AR 380-5 Chapter VI Compromise of Classified Information
AR 380-5 6-100. Policy
Compromise of classified information presents a threat to the
national security. Once a compromise is known to have occurred,
the seriousness of damage to U.S. interests must be determined and
appropriate measures taken to negate or minimize the adverse
effect of such compromise. When possible, action also should be
taken to regain custody of the documents or material that were
compromised. In all cases, however, appropriate action must be
taken to identify the source and reason for the compromise and
remedial action taken to ensure further compromises do not occur.
The provisions of DoD Instruction 5240.4 and DoD Directive 5210.50
(references (jj) and (kk)) apply to compromises covered by this
Chapter.
AR 380-5 6-101. Cryptographic and sensitive compartmented
information
a. The procedures for handling compromises of cryptographic
information are set forth in NACSI 4006, (reference (fff)), AR
380-40 and TB 380-41 series (reference (v)), and implementing
instructions.
b. The procedures for handling compromises of SCI information are
set forth in DoD TS-5105.21-M-2 (reference (bbb)) and DoD
C-5105.21-M-1 (reference (ccc)).
AR 380-5 6-102. Responsibility of discoverer
a. Any person who has knowledge of the loss or possible
compromise of classified information shall immediately report such
fact to the security manager of the person's activity (see
subsection 13-304) or to the commanding officer or head of the
activity in the security manager's absence.
b. Any person who discovers classified information out of proper
control shall take custody of such information and safeguard it in
an appropriate manner, and shall notify immediately an appropriate
security authority. The local activity security manager will be
promptly notified of each such incident. That official will advise
the commander of the action to be taken.
c. DA Form 2134 (Security Violation(s) Report) may be used to
report a violation of transmission requirements (for example,
failure to doublewrap material) to the sender of a classified
document, or to report other discrepancies in marking or handling.
Use of this report does not eliminate the requirement for an
inquiry when needed to determine the probability of compromise.
AR 380-5 6-103. Preliminary inquiry
The immediate commander, supervisor, security manager, or other
authority shall initiate a preliminary inquiry to determine the
circumstances surrounding the loss or possible compromise of
classified information. A properly cleared and disinterested
commissioned officer, warrant officer, noncommissioned officer (E-
7 or above), or DA civilian (GS-7 or above) may conduct the
preliminary inquiry. Individuals appointed to conduct preliminary
inquiries are authorized to take sworn statements in accordance
with AR 15-6 (reference (vvv)), when necessary. When a specific
individual could be involved in the circumstances surrounding the
violation, the person conducting the inquiry will possess a rank
or grade at least equal to that individual's. The preliminary
inquiry shall establish one of the following:
a. That a loss or compromise of classified information did not
occur;
b. That a loss or compromise of classified information did occur
but the compromise reasonably could not be expected to cause
damage to the national security. If, in such instances, the
official finds no indication of significant security weakness, the
report of preliminary inquiry will be sufficient to resolve the
incident and, when appropriate, support the administrative
sanctions under subsection 14-101; or
c. That the loss or compromise of classified information did
occur and that the compromise reasonably could be expected to
cause damage to the national security or that the probability of
damage to the national security cannot be discounted. Upon this
determination, the responsible official shall:
1. Report the circumstances of the compromise to an appropriate
authority as specified in DoD Component instructions;
(a) A report that fully identifies the information compromised
will be submitted through appropriate channels to HQDA (DAMI-CIS)
WASH DC 20310-1051 when the preliminary inquiry indicates that Top
Secret or Secret information was compromised, and a probability of
damage to the national security exists.
(b) Reports concerning the compromise of Confidential information
will be submitted to the commander.
2. If the responsible official is the originator, take the action
prescribed in subsection 6-106; and
3. If the responsible official is not the originator, notify the
originator of the known details of the compromise, including
identification of the classified information. If the originator is
unknown, notification will be sent to the office specified in DoD
Component instructions.
