AR 380-5 Chapter XIII Program Management

AR 380-5 Section 1 Executive Branch Oversight and Policy Direction

AR 380-5 13-100. National Security Council

Pursuant to the provisions of E.O. 12356 (reference (b)), the NSC shall provide overall policy direction for the Information Security Program.

AR 380-5 13-101. Administrator of General Services

The Administrator of General Services is responsible for implementing and monitoring the Information Security Program established under reference (b). In accordance with reference (b), the Administrator delegates the implementation and monitorship functions of the Program to the Director of the ISOO.

AR 380-5 13-102. Information Security Oversight Office

a. Composition. The ISOO has a full-time director appointed by the Administrator of General Services with approval of the President. The Director has the authority to appoint a staff for the office.

b. Functions. The Director of the ISOO is charged with the following principal functions that pertain to the Department of Defense:
1. Oversee DoD actions to ensure compliance with reference (b) and implementing directives, for example, the ISOO Directive No. 1 (reference (c)) and this Regulation;
2. Consider and take action on complaints and suggestions from persons within or outside the government with respect to the administration of the Information Security Program;
3. Report annually to the President through the NSC on the implementation of reference (b);
4. Review this Regulation and DoD guidelines for systematic declassification review; and
5. Conduct on-site reviews of the Information Security Program of each DoD Component that generates or handles classified information.

c. Information requests. The Director of the ISOO is authorized to request information or material concerning the Department of Defense, as needed by the ISOO in carrying out its functions.

d. Coordination.
Heads of DoD Components shall ensure that any significant requirements levied directly on the Component by the ISOO are brought to the attention of the Director of Security Plans and Programs, ODUSD(P). Notification of any direct taskings will be forwarded through command channels to HQDA (DAMI-CIS) WASH DC 20310-1051. DAMI-CIS will provide notification to ODUSD(P).

AR 380-5 Section 2 Department of Defense

AR 380-5 13-200. Management responsibility

a. The DUSD(P) is the senior DoD official having DoD-wide authority and responsibility to ensure effective and uniform compliance with and implementation of E.O. 12356 and its implementing ISOO Directive No. 1 (references (b) and (c)). As such, the DUSD(P) shall have primary responsibility for providing guidance, oversight and approval of policy and procedures governing the DoD Information Security Program. The DUSD(P) or his designee may approve waivers or exceptions to the provisions of this Regulation to the extent such action is consistent with references (b) and (c).

b. The heads of DoD Components may approve waivers to the provisions of this Regulation only as specifically provided for herein. Requests for waivers or exceptions will be forwarded through command channels to HQDA (DAMI-CIS) WASH DC 20310-1051.

c. The Director, NSA/Chief, Central Security Service, under DoD Directive 5200.1 (reference (a)), is authorized to impose special requirements with respect to the marking, reproduction, distribution, accounting, and protection of and access to classified cryptologic information. In this regard, the Director, NSA, may approve waivers or exceptions to these special requirements. Except as provided in subsection 1-205, the authority to lower any COMSEC security standards rests with the Secretary of Defense.
Requests for approval of such waivers or exceptions to established COMSEC security standards which, if adopted, will have the effect of lowering such standards, shall be submitted to the DUSD(P) for approval by the Secretary of Defense. Requests for waivers or exceptions will be submitted through command channels to HQDA (DAMI-CIS) WASH DC 20310-1051.

AR 380-5 Section 3 DoD Components

AR 380-5 13-300. General

The head of each DoD Component shall establish and maintain an Information Security Program designed to ensure compliance with the provisions of this Regulation throughout the Component.

AR 380-5 13-301. Military departments

In accordance with DoD Directive 5200.1 (reference (a)), the Secretary of each Military Department shall designate a senior official who shall be responsible for complying with and implementing this Regulation within the Department. The Chief of Staff, U.S. Army, under the direction of the Secretary of the Army, exercises control over Army policies relating to the DoD Information Security Program. The DCSINT has general staff responsibility for the implementation of, and compliance with, the program throughout the Army, and is the "senior official" designated under this subsection.

AR 380-5 13-302. Other components

In accordance with DoD Directive 5200.1 (reference (a)), the head of each other DoD Component shall designate a senior official who shall be responsible for complying with and implementing this Regulation within their respective Component.

AR 380-5 13-303. Program monitorship

The senior officials designated under subsections 13-301 and 13-302 are responsible within their respective jurisdictions for monitoring, inspecting with or without prior announcement, and reporting on the status of administration of the DoD Information Security Program at all levels of activity under their cognizance.
Information security officials from HQDA (DAMI-CIS) will conduct periodic visits to each MACOM and to selected installations, activities, and agencies to monitor and inspect the administration of the Army Information Security Program. The DCSINT will ensure funding for this purpose.

AR 380-5 13-304. Field program management

a. Throughout the Department of Defense, the head of each activity shall appoint, in writing, an official to serve as security manager for the activity. This official shall be responsible for the administration of an effective Information Security Program in that activity with particular emphasis on security education and training, assignment of proper classifications, downgrading and declassification, safeguarding, and monitorship, to include sampling classified documents for the purpose of assuring compliance with this Regulation.

