591.2 Applicability
This program applies to all Department personnel as well as other U.S. Government personnel under chief of mission (COM) authority abroad including any of the aforementioned who do not possess a security clearance. Additionally, it applies to all Department information system users and any person authorized for logical access to Department information systems.
12 FAM 591.3 Authorities
a. Relevant legal authorities include:
(1) Omnibus Diplomatic Security and Antiterrorism Act of 1986, Public Law 99-399; 22 U.S.C. 4801, et seq. (1986), as amended;
(3) Computer Fraud and Abuse Act (1984), 18 U.S.C. § 1030, as amended;
(4) Privacy Act of 1974, 5 U.S.C. § 552a;
(5) Executive Order 13231, Critical Infrastructure Protection in the Information Age (2001), as amended by Executive Order 13286 (2003);
(6) Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11, 2017; and
(7) National Security Decision Directive 298 (NSDD-298), National Operations Security Program.
b. Relevant FAM sections include, but may not be limited to:
(2) 3 FAM 7700, LE Staff Benefits, Disciplinary Actions and Separations
(2) 5 FAM 700, Internet and Intranet Use;
(3) 5 FAM 800, Information Systems Management;
(4) 5 FAM 1060, Information Assurance Management;
(5) 12 FAM 226.7-4, Unauthorized Disclosures;
(6) 12 FAM 540, Sensitive But Unclassified Information (SBU);
(7) 12 FAM 600, Information Security Technology;
(8) 12 FAH-10, Information Systems Security Controls; and
(9) 12 FAH-6 H-540, Overseas Security Policy Board (OSPB) Automated Information Systems (AISs).
12 FAM 592 Unclassified Security Incidents
a. Unclassified security incidents under this chapter relate to misuse of unclassified Department systems or mishandling of Sensitive/SBU or otherwise administratively controlled information. Incidents involving the mishandling of classified information or misuse of classified Department systems are addressed under 12 FAM 553, Reporting of Security Incidents.
b. An unclassified security incident occurs when there has been a contravention of any published Department policy, procedure or acceptable use guidelines and that contravention represents a failure to safeguard Department information or information systems, resulting in actual or elevated risk of damage to Department information systems, or actual or elevated risk of compromise or loss of control of administratively controlled Department information.
c. An unclassified security incident may be adjudicated as a violation or an infraction based on the risk and magnitude of the harm to Department information or information systems or the risk of harm to affected individuals.
12 FAM 592.1 Unclassified Security Infractions
An unclassified security infraction is an incident involving a contravention of law or Department policy that does not result in actual damage to Department information systems, or actual compromise or loss of control of administratively controlled Department information. Infractions are often committed inadvertently but may still put the information or information system at risk. Examples of unclassified security infractions include but are not limited to:
(1) Malware: A user unintentionally downloads malware to a Department information system but no harm results;
(2) E-mail: A user sends obscene or offensive e-mails;
(a) A manager shares his or her Department password with their special assistant;
(b) A system administrator sets a non-compliant password for a general user;
(c) A user writes down their password and does not secure it properly (e.g., leaves in desk, tapes to monitor);
(d) A user tries to learn another user’s password by watching a user type their password; and
(e) A user stores Department passwords on a Department information system of the same classification, but no harm results.
(a) An individual unintentionally leaves an SBU or personally identifiable information (PII) document in a public space (e.g., airport, Starbucks);
(b) A user intentionally changes file permissions on a SBU or PII document to allow an unauthorized user access; and
(c) A user attempts to obtain unauthorized access to data he/she is not authorized to view.
(5) Baseline: A user or system administrator performs an unauthorized change to the configuration baseline (e.g., downloads software to OpenNet that has not been approved by the Configuration Change Board (CCB));
(a) A user uses a Department account or Department information system, as defined in 12 FAM 013, to run their personal business, gamble, or visit or access sexually explicit material;
(b) A user uses their ClassNet account for personal use; and
(c) A user engages in personal use of Department information systems in contravention of established policy.
12 FAM 592.2 Unclassified Security Violations
An unclassified security violation is an incident involving a contravention of law or Department policy resulting in actual or imminent damage to Department information systems, or compromise or loss of control of administratively controlled Department information. Violations are often committed knowingly, willfully, or negligently. Examples of unclassified security violations include but are not limited to:
(a) A user unknowingly downloads malware to a Department information system, resulting in harm;
(b) A user knowingly downloads malware to a Department information system, regardless if harm results; and
(c) A user knowingly causes the transmission of a program, information, code, or command, and because of such conduct causes damage (i.e., compromises integrity, availability) to a Department information system.