4. When the findings of the preliminary inquiry report are
determined to be sufficient for final disposition, the inquiry
will be closed.
d. At a minimum, the preliminary inquiry will include the
following:
1. Where and when the violation occurred.
2. Who reported the violation and to whom.
3. A summary of the incident, identity of the document or
material, and its classification.
4. An estimate of the cause of the violation, including
contributing factors and identity of the person or persons
responsible, if known.
5. One of the following findings:
(a) Compromise did not occur.
(b) Compromise did occur.
(c) Probability of compromise is remote.
(d) Probability of compromise is not remote.
6. If compromise did occur, or if the probability is not remote,
a statement is required concerning the following:
(a) An estimate of the damage to the national security.
(b) A comment that the provisions of paragraph 2-210
(reevaluation of classification) have been complied with.
7. A summary of corrective and disciplinary action taken or
anticipated, if applicable.
8. A recommendation on the need for further investigation. This
is required only when it is concluded that further investigation
would reveal with reasonable assurance the cause or causes,
responsibility, and compromise aspects of the violation. (See
paragraph 6-104h.)
AR 380-5 6-104. Investigation
If it is determined that further investigation is warranted, such
investigation will include the following:
a. Identification of the source, date, and circumstances of the
compromise.
b. Complete description and classification of each item of
classified information compromised;
c. A thorough search for the classified information;
d. Identification of any person or procedure responsible for the
compromise. Any person so identified shall be apprised of the
nature and circumstances of the compromise and be provided an
opportunity to reply to the violation charged. If such person does
not choose to make a statement, this fact shall be included in the
report of investigation;
e. An analysis and statement of the known or probable damage to
the national security that has resulted or may result (see
subsection 2-210), and the cause of the loss or compromise; or a
statement that compromise did not occur or that there is minimal
risk of damage to the national security;
f. An assessment of the possible advantage to foreign powers
resulting from the compromise; and
g. A compilation of the data in paragraphs a. through f., above,
in a report to the authority ordering the investigation to include
an assessment of appropriate corrective, administrative,
disciplinary, or legal actions. (Also see subsection 14-104.)
h. Further investigation is authorized only in the event of one
of the following:
1. After the preliminary inquiry finds that an actual compromise
did occur or that damage to the national security is probable,
provided further investigation would clarify the causes,
responsibility, or compromise aspects of the violation.
2. When a MACOM commander or Headquarters agency head personally
decides it might be useful.
i. Under the circumstances in subsection h, above, the
responsible official will begin proceedings under AR 15-6
(reference (vvv)) and this regulation, or request a higher
official in the chain of command to do so.
AR 380-5 6-105. Responsibility of authority ordering investigation
a. The report of investigation shall be reviewed to ensure
compliance with this Regulation and instructions issued by DoD
Components.
b. The recommendations contained in the report of investigation
shall be reviewed to determine sufficiency of remedial,
administrative, disciplinary, or legal action proposed and, if
adequate, the report of investigation shall be forwarded with
recommendations through supervisory channels. See subsections
14-101 and 14-102.
c. Whenever an action is contemplated against any person believed
responsible for the compromise of classified information, damage
assessments shall be coordinated with the legal counsel of the DoD
Component where the individual responsible is assigned or
employed. Whenever a violation of criminal law appears to have
occurred and a criminal prosecution is contemplated, the DoD
Component responsible for the damage assessment shall apprise the
General Counsel, Department of Defense. HQDA (DAMI-CIS) WASH DC
20310-1051 will ensure that a legal review is conducted of
appropriate cases prior to apprising the General Counsel. See
subsection 14-104.
d. Reports of investigation will be reviewed for compliance with
AR 15-6 (reference (vvv)) and this regulation. If no compromise
has occurred, the official ordering the inquiry or investigation
may dispose of the incident. Whenever possible, the commander
ordering disposition of the case will consider implementing the
recommendations of the investigating officer. All persons notified
of the possible compromise must also be notified of final actions
in the case.
