What are the requirements to be granted access to sensitive compartmented information cyber awareness?

12 FAM 700 
SECURITY POLICY FOR SENSITIVE COMPARTMENTED INFORMATION (SCI) WITHIN DEPARTMENT OF STATE FACILITIES

12 FAM 710 

security policy for sensitive Compartmented Information

(CT:DS-314;   12-17-2018)

(Office of Origin:  DS/SI/IS)

12 FAM 711  General

12 FAM 711.1  Authorities

(CT:DS-258;   06-13-2016)

(1)  National Security Act of 1947, as amended

(2)  Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004

(3)  Executive Order 12333, as amended

(4)  Executive Order 13526

(5)  Executive Order 12968

(6)  Public Law 100-204, as amended

(7)  The Foreign Service Act of 1980

(8)  The Omnibus Diplomatic Security and Anti-terrorism Act of 1986 (22 U.S.C. 4801 et seq.)

(9)  Intelligence Community Directives (ICD) and related Standards and Policy Guidance

(10) Bureau of Intelligence and Research (INR)/Diplomatic Security (DS) Memorandum of Agreement (MOA) Security Responsibility for the Protection of Certain Intelligence-Related Matters, April 18, 2016

12 FAM 711.2  Purpose

(CT:DS-258;   06-13-2016)

a. This subchapter implements security policies established to protect national intelligence worldwide, as defined in section 1012 of IRTPA, designated by the Director of National Intelligence (DNI) as Sensitive Compartmented Information (SCI), and intelligence sources and methods.  It describes the:

(1)  Roles, responsibilities, and authorities of the Assistant Secretary for INR as the Department Intelligence Community (IC) element head as defined by the National Security Act of 1947, as amended, and E.O. 12333, as amended;

(2)  Authorities of other agency IC element heads for their facilities within Department buildings worldwide; and

(3)  Responsibilities of all Department employees and contractors indoctrinated into SCI access.

b. This subchapter further implements Department worldwide security policies for National Intelligence as required by E.O. 13526, E.O. 12968, ICDs, Intelligence Community Standards, Intelligence Community Policy Guidance (ICPG), and other documents cited herein for guidance on specific security functions.  Users are referred to applicable DNI control system manuals or directives for guidance on appropriate classification levels and compartmented information.

12 FAM 711.3  Applicability

(CT:DS-258;   06-13-2016)

The policies in this subchapter must be applied by all bureaus, posts, and personnel under the authority of the Secretary and chief of mission (COM) for receiving, transmitting, handling, storing, processing, discussing or otherwise using SCI.

12 FAM 712  RESPONSIBILITIES

12 FAM 712.1  Intelligence Community (IC) Element Head

(CT:DS-258;   06-13-2016)

a. INR is the Department’s IC element head.  An IC element head may delegate responsibility for the implementation of policies and procedures defined in DNI ICDs and related guidance for the protection of SCI to a Cognizant Security Authority (CSA).

b. DS, as delegated by INR, per the INR/DS MOA of April 18, 2016 must:

(1)  Protect SCI from unauthorized disclosure consistent with DNI guidance;

(2)  Implement uniform security policies and procedures in accordance with DNI directives and related guidance to ensure the proper protection, handling, storage, dissemination, and destruction of SCI;

(3)  Ensure reciprocity with other U.S. Government agencies of personnel security access determinations or system or facility accreditations when there are no waivers, conditions, or deviations to DNI standards.  Ensure other U.S. Government agencies receiving access determinations or accreditations from the Department are informed of all waivers;

(4)  Ensure risk management is employed in implementing SCI protection measures to minimize the potential for compromise while maximizing the sharing of information between U.S. Government agencies;

(5)  Ensure access to SCI is predicated on:

(a)  A favorable determination of eligibility for access made by an IC element head or their designee;

(b)  A signed DNI-approved non-disclosure agreement (NDA); and

(c)  The need for access to national intelligence to perform or assist in a lawful and authorized governmental function.

(6)  Ensure security and counterintelligence elements work together collaboratively for the protection of SCI;

(7)  Ensure all personnel are vetted, trained, and advised of their legal obligations, the ramifications of their security responsibilities, and provided a secure work environment;

(8)  Implement aggressive security and counterintelligence initiatives to support identification, apprehension, and as appropriate, prosecution of insiders who endanger national security concerns; and

(9)  Establish formal continuing security awareness training and education programs to ensure comprehension of and compliance with DNI guidance.  Individuals must be indoctrinated into their security responsibilities, and upon debrief, their life-long legal responsibilities to protect SCI.

c.  The Office of Information Security (DS/SI/IS) performs duties as the Department's CSA for the protection of Classified National Intelligence, Including Sensitive Compartmented Information, in accordance with ICD 703, and as directed by INR [1 FAM 262.7-1] with the exception of the following authorities:

(1)  INR retains determination approval authority for access to SCI under ICD 704, Personnel Security Standards Governing Access to SCI; and

(2)  INR retains authority to waive uniform security requirements under ICD 705, Sensitive Compartmented Information Facilities (SCIF).