(a) A user shares a Department information system password;
(b) A system administrator sets a non-compliant password for a system administrator account or uses the same password for multiple Department accounts (e.g., for their OpenNet and administrator accounts);
(c) A user who has elevated privileges (e.g., system administrators or users with access to restricted applications) on their account writes down the password and does not secure it properly (e.g., leaves in desk, tapes to monitor);
(d) A user stores Department passwords on a Department information system, resulting in harm; and
(e) A user stores Department passwords for a classified information system on a Department unclassified information system.
(a) An individual intentionally or negligently misuses a bureau or office resource (e.g., Consular Affairs (CA) database) which places PII at risk in violation of policies in place for that resource;
(b) An individual engages in a deliberate or negligent action that results in the unauthorized disclosure or loss of control of administratively controlled information;
(c) A user knowingly discards SBU or PII hardcopy documents without shredding them; and
(d) A user accesses data without authorization from the appropriate data owner or investigative authority.
(4) Baseline: A user or system administrator performs an unauthorized change to the configuration baseline (e.g., downloads software to OpenNet without CCB approval), and that action results in harm.
(5) Unauthorized access:
(a) A system administrator or user attempts to intentionally bypass Department information system security software without proper authorization;
(b) A user removes, replaces, or physically tampers with Department hardware/software without proper authorization;
(c) A user logs into another user’s account without their knowledge or without proper authorization;
(d) A user knowingly accesses a Department information system without proper authorization;
(e) A user knowingly exceeds their access level on a Department information system; and
(f) A user intentionally accesses a Department information system without authorization and as a result of such conduct causes damage and/or loss.
12 FAM 593 Reporting unclassified Security Incidents
a. Reporting potential unclassified security incidents is the responsibility of every individual with access to Sensitive/SBU or otherwise administratively controlled information within the Department or a Department information system. When Department personnel or other U.S. Government personnel under COM authority become aware of an improper security practice that may result in an unclassified security incident, they must report their concern to the Program Applications Division (DS/IS/APD), either abroad via the regional security officer (RSO) or domestically via the bureau security officer (BSO). Timely reporting is imperative so that remedial action may be taken. Reporting to DS/IS/APD ensures that all potential unclassified security incidents can be properly investigated and adjudicated. This does not supersede any other reporting obligations, such as requirements for certain incidents involving Department systems to be reported to the information systems security officer (ISSO) in accordance with 12 FAM 623.8 and 12 FAH-10 H-242.5.
b. Unclassified security incidents may also be detected and reported in the following manner:
(1) During the normal course of their duties, ISSOs will report anomalies and other suspicious activities to the DS Cyber Incident Response Team (CIRT). DS/IS/APD coordinates daily with the DS/CIRT, collecting and analyzing their data to determine which events should be investigated as potential unclassified security incidents. When potential unclassified security incidents are identified, DS/IS/APD will contact the appropriate RSO or BSO and advise them to initiate an unclassified security investigation;
(2) When the RSO or BSO identifies a possible unclassified security incident, they must immediately notify DS/IS/APD and, when appropriate, the ISSO, to initiate an unclassified security investigation; and
(3) When the ISSO identifies a possible unclassified security incident they must immediately notify the RSO or BSO, as appropriate, and the Bureau of Information Resources Management Directorate of Cyber Operations (IRM/CO) and the CIRT. Regional computer security officers (RCSOs) may also report potential unclassified security incidents to the ISSO and/or RSO, as appropriate.
c. Incidents that are required by federal mandate to be reported to the National Cybersecurity and Communications Integration Center (US-CERT/NCCIC) are reported in accordance with 12 FAH-10 H-240.
12 FAM 594 Investigating and Processing unclassified Security Incidents
a. The RSO (abroad) or BSO (domestically), or DS/IS/APD if no BSO is assigned, herein referred to as “the investigator,” will investigate potential unclassified security incidents. The investigator may require technical assistance from the ISSO, system manager, the DS Directorate of Cyber and Technology Security (DS/CTS) or others. The investigation will attempt to determine:
(1) If a potential criminal act or instance of serious employee misconduct has occurred (in which case the matter will immediately be referred to the relevant DS Office);
(2) The validity of the incident (does it meet the definition of an unclassified security incident as defined in 12 FAM 013);
(3) The gravity of the incident;
(4) Mitigating and aggravating factors; and
(5) Identity of individual(s) suspected of the incident ("suspected individual").