1. In addition to the specific areas listed below, Army commanders are responsible for the maintenance of an effective security posture within their activities. Each Army commander and agency head will:
(a) Designate in writing a properly cleared, professional commissioned officer (O-3), warrant officer, or DA civilian in the 080 series, whose job is already classified at grade GS-12 or above, as security manager for the MACOM or ARSTAF activity. (Commanders of subordinate MACOM/ARSTAF elements may appoint security managers at lesser grade/rank than that specified above.)
(b) Establish local information security policies and procedures which comply with this regulation.
(c) Initiate and supervise measures or instructions necessary to ensure continual control of classified material.
(d) Ensure that persons who require access to classified information are properly cleared and have a need to know.
(e) Continually assess the individual trustworthiness of personnel who possess a security clearance.
(f) Ensure adequate funding and manpower to allow security personnel to manage applicable information security program requirements.
(g) Prioritize security management assets to ensure that information security program requirements are met.
(h) Ensure integration of the information security program with mission requirements of the activity.

2. A commander may delegate authority to perform local security functions, but not the responsibility to do so. Security, including proper classification and timely declassification, is a responsibility of the commander. Therefore, it is incumbent upon local commanders to ensure that individuals delegated security responsibilities possess the personal maturity, good judgment, and professional caliber to maintain a good security posture within the activity.

b. Activity heads shall ensure that officials appointed as security managers either possess, or obtain within a reasonable time after appointment, knowledge of and training in the Information Security Program commensurate with the needs of their positions. The Director of Security Plans and Programs, ODUSD(P) shall, with the assistance of the Director, Defense Security Institute, develop minimum standards for training of activity security managers. Such training should result in appropriate certifications to be recorded in the personnel files of the individuals involved. HQDA (DAMI-CIS) will coordinate minimum training requirements for Army security manager certification with ODUSD(P) and the Defense Security Institute.

c. Activity heads shall ensure that officials appointed as security managers are authorized direct and ready access to the appointing official on matters concerning the Information Security Program. They also shall provide sufficient resources of time, staff, and funds to permit accomplishment of the security manager's responsibilities, to include meaningful oversight of the Information Security Program at all levels of the activity.

1.
Designated Army security managers will:
(a) Advise and represent the commander on matters related to the classification, downgrading, declassification, and safeguarding of national security information.
(b) Establish, implement, and maintain an effective security education program. (Security managers who delegate this responsibility in whole or in part to subordinate security personnel, staff element security points of contact, etc., remain responsible for overseeing activity compliance with chapter X of this regulation.)
(c) Establish procedures for ensuring that all persons handling classified material are properly cleared and have a need to know. The clearance status of each individual must be recorded and accessible for verification.
(d) Advise and assist officials on classification problems and the development of classification guidance.
(e) Ensure that classification guides for classified plans, programs, and projects are created early and reviewed and updated when required.
(f) Conduct periodic reviews of classifications assigned within the activity to ensure that such decisions are proper.
(g) Ensure the review and continual reduction of classified information within the activity by declassification, destruction, or retirement. Oversee activity annual cleanout days.
(h) Oversee the conduct of announced and unannounced security inspections for compliance with this regulation and other security directives. Notify the commander of the results of such inspections.
(i) Assist and advise the commander in matters pertaining to the enforcement of regulations on the dissemination, reproduction, transmission, protection, and destruction of classified material.
(j) Make recommendations regarding requests for visits by foreign nationals.
(k) Ensure the protection of classified information presented during meetings, symposiums, and/or conferences sponsored by the activity.
(l) Act as single point of contact for coordinating, challenging, and resolving classification and declassification problems.

2. Requests to waive the minimum rank/grade requirements for designation as a HQDA agency or MACOM security manager (see paragraph a, above) will be forwarded to HQDA (DAMI-CIS) WASH DC 20310-1051.

AR 380-5 Section 4 Information Requirements

AR 380-5 13-400. Information requirements

DoD Components shall submit on a fiscal year basis a consolidated report concerning the Information Security Program of the Component on SF 311, "Agency Information Security Program Data," to reach the ODUSD(P) by October 20 of each year. SF 311 shall be completed in accordance with the instructions thereon and augmenting instructions issued by the ODUSD(P). The ODUSD(P) shall submit the DoD report (SF 311) to the ISOO by October 31 of each year. Interagency Report Control Number 0230-GSA-AN applies to this information collection system as well as to that contained in subsection 1-602.

MACOM and HQDA agency security managers will submit a consolidated report on SF 311 to reach HQDA (DAMI-CIS) WASH DC 20310-1051 by 11 October each year. Information reported will be as of 30 September. USAR units are exempt from this requirement. DAMI-CIS will submit a consolidated report to ODUSD(P).

AR 380-5 Section 5 Defense Information Security Committee

AR 380-5 13-500. Purpose

The Defense Information Security Committee (DISC) is established to advise and assist the DUSD(P) and the Director, Security Plans and Programs, ODUSD(P) in the formulation of DoD Information Security Program policy and procedures.

AR 380-5 13-501. Direction and membership

The DISC shall meet at the call of the DUSD(P) or the Director, Security Plans and Programs.
It is comprised of the DUSD(P) as Chairman; the Director, Security Plans and Programs, as Vice Chairman; and the senior officials (designated in accordance with section E.3.a., DoD Directive 5200.1, reference (a)) (or their representatives) responsible for directing and administering the Information Security Program of the OJCS, the Departments of the Army, Navy, and Air Force, the Defense Intelligence Agency, the Defense Nuclear Agency, the National Security Agency, and the Defense Investigative Service. Other DoD Components may be invited to attend meetings of particular interest to them. The DCSINT is designated as Army representative for the Defense Information Security Committee. The Director of Counterintelligence and Security Countermeasures, DCSINT, is the alternate representative.