www.ispcert.com the security classification system
TRANSCRIPT
www.ispcert.com
THE SECURITY CLASSIFICATION SYSTEM
www.ispcert.com
CONTENTS
• Why the Security Classification System• How is information classified• How is classified information marked• Government and contractor responsibilities• Test
www.ispcert.com
How do classified items receive their designations? Who is responsible for assigning classification levels? What recourse do security managers have after
discovering a classification error? Can anything be assigned a classification level by
anyone?
These are questions that come to the minds of many who safeguard or work with classified material. Although there is guidance to demonstrate proper control, accountability, documentation, storage, dissemination and destruction of classified material, many practitioners do not understand the fundamentals. Executive Order 13526 provides the history, disposition and future status of classified information.
CONTENTS
WHY ASSIGN CLASSIFICATION SYSTMS
“It has been estimated by some intelligence experts that Mr. Walker provided enough code-data information to alter significantly the balance of power between Russia and the United States” John Oconner, New York Times
For over 18 years John A. Walker, Jr. had sold secrets during and after his career in the Navy. Though entrusted with a security clearance and a “need-to know”, he did not demonstrate the trustworthiness of which his thorough background investigation deemed him worthy. When the opportunity revealed itself, he took advantage of his position and responsibilities to smuggle classified information to his Russian connections. During the investigation into his arrest, authorities discovered a complex spy ring consisting of family members and other recruited operatives. Walker had earned the trust and cooperation of his family to commit one of the most notorious of all cases of espionage. As a result of his crimes, he received a two life terms plus 10 year, his son received 25 years and the damage to the U.S. national security was tremendous.
www.ispcert.com
NISP is designed Safeguard classified information that has been or may be released to… “current, prospective, or former contractors, licensees, or grantees of United States agencies”. It is also designed to provide for the protection of classified material as outlined in EO 12356 and the Atomic Energy Act of 1954, as amended.
NATIONAL INDUSTRIAL SECURITY PROGRAM
www.ispcert.com
The NISPOM is the primary regulatory reference for performing industrial security
The Department of Defense consults with Secretary of Energy, the Nuclear Regulatory Commission and the Director of Central Intelligence to issue and maintain the NISPOM
It is up to the contractor and each agency work together to meet the NISPOM’s intent
NISPOM
The NISPOM provides restrictions, rules, guidelines and procedures for preventing unauthorized disclosure of classified material; it is the primary regulatory reference for performing industrial security.
www.ispcert.com
The Secretary of Energy and the Nuclear Regulatory Commission have the lead in detailing requirements for protecting classified information identified in the Atomic Energy Act of 1954
The Director of Central Intelligence will provide a section for intelligence sources and methods, to include Sensitive Compartmented Information (SCI) However, in this coordination each agency maintains its
authority
The NISPOM applies to authorized users of classified information and equips those working on classified contracts with critical instruction on how to implement the NISP in their organizations It is up to the contractor and the oversight agency to work
together to provide accurate interpretation of the guidelines to the specific classified contract requirements.
NISPOM
www.ispcert.com
All agencies apply three factors to the concept of Risk Management
1. Damage to national security2. Existing or anticipated threat to disclosure
of information. 3. Short and long term costs of the
requirements, restrictions, and other safeguards
NATIONAL INDUSTRIAL SECURITY PROGRAM
(NISPOM)
The second and third factors aren’t spelled out in the NISPOM, but are recognized as legitimate concerns to prevent the NISP from becoming a burden to industry
www.ispcert.com
The Secretary of Defense and the other identified agencies apply the concept of Risk Management while implementing the NISPOM
Astute Industrial Security managers develop risk management analysis to better interpret the risk and discover the potential impact. They will also develop solutions to reduce the risk and the predicted damage. The bottom line is to reduce the probability of unauthorized disclosure of classified information
NATIONAL INDUSTRIAL SECURITY PROGRAM
(NISPOM)
www.ispcert.com
Provides Classified National Security Information and delivers a cohesive method for designation classification
The Government has designed stringent policy to ensure thatclassified material is protected at the level necessary to prevent unauthorized disclosure.