e. Reports of investigation that cannot be disposed of (d above)
will be settled to the extent authorized to the convening
authority. MACOM commanders and Headquarters agency heads may
dispose of incidents involving classified information up to and
including the level of original classification authority (OCA)
delegated to them.
f. Final reviewing authorities will review the report of
investigation for adequacy of subordinate command action. If
further action is necessary, the report of investigation, together
with pertinent instructions, will be sent to the subordinate
command. One copy of each completed report of investigation of the
probable or actual compromise of Top Secret or Secret information
will be sent through channels to HQDA (DAMI-CIS) WASH DC
20310-1051. DA Form 1574 (Report of Proceedings by Investigating
Officer/Board of Officers) or similar report of investigation and
action of the convening and final reviewing authority is
sufficient. Exhibits or enclosures need not be forwarded.
AR 380-5 6-106. Responsibility of originator
The originator or an official higher in the originator's
supervisory chain shall, upon receipt of notification of loss or
probable compromise of classified information, take action as
prescribed in subsection 2-210.
AR 380-5 6-107. System of control of damage assessments
Each DoD Component shall establish a system of controls and
internal procedures to ensure that damage assessments are
conducted when required and that records are maintained in a
manner that facilitates their retrieval and use within the
Component. DA security managers will maintain a central record of
damage assessments developed on programs or projects for which the
activity is the proponent. Damage assessments will be developed in
response to a request from another agency or when a local inquiry
or investigation of a security incident reveals a probable or
actual compromise of classified information. At a minimum, records
will reflect:
a. The requestor of the damage assessment (activity).
b. Reason for the assessment (actual or probable compromise).
c. Date the damage assessment was requested.
d. Date the assessment was developed, and by whom.
e. Program, project, or information involved.
f. Classification of information involved; damage to national
security that resulted.
g. Action taken or recommended to mitigate damage to the program,
project, or information and to the national security.
h. Notification to holders of the information.
AR 380-5 6-108. Compromises involving more than one agency
a. Whenever a compromise involves the classified information or
interests of more than one DoD Component or other agency, each
such activity undertaking a damage assessment shall advise the
others of the circumstances and findings that affect their
information and interests. Whenever a damage assessment
incorporating the product of two or more DoD Components or other
agencies is needed, the affected activities shall agree upon the
assignment of responsibility for the assessment. In general,
primary responsibility for developing damage assessments when
another agency is involved rests with the agency possessing a
majority of the information subjected to compromise. In such
cases, the agency having primary interest will coordinate the
conduct of assessments with other agencies, and compile the final
damage assessment report. HQDA (DAMI-CIS) WASH DC 20310-1051 will
be advised via command channels of any cases meeting the criteria
of this paragraph prior to an Army activity's acceptance of
primary responsibility. DAMI-CIS will conduct the necessary
coordination with OSD.
b. Whenever a compromise of U.S. classified information is the
result of actions taken by foreign nationals, by foreign
government officials, or by U.S. nationals employed by
international organizations, the activity performing the damage
assessment shall ensure, through appropriate intergovernmental
liaison channels, that information pertinent to the assessment is
obtained. Whenever more than one activity is responsible for the
assessment, those activities shall coordinate the request prior to
transmittal through appropriate channels. Army activities will
refer cases under this paragraph to HQDA (DAMI-CIS). DAMI-CIS will
work through intergovernmental liaison channels and Army staff
elements to obtain information pertinent to the damage assessment.
AR 380-5 6-109. Espionage and deliberate compromise
Cases of espionage and deliberate unauthorized disclosure of
classified information to the public shall be reported in
accordance with DoD Instruction 5240.4 and DoD Directive 5210.50
(references (jj) and (kk)) and implementing issuances. Regardless
of the classification involved, cases of suspected or actual
espionage and other deliberate compromise of classified
information will be reported under AR 381-12 (reference (jj)).
