Derivative Classification Markings - NCMS

DERIVATIVE CLASSIFICATION
TRAINING/IMPLEMENTATION AND
OVERVIEW OF EXECUTIVE ORDERS
IMPACTING THE NISP
Greg Pannoni, Associate Director, Operations and Industrial Security
Information Security Oversight Office
National Archives and Records Administration
Overview
• ISOO Goals and Functions
• National Industrial Security Program (NISP) (E.O. 12829)
• NISP Policy Advisory Committee and its Working Groups
• Classified National Security Information (E.O. 13526)
− Derivative Classification Training and Implementation
• Structural Reforms to Improve the Security of Classified Networks
and the Responsible Sharing and Safeguarding of Classified
Information (E.O. 13587)
• Classified National Security Information Program for State, Local,
Tribal, Private Sector Entities (SLTPS) (E.O. 13549)
• Controlled Unclassified Information (CUI) (E.O. 13556)
What are ISOO’s Goals?
• Ensure Safeguarding of Classified National Security Information in a
Cost-Effective & Efficient Manner
• Eliminate Redundant, Overlapping, or Unnecessary Requirements that
Impede National Security Interests
• Ensure Government / Industry Partnership in the Protection of
Classified Information
• Hold Classification Activity to the Minimum Necessary to Protect
National Security
• Promote Declassification & Public Access to Information as Soon as
National Security Considerations Permit
How does ISOO Function?
• Develops, coordinates and issues implementing directives and
instructions regarding Executive Orders 13526, 12829, and 13556
that are binding on executive branch agencies.
• Provides oversight and maintains continuous liaison with agencies on
all matters relating to the Government-wide security classification
program and the NISP.
• Annually reports relevant data regarding each agency's security
classification programs, to include costs, to the President.
• Recommends policy changes to the President through the National
Security Advisor.
NISP POLICY RELATIONSHIPS
• E.O. 13526 – Classified National Security Information
• E.O. 12829 – National Industrial Security Program
• E.O. 13549 – Classified National Security Information Program for State, Local, Tribal, & Private Sector Entities
• E.O. 13587 – Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing of Classified Information
NISP Policy Advisory Committee (NISPPAC)
• Membership
 Director ISOO – Chairman
 Representatives of Government agencies (15 members)
 Nongovernmental (Industry) representatives (8 members)
• Functions – Advise the Chairman:
 On all matters concerning the policies of the NISP
 Serves as a forum to discuss policy issues in dispute
• Authority
 Executive Order No. 12829, National Industrial Security Program
 Subject to Federal Advisory Committee Act (FACA), The
Freedom of Information Act (FOIA), and The Government in the
Sunshine Act
NISPPAC Government Representatives
Member – Agency
• John P. Fitzpatrick, Chair – Information Security Oversight Office
• Mary Rose McCaffrey – Central Intelligence Agency
• Drew Winneberger – Defense Security Service
• Deborah Scholz – Department of the Air Force
• Patricia Stokes – Department of the Army
• Eric Dorsey – Department of Commerce
• Timothy Davis – Department of Defense
• Richard Donovan – Department of Energy
• Christal Fulton – Department of Homeland Security
• Anna Harrison – Department of Justice
• Stephen Long – Department of the Navy
• Kimberly Baugher – Department of State
• Peter Ambrose – National Aeronautics and Space Administration
• Dennis Hanratty – National Security Agency
• Darlene Fenton – Nuclear Regulatory Commission
• Richard Hohman – Office of the Director of National Intelligence
NISPPAC Industry Members
Member – Company
• Scott Conway* – Northrop Grumman
• Marshall Sanders* – Cloud Security Strategies
• Frederick Riccardi – ManTech
• Shawn Daley – MIT Lincoln Laboratory
• Rosalind Baybutt – Pamir Consulting LLC
• Mike Witt – Ball Aerospace
• Rick Graham – Huntington Ingalls
• Steve Kipp – L3 Corporation
* Term Ends 1 October 2012
NISPPAC Working Groups
NISPPAC working groups are established to review issues and
prepare recommendations for formal NISPPAC decisions.
• Permanent
 Certification and Accreditation Working Group
 Personnel Security Clearance Working Group
• Ad-Hoc
 NISPOM Rewrite Working Group
 Threat Information Working Group
 Small and Middle-Sized Company Issues Working Group
 Special Access Program Working Group
 Foreign Ownership, Control and Influence (FOCI) Working Group
Derivative Classification
Guidance found in:
● Executive Order 13526, “Classified National Security Information”
December 29, 2009
● 32 C.F.R. Part 2001, “Classified National Security Information” June
25, 2010
● “Marking Classified National Security Information” January 2012
Derivative Classification
Derivative Classification is:
The incorporating, paraphrasing, restating, or generating in new
form information that is already classified, and marking the newly
developed material consistent with the classification markings that
apply to the source information.
Includes the classification of information based on classification
guidance.
It is not the duplication or reproduction of existing classified
information.
Training
Persons who apply derivative classification markings shall receive training in
the proper application of the derivative classification principles of the Order,
with an emphasis on avoiding over-classification, at least once every 2 years.
Derivative classifiers who do not receive such training at least once every two
years shall have their authority to apply derivative classification markings
suspended until they have received such training.
A waiver may be granted by the agency head, the deputy agency head, or the
senior agency official if an individual is unable to receive such training due to
unavoidable circumstances.
Whenever a waiver is granted, the individual shall receive such training as soon
as practicable.
Minimum Derivative Classification Training Coverage
• Observe and respect original classification decisions
• Classification levels
• Duration of classification
• Identification and Markings (carry forward to newly created
documents the pertinent classification markings)
• Classification prohibitions and limitations
• Sanctions
• Classification challenges
• Security Classification Guides
• Information Sharing
**EMPHASIS ON AVOIDING OVER-CLASSIFICATION**
Classification Standards
Information may be originally classified if:
• An Original Classification Authority (OCA) is classifying the
information;
• The information is owned by, produced by or for, or is under
the control of the United States Government;
• The information falls within one or more of the classification
categories; and
• The OCA determines that the unauthorized disclosure of the
information reasonably could be expected to result in damage
to national security, to include defense against transnational
terrorism, and the OCA is able to identify or describe the
damage.
Classification Levels
• Top Secret - information whose unauthorized disclosure could
reasonably be expected to cause exceptionally grave damage to
the national security.
• Secret - information whose unauthorized disclosure could
reasonably be expected to cause serious damage to the national
security.
• Confidential - information whose unauthorized disclosure could
reasonably be expected to cause damage to the national security.
Prohibitions and Limitations
• In no case shall information be classified, continue to be maintained
as classified, or fail to be declassified in order to:
• Conceal violations of law, inefficiency, or administrative error;
• Prevent embarrassment to a person, organization, or agency;
• Restrain competition; or
• Prevent or delay the release of information that does not require
protection in the interest of national security.
• Basic scientific research information not clearly related to the
national security shall not be classified.
Sanctions
• U.S. Government employees, and its contractors, shall be subject
to appropriate sanctions if they knowingly, willfully, or negligently:
- disclose to unauthorized persons information properly classified
under the Order;
- classify or continue the classification of information in violation of
the order or any implementing directive;
- create or continue a special access program contrary to the
requirements of the Order; or
- contravene any other provision of the Order or its implementing
directive.
Classification Challenges
• Authorized holders of information, including authorized holders
outside the classifying agency, are encouraged and expected to
challenge the classification of information they believe is improperly
classified.
• Agencies must ensure individuals are not subject to retribution.
• Informal versus Formal Challenges
- Review by an impartial official or panel
- System for processing, tracking and recording formal challenges
- Written response within 60 days (an affirmative response must
identify or describe the damage); 90-day non-response / 120-day response
- Right to appeal agency decisions to the Interagency Security
Classification Appeals Panel (120 days)
Use of a Classified Addendum
Derivative classifiers shall, whenever practicable, use a
classified addendum whenever classified information
constitutes a small portion of an otherwise unclassified
document or prepare a product to allow for dissemination
at the lowest level of classification possible or in
unclassified form.
Security Classification Guides
(a) Agencies with original classification authority shall prepare
classification guides to facilitate the proper and uniform derivative
classification of information. These guides shall conform to standards
contained in directives issued under E.O. 13526.
(b) Each guide shall be approved personally and in writing by an
official who:
(1) Has program or supervisory responsibility over the information
or is the senior agency official; and
(2) Is authorized to classify information originally at the highest
level of classification prescribed in the guide.
(c) Agencies shall establish procedures to ensure that classification
guides are reviewed and updated as provided in directives issued under
E.O. 13526.
Security Classification Guides (cont’d)
(f) Makes clear that classification guides are not to be used to classify
information for more than 25 years except for confidential human
source, human intelligence source, or weapons of mass destruction
information.
The duration of classification of a document classified by a derivative
classifier using a classification guide shall not exceed 25 years from the
date of the document, except for:
(1) Information that should clearly and demonstrably be
expected to reveal the identity of a confidential human
source or a human intelligence source or key design concepts
of weapons of mass destruction; and
(2) Specific information incorporated into classification
guides in accordance with section 2.2(e) of E.O. 13526.
Classification by Compilation
A determination that information is classified through the
compilation of unclassified information is a derivative classification
action based upon existing original classification guidance. If the
compilation of unclassified information reveals a new aspect of
information that meets the standards for classification, it shall be
referred to an original classification authority with jurisdiction over
the information to make an original classification decision.
Derivative Classification Markings
Overall classification marking: indicates the highest level of classification of any one portion of the document.
Example document:
SECRET
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information from Paragraph 2 in the source document and is therefore marked (S).
2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.
SECRET
Derivative Classification Markings
Classification authority block:
Classified By: Identity of derivative classifier by name and position or by personal identifier.
Derived From: Source information
Declassify On: Declassification instructions
Example document:
SECRET
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information from Paragraph 2 in the source document and is therefore marked (S).
2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.
Classified By: Stan Smith, Program Analyst
Derived From: Miscellaneous SCG, Dated January 5, 2009
Declassify On: 20300715
SECRET
Derivative Classification Markings
Source information (Derived From): Concisely identify the source document or
the classification guide on the “Derived From” line, including the agency, and
where available, the office of origin, and the date of the source or guide.
● When using multiple source documents, the “Derived From” line shall appear as:
 Derived From: Multiple Sources
● The derivative classifier shall include a listing of the source materials on, or
attached to, each derivatively classified document. Example:
 (U) Sources:
 1. (U) Dept of Good Works Memorandum dated June 27, 2010, Subj: Examples
 2. (U) Dept of Good Works Memorandum dated May 20, 2009, Subj: Examples
 3. (U) Radar SCG dated February 2, 2006
Derivative Classification Markings
Declassification Instructions: In most cases, the declassification date will be
carried over from the source document. When there are multiple sources, the
declassification instruction will be the most restrictive date.
Source document:
Classified By: John E. Doe, Chief Division 5
Reason: 1.4(a)
Declassify On: 20150627
Derivative document:
Classified By: Joe Carver, Director
Derived From: Department of Good Works Memorandum dated June 27, 2010, Subj: (U) Examples
Declassify On: 20150627
Multiple sources:
Source Document 1 - Declassify On: 20350215
Source Document 2 - Declassify On: 20320510
Source Document 3 - Declassify On: 20291231
Derivative Document - Declassify On: 20350215
Derivative Classification Markings
Portion marking: Portion markings will be carried over from the source document
to the derivatively classified document. All other portions will be appropriately marked.
Source document:
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information that is classified SECRET and is therefore marked (S).
2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.
Derivative document:
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).
2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.
Derivative Classification Markings
Declassification Instructions – Use of Exemptions from Automatic
Declassification (25X1-25X9):
The 25X exemptions may only be used on the “Declassify On” line if an
agency has identified permanently valuable information that needs to be
exempted from automatic declassification at 25 years and has received
approval from the Interagency Security Classification Appeals Panel (ISCAP)
to exempt the information and to incorporate the exemption into a
classification guide. (See 32 C.F.R. Part 2001.26.)
When using an approved exemption, a date or event that has been approved by
the ISCAP must be included with the marking and shall not exceed 50 years
from the date of the document.
Classified By: John E. Doe, Chief Division 5
Derived From: SCG title and date
Declassify On: 25X3, 20540215
Derivative Classification Markings
Specific information, the release of which should clearly and demonstrably be
expected to:
25X1 - reveal the identity of a confidential human source, a human intelligence
source, a relationship with an intelligence or security service of a foreign
government or international organization, or a non-human intelligence source; or
impair the effectiveness of an intelligence method currently in use, available for
use, or under development
25X2 - reveal information that would assist in the development, production, or
use of weapons of mass destruction
25X3 - reveal information that would impair U.S. cryptologic systems or activities
25X4 - reveal information that would impair the application of state-of-the-art
technology within a U.S. weapon system
Derivative Classification Markings
25X5 – reveal formally named or numbered U.S. military war plans that remain
in effect, or reveal operational or tactical elements of prior plans that are
contained in such active plans
25X6 - reveal information, including foreign government information, that would
cause serious harm to relations between the United States and a foreign
government, or to ongoing diplomatic activities of the United States
25X7 - reveal information that would impair the current ability of United States
Government officials to protect the President, Vice President, and other protectees
for whom protection services, in the interest of the national security, are
authorized
25X8 - reveal information that would seriously impair current national security
emergency preparedness plans or reveal current vulnerabilities of systems,
installations, or infrastructures relating to the national security
25X9 - violate a statute, treaty, or international agreement that does not permit
the automatic or unilateral declassification of information at 25 years.
Derivative Classification Markings
Section 3.3(h), E.O. 13526
Records that contain information, the release of which should clearly and
demonstrably be expected to reveal the following are exempt from automatic
declassification at 50 years:
50X1-HUM – the identity of a confidential human source or a human intelligence
source
50X2-WMD – key design concepts of weapons of mass destruction
50X__ - in extraordinary cases, additional specific information formally
approved by the ISCAP
(50X1-50X9 – match the same categories as the 25X1-25X9 categories)
Section 3.3(h)(3), E.O. 13526
75X___ - specific information may be exempted from automatic declassification at 75 years
if formally approved by the ISCAP.
Derivative Classification Markings
Diagram summary (exemptions from automatic declassification):
• Identity of confidential human source or human intelligence source: 50X1-HUM (no date or event required), E.O. 13526 section 3.3(h)(1)(A)
• Key design concepts of weapons of mass destruction: 50X2-WMD (no date or event required), E.O. 13526 section 3.3(h)(1)(B)
• Information that meets the standards of E.O. 13526 section 3.3(b): 25X___ with a date or event (E.O. 13526 section 3.3(b)), or 50X___ with a date or event (E.O. 13526 section 3.3(h)(2))
• All other information: 25 years – 25X___; 50 years – 50X___; 75 years – 75X___
Derivative Classification Markings
Declassification Instructions:
The following declassification instructions are no longer valid and, if annotated
on the source document, will not be carried over to the derivative document.
• X1, X2, X3, X4, X5, X6, X7, X8
• OADR
• MR (never a valid declassification instruction)
• Subject to Treaty or International Agreement
The derivative classifier shall calculate a date that is 25 years from the date of
the source document when determining the declassification instruction for the
derivative document.
Derivative Classification Markings
Declassification Instructions: The same rules apply when the source document
contains any invalid markings (X1-X8; OADR; MR; Subject to treaty or
international agreement).
Source document:
SECRET
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1.
2. (U) Paragraph 2.
Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: OADR
SECRET
Derivative document:
SECRET
Department of Good Works
Washington, D.C. 20006
January 21, 2011
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).
2. (U) Paragraph 2 is unclassified.
Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: July 15, 2035
SECRET
Do not carry over “OADR”. Calculate a date that is 25 years from the date of the source document.
Derivative Classification Markings
Declassification Instructions:
DNI Only or DCI Only are also no longer valid and, if annotated on the
source document, will not be carried over to the derivative document.
If the document contains imagery, as described in E.O. 12951, the
derivative classifier will mark the derivative document in the following
manner:
Declassify on: 25X1, E.O. 12951
If the document does not contain imagery, as described in E.O. 12951, the
derivative classifier will calculate a declassification date that is 25 years
from the date of the source document.
Derivative Classification Markings (Cont’d)
Declassification Instructions: If the source document contains “DNI Only” or
“DCI Only” as a declassification instruction, and there is no imagery in the
document, a declassification date will be calculated 25 years from the date of
the source document.
Source document:
SECRET
Department of Good Works
Washington, D.C. 20006
July 15, 2010
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1.
2. (U) Paragraph 2.
Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: DNI Only
SECRET
Derivative document:
SECRET
Department of Good Works
Washington, D.C. 20006
January 21, 2011
MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples
1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).
2. (U) Paragraph 2 is unclassified.
Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: 20350715
SECRET
Do not carry over “DNI Only”. Calculate a date that is 25 years from the date of the source document.
Derivative Classification Markings
Declassification Instructions: If the source document contains “DNI Only” or
“DCI Only” as a declassification instruction, and contains imagery, the new
declassification instruction will read: “Declassify on: 25X1, E.O. 12951”
Source document:
SECRET
Department of Good Works
Washington, D.C. 20006
[body text and imagery shown as placeholders on the slide]
Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: DCI Only
SECRET
Derivative document:
SECRET
Department of Good Works
Washington, D.C. 20006
[body text and imagery shown as placeholders on the slide]
Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: 25X1, E.O. 12951
SECRET
Do not carry over “DCI Only”. The declassification instruction on the derivatively classified
document will read: Declassify on: 25X1, E.O. 12951
Reminders
• Only individuals specifically authorized in writing may classify documents
originally.
• Only individuals with the appropriate security clearance, who are required
by their work to restate classified source information, may derivatively
classify information.
• The terms “Top Secret,” “Secret,” and “Confidential” are not to be used to
mark executive branch information that has not been properly designated
as classified national security information under E.O. 13526.
• Information shall not be classified for any reason unrelated to the
protection of the national security.
• Classifiers and authorized holders are responsible for ensuring that
information is appropriately classified and properly marked.
Reminders (continued)
• Individuals who believe that information in their possession is
inappropriately classified, or inappropriately unclassified, are expected to
bring their concerns to the attention of responsible officials.
• The following markings are not authorized in the “Declassify On” line:
 “Originating Agency’s Determination Required” or “OADR” for
documents created after 10/14/95;
 “X1”, “X2”, “X3”, “X4”, “X5”, “X6”, “X7”, or “X8” for documents created
after 9/22/2003;
 “Manual Review” or “MR;”
 “DNI Only” or “DCI Only;”
 “Subject to treaty or international agreement;” and
 “25X1-human.”
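The carry-over rules from the preceding marking slides (invalid source markings such as OADR, X1 to X8, MR, DNI Only and DCI Only are not carried over but replaced by a date 25 years from the source date; DNI Only or DCI Only with imagery becomes 25X1, E.O. 12951; a 25X date may not exceed 50 years; with multiple sources the most restrictive date wins) and the overall-marking rule from the earlier memorandum example, worked through as an added Python example that is not part of the ISOO presentation. The function names, the YYYYMMDD date handling, checking the 50-year limit against the source date, and treating an exemption marking as outranking a date when sources are mixed are this example's own assumptions.

```python
import re
from datetime import date

# Added worked example, not from the ISOO presentation: the "Declassify On"
# carry-over rules and the overall-marking rule described in the slides.

# Source-document instructions the slides list as no longer valid.
INVALID_INSTRUCTIONS = {
    "OADR", "X1", "X2", "X3", "X4", "X5", "X6", "X7", "X8", "MR",
    "SUBJECT TO TREATY OR INTERNATIONAL AGREEMENT",
    "DNI ONLY", "DCI ONLY", "25X1-HUMAN",
}
# Instructions that become "25X1, E.O. 12951" when the document has imagery.
IMAGERY_INSTRUCTIONS = {"DNI ONLY", "DCI ONLY"}
# 50-year exemptions that need no date or event (E.O. 13526, section 3.3(h)(1)).
NO_DATE_EXEMPTIONS = {"50X1-HUM", "50X2-WMD"}
LEVEL_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}
LEVEL_NAME = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}
YYYYMMDD = re.compile(r"^\d{8}$")
PORTION_MARK = re.compile(r"\((U|C|S|TS)\)")


def parse_yyyymmdd(text):
    """Parse the YYYYMMDD form used on 'Declassify On' lines."""
    if not YYYYMMDD.match(text):
        raise ValueError(f"not a YYYYMMDD date: {text!r}")
    return date(int(text[:4]), int(text[4:6]), int(text[6:]))


def add_years(d, years):
    """Add whole years; a 29 February start date falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def derive_declass_instruction(source_date, source_instruction, contains_imagery=False):
    """'Declassify On' value for a derivative built from one source (source_date is
    YYYYMMDD); contains_imagery: the document has imagery as described in E.O. 12951."""
    instr = " ".join(source_instruction.upper().split())
    if instr in IMAGERY_INSTRUCTIONS and contains_imagery:
        return "25X1, E.O. 12951"
    if instr in INVALID_INSTRUCTIONS:
        # Invalid marking: never carried over; 25 years from the source date instead.
        return add_years(parse_yyyymmdd(source_date), 25).strftime("%Y%m%d")
    if instr in NO_DATE_EXEMPTIONS:
        return instr
    if instr.startswith("25X") and "," in instr:
        # ISCAP-approved exemption with its date or event. A date may not exceed
        # 50 years from the document date (assumption: checked against source_date).
        code, when = (part.strip() for part in instr.split(",", 1))
        if YYYYMMDD.match(when):
            limit = add_years(parse_yyyymmdd(source_date), 50)
            if parse_yyyymmdd(when) > limit:
                raise ValueError(f"{code} date {when} exceeds 50 years from {source_date}")
        return f"{code}, {when}"  # an approved event (e.g. "E.O. 12951") is kept as-is
    if YYYYMMDD.match(instr):
        return instr  # a valid date is carried over unchanged
    raise ValueError(f"unrecognised declassification instruction: {source_instruction!r}")


def most_restrictive(instructions):
    """Several sources: the latest date wins. The slides state the rule for dates only;
    this example assumes an exemption marking (25X/50X) outranks any date."""
    exemptions = [i for i in instructions if not YYYYMMDD.match(i)]
    if exemptions:
        return exemptions[0]
    return max(instructions, key=parse_yyyymmdd)


def overall_classification(document_text):
    """Overall marking: the highest level among the document's portion markings."""
    levels = PORTION_MARK.findall(document_text)
    if not levels:
        raise ValueError("no portion markings found")
    return LEVEL_NAME[max(levels, key=LEVEL_RANK.__getitem__)]


def classification_authority_block(classifier, sources, contains_imagery=False):
    """Build the three-line block; sources is a list of (label, date, instruction)."""
    instructions = [derive_declass_instruction(d, i, contains_imagery) for _, d, i in sources]
    derived_from = sources[0][0] if len(sources) == 1 else "Multiple Sources"
    return {"Classified By": classifier,
            "Derived From": derived_from,
            "Declassify On": most_restrictive(instructions)}


if __name__ == "__main__":
    # Constructed input mirroring the OADR slide: a source memo dated July 15, 2010
    # marked "Declassify On: OADR", which must not be carried over.
    block = classification_authority_block(
        "Derivative classifier's name",
        [("Dept of Good Works Memo, dtd July 15, 2010", "20100715", "OADR")])
    for line, value in block.items():
        print(f"{line}: {value}")
```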
E.O. 13587
Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding
of Classified Information
• Reinforce the importance of responsible information sharing
• Ensure that policies, processes, technical security solutions, oversight,
and organizational cultures match information sharing & safeguarding
requirements
• Emphasize consistent guidance and implementation across the entire
Federal government
• Recognize the importance of shared risk and shared responsibility
E.O. 13587 Governance Structure
• A Senior Information Sharing and Safeguarding Steering Committee to coordinate
interagency efforts and ensure that Departments and Agencies are held accountable
for implementation of information sharing and safeguarding policy and standards.
• A Classified Information Sharing and Safeguarding Office to provide sustained, full-time
focus on sharing and safeguarding of classified national security information.
• Senior representatives of the Department of Defense and the National Security Agency
jointly act as the Executive Agent for Safeguarding Classified Information on
Computer Networks to develop technical safeguarding policies and standards and
conduct assessments of compliance.
• An Insider Threat Task Force to develop a government-wide program for insider
threat detection and prevention to improve protection and reduce potential
vulnerabilities of classified information from exploitation, compromise or other
unauthorized disclosure.
Areas of Focus & Ongoing Improvement
Enhancing control of removable media
Identity Management; including reducing user
anonymity and increasing user attribution
Building a more robust insider threat program
Enhancing access controls
Improving enterprise audit capabilities
Removable Media
Initial Operating Capability (IOC) Definition:
● IOC is reached when write privileges are disabled and/or
controlled using a hardware or software solution
Final Operating Capability (FOC) Definition:
● FOC includes IOC, and is achieved when a monitoring and
alerting function is implemented for all successful / unsuccessful
“write” attempts to removable media devices.
Reducing Anonymity
Initial Operating Capability (IOC) Definition:
● IOC is reached when the PKI is established such that:
 Certificates are issued (or a comparable solution) for identification for a minimum
of 10 percent of users on classified networks (Secret and Top Secret) and
 PKI tokens are used for authentication to high-sensitivity applications (software
tokens are sufficient pursuant to Intelligence Community policy and with
coordination with the Steering Committee).
Final Operating Capability (FOC) Definition:
● FOC includes IOC, and is achieved when:
 90 percent of users have PKI certificates for identification (or a comparable solution)
on classified networks (Secret and Top Secret); and
 Hardware tokens are used for authentication to enable access to high and
medium-sensitivity applications (software tokens are sufficient pursuant to Intelligence
Community policy and with coordination with the Steering Committee).
Insider Threat Program
Initial Operating Capability (IOC) Definition:
● IOC is reached when an agency has policies, procedures, and an
organizational structure that identifies an accountable official(s)
for the insider threat program, provides regular insider threat
awareness training to agency personnel, and includes an integrated
approach to gathering (electronically and/or manually) relevant
sources of insider threat information for analysis and response.
Insider Threat Program
Final Operating Capability (FOC) Definition:
● FOC includes IOC, and is achieved when an agency has implemented the
capabilities for:
● Monitoring user network activities on all agency networks;
● Inclusion of counterintelligence triggers for user-monitoring tailored to the
agency environment;
● Establishing an integrated capability to monitor, audit, gather, and
analyze information relevant to insider threat analysis from across the
agency; and
● There is a capability for integrated insider threat analysis of current data
on user actions collected from automated and/or manual information sources
– such as audit data, foreign travel and contact reporting, financial
disclosure, facility, access, phone records, and external databases.
Access Control
Initial Operating Capability (IOC) Definition:
IOC is reached when an interoperable infrastructure for integrated access-control
capability (hard-token PKI plus “attribute-based” authorization) is operational (Secret and
Top Secret) in accordance with the Federal Identity, Credential, and Access Management
(FICAM) framework or equivalent guidance appropriate for the subject network fabric.
● Establishes capability for user attribute provisioning to support attribute-based
authorization on classified networks.
● Requires this capability to be integrated with the PKI authentication capability.
Scope:
● Minimum of 10 percent of users on classified networks are provisioned with
attributes for authorization-related access-control decisions.
● Minimum of 25 percent of classified data repositories designated as highest
sensitivity (as defined in NIST SP 800-53, CNSSI 1253, ICD 503 or equivalent
guidance appropriate for the subject network fabric) are integrated to use the
interoperable access-control infrastructure facilities (PKI integrated with attribute-based access control).
Access Control
Final Operating Capability (FOC) Definition:
FOC includes IOC, and is achieved when an agency has implemented the
capabilities for:
● Federation (exchange) of standardized user authorization attributes on
classified networks across organizations;
● Consistent application of fabric-wide access control policy, with timely
promulgation of policy changes; and
● Tagging of information resources with access-relevant attributes on
ingest, creation, or modification; as applicable.
Scope:
● All users of classified networks.
● All high and medium-sensitivity classified network applications.
Enterprise Audit
Initial Operating Capability (IOC) Definition:
IOC is reached when an agency has the ability to:
● Monitor user-attributable activities (defined as Auditable Events in ICS 500-27) on at least
one community-shared information resource on at least one of the agency’s classified
networks;
● Analyze identified anomalies (which includes correlating such anomalies with other data
sources);
● Report and respond to potential security incidents through collaboration with the
appropriate CI, security, law enforcement, or Information Security (INFOSEC) offices;
● Provide automated notifications of security incidents from a community-shared
information resource on at least one of the agency’s classified networks to the appropriate
offices;
● Deliver an automated flow of audit data from a community-shared information resource
on at least one of the agency’s classified networks into an agency-specific audit capability;
and
● Provide audit data to other affected organizations.
Enterprise Audit
Final Operating Capability (FOC) Definition:
FOC includes IOC applied to all classified networks, and is achieved when an
agency has implemented the ability to:
● Share user-attributable audit information in a common format
collected from high and medium-sensitivity information resources (both
internal and community-shared) for users;
● Analyze identified anomalies; and
● Enable a timely response to incidents.
E.O. 13549
“Classified National Security Information Program for State,
Local, Tribal, and Private Sector Entities” (SLTPS)
• Establishes a program to safeguard and govern access to classified
information shared by the Federal Government with SLTPS entities.
• Ensures that security standards for classified information are applied in
accordance with national policy.
• Private sector facilities where classified information is or will be used or
stored as well as contractors of SLT entities shall be inspected, accredited,
and monitored for compliance with the standards established pursuant to the
NISP by DoD or another responsible Cognizant Security Agency.
• SLTPS-Policy Advisory Committee created to discuss policy disputes and
facilitate or recommend changes to remove undue impediments to information
sharing.
Key Elements of the E.O. 13556 (CUI)
• Establishes an open and uniform program.
• Manages all unclassified information within the executive branch
that requires safeguarding and dissemination controls.
• The control of this information is pursuant to and consistent with
law, regulation, and Government-wide policy.
• Freedom of Information Act (FOIA): “The mere fact that information
is designated as CUI shall not have a bearing on determinations
pursuant to any law requiring the disclosure of information or
permitting disclosure as a matter of discretion, including
disclosures to the legislative or judicial branches.” – Section 2(b)
Overview of the CUI Program
Diagram summary: one uniform and consistent policy applied to a defined and organized body of information, surrounded by its elements:
• Registry
• Marking Policy
• Dissemination Policy
• Decontrol Policy
• Safeguarding Policy
Approved CUI Categories
1. Agriculture
2. Copyright
3. Critical Infrastructure
4. Emergency Management
5. Export Control
6. Financial
7. Immigration
8. Intelligence
9. Law Enforcement
10. Transportation
11. Nuclear
12. Patent
13. Privacy
14. Proprietary
15. Statistical
16. Tax
17. Legal
Five Programmatic Areas of the Compliance Plan
Controlled Unclassified Information Compliance Plan:
• Governance: Roles and responsibilities established to guide and direct the program and its requirements
• Policy and Guidance: Development, implementation and revision of properly documented policies that are readily available to all affected personnel
• Self Inspection: Processes and procedures of continuous monitoring to ensure compliance with the EO and Notice
• Technology: Identify and assess requirements of IT systems and toolsets for program implementation
• Training: Education of affected personnel on the appropriate handling of information including responsibilities and ongoing maintenance
CUI Executive Agent
Current Efforts
• Development of CUI Supplemental Guidance & Consultation
 Interagency
 Representatives of the public
 State, Local, Tribal
 Private Sector
• Approval of Additional CUI Categories & Subcategories
 CUI Registry Updates
 Continuing Agency Submissions
• Approval of Compliance Plans
 Target Date Updates
 Continuing Agency Submissions
Contact Information
Information Security Oversight Office
National Archives and Records Administration
700 Pennsylvania Avenue, N.W., Room 100
Washington, DC 20408-0001
(202) 357-5250
(202) 357-5907 (fax)
[email protected]
[email protected]
www.archives.gov/isoo
QUESTIONS?