EXECUTIVE ORDER 13526
www.ispcert.com
CONFIDENTIAL information could reasonably be expected cause damage
SECRET could reasonably be expected to cause serious damage
TOP SECRET could reasonably be expected to cause exceptionally grave damage to national security
THREE DESINGNATIONS FOR CLASSIFIED
Caution: Classified information should not be confused with the proprietary information sometimes referred to as company confidential or secret.
www.ispcert.com
Classifications are not assigned unless: An original classification authority
(OCR) is applying the classification level
The U.S. Government owns, is producing, or is controlling the information
Information meets one of eight categories
The OCR determines unauthorized disclosure could cause damage to national security to include transnational terrorism and they can identify or describe the damage.
CONDITIONS FOR CLASSIFICATION
www.ispcert.com
According to a report from the Chairman of the House National Security Subcommittee, 10% of secrets should have never been classified and that nearly 90% of classified information has been over-classified
A Defense Security Services report stated in 2003 nearly $6.5 billion was spent to classify information
To prevent such abuse, the Executive Order provides guidance to train and prevent classification authorities from arbitrarily assigned a classification level
CONDITIONS FOR CLASSIFICATION
www.ispcert.com
1. Military plans, weapons systems or operations The U.S. armed forces not only safeguards, but provides instructions
for protecting the specifics of their weapons and plans. If these strategies and operations were released to the wrong hands, the information would damage national security and adversely affect our ability to defend ourselves.
2. Foreign government information This knowledge includes what the U.S. Government may already know
about other governments. This gives the U.S. the advantage of knowing information that another country thinks is protected.
WHAT ARE THE EIGHT CATEGORIES
www.ispcert.com
3. Intelligence activities, sources, or methods or cryptology One can imagine what damage could take place if any intelligence
gathering sources, methods or activities were compromised. The suspecting adversary could become aware of the threat and cease their activity or design countermeasures designed to thwart future efforts.
WHAT ARE THE EIGHT CATEGORIES
www.ispcert.com
4. Foreign relations or activities of the United States including confidential sources
This information is specified U.S. foreign policy activities and sources friendly to U.S. efforts and U.S. organizations. Such is protected to ensure the safety of the relations and success of the activities. Compromise of any of the sources could cause damage to National Security as they are denied further access.
5. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
Unauthorized access to national security-related U.S. scientific, technological, and economic data could compromise plans, production, and strategies and leave certain vulnerabilities.
WHAT ARE THE EIGHT CATEGORIES
www.ispcert.com
6. U.S. programs for safeguarding nuclear materials or facilities For nuclear activities, the Department of Energy and the Nuclear
Regulation Commission provide specific guidance to ensure the best protection. Vulnerabilities and strengths are assessed to ensure the best possible measures are in place to protect these items. Plans, strategies and programs are only effective if enforced AND access is limited.
WHAT ARE THE EIGHT CATEGORIES
www.ispcert.com
7. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
Security managers assess strengths and to ensure the best possible measures are in place to protect these items. Plans, strategies and programs are only effective if enforced AND access is limited. An adversary could use the programs to gain advantages, steal, damage or destroy systems, installations, infrastructures, projects, plans or protection services.
8. Weapons of Mass Destruction Information fitting this category is classified to
prevent unauthorized disclosure. Such unauthorized disclosure could make the U.S. vulnerable to adversaries to include transnational terrorists.
WHAT ARE THE EIGHT CATEGORIES
www.ispcert.com
Classified material should always display proper markings at all times
The classified information will have markings displayed in a specific manner based on the type of media (compact disk, cassette, book, map and etc.)
Furthermore, the classification should identify which pages, paragraphs and portions are classified and unclassified.
CLASSIFICATION MARKINGS
www.ispcert.com
EXAMPLES OF DOCUMENT MARKINGS
Overall Page Markings
Portion Marking
Classification Information
Notice that the document has a top and bottom marking at the highest level of classification on the page and appropriate levels of classification for the information in the paragraph.
www.ispcert.com
Limits to classificationA classification cannot be assigned to hide legal
violations, inefficiencies or mistakes
Nor can the classification authorities assigned to prevent embarrassment, prevent or restrict competition or delay the release of information that hasn’t previously required such a level of protection
LET’S CLASSIFY IT ALL JUST TO BE SURE
Users of Classified material have an obligation to challenge classification that violate any of the above
www.ispcert.com
Holders of classified information may discover that the classification level may be inappropriate or unnecessary. These holders have a duty to report their beliefs.
