UNCLASSIFIED (U)

12 FAM 600 
Information Security Technology

12 FAM 610 

Cyber Security Roles and Responsibilities

(CT:DS-252;   02-03-2016)
(Office of Origin:  DS/SI/CS)

12 FAM 611  Purpose and Scope

12 FAM 611.1  Purpose

(CT:DS-250;   01-13-2016)

This subchapter identifies specific cyber security roles and responsibilities as they relate to 1 FAM and the implementation of 12 FAM 600 policies and procedures.

12 FAM 611.2  Scope

(CT:DS-250;   01-13-2016)

This subchapter applies to all entities that manage, administer, support, protect, or access Department information and information systems that process strictly unclassified, Sensitive But Unclassified (SBU), and classified (up to Top Secret collateral) information.

12 FAM 612  Authorities

(CT:DS-250;   01-13-2016)

The following authorities apply (public laws are as amended):

a. Intelligence Reform and Terrorism Prevention Act of 2004, P.L. 108–458

b. Federal Information Security Management Acts of 2002 (Title III of P.L. 107-347) and 2014 (P.L. 113-283) (FISMA)

c.  Counterintelligence Enhancement Act of 2002, Title IX of P.L. 107-306

d. Privacy Act of 1974, 5 U.S.C. 552a(e)(10)

e. Federal Manager's Financial Integrity Act, 31 U.S.C. 1352

f.  Homeland Security Act of 2002, P.L. 107-296

g. Paperwork Reduction Act, 44 U.S.C. Chapter 35

h. Counterintelligence and Security Enhancements Act of 1994, Title VIII of P.L. 103-359

i.  Computer Fraud and Abuse Act of 1986, P.L. 99-474

j.  Omnibus Diplomatic Security and Antiterrorism Act of 1986, P.L. 99-399

k. Inspector General Act of 1978, 5 U.S.C. Appendix

l.  National Security Act of 1947, P.L. 80-253

m. Executive Order (E.O.) 13556, Controlled Unclassified Information, November 2010

n. E.O. 13636, Improving Critical Infrastructure Cyber Security, February 12, 2013

o. E.O. 13526, Classified National Security Information, December 29, 2009

p. E.O. 13467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information, June 30, 2008

q. E.O. 12829, National Industrial Security Program, January 6, 1993

r.  Homeland Security Presidential Directive No. 12, Policies for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004

s.  Presidential Policy Directive No. 21 (PPD-21), Critical Infrastructure Security and Resilience, February 12, 2013

t.  Office of Management and Budget Circular A-130 (OMB A-130)

u. Office of Management and Budget Circular A-123 (OMB A-123)

v. 12 FAH-6 H-540, Automated Information Systems (AISs) (Technical Threat Category) (All Threat Levels)

w. Delegation of Authority 247-1, dated August 14, 2004, Delegation of FISMA Authorities from the Secretary of State to the Chief Information Officer

x. Other authorities, as appropriate

12 FAM 613  Cyber Security Roles

(CT:DS-250;   01-13-2016)

Training requirements for some of the roles listed in this section can be found on the Office of Training and Performance Standards (DS/T/TPS) website.

12 FAM 613.1  System Owner

(CT:DS-250;   01-13-2016)

The system owner is responsible for the confidentiality, integrity, and availability of the information system(s) under their purview.

12 FAM 613.2  Information Owner

(CT:DS-250;   01-13-2016)

Information owners have statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

12 FAM 613.3  System Administrator

(CT:DS-250;   01-13-2016)

System administrators and other information systems support roles that have elevated system privileges (e.g., network administrator, database administrator, programmer) are responsible for complying with and implementing all appropriate 12 FAM 600 cyber security policies and procedures to ensure both the security of the systems they support and the integrity of the privileged role in which they serve.

12 FAM 613.4  Information System Security Officer

(CT:DS-250;   01-13-2016)

Information Systems Security Officers (ISSOs) are responsible for implementing 12 FAM 600 policies and procedures on assigned information systems.  There are different types of ISSOs, including Domestic ISSOs and Application ISSOs.  See the ISSO website for additional information.

12 FAM 613.5  Information Management Officer

(CT:DS-250;   01-13-2016)

The information management officer (IMO) is responsible for overall information system management, to include cyber security, for Department systems at all post(s) under their purview.

12 FAM 613.6  Regional Cyber Security Officers (RCSOs)

(CT:DS-252;   02-03-2016)

Regional cyber security officers (RCSOs) are Foreign Service security engineering officers (SEOs) assigned overseas who serve as Diplomatic Security representatives on all matters of computer security.  They conduct assessments of networks; provide advice and guidance to ISSOs, system owners, and system administrators; assist with regional security officer (RSO) cyber investigations; and facilitate the implementation of Department computer security policies.  See the RCSO website for additional information.

12 FAM 613.7  Regional and Post Security Officers

(CT:DS-250;   01-13-2016)

The regional or post security officer (RSO or PSO) is responsible for security, including cyber security, related to personnel and physical security at post.  This includes ensuring that appropriate personnel are in place and physical security measures are implemented (see 12 FAM 420 for more information).

12 FAM 613.8  Supervisor

(CT:DS-250;   01-13-2016)

Supervisors are responsible for authorizing system access and authorization levels for subordinate users based on business requirements.

12 FAM 613.9  User

(CT:DS-250;   01-13-2016)

Department computer users must abide by all Department cyber security policies and procedures.

12 FAM 614  Organizational Responsibilities

(CT:DS-250;   01-13-2016)

The chief information officer (CIO), along with the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS), has primary responsibility for implementing 12 FAM 600 policies and procedures.  Responsibilities and policies of IRM are located, among other places, in Volume 5 of the FAM and FAH, and in 12 FAM 614.2.

12 FAM 614.1  Bureau of Diplomatic Security (DS)

12 FAM 614.1-1  Senior Coordinator for Security Infrastructure (DS/SI)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.7 for DS/SI responsibilities.  These include providing management oversight and support for:  the Office of Cybersecurity (DS/SI/CS); the Office of Information Security (DS/SI/IS); and the Office of Personnel Security and Suitability (DS/SI/PSS).  See the DS/SI website for additional information.

12 FAM 614.1-1(A)  Office of Cybersecurity (DS/SI/CS)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.7-2 for DS/SI/CS responsibilities.  These include implementing 12 FAM 600 policies and procedures in the areas of:  Cyber Threat Analysis; Engineering Security Services; Monitoring and Incident Response; and Cyber Security Policy and Awareness.  See the DS/SI/CS website for additional information.

12 FAM 614.1-1(B)  Office of Information Security (DS/SI/IS)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.7-1 for DS/SI/IS responsibilities.  These include implementing 12 FAM 600 policies and procedures in the areas of:  National Industrial Security; and the Cyber Security Incident Program (CSIP).  See the DS/SI/IS website for additional information.

12 FAM 614.1-1(C)  Office of Personnel Security and Suitability (DS/SI/PSS)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.7-3 for DS/SI/PSS responsibilities.  These include implementing 12 FAM 600 policies and procedures in the area of personnel security and suitability.  See the DS/SI/PSS website for additional information.

12 FAM 614.1-2  Deputy Assistant Secretary and Assistant Director for Countermeasures (DS/C)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.1 for DS/C responsibilities.  These include assisting in the implementation of the Department’s Cyber Security Program and providing management oversight and support for:  the Office of Security Technology (DS/C/ST) and the Office of Physical Security Programs (DS/C/PSP).  See the DS/C website for additional information.

12 FAM 614.1-2(A)  Office of Security Technology (DS/C/ST)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.1-2 for DS/C/ST responsibilities.  These include implementing 12 FAM 600 policies and procedures in the areas of:  technical surveillance countermeasures and TEMPEST.  See the DS/C/ST website for additional information.

12 FAM 614.1-2(B)  Office of Physical Security Programs (DS/C/PSP)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.1-1 for DS/C/PSP responsibilities.  These include implementing 12 FAM 600 policies and procedures in the area of worldwide physical security standards.  See the DS/C/PSP website for additional information.

12 FAM 614.1-3  Deputy Assistant Secretary and Assistant Director for Training (DS/T)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.5 for DS/T responsibilities.  These include assisting in the implementation of the Department’s role-based cybersecurity program and providing management oversight and support for DS/T/TPS.  See the DS/T website for additional information.

12 FAM 614.1-4  Office of Training and Performance Standards (DS/T/TPS)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.5-2 for DS/T/TPS responsibilities.  These include implementing 12 FAM 600 policies and procedures in the area of role-based cybersecurity training.  See the DS/T/TPS website for additional information.

12 FAM 614.1-5  Deputy Assistant Secretary and Assistant Director for Domestic Operations (DS/DO)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.4 for DS/DO responsibilities.  These include providing management oversight and support for the Office of Investigations and Counterintelligence (DS/DO/ICI).  See the DS/DO website for additional information.

12 FAM 614.1-6  Office of Investigations and Counterintelligence (DS/DO/ICI)

(CT:DS-250;   01-13-2016)

See 1 FAM 262.4-1 for DS/DO/ICI responsibilities.  These include implementing 12 FAM 600 policies and procedures in the area of criminal investigations.  See the DS/DO/ICI website for additional information.

12 FAM 614.2  Bureau of Information Resource Management (IRM)

12 FAM 614.2-1  Chief Information Officer (CIO)

(CT:DS-250;   01-13-2016)

See FISMA, Delegation of Authority 247-1, and 1 FAM 271 for the CIO responsibilities.  The CIO has primary responsibility for all information technology matters, including cybersecurity, within the Department.  Organizationally, the CIO provides management oversight and support for:  the Office of Information Assurance/Chief Information Security Officer (CISO IRM/IA) and the Deputy Chief Information Officer for Operations/Chief Technology Officer (DCIO IRM/OPS).  See the CIO website for additional information.

12 FAM 614.2-2  Office of Information Assurance/Chief Information Security Officer (CISO IRM/IA)

(CT:DS-250;   01-13-2016)

See 1 FAM 272 for CISO IRM/IA responsibilities.  These include implementing 12 FAM 600 policies and procedures in the areas of:  Certification & Accreditation; FISMA compliance; and the Information System Security Officer (ISSO) Program, which provides guidance and direction to ISSOs.  See the CISO IRM/IA website for additional information.

12 FAM 614.2-3  Deputy Chief Information Officer for Operations/Chief Technology Officer (DCIO IRM/OPS)

(CT:DS-250;   01-13-2016)

See 1 FAM 275 for DCIO IRM/OPS responsibilities.  These include implementing 12 FAM 600 policies and procedures in the area of information resources management operations.  See the DCIO IRM/OPS website for additional information.

12 FAM 615  THROUGH 619 UNASSIGNED