12 FAM 712.2  Special Security Operations (DS/IS/SSO)

(CT:DS-258;   06-13-2016)

a. DS/IS/SSO is responsible for carrying out the DS responsibilities under the INR/DS MOA of April 18, 2016.  This includes developing directives for the implementation of all relevant ICDs, DCIDs, and related or subsequent guidance, and overseeing Department compliance with those directives for the protection of SCI.

b. DS/IS/SSO division chief is the SCIF accrediting official (AO) who coordinates, implements, and oversees policies, plans, and procedures for the certification and accreditation of Department SCIFs in accordance with applicable IC policies.

c.  DS/IS/SSO processes SCI nominations for all Department employees, contractors, and detailees for access to SCI.  DS/IS/SSO coordinates all Department related requests for SCI access with the designated Determination Authority and the Office of Personnel Security and Suitability (DS/SI/PSS) [1 FAM 262.7-1(C)].

d. DS/IS/SSO personnel are trained in DNI security policy and procedures to allow them to provide advice, guidance, and assistance on SCI security matters under their purview.  This includes:

(1)  Managing SCI security processes and procedures;

(2)  Ensuring that SCI is properly controlled, transmitted, packaged, safeguarded, destroyed, and when appropriate, brought under accountability;

(3)  Collaborating with information management officers, information systems security officers, communications security (COMSEC) officers and others to ensure security of SCI, SCIFs, and the information systems housed therein;

(4)  Reporting security incidents to the Program Applications Division (DS/IS/APD) for investigation; and

(5)  Coordinating with IC elements on SCI related issues.

12 FAM 712.3  Special Security Representative (SSR)

(CT:DS-258;   06-13-2016)

a. Each bureau executive director or post must appoint, in writing, an SCI-indoctrinated person to serve as a primary SSR and an assistant special security representative (ASSR) for each accredited Department SCIF under their purview.  DS/IS/SSO strongly recommends the appointed SSR work within the office where the SCIF is located to ensure operational requirements are met.

b. Once appointed, each SSR must receive SSR training from DS/IS/SSO.  DS/IS/SSO provides annual SSR training and is available to provide periodic refresher training upon request.  If possible, an SSR will receive training by DS/IS/SSO before reporting to overseas posts.

c.  The bureau executive director or post must notify DS/IS/SSO of a change of appointment of an SSR or ASSR for each Department SCIF.

d. SSRs are responsible for all security procedures and activities associated with their appointed SCIF.  These duties include verifying current SCI access approvals or requesting SCI access approvals for new arrivals, conducting orientation training, conducting annual refresher training, reporting security violations/infractions, reporting modifications to a SCIF, and ensuring that SCIF opening, closing, and access control procedures are followed.

e. SSRs should consult with their bureau executive office (EX), bureau security officer (BSO), or regional security officer (RSO) regarding non-compliance with SCIF security procedures and requirements.  SSRs must report incidents or activities that meet the parameters of the reporting requirements, as stated in 12 FAM 713.5-2 to the RSO overseas or the Counterintelligence Division (DS/ICI/CI) domestically, with a copy of the report to DS/IS/SSO.

12 FAM 712.4  Sensitive Compartmented Information (SCI) Users

(CT:DS-258;   06-13-2016)

a. Individuals with access to SCI must ensure the proper protection, marking, handling, storage, dissemination, and destruction of SCI as directed by DNI and this FAM.

b. Additionally, recipients of SCI within the Department including contractors, consultants, or detailees from other Government departments, agencies or entities, must follow the procedures established by INR for protection, handling, accountability, dissemination, and destruction of SCI.

12 FAM 713  security policy for SCI access

12 FAM 713.1  General

(CT:DS-258;   06-13-2016)

Eligibility for access to SCI is governed by ICD 704 and related DNI guidance.  Eligibility determinations are made in accordance with uniform personnel security standards and procedures to facilitate initial vetting, continuing personnel security evaluation, and reciprocity throughout the IC.

12 FAM 713.2  Access Approvals

12 FAM 713.2-1  Approval Authority

(CT:DS-258;   06-13-2016)

a. INR, as the Department IC element head, approves requests for access to SCI for Department personnel in accordance with ICD 704.  Unless specifically delegated, approval authority for access to information derived from certain SCI programs is retained by the cognizant program manager, executive agent, or national authority.  IC element heads are responsible for issuing administrative procedures governing the granting of SCI accesses in their organizations.

b. The Department will accept SCI access determinations from other U.S.  Government agencies without further adjudication unless an exception to personnel security standards has been granted by the parent agency.

12 FAM 713.2-2  Access Approvals

(CT:DS-258;   06-13-2016)

a. Department personnel requiring SCI access must have a final Top Secret (TS) clearance.

b. Access is only granted when INR (see 12 FAM 713.2-1 paragraph a) determines an individual requires access to SCI to perform or assist in a lawful and authorized governmental function, including repairs or maintenance (see 12 FAM 715.4-1(D) paragraph d and 12 FAM 717.2-3 paragraph d).

c.  The Department will not grant SCI access solely to enable an individual to act as a custodian for SCI in non-SCIF areas or for the purpose of gaining unescorted access to a SCIF.

d. SCI access is based on the needs of the individual’s current position and is not permanent.  Each bureau and post must establish check-in/check-out procedures to ensure that an individual’s requirement for continued access to SCI is revalidated before the individual departs the assignment.  Any changes in requirements for access due to position changes during an assignment must be reported to DS/IS/SSO.