b. When the investigator has collected sufficient information to conclude the investigation:
(1) The investigator will prepare a Form OF-118, Record of Incident, completing Part 1A or 1B (as applicable) in its entirety;
(2) The investigator will present the Form OF-118 to the suspected individual for execution of their portion of Part 2 – Statement of Person Suspected of Incident and their signature. At that time, the investigator will discuss the contents of the form and potential ramifications. Form OF-118 allows the suspected individual to provide any mitigating factors, such as lack of culpability, which they believe would be pertinent to the adjudication process;
(3) The suspected individual shall return the signed Form OF-118 to the investigator as soon as possible, but not later than three working days. If the suspected individual fails or refuses to sign the form within three working days, the investigator will document this fact in the security officer comments on Form OF-118 Part 3 - Comments of Unit/Post/Regional Security Officer; and
(4) The investigator will then give the Form OF-118 to the suspected individual’s immediate supervisor for review and signature within three working days.
c. After the supervisor has signed and returned the form:
(1) The investigator will complete Part 3; reporting the results of the investigation in a brief summary, indicating whether the suspected individual should be a held accountable for this incident; and
(2) The investigator will submit their investigative findings, any additional supporting documentation, and the Form OF-118 to DS/IS/APD for adjudication.
d. At a constituent post, the post security officer (PSO) may perform these duties on behalf of the RSO and forward all investigative documentation and the Form OF-118 to the responsible RSO.
e. The investigator must provide a copy of the completed Form OF-118 to the individual(s) suspected of the incident.
f. In investigations where an investigator seeks to interview an employee who is a member of a collective bargaining unit for which a union representative has exclusive representation rights, and the employee reasonably believes that the interview may result in disciplinary action against him/her, the employee may request that such representative be included in the interview and the investigating official shall comply. This right is known as the Weingarten Right. When the employee invokes the Weingarten Right, the investigating official will allow a reasonable amount of time for a union representative to attend the interview.
12 FAM 595 Evaluation of Unclassified Security Incidents
a. Once the investigator has concluded the investigation, they will provide the completed OF-118 and all related information to DS/IS/APD for adjudication.
b. DS/IS/APD evaluates and adjudicates all reported unclassified security incidents to determine:
(1) Whether the reported incident is valid;
(2) Whether the reported incident constitutes an infraction or violation;
(3) Whether the reported incident requires additional documentation or coordinating action; and
(4) Whether the individual suspected of the incident is culpable.
c. Individuals found culpable in valid unclassified security incidents will be held accountable for their actions or negligence. Supervisors found to be aware of the commission of unclassified security incidents by subordinates without taking corrective action may also be held culpable for failing to provide effective organizational security oversight.
d. When the nature of the incident or mitigating circumstances result in assigning culpability to no one individual, DS/IS/APD may still adjudicate the incident as valid without holding any specific individual culpable.
e. Upon completion of the adjudication, DS/IS/APD will notify in writing the culpable individual(s) of the adjudication results specific to them, as well as appeal options. DS/IS/APD will also notify the appropriate RSO, BSO, or principal unit security officer (PUSO), who will provide a copy of the adjudication to the individual’s supervisor.
f. In cases where a potential unclassified security incident represents an immediate and ongoing risk to Department information or information systems, DS/IS/APD may direct the immediate suspension of systems access until the matter can be fully explored and the ongoing vulnerability mitigated.
12 FAM 596 Appeals
a. An individual found culpable in a valid unclassified security incident may appeal either the validity of the incident or their culpability in the incident by submitting the appeal to the division chief, DS/IS/APD. This appeal request must be submitted in writing within 10 working days after receiving written notification of the DS/IS/APD adjudication decision. An individual may request an extension of time in which to submit an appeal, but that extension request must be submitted within the 10 working day timeframe.
NOTE: The statement provided on form OF-118 is considered pre-adjudicative and considered part of the investigation. It does not constitute an appeal even if it states an intent to appeal.
b. DS/IS/APD will forward for decision any appeal along with the complete investigative record to the director of the Office of Information Security (DS/SI/IS). The director of DS/SI/IS will provide a final decision and no further appeals are available.
