Index

CHAPTER 10

ACTUAL OR POTENTIAL COMPROMISE OF CLASSIFIED INFORMATION

10-100 Policy

a. The compromise of classified information can present a threat to the national security. Once a compromise is known to have occurred, the seriousness of damage to U.S. interests must be determined and appropriate measures taken to negate or minimize the adverse effect of such compromise. When possible, action also should be taken to regain custody of documents or material that were compromised. In all cases, appropriate action must be taken to identify the source and reason for the actual or potential compromise and remedial action to be taken to prevent recurrence.

b. Actual or potential compromises involving cryptologic information shall be handled in accordance with NACSI 4006.

c. Actual or potential compromises involving SCI will be handled in accordance with DoD S-5105.21-M-l.

10-101 Reporting

a. Anyone finding classified material out of proper control shall take custody of and safeguard the material, if possible, and immediately notify the appropriate security authorities.

b. Any person who becomes aware of the possible compromise of classified information shall immediately report it to the head of his or her local activity or to the activity security manager. If the person believes that the head of the activity or the security manager may have been involved in the incident, he or she may report it to the security authorities at the next higher level of command or supervision.

c. If classified information appears in the public media, DoD personnel must be careful not to make any statement or comment that would confirm the accuracy or verify the classified status of the information. Report the matter as instructed by the appropriate DoD Component directives, but do not discuss it with anyone without an appropriate security clearance and need-to-know. If approached by a representative of the media who wishes to discuss information you believe is classified, neither confirm nor deny the accuracy of or the classification of the information, and report the situation immediately to the appropriate security and public affairs authorities.

d. Any incident in which deliberate compromise of classified information or involvement of foreign intelligence agencies is suspected as well as apparent violations of criminal law shall be reported in accordance with DoD Instruction 5240.4. The Principal Director, Information Warfare, Security, and Counterintelligence (PD(IWSCI)); OASD(C3I), is the focal point for investigative matters involving the actual or potential compromise of classified information directed to the Department of Defense by other government agencies or that may involve other government agencies.

e. Local security officials will advise their parent command security officials of compromises occurring within their security cognizance and involving personnel assigned to that parent command.

f. If the head of an activity or the activity security manager to whom an incident is initially reported does not have security cognizance over the incident, such official shall ensure that the incident is reported to the appropriate authority. The organization with security cognizance shall ensure that an inquiry/investigation is conducted consistent with this chapter and for taking corrective action as required.

g. All compromises involving computer systems, terminals, or equipment shall be reported through appropriate channels to the Director, Information Assurance, Office of the Deputy Assistant Secretary of Defense (Command, Control and Communications) (DASD(C3)).

h. Compromises involving foreign government information shall be reported to the Director of International Security Programs, OUSD(P), who shall notify the foreign government.

i. Compromises involving DoD Special Access Programs, or results of inquiries/investigations that indicate that weaknesses or vulnerabilities in established SAP policy and/or procedures contributed to a potential compromise, shall be reported to the Director, Special Programs, OUSD(P).

j. Results of inquiries/investigations into actual or potential compromises that indicate that defects in the procedures and requirements of this Regulation contributed to the incident shall be reported to the PD(IWSCI), OASD(C3I).

10-102 Inquiry/Investigation

a. Preliminary Inquiry. When an actual or potential compromise of classified information occurs, the head of the activity or activity security manager having security cognizance shall promptly initiate an inquiry into the incident to determine the following. If information obtained as a result of the preliminary inquiry is sufficient to provide answers to these questions, then such information shall be sufficient to resolve the incident to include institution of administrative sanctions under Section 5, Chapter 1 of this Regulation:

b. Investigation. If the circumstances of an incident as such that a more detailed investigations is necessary, then an individual will be appointed to conduct that investigation. This individual must have an appropriate security clearance, have the ability to conduct an effective investigation, and must NOT be someone likely to have been involved, directly or indirectly, in the incident. Except in unusual circumstances, the activity security manager should not be appointed to conduct the investigation. In cases of compromise of classified information to the public media, the investigation should expand upon paragraph 10-102a.5. above, to include:

10-103 Results of the Inquiry/Investigation

a. If the conclusion of the inquiry/investigation is that a compromise occurred, the official initiating the inquiry/investigation shall immediately notify the originator of the information or material involved. If the originating activity no longer exists, the activity that inherited the functions of the originating activity shall be notified. If the functions of the originating activity were dispersed to more than one other activity, the inheriting activity(ies) cannot be determined or, the functions have ceased to exist, the senior agency official of the DoD Component of which the originating activity was a part, shall be notified. This notification shall not be delayed pending completion of any additional inquiry/investigation or resolution of other related issues.

b. If the conclusion of the inquiry/investigation is that a compromise occurred and that a weakness or vulnerability in established security practices and/or procedures contributed to the compromise or that the potential exists for a compromise of classified information dues to a weakness or vulnerability in established security practices and/or procedures, the appropriate responsible security official shall take prompt action to issue new or revised guidance as necessary to resolve identified deficiencies.

c. If the conclusion of the inquiry/investigation is that a compromise did not occur but that there was potential for compromise of classified information due to a failure of a person or persons to comply with established security practices and/or procedures, the official having security cognizance over such persons or persons shall be responsible for taking action as may be appropriate to resolve the incident.

10-104 Verification, Reevaluation and Damage Assessment

a. When notified of the compromise of classified information or material, the original classification authority for that information or material shall:

b. While performing the reevaluation and damage assessment, the original classification authority must consider countermeasures that can be taken to minimize or eliminate the damage to the national security resulting from the compromise and then initiate or recommend adoption of such countermeasures. These countermeasures might include changing plans or system design features, revising operating procedures, providing increased protection to related information (through classification or upgrading), etc.

c. The verification, reevaluation and damage assessment process is to be completed as soon as possible following notification of a compromise. However, damage assessment requiring multi-disciplinary or multiple agency review of the adverse effects of the compromise on systems, operations, and/or intelligence, can sometimes be a long-term process.

d. When classified information under the control of more than one DoD Component or other agency is involved, the affected activities are responsible for coordinating their efforts in reevaluation and damage assessment.

10-105 Debriefings in Cases of Unauthorized Access

In cases where a person has had unauthorized access to classified information, it may be advisable to discuss the situation with the individual to enhance the probability that he or she will properly protect it. The activity head shall determine if a debriefing is warranted. This decision must be based on the circumstances of the incident, what is known about the person or people involved, and the nature of the classified information. The following general guidelines apply:

10-106 Management and Oversight

a. The DoD Components shall establish necessary reporting and oversight mechanisms to ensure that inquiries/investigations are conducted when required, that they are done in a timely and effective manner, and that appropriate management action is taken to correct identified problems. Inquiries/investigations and management analyses of security incidents must consider possible systemic shortcomings that may have caused or contributed to the incident. The effectiveness of activity security procedures, security education, supervisory oversight of security practices, etc., should be considered in determining causes and contributing factors. The focus of management response to security incidents should be to eliminate or minimize the probability of further incidents occurring. Appropriate disciplinary action or legal prosecution, discussed in Section 5 of Chapter 1, is sometimes one means of doing this, but the broader focus on prevention must not be lost. Simple disciplinary action-without consideration of what other factors may have contributed to the situation-should not be considered an acceptable response to a security incident.

b. Each DoD Component shall establish a system of controls and internal procedures to ensure that damage assessments are conducted when required and that their results are available as needed.

10-107 Additional Investigation

Additional investigation -- beyond what is required by this chapter -- may be needed to permit application of appropriate sanctions for violation of regulations, criminal prosecution, or determination of effective remedies for discovered vulnerabilities. The inquiry required by this chapter may serve as a part of these investigations, but notification of originators shall not be delayed pending completion of these additional investigations.

10-108 Unauthorized Absences

When an individual who has had access to classified information is absent without authorization, the head of the activity or security manager shall determined if there are indications of activities, behavior, or associations that could indicate classified information may be at risk. If so, the supporting counterintelligence organization shall be notified. The scope and depth of this inquiry will depend on the length of the absence and the sensitivity of the classified information involved.