12 FAM 713.2-3  Nomination

(CT:DS-258;   06-13-2016)

a. Department employees (including but not limited to Foreign Service, Civil Service, When-Actually-Employed, and Personal Services Contract):

(1)  An SCI access nomination letter, found at the DS/IS/SSO Web site, must be submitted by the bureau EX or post deputy chief of mission (DCM) directed to INR via DS/IS/SSO for newly assigned personnel who require access to SCI, or when requested by DS/IS/SSO.  Bureau EX or post DCM must submit a nomination letter to DS/IS/SSO for all personnel regardless of their previous SCI access status (except as stated in (3), below).  The access request must state the justification for the need for SCI access and be approved by the bureau EX or post DCM;

(2)  Bureau EX or post DCM may submit the nomination letter no sooner than 30 days prior to the individual’s arrival.  Nomination letters for Department employees are available on DS/IS/SSO Web site or from DS/IS/SSO Access Control Team.  Bureau EX or post DCM can reach the Access Control Team via email at “DS_SSO” on either CLASSNET or OPENNET; and

(3)  An SSR may contact a gaining bureau EX, post SSR or RSO to determine if a person transferring to a new assignment will require continued SCI access.  The SSR must send this email request to DS/IS/SSO Access Control Team (DS_SSO).  If the need for continued access is confirmed by email from the gaining bureau or post, DS/IS/SSO will allow the person to remain indoctrinated, and a nomination letter will not be required.  If the person does not require continued SCI access, the person departing the bureau or post must receive a debriefing (see 12 FAM 713.7 Removal of Access).

b. Contractors:

(1)  The Government sponsor will advise the contracting officer's representative (COR) or his/her designee of the need for access to SCI by a contractor employee.  Only nominate a contractor employee for access to SCI to perform assigned duties under a specific contract where there is a need to handle, process, or discuss SCI.  Do not submit SCI nominations solely for gaining unescorted facility access;

(2)  Only when SCI access is required, the contract under which the contractor employee is working must include the requirement for TS/SCI access for designated personnel.  If the contract is not at the TS level and does not include the overall requirement for SCI access specifically related to the requirements identified in item 12 FAM 713.2-3 paragraph b(1) above, the COR must contact the government contracting officer (CO), in writing, to request a modification to the contract to include the need for SCI access.  Once the request and justification have been reviewed/approved by the CO and coordinated with the Office of Industrial Security (DS/IS/IND), the contract will be modified.  A revised (Form DD-254, Contract Security Classification Specification), which includes the SCI requirements, will be issued to the contracting company; and

(3)  The COR will submit the Contractor SCI Access Nomination Letter to DS/IS/IND.  Nomination letters for contractors are available on the DS/IS/SSO Web site or from DS/IS/SSO Access Control Team DS/IS/IND will work with the contracting company to obtain the required paperwork and will coordinate verification of each contractor’s suitability with (DS/SI/PSS).  If the nominee meets suitability standards and is eligible for access to SCI, DS/SI/PSS will complete the package and forward it to DS/IS/SSO.  DS/IS/SSO will coordinate final SCI access approval with INR, then notify the COR and employee of the approval.  At that time, the contractor employee will be eligible for an SCI indoctrination briefing.

c.  Other agency personnel (including detailees to Department and tenant agency personnel):

(1)  The parent agency, to include bureau executive directors, must approve all SCI access requests for non-Department employees and the parent agency must ensure that personnel clearances and access approvals are passed to DS/IS/SSO;

(2)  INR will review all requests for access to SCI within the Department for employees of other agencies who were approved for access by exception; and

(3)  DS/IS/SSO will advise the requesting bureau or post once the SCI access is granted.

12 FAM 713.2-4  Access Determination

(CT:DS-258;   06-13-2016)

a. Access to SCI is contingent on meeting DNI personnel eligibility requirements as measured by investigative standards prescribed in ICPG 704.1 and the application of specific adjudicative guidelines contained in ICPG 704.2.

b. Once approved for SCI access, DS/IS/SSO will notify the individual, the requestor and the BSO, SSR and/or RSO, as appropriate, in writing.  Personnel assigned domestically will be directed to attend an indoctrination briefing.  The RSO will coordinate briefings for personnel at posts abroad.

c.  An individual that is denied access will also be notified in writing in accordance with the provisions of ICPG 704.3 providing the reasons for this decision along with instructions on recourse.

d. Continuous personnel security and counterintelligence evaluation is required of all personnel granted SCI access.

12 FAM 713.2-5  Sensitive Compartmented Information Nondisclosure Agreement (NDA)

(CT:DS-258;   06-13-2016)

a. As a condition of access to SCI, individuals must sign a DNI-authorized form NDA-4414, Sensitive Compartmented Information Nondisclosure Agreement (See 12 FAM Exhibit 713.2-5).  The NDA establishes explicit obligations of the individual signer for the protection of SCI.  NDA 4414 was revised in 2013, but all agreements signed before this date continue to be in effect as the provisions are consistent with and do not supersede, conflict with, or otherwise alter the employee obligations, rights, or liabilities created by existing statute or E.O.

b. Prior to signing an NDA or being afforded access to SCI, personnel approved for SCI access will:

(1)  Receive a non-SCI-revealing brief on the general nature and procedures for protecting the SCI to which they will be exposed;

(2)  Be advised of their obligations to protect information and report matters of security concern; and

(3)  Be advised of penalties, criminal and administrative, for non-compliance with security directives.

c.  Personnel will be allowed to express any reservations concerning the NDA or access to SCI.  Unwillingness to sign the NDA or to accept SCI security obligations is cause for denial or revocation of existing SCI access.

d. The briefer must scan and email or fax the completed NDA to DS/IS/SSO at DS_SSO on either CLASSNET or OPENNET.  The signed hard copy NDA must be forwarded to DS/IS/SSO for filing and retention.

e. These provisions are consistent with and do not supersede, conflict with, or otherwise alter the employee obligations, rights, or liabilities created by existing statute or EO relating to:

(1)  Classified information;

(2)  Communications to Congress;

(3)  The reporting to an Inspector General of a violation of any law, rule, or regulation, or mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety; or

(4)  Any other whistleblower protection.  The definitions, requirements, obligations, rights, sanctions, and liabilities created by controlling EOs and statutory provisions are incorporated into this agreement and are controlling.