12 FAM 597 Referrals for DISCIPLINARY and personnel Security Action
12 FAM 597.1 Referral for Actions Related to Infractions (U.S. Direct Hire Employees)
a. Upon adjudication of a valid unclassified security infraction(s), and affirmation of that adjudication following any appeal, DS/IS/APD will take the following actions:
(1) If the infraction is the employee’s first incident in the current five-year moving window (see 12 FAM 013 for definition), DS/IS/APD will send a letter of notification to the employee, requiring a signed reply acknowledging that the employee understands the policies contravened in the incident and the potential consequences of future security incidents, including referral to the Bureau of Global Talent Management (GTM) for appropriate disciplinary action, and the DS Office of Personnel Security and Suitability for action relating to the employee’s security clearance. The RSO or PSO abroad, or BSO, PUSO, or unit security officer (USO) domestically, must ensure the employee receives appropriate remedial security instruction;
(2) If the infraction is the employee’s second in the current five-year window, the Office of Information Security (DS/SI/IS) will send a letter to the employee that describes the actions DS and GTM will take in the event of future security incidents. This requires a signed reply from the employee indicating they understand the respective policies and consequences of future security incidents. The RSO or PSO abroad, or BSO or USO domestically, must provide the employee with an additional appropriate security briefing;
(3) If the infraction is the employee’s third (or more) incident in the current five-year window, DS/IS/APD will refer the complete security incident history of a Department Foreign Service (FS) or Civil Service (CS) employee to:
(b) The Office of Personnel Security and Suitability (DS/SI/PSS) for action relating to the employee’s security clearance.
b. DS/SI/PSS may issue a letter of notification, review the security clearance of the individual, and/or suspend or revoke the individual’s security clearance.
12 FAM 597.2 Referral for Actions Related to Violations (U.S. Direct Hire Employees)
a. Upon adjudication of any valid unclassified security violation, and affirmation of that adjudication following any appeal, DS/IS/APD will refer the complete security incident history of a Department FS or CS employee to:
(2) DS/SI/PSS for action relating to the employee’s security clearance.
b. DS/SI/PSS may issue a letter of notification, review the security clearance of the violator, suspend or revoke the violator’s security clearance.
12 FAM 597.3 Referral for Actions Related to Unclassified Security Incidents (Locally Employed Staff)
For Locally Employed Staff (LE Staff), DS/IS/APD will refer the complete security incident history to post’s HR officer for appropriate disciplinary action. This security incident history will be sent to the RSO for appropriate action regarding the security certificate. LE Staff discipline should be consistent with 3 FAM 7720, 7730, and local law.
12 FAM 597.4 Referral for Actions Related to Unclassified Security Incidents (Other Agencies’ Employees)
Security incidents involving employees of other Federal agencies or organizations or their contractors are reported, investigated, and adjudicated in the same manner as described for Department employees in 12 FAM 595. DS/IS/APD will notify the individual’s parent agency of any valid adjudication.
12 FAM 597.5 Referral for Actions Related to Unclassified Security Incidents (Personal Services and Third Party Contractors (TPCs))
a. Unclassified security incidents PSCs and TPCs are reported, investigated, and adjudicated in the same manner as described for Department employees in 12 FAM 595. DS/IS/APD will notify the Industrial Security Division (DS/IS/IND) of any valid adjudication.
b. DS/IS/IND will advise the Department’s contracting officer's representative of the nature and seriousness of the incident, and provide details of any derogatory information to the cognizant security clearance investigative authority.
12 FAM 598 ADMINISTRATIVE ACTION FRAMEWORK: Record Keeping
a. DS/IS/APD will maintain incident investigation and adjudication files and documentation on all unclassified security incidents, including records of involved individuals. Information from these files will be made available to the Director General of the Foreign Service and director of Global Talent Management (DGTM) or other appropriate Department officials with a need-to-know for deliberation of nominations or other personnel decisions. Unclassified security incident information will be included in Single-Scope Background investigation reports on candidates for Presidential appointments, and may be disseminated to others consistent with the Privacy Act and other governing law. DS/IS/APD will retain these records in accordance with Department Records Disposition Schedules and U.S. National Archives and Records Administration (NARA) requirements.
b. At posts abroad, a record of each security incident must be kept on file in accordance with the Department Records Disposition Schedules and NARA requirements, for at least 36 months. The record, which may be destroyed after 36 months, should include a copy of:
(1) Completed Form OF-118 and OF-117 (if applicable);
(2) Signed DS/IS/APD statement of understanding from culpable individual; and
(3) Any relevant supporting documentation or email correspondence.
c. An individual’s security incident history may result in the curtailment of a current assignment or denial of future assignments.
12 fam 599 criminal laws
Incidents involving potential criminal activity such as the deliberate introduction of risk or damage to Department information systems or networks or any other criminal act, or deliberate or negligent contraventions of the Privacy Act of 1974, will be immediately forwarded to the Office of Special Investigation (DS/DO/OSI) for consideration and may be subject to criminal prosecution.