Such reports are to be handled with the agency authorities and reviewed for a decision.
The agency heads or senior officials also need to ensure there is no retribution for the report as well as notifying the individuals that they have a right to appeal the agency decisions to the Interagency Security Classification Appeals Panel.
CAN’T WE JUST CLASSIFY IT ALL JUST TO BE SURE
Users of Classified material have an obligation to challenge classification that violate any of the above
www.ispcert.com
Anyone desiring access to classified information must possess a security clearance and have “need to know”
Security clearances are issued after a favorable investigation and a determination is made.
CLEARANCE AND “NEED TO KNOW”
www.ispcert.com
Classified users are trained in proper safeguarding and sanctions imposed on those who fail to protect it from unauthorized disclosure
Each originating agency must provide instructions on the proper protection, use, storage, transmission and destruction of the information
WE ARE PROVIDED INSTRUCIONS OF USE
www.ispcert.com
DON’T BEGIN CLASSIFIED WORK WITHOUT DDFORM254-Provides instructions
on how, when and where to perform on a classified contract
SECURITY CLASSIFICATION GUIDE-Designed to notify what is classified and to what level. A security classification guide is assigned to each classified project.
WE ARE PROVIDED INSTRUCIONS OF USE
The NISP is created to protect classified information Three factors are considered before implementing the
NISPOM: level of damage to national security existing or anticipate threat to disclosure long and short term costs
Presidential Executive Order 13526 delivers a cohesive method for designation classification, protecting and declassifying national security information
Classified material should always be marked with the correct level
SUMMARY
www.ispcert.com
• O’Connor, John, “TV View; American Spies In Pursuit Of The American Dream”, New York Times, NY, 1990 http://query.nytimes.com/gst/fullpage.html?res=9C0CE6DA133BF937A35751C0A966958260, Feb 4, 2008
• The President, Executive Order 12829—National Industrial Security Program (Federal Register, Jan 1993) pg. 3-2.
• The President, Executive Order 13292, Further Amendment to Executive Order 13526, As Amended, Classified National Security Information—National Industrial Security Program (Federal Register, Mar 2003) Sec. 1-2
• “Too Many Secrets: Overclassification As A Barrier To Critical Information Sharing”, (Hearing Before The Subcommittee On National Security, Emerging Threats And International Relations Of The Committee On Government Reform House Of Representatives One Hundred Eighth Congress Second Session August 24, 2004) Serial No. 108-263, Available Via The World Wide Web: Http://www.Gpo.Gov/Congress/House and Http://www.House.Gov/Reform.“Secrecy Report Card, Quantitative Indicators in Secrecy of the Federal Government”, (http://www.openthegovernment.org/otg/SRC2006.pdf, August 2004) .
REFERENCES
www.ispcert.com
• Click on the correct answers
TEST
1. All of the following are classifications except:A. TOP SECRET B. CONFIDENTIALC. SECRETD. FOR OFFICIAL USE ONLY
2. All of the following are conditions to be met before classifying an item except
A. Original Classification Authority is involved
B. U.S. Government owns it
C. Information could cause damage to national security
D. Information could cause embarrassment to the President
3. Anyone with a SECRET clearance can access classified at the CONFIDENTIAL level
A. True
B. False
4. All must be considered before the Government implements NISPOM except
A. Cost of implementation
B. Threat to disclosure
C. Damage to National Security
D. Buy-in by contractors
TEST-SELECT THE CORRECT ANSWER
www.ispcert.com
5. Which of the following is described as possible damage for unauthorized disclosure of SECRET
A. Causes extremely serious damageB. Causes damageC. Causes extremely grave damageD. Causes serious damage
6. Presidential Executive Order 13526 implemented the National Industrial Security Program
A. True
B. False
TEST-SELECT THE CORRECT ANSWER
www.ispcert.com
CERTIFICATE