12 FAM 713.3  Security Indoctrination And Education

(CT:DS-258;   06-13-2016)

a. Department personnel approved for access to SCI will be briefed in accordance with DNI requirements as directed by DS/IS/SSO.

b. Initial security indoctrinations will include:

(1)  The need for and purpose of SCI, and the adverse effect on national security that could result from unauthorized disclosure;

(2)  The continuing obligation to protect SCI, even after the individual no longer has access to SCI;

(3)  The mission of the Department to include the use of intelligence information in furtherance of that mission;

(4)  The administrative, personnel, physical, and other procedural security requirements of the Department and those requirements peculiar to specific duty assignments, including information on who to consult to determine if particular outside employment or activity might be of concern;

(5)  The individual’s classification management responsibilities as described in appropriate directives and regulations to include classification/ declassification guidelines and marking requirements;

(6)  The definitions and criminal penalties for espionage, including harboring or concealing persons; gathering, transmitting, or losing defense information; gathering or delivering defense information to aid foreign governments; photographing and sketching defense installations; unauthorized disclosure of classified information (18 U.S.C. 792 through 18 U.S.C. 795, 18 U.S.C. 797 and 18 U.S.C. 798), the Internal Security Act of 1950 (50 U.S.C. 783), the Intelligence Identities Protection Act of 1982 (50 U.S.C. 421 through 50 U.S.C. 426) and, when appropriate, the Atomic Energy Act (Sections 224 through 227);

(7)  These provisions are consistent with and do not supersede, conflict with, or otherwise alter the employee obligations, rights, or liabilities created by existing statute or EO relating to:

(a)  Classified information;

(b)  Communications to Congress;

(c)  The reporting to an inspector general of a violation of any law, rule, or regulation, or mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety; or

(d)  Any other whistleblower protection.  The definitions, requirements, obligations, rights, sanctions, and liabilities created by controlling EOs and statutory provisions are incorporated into this agreement and are controlling.

(8)  An overview of the Department Security Incident Program (12 FAM 550);

(9)  A review of the techniques employed by foreign intelligence organizations in attempting to obtain national security information; and

(10) Identification of the elements within the Department to which matters of security interest are to be referred.

c.  Individual security responsibilities include:

(1)  Observing the prohibition against discussing SCI in an unauthorized area, over an unauthorized telephone, or in any other manner that permits access by unauthorized persons;

(2)  The need to exercise caution to avoid unauthorized disclosure of SCI when communicating with members of professional, commercial, scholarly or advocacy organizations that publish or discuss information on intelligence, defense, or foreign affairs; and

(3)  The continuing obligation to submit for review any planned articles, books, speeches or public statements that contain or purport to contain SCI or information relating to or derived from SCI as outlined in the NDA.

d. All persons granted SCI access by the Department will receive periodic SCI security education and awareness refresher training advising them of:

(1)  Their continuing security responsibilities and of security threats they may encounter;

(2)  Foreign intelligence threats (including risks associated with foreign travel and foreign associations);

(3)  Technical threats;

(4)  Terrorist threats;

(5)  Personnel, physical, information systems, and procedural security;

(6)  Classification management;

(7)  Individual security responsibilities; and

(8)  Criminal penalties and administrative sanctions.

12 FAM 713.4  Access to Sensitive Compartmented Information Systems

12 FAM 713.4-1  System Access Request

(CT:DS-258;   06-13-2016)

INR is the sole approval authority for any access to Department SCI systems.  If an individual’s position requires use of an SCI system, the bureau EX/post DCM must submit, via DS/IS/SSO for verification of access, an access request to INR for approval.

12 FAM 713.4-2  Training Requirements

(CT:DS-258;   06-13-2016)

All personnel granted access to a Department SCI system must complete initial SCI Cyber Security Awareness training.  Failure to complete the subsequent annual SCI Cyber Security Awareness training will result in loss of access to the SCI system.

12 FAM 713.5  Individual Responsibilities

12 FAM 713.5-1  Need-To-Know Policy

(CT:DS-258;   06-13-2016)

Holders of SCI must determine that a prospective recipient of the information has appropriate access approvals and has a need for access to specific SCI to perform or assist in a lawful and authorized governmental function.  Holders of SCI must ensure the recipient can properly protect the information.  Holders of SCI must challenge requests for information that do not appear to be legitimate.

12 FAM 713.5-2  Reporting Requirements

(CT:DS-258;   06-13-2016)

a. All personnel under Department authority with SCI access are obligated to report to proper authorities all activities or conduct concerning themselves or of another individual who has access to SCI as stated below in 12 FAM 713.5-3 through 12 FAM 713.5-5.

b. Employees of other agencies must also comply with their parent agency’s reporting requirements.

12 FAM 713.5-3  Prepublication Review

(CT:DS-258;   06-13-2016)

a. Department employees, contractors, and former employees are obligated by their signed NDA to submit for security review any writing or other preparation in any form (speeches, public statements, internet postings, etc., including works of fiction) that contain or purport to contain any SCI, description of activities that produce or relate to SCI, or there is reason to believe derive from SCI.  This is a continuing obligation that applies during the course of any access to SCI and after.  Current employees, including When Actually Employed (WAE) status, and contractors must submit material via the Bureau of Public Affairs (PA) Reviews Web site.  Former employees and contractors must submit material for review to the Office of Information Programs and Services (A/GIS/IPS) at .  Personnel must obtain written authorization from the Department prior to release to any unauthorized person or public disclosure.

b. Prepublication review is also necessary to avoid potential damage that would result from confirmation of SCI information previously published without authorization.  Individuals with SCI access may not publicly cite such information especially in conjunction with military title, U.S. Government position, or contractual relationships with SCI programs.

c.  Department employees and contractors must submit material for review in accordance with 3 FAM 4170, Review of Public Speaking, Teaching, Writing and Media Engagement.  The review office will coordinate with DS/IS/SSO on the review of materials submitted by personnel with SCI access.