AR 380-5 6-110. Unauthorized absentees
When an individual who has had access to classified information is
on unauthorized absence, an inquiry as appropriate under the
circumstances, to include consideration of the length of absence
and the degree of sensitivity of the classified information
involved, shall be conducted to detect if there are any
indications of activities, behavior, or associations that may be
inimical to the interest of national security. When such
indications are detected, a report shall be made to the DoD
Component counterintelligence organization.
AR 380-5 6-111. Suicide and attempted suicide
When a person who has had access to classified information
attempts or commits suicide, an inquiry will be initiated to
determine the possible security implications. If such implications
are discovered or suspected, action will be taken to report the
matter under AR 604-5. The inquiry must determine why suicide was
attempted or committed before security implications may be
addressed.
AR 380-5 6-112. Unauthorized disclosure of classified information to the
public
a. This subsection applies to unauthorized appearances of
classified information in the public media and to unauthorized
disclosures of classified information to a person likely to
release that information to the public, whether or not the
information is actually disclosed to the public. This subsection
also applies to suspected incidents of this nature.
b. Army personnel will promptly report incidents or suspected
incidents described in subsection a, above, to their commander or
activity security manager.
c. Army officials notified of such incidents will immediately
report them through command channels to HQDA (DAMI-CIS) WASH DC
20310-1051. This report does not preclude action that must be
taken under paragraphs 6-103, 6-104, and 6-105 above. To speed
reporting, electronically transmitted messages should be used
whenever possible.
1. All reports will include:
(a) Identification of the classified information involved.
(b) Nature and circumstances of the incident, to include complete
and exact identification of the publication or broadcast in which
the information appeared.
2. If the reporting activity is the proponent, the report will
also include as much of the following as possible:
(a) Accuracy of the information.
(b) Level and source of classification.
(c) Preliminary estimate of the nature and degree of damage to
the national security caused by the disclosure.
(d) Available information about the source of the information
(document, briefing, etc.) and the extent to which the information
was disseminated.
(e) Available information about individuals who may have been
responsible for the disclosure.
d. The Director of Counterintelligence and Security
Countermeasures (DAMI-CI) will:
1. Evaluate reports of incidents in consultation with the
Assistant Secretary of Defense (Public Affairs) and officials
having primary security classification jurisdiction over the
information concerned; determine whether investigation of the
incident would be in the interest of national security.
2. Refer the incident to the appropriate investigative agency,
when necessary.
3. Report incidents to the DUSD(P) in accordance with DoD
Directive 5210.50 (reference (kk)); coordinate requests for
investigative assistance from non-Army agencies with the DUSD(P).
4. Advise MACOM commanders and Headquarters agency heads of
information developed during investigations that indicates the
need for corrective action, including disciplinary or
administrative action.
5. Advise MACOM commanders and Headquarters agency heads of the
compromise or possible compromise of information under their
security classification jurisdiction in connection with incidents
described in subsection a, above.
e. The Commanding General, U.S. Army Intelligence and Security
Command (INSCOM), will:
1. Investigate incidents described in subsection a, above, that
fall within his or her investigative jurisdiction on referral from
the Director of Counterintelligence and Security Countermeasures
(DAMI-CI).
2. Provide assistance to non-Army investigative agencies when
requested to do so by the Director of Counterintelligence and
Security Countermeasures (DAMI-CI).
f. MACOM commanders and Headquarters agency heads will:
1. Provide information and assistance to the Director of
Counterintelligence and Security Countermeasures (DAMI-CI), the
Commanding General, INSCOM, and non-Army investigative agencies to
aid in the evaluation and investigation of incidents described in
subsection a, above.
2. Ensure that prompt and effective corrective action is taken as
needed. Corrective action may include procedural changes or action
described in chapter XIV.
3. Reevaluate the classification of information appearing in the
public domain that falls under their security classification
jurisdiction (see paragraphs 2-209 and 2-210).
g. Information subjected to unauthorized disclosure will be
classified as provided under subsection 2-209.
��