Presentation on theme: "Department of the Navy Information Security Program"— Presentation transcript:
1 Department of the Navy Information Security Program SECNAV M

2 Purpose
- Establishes policy and procedures for handling and destroying classified information.
- Provides guidance on security education and industrial security programs.

3 Applicability
Applies to all:
- uniformed sailors
- DON civilian personnel
Military personnel are subject to sanctions under the UCMJ and/or Federal sanctions, and civilians are subject to Federal statutes, in the event of mishandling of classified material.

4 Authorities
- The President of the United States
- National Security Council (NSC)
- Information Security Oversight Office (ISOO)
- Central Intelligence
- FBI
The President bears all executive decisions based on national security.
NSC provides policy guidance on security matters.
The Director of the ISOO issues directives for issuing classification and markings of classified information.
The Director of the Central Intelligence Office issues directives or statements affecting policies and activities.
The FBI is the government internal security agency.

5 Types of classified information
- Communications Security (COMSEC) Information
- Sensitive Compartmented Information (SCI)
- Special Access Programs (SAPs)
- Single Integrated Operational Plan (SIOP) and Single Integrated Operational Plan-Extremely Sensitive Information (SIOP-ESI)
- Naval Nuclear Propulsion Information (NNPI)
- Restricted Data (RD) and Formerly Restricted Data (FRD)
- Critical Nuclear Weapons Design Information (CNWDI)
- Foreign Government Information (FGI)
- North Atlantic Treaty Organization (NATO) Information

6 Types of unclassified information
- For Official Use Only (FOUO)
- Department of State (DOS) Sensitive But Unclassified (SBU) (formerly Limited Official Use (LOU)) information
- DoD and DOE Unclassified Controlled Nuclear Information (UCNI)
- Drug Enforcement Administration (DEA) Sensitive Information
- Unclassified information in technical documents requiring distribution statements
- National Geospatial Intelligence Agency Limited Distribution Information

7 Command Security Responsibility and Authority
- Standards
- Risk Management
- Delegation
The commanding officer is responsible for the effective management of the ISP within the command. Commanding officers shall ensure that personnel in their commands receive the security education necessary to ensure proper execution of their security responsibilities.
The commanding officer may impose more stringent requirements within the command or upon subordinates if the situation warrants. The commanding officer shall not, however, unilaterally establish requirements that impact on other commands or cleared DoD contractors, or that contradict this policy manual.
Each commanding officer shall apply risk management principles to determine how best to attain the required levels of protection based on the situation at the command.
The commanding officer shall designate, in writing, certain security personnel directly involved in program implementation.
The commanding officer shall designate, in writing, a command security manager. The security manager is responsible for implementing the ISP and shall have direct access to the commanding officer.
The command security manager may be assigned full-time, part-time or as a collateral duty and must be an officer or a civilian employee, GS-11 or above, with sufficient authority and staff to manage the program for the command. The security manager must be a U.S. citizen and have been the subject of a favorably adjudicated Single Scope Background Investigation (SSBI) completed within five years prior to assignment.

8 COMMAND SECURITY INSTRUCTION
- PART ONE: EMERGENCY PLAN
- PART TWO: EMERGENCY DESTRUCTION SUPPLEMENT
Part One: Commanding officers shall develop an emergency plan for the protection of classified information in case of a natural disaster or civil disturbance. This plan may be prepared in conjunction with the command's disaster preparedness plan.
Part Two: Commands located outside the U.S. and its territories, and units that are deployable, require an emergency destruction supplement for their emergency plans.

9 Classification levels
- Top Secret
- Secret
- Confidential
Top Secret is the classification level applied to information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to the national security.
Secret is the classification level applied to information whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security.
Confidential is the classification level applied to information whose unauthorized disclosure could reasonably be expected to cause damage to the national security.
"For Official Use Only" (FOUO) or "Secret Sensitive" (SS) shall not be used for the identification of U.S. classified national security information.

10 Control Measures
- Top Secret
- Secret
- Confidential
All Top Secret information (including copies) originated or received by a command shall be continuously accounted for, individually serialized, and entered into a command Top Secret register or log.
Top Secret information shall be physically sighted or accounted for at least annually, and more frequently as circumstances warrant.
Commanding officers shall establish administrative procedures for the control of Secret information appropriate to their local environment, based on an assessment of the threat, the location, and mission of their command.
Commanding officers shall establish administrative procedures for the control of Confidential information appropriate to their local environment, based on an assessment of the threat, location, and mission of their command.
Commanding officers shall establish procedures to control and mark all Secret and Confidential working papers in the manner prescribed for a finished document when retained more than 180 days from the date of creation or officially released outside the organization by the originator. A document transmitted over a classified IT system is considered a finished document.

11 Dissemination
- Third party rule
- Emergency situations
- Top Secret information
- Secret information
- Confidential information
Classified information originated in a non-DoD department or agency shall not be disseminated outside the DoD without the consent of the originator except where specifically permitted (also known as the "third agency rule").
In emergency situations, in which there is an imminent threat to life or in defense of the homeland, the Secretary of the Navy or a designee may authorize the disclosure of classified information to an individual or individuals who are otherwise not routinely eligible for access.
- Limit the amount of classified information disclosed to the absolute minimum to achieve the purpose;
- Limit the number of individuals who receive it;
- Transmit the classified information via approved Federal Government channels by the most secure and expeditious method or other means deemed necessary when time is of the essence;
- Provide instructions about what specific information is classified, how it should be safeguarded; physical custody of classified information must remain with an authorized Federal Government entity, in all but the most extraordinary circumstances;
- Provide appropriate briefings to the recipients on their responsibilities not to disclose the information and obtain a signed nondisclosure agreement; and
- Within 72 hours of the disclosure of classified information, or the earliest opportunity that the emergency permits, but no later than 30 days after the release, the disclosing authority must notify the originating agency.
Top Secret information originated within the DoD shall not be disseminated outside the DoD without the consent of the originator or higher authority.
Unless specifically prohibited by the originator, Secret and Confidential information originated within the DoD may be disseminated to other DoD components and agencies within the executive branch of the U.S. Government.

12 Transmission
- Top Secret
- Secret
- Confidential
Commanding officers shall ensure that only appropriately cleared personnel or authorized carriers transmit, transport, escort, or hand carry classified information. The means selected should minimize the risk of a loss or compromise while permitting the use of the most cost-effective mode of conveyance.
All international transfers of classified information shall be via government-to-government channels.
Transmit or transport U.S. Top Secret material only by:
1. Direct contact between appropriately cleared U.S. personnel;
2. The Defense Courier Service (DCS), if the material qualifies under the provisions of reference (a);
3. The Department of State (DOS) Diplomatic Courier Service;
4. Communications protected by a cryptographic system authorized by the Director, NSA, or a protected distribution system designed and installed to meet the requirements of reference (b). This applies to voice, data, message, and facsimile transmissions;
5. Appropriately cleared U.S. military or Government civilian personnel specifically designated to escort or hand carry the material, traveling on a private, public or Government owned, controlled, or chartered conveyance, or DoD contractor employee traveling by surface transportation;
6. Appropriately cleared U.S. military or Government civilian personnel, specifically designated to escort or hand carry classified information, traveling on scheduled commercial passenger aircraft within and between the U.S., its territories, and Canada;
7. Appropriately cleared U.S. military and Government civilian personnel, specifically designated to escort or hand carry classified information, traveling on scheduled U.S. owned commercial passenger aircraft on flights outside the U.S., its territories, and Canada per paragraph 9-12; and
8. Appropriately cleared and designated DoD contractor employees within and between the U.S., its territories, and Canada per reference (c).
Secret Material
1. Any means approved for Top Secret information, except that Secret information may be introduced into the DCS only when U.S. control cannot otherwise be maintained. This restriction does not apply to COMSEC and SCI, per paragraph 9-5;
2. U.S. Postal Service (USPS) registered mail within and between the U.S. and its territories;
3. USPS registered mail addressed to U.S. Government agencies through U.S. Army, Navy, Marine Corps, or Air Force Postal Service facilities outside the U.S. and its territories;
Confidential information:
Transmit or transport U.S. Confidential information only by:
1. Any means approved for Secret information;
2. USPS registered mail to and from APO or FPO addressees located outside the U.S. and its territories, and when the originator is uncertain that the addressee's location is within U.S. boundaries;
3. USPS certified mail for information addressed to a cleared DoD contractor facility or non-DoD agencies;

13 Storage and destruction
- In a GSA-approved security container
- In a vault, modular vault or secure room constructed per exhibit 10A, equipped with an IDS and a personnel response to the alarm within 15 minutes of the alarm annunciation if the area is covered by Security-in-Depth, or a 5-minute alarm response if it is not.
- Until 1 October 2012, in a non-GSA-approved container having a built-in combination lock.
Commanding officers shall ensure that all classified information is stored in a manner that will deter or detect access by unauthorized persons.
Weapons or pilferable items, such as money, jewels, precious metals, or narcotics shall not be stored in the same security containers used to store classified information.
There shall be no external markings revealing the classification level of information being stored in a specific security container, vault, or secure room.
Report to the Chief of Naval Operations (CNO (N3AT)), via CNO (N09N2), any weakness, deficiency, or vulnerability in any equipment used to safeguard classified information.

14 Loss/compromise of classified information
A loss of classified information occurs when it cannot be accounted for or physically located.
A compromise is the unauthorized disclosure of classified information to a person(s) who does not have a valid security clearance, authorized access or need-to-know.
A possible compromise occurs when classified information is not properly controlled.
When a loss or compromise of classified information occurs, the cognizant commanding officer or security manager shall immediately initiate a Preliminary Inquiry (PI).
The Security Manager shall be responsible for overseeing the PI.
An individual who becomes aware that classified information is lost or compromised shall immediately notify their security manager or commanding officer of the incident, as well as their supervisory chain of command.