12 FAM 713.5-4  Foreign National Contacts

(CT:DS-258;   06-13-2016)

12 FAM 262 states the Department’s policy on reporting of foreign contacts.  12 FAM 274 and 12 FAM 274.2 provide additional guidance.  12 FAM 275 provides guidance for reporting intent to marry or cohabit.  All individuals under Department authority with SCI access must report foreign contacts as directed in the FAMs.

12 FAM 713.5-5  Sensitive Compartmented Information Travel Security Policy

(CT:DS-258;   06-13-2016)

All individuals under Department authority with SCI access granted by the Department must report personal foreign travel in accordance with the reporting procedures contained in 12 FAM 276 and 12 FAM 264.2 paragraph(g).

12 FAM 713.6  Special Personnel Security Investigations

(CT:DS-314;   12-17-2018)

The Office of Special Investigations (DS/ICI/OSI) may conduct special personnel security investigations in accordance with and as defined in 12 FAM 226.  Results of investigations involving Department employees and contractors with SCI access will be provided to DS/IS/SSO and INR for their determination on suitability of employees and contractors to retain access to SCI.

12 FAM 713.7  Removal of Access

(CT:DS-258;   06-13-2016)

a. All personnel who retire or resign from the Department are required to notify DS/IS/SSO so that a debriefing by DS/IS/SSO or by a designated security entity can take place prior to their departure.  Personnel who will remain at the Department, but no longer need SCI access for the performance of their duties shall notify DS/IS/SSO and be promptly debriefed.  It is the responsibility of the supervisor to ensure that DS/IS/SSO is informed.  Debriefed personnel will sign the debrief block of an form NDA-4414 (see 12 FAM Exhibit 713.2-5).

b. Debriefed personnel will be reminded of their continuing obligation to protect national intelligence and comply with the terms of the NDA, including the continuing obligation to submit for review any planned articles, books, speeches, or public statements that contain or purport to contain SCI or information relating to or derived from SCI.

c.  Personnel who depart without signing the debriefing acknowledgement or who refuse to sign a debriefing acknowledgment are still obligated by the terms of the original signed NDA.  Those personnel will be administratively debriefed by DS/IS/SSO and the record of the debriefing will be entered into all applicable databases and files.

d. The completed NDA must be scanned and emailed or faxed to DS/IS/SSO at DS_SSO on either CLASSNET or OPENNET.  The debriefer must forward the signed hard copy NDA to DS/IS/SSO for filing and retention.

12 FAM 713.8  Recording Indoctrinations And Debriefings

(CT:DS-258;   06-13-2016)

a. The names of all individuals with SCI access are posted on an Intelligence Community (IC) database called Scattered Castles.  Access to Scattered Castles is restricted to security elements in each agency that need to verify SCI access information.  The IC Scattered Castles repository, or successor database, must be the authoritative source for personnel security access approval verifications regarding SCI and other controlled access programs, visit certifications, and documented exceptions to personnel security standards.

b. Department personnel that need to verify an individual’s SCI access should contact their BSO, RSO, or DS/IS/SSO at “DS_SSO” on OPENNET or CLASSNET.  DS/IS/SSO is responsible for passing all SCI accesses to other Government agencies.

12 FAM 714  SECURITY VIOLATIONS, COMPROMISES, AND UNAUTHORIZED DISCLOSURES

12 FAM 714.1  Responsibilities

(CT:DS-258;   06-13-2016)

a. Department personnel and contractors are required to report to their respective SSR, BSO, or RSO:

(1)  Any possible or actual security violation or compromise involving SCI.  Individuals who learn of violations or compromise must report matters and take immediate action to protect SCI found in an unsecure environment, until it can be restored to SCI control;

(2)  Publication in the media of actual or apparent SCI information.  Respective SCI security/control officers must report incidents through appropriate channels to DS/IS/SSO who will advise the Department IC element head; and

(3)  Any unauthorized revelation or exposure of SCI that might reasonably be expected to result in publication of the SCI.

b. All such reports must be forwarded immediately to DS in accordance with 12 FAM 550.  As provided in 12 FAM 554, any security incident involving the mishandling of SCI material will be deemed a security violation rather than an infraction, even when occurring in a controlled access area (CAA) abroad or within the equivalent of a CAA domestically.

12 FAM 714.2  Investigations

(CT:DS-258;   06-13-2016)

a. In accordance with 12 FAM 550, DS will conduct investigations of security incidents involving the mishandling of SCI.  The 1 FAM 262.7-1(A) authorizes The Program Applications Division (DS/IS/APD) to conduct incident investigations involving SCI within the Department, and coordinate investigations within DS and with other agency investigative elements, as required.

b. An investigation will be conducted to identify full details of the violation/compromise, and to determine specific information involved, damage, and whether culpability was involved.  Investigations must determine if there is a reasonable likelihood that SCI material was compromised, the identity of the person(s) responsible for the unauthorized disclosure, and the need for remedial measures to prevent a recurrence.  The adjudication of security incidents will apply a risk-based analysis, which will assess intent, location of incident, risk of compromise, sensitivity of information, and mitigating factors.

c.  If a compromise occurs, DS/IS/SSO will advise INR.  INR must immediately report the compromise to the appropriate IC SCI program manager.

d. If an inadvertent disclosure occurs, DS/IS/SSO will determine whether the interests of SCI security are served by seeking a written inadvertent NDA from non-indoctrinated persons to whom SCI has been disclosed.  If DS/IS/SSO determines that an inadvertent NDA is necessary, the person(s) involved will be requested to sign an inadvertent NDA.  Copies of the NDA will be maintained in the files of both DS/IS/SSO and the appropriate IC program manager.

e. Security violations will be recorded in security files in accordance with 12 FAM 557.  Disciplinary actions will be conducted in accordance with 12 FAM 557.  DS/IS/APD will provide reports of security violations to INR for review and determination of an individual’s continued eligibility for SCI access.

f.  Investigating officers will advise DS/IS/SSO of weaknesses in security programs and recommend corrective action(s).  DS/IS/SSO is responsible for ensuring corrective action is taken in all cases of actual security violations and compromises related to the protection of SCI.

12 FAM 715  Sensitive compartmented information facility (scif)

12 FAM 715.1  Sensitive Compartmented Information Facility Policy

(CT:DS-258;   06-13-2016)

a. The process, storage, use, and discussion of SCI will only occur within accredited SCI facilities (SCIFs).  The term SCIF includes the types of facilities that are described in 12 FAM 715.2, below.  All SCIFs must be accredited by that agency's Accrediting Office (AO) prior to use for SCI operations.  Accreditation is the beginning of a life-cycle process of continuous monitoring and evaluation, periodic re-evaluations and documentation reviews to ensure the SCIF is maintained in accordance with ICD 705 and all related standards.

b. All SCIFs must comply with uniform security requirements as established by DNI directives and related issuances for physical and technical security of SCIFs.  Physical security standards for the construction and protection of such facilities are prescribed in the current ICD 705 and related guidance.  ICD 705 allows the use of mitigation strategies to meet the intent of the standards without requiring written waivers.

c.  Department SCIFs are accredited up to the Special Intelligence (or Signals Intelligence)/Talent Keyhole/Gamma/Human Intelligence Control System (SI/TK/G/HCS) level.  DS/IS/SSO must be notified in advance of the requirement to use a Department SCIF for other SCI programs.  DS/IS/SSO will determine if a compartmented area (CA) needs to be created inside the SCIF for the additional SCI programs.

d. An explanation of SCI compartmented programs is contained in the separate unclassified SCI Indoctrination briefing package located on DS/IS/SSO website.

e. All existing SCIFs within Department bureaus, posts, or other facilities as of the date of this subchapter will continue to operate in accordance with security requirements applicable at the time of the most recent accreditation.  Upon reaccreditation an existing SCIF must be compliant with current requirements unless a waiver is granted by the IC element head or designee in accordance with ICD 705.  The IC element head or designee may accredit, re-accredit, and de-accredit SCIFs and may grant waivers to standards.

f.  A SCIF accreditation may be suspended or revoked if there is a danger of SCI being compromised due to unsatisfactory security conditions.

12 FAM 715.2  Sensitive Compartmented Information Facility Types

(CT:DS-258;   06-13-2016)

a. SCIFs that are authorized by the AO to store SCI are denoted as one of the following types of storage:

(1)  Closed storage:  All SCI material is stored within General Services Administration (GSA) approved security containers when the SCIF is unoccupied.  This includes storage of hard drives used to process SCI and any other SCI-related media;

(2)  Continuous operations:  The SCIF is manned 24 hours a day, every day.  The capability must exist for storage of all SCI in GSA approved security containers; and

(3)  Temporary SCIF (T-SCIF):  An area, room, group of rooms, building, or installation accredited for SCI-level processing, storage and discussion, that is used for operational exigencies (actual or simulated) for a specified period of time not exceeding one year.

b. Two additional facilities authorized for SCI work but not storage are the secure working area (SWA), and the temporary secure working area (TSWA):

(1)  A SWA is an area accredited for handling, discussion, and/or processing of classified information to include SCI but not for the storage of SCI; and

(2)  A TSWA is a facility temporarily accredited to handle, process, or discuss classified information to include SCI that may not be used more than 40 hours per month and the accreditation may not exceed 12 months.  SCI may not be stored in a TSWA.

(a)  The SSR will maintain a record of the use of the facility as a TSWA;

(b)  When not in use at the SCI level, a TSWA must be secured with an approved key or combination lock, and

(c)  Access must be limited to U. S. personnel cleared at a minimum to Secret.

c.  Open storage, which allows SCI to be openly stored and processed within the SCIF without storing material in GSA approved storage containers when the SCIF is unoccupied, is not authorized at Department of State facilities.

12 FAM 715.3  Security In Depth

(CT:DS-258;   06-13-2016)

a. In addition to existing construction security standards, security in depth (SID) describes the factors that enhance the probability of detection before actual penetration of the SCIF occurs.  The existence of a layer or layers of security that offer mitigations for risks may be accepted by the AO.  The AO may develop additional strategies to mitigate risk and increase probability of detection of unauthorized entry.

b. SID requires that at least one of the following mitigations is applied:

(1)  Military installations, embassy compounds, U.S. Government compounds, or contractor compounds with a dedicated response force of U.S. persons;

(2)  Controlled buildings with separate building access controls, alarms, elevator controls, stairway controls, etc., required to gain access to the buildings or elevators.  These controls must be fully coordinated with a formal agreement or managed by the entity that owns the SCIF;

(3)  Controlled office areas adjacent to or surrounding SCIFs that are protected by alarm equipment installed in accordance with manufacturer’s instructions.  These controls must be fully coordinated with a formal agreement or managed by the entity that owns the SCIF; or

(4)  Fenced compounds with access controlled vehicle gate and/or pedestrian gate.

12 FAM 715.4  Requirements for Department Sensitive Compartmented Information Facilities

(CT:DS-258;   06-13-2016)

INR will determine when there are clear operational requirements for new Department SCIFs and when existing SCIFs are not adequate to support the requirement.  INR will also revalidate the requirements for an existing Department SCIF when an office moves to a new location.  DS/IS/SSO must document and maintain the requirements justifying a new SCIF or revalidating a relocated SCIF with accreditation records by DS/IS/SSO.

12 FAM 715.4-1  Domestic Sensitive Compartmented Information Facilities

12 FAM 715.4-1(A)  Concept Approval

(CT:DS-258;   06-13-2016)

a. Bureaus requesting establishment of a new SCIF or to relocate a SCIF within their office must submit a request in writing to DS/IS/SSO stating the purpose and requirements for the SCIF.  This request will be reviewed by DS/IS/SSO and coordinated with other offices falling under the Office of the Under Secretary of Management (M).  DS/IS/SSO will submit a request to INR to approve the SCIF concept.

b. All costs associated with the establishment of a SCIF, including construction and travel for surveys and inspections will be borne by the requesting bureau.

12 FAM 715.4-1(B)  Survey

(CT:DS-258;   06-13-2016)

Once the SCIF concept has been approved by the IC element head, DS/IS/SSO will conduct a physical survey of the space to determine requirements for meeting SCIF physical security standards.  DS/IS/SSO must approve all designs for new SCIF construction.

12 FAM 715.4-1(C)  Waivers

(CT:DS-258;   06-13-2016)

The requesting bureau is responsible for submitting a written waiver request to DS/IS/SSO if any requirement of ICD 705 cannot be met or mitigated.  DS/IS/SSO will submit the requested waiver to INR for approval.

12 FAM 715.4-1(D)  Changes To Existing Sensitive Compartmented Information Facilities

(CT:DS-258;   06-13-2016)

a. The SSR must contact DS/IS/SSO prior to initiating any construction or modification to a Department SCI facility that requires physical alteration.  DS/IS/SSO must approve the plans for all renovations and physical modifications of existing SCIFs.

b. The requesting bureau SSR must notify DS/IS/SSO before the introduction of equipment (fire equipment, alarm equipment, fax machines, telecommunications equipment, etc.) into a Department SCIF.  Equipment must be authorized by DS prior to introduction and use.

c.  The requesting bureau SSR must also notify DS/IS/SSO before automated information systems or other forms of electronic processing systems within the SCIF are added or changed.  The equipment must be authorized by DS and the system must be accredited as required by ICD 503 and related guidance before it is used for SCI.

d. Routine maintenance (such as changing light bulbs, copier repairs, and computer maintenance) is the responsibility of each bureau and does not require prior coordination with DS/IS/SSO, however proper security procedures for uncleared personnel must be followed.  Department personnel must notify the requesting bureau BSO or the facility SSR prior to any routine maintenance work.

12 FAM 715.4-1(E)  Site Security Manager (SSM)

(CT:DS-258;   06-13-2016)

A site security manager (SSM) is the single point of contact regarding SCIF security and is the individual responsible for all security aspects of the SCIF construction.  Within the Department, the duties of the SSM may be carried out by a Facilities Security Division (DS/PSP/FSD) project manager.  The SSM is responsible for the following:

(1)  Ensure SCIF security requirements are implemented and advise DS/IS/SSO of compliance or variances;

(2)  In consultation with DS/IS/SSO, develop a construction security plan (CSP) regarding implementation of SCIF security standards.  (This document will include actions required to document the project from start to finish);

(3)  Conduct periodic security inspections for the duration of the project to ensure compliance with the CSP;

(4)  Document security violations or deviations from the CSP and notify DS/IS/SSO within three business days; and

(5)  Ensure that procedures to control site access are implemented.

12 FAM 715.4-1(F)  Risk Assessment

(CT:DS-258;   06-13-2016)

DS/IS/SSO and the SSM must evaluate each proposed SCIF for threats, vulnerabilities, and assets to determine the most efficient countermeasures required for physical and technical security.  Based on a risk assessment, mitigation of a standard may be more practical or efficient.  Mitigations are verifiable, non-standard methods that are approved by DS/IS/SSO to effectively meet the physical/technical security protection level(s) of the standard.  DS/IS/SSO will document its approval to confirm that the mitigation is at least equal to the physical/technical security level of the standard.

12 FAM 715.4-1(G)  Accreditation

(CT:DS-258;   06-13-2016)

DS/IS/SSO will accredit the space as a SCIF upon completion of construction.  DS/IS/SSO will notify the requestor of the accreditation, allowing operations to begin.  SCIF operations may not commence until DS/IS/SSO grants the final accreditation.  DS/IS/SSO retains copies of all documentation for Department SCIFs.

12 FAM 715.4-1(H)  Construction Security Plan (CSP)

(CT:DS-258;   06-13-2016)

a. The project manager will develop a CSP for each project that will be approved by DS/IS/SSO (see 12 FAM Exhibit 715.4-1(H)) prior to any modification of space for a new SCIF, renovations of an existing SCIF, or awarding a construction contract to build a SCIF.

b. A CSP outlines security protective measures that will be applied to each phase of the construction project.  The requirements described in this plan provide the baseline for construction security activities and may be supplemented as required but may not be reduced without coordination and approval from DS/IS/SSO.

c.  Construction security plans and all related documents will be handled and protected in accordance with the security classification guidance stated in the CSP.

d. For SCIF renovation projects within an existing SCIF, barriers must be installed to segregate construction workers from operational activities and provide protection against unauthorized access and visual observation.  Specific guidance must be contained in the CSP.

e. The SSM or designee will conduct periodic security inspections for the duration of the project to ensure compliance with construction design and security standards.

f.  Construction and design of SCIFs should be performed by U.S. companies using U.S. citizens to reduce risk, but may be performed by U.S. companies using a non-U.S. citizen who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20), or who is a protected individual as defined by 8 U.S.C. 1324b(a)(3).  DS/IS/SSO will ensure mitigations are implemented when using non-U.S. citizens.  These mitigations must be documented in the CSP.

g. When SCIF renovations require that construction personnel enter an operational SCIF, they must be cleared or be escorted by personnel cleared to the accreditation level of the SCIF.  SCI indoctrinated escorts may not be required when a barrier has been constructed to separate the SCIF from the areas identified for construction.

h. The CSP must document all site control measures.  Among the control measures that may be considered are:

(1)  Identity verification;

(2)  Random searches at site entry and exit points;

(3)  Signs at all entry points listing prohibited and restricted items (e.g., cell phones, cameras, explosives, drugs, etc.).  Firearms are also prohibited except for law enforcement, military and other civilian personnel authorized to carry official firearms; and

(4)  Physical security barriers to deny unauthorized access.

12 FAM 715.4-2  Sensitive Compartmented Information Facilities Abroad

(CT:DS-258;   06-13-2016)

The process for establishing or modifying a SCIF overseas is similar to the process for domestic SCIFs.  Posts must keep in mind, however, that in addition to ICD 705, all OSPB requirements must be met.  Additionally, all requests must be coordinated with the Bureau of Overseas Building Operations (OBO).

12 FAM 715.4-2(A)  Concept Approval

(CT:DS-258;   06-13-2016)

a. Posts requesting establishment of a new SCIF or to relocate a SCIF within their space must submit a request in writing to DS/IS/SSO stating the purpose and requirements for the SCIF.  DS/IS/SSO will review the request and coordinate with any other stakeholders, and submit it to INR to approve the SCIF concept.

b. All costs associated with the establishment of a SCIF, including construction and travel for surveys and inspections will be borne by the requesting post.

12 FAM 715.4-2(B)  Survey

(CT:DS-258;   06-13-2016)

Once the SCIF concept has been approved by the IC element head, DS/IS/SSO will conduct a physical survey of the space to determine requirements for meeting SCIF physical security standards.  DS/IS/SSO must approve all designs for new SCIF construction.

12 FAM 715.4-2(C)  Waivers

(CT:DS-258;   06-13-2016)

The requesting post is responsible for submitting a written waiver request to DS/IS/SSO if any requirement of ICD 705 cannot be met or mitigated.  DS/IS/SSO will submit the requested waiver to INR for approval.  All SCIFs abroad that fall under COM authority must also comply with 12 FAH-6 H-626 and other OSPB standards.  When conflict between requirements occurs, the stricter requirement applies.  OSPB exception requests must be submitted to the Physical Security Division (DS/PSP/PSD) in accordance with 12 FAH-5 H-210.

12 FAM 715.4-2(D)  Changes To Existing Sensitive Compartmented Information Facilities

(CT:DS-258;   06-13-2016)

a. The SSR must contact DS/IS/SSO prior to initiating any construction or modification to a Department SCI facility that requires physical alteration.  DS/IS/SSO must approve the plans for all renovations and physical modifications of existing SCIFs.  Post will coordinate construction with OBO and DS in accordance with 12 FAM 360 and DS/IS/SSO.

b. The requesting bureau SSR must notify DS/IS/SSO before the introduction of equipment (fire equipment, alarm equipment, fax machines, telecommunications equipment, etc.) into a Department SCIF.  Equipment must be authorized by DS prior to introduction and use.

c.  The requesting post SSR must also notify DS/IS/SSO before automated information systems or other forms of electronic processing systems within the SCIF are added or changed.  The equipment must be authorized by DS and the system must be accredited as required by ICD 503 and related guidance before it is used for SCI.

d. Routine maintenance (e.g, changing light bulbs, copier repairs, and computer maintenance) is the responsibility of each post and does not require prior coordination with DS/IS/SSO, however proper security procedures for uncleared personnel must be followed.  Department personnel must notify the RSO or the facility SSR prior to any routine maintenance work.

12 FAM 715.4-2(E)  Site Security Manager (SSM)

(CT:DS-258;   06-13-2016)

OBO will appoint an (SSM) for construction of Department SCIFs at post.  The SSM is the single point of contact regarding SCIF security and is the individual responsible for all security aspects of the SCIF construction.  The SSM is responsible for the following:

(1)  Ensure SCIF security requirements are implemented and advise DS/IS/SSO of compliance or variances;

(2)  In consultation with DS/IS/SSO, develop a construction security plan (CSP) regarding implementation of SCIF security standards.  This document will include actions required to document the project from start to finish;

(3)  Conduct periodic security inspections for the duration of the project to ensure compliance with the CSP;

(4)  Document security violations or deviations from the CSP and notify DS/IS/SSO within three business days; and

(5)  Ensure that procedures to control site access are implemented.

12 FAM 715.4-2(F)  Risk Assessment

(CT:DS-258;   06-13-2016)

DS/IS/SSO and the SSM should evaluate each proposed SCIF for threats, vulnerabilities, and assets to determine the most efficient countermeasures required for physical and technical security.  Based on a risk assessment, mitigation of a standard may be more practical or efficient.  Mitigations are verifiable, non-standard methods that are approved by DS/IS/SSO to effectively meet the physical/technical security protection level(s) of the standard.  DS/IS/SSO will document its approval to confirm that the mitigation is at least equal to the physical/technical security level of the standard.

12 FAM 715.4-2(G)  Accreditation

(CT:DS-258;   06-13-2016)

DS/IS/SSO will accredit the space as a SCIF upon completion of construction.  DS/IS/SSO will notify the requestor of the accreditation, allowing operations to begin.  SCIF operations may not commence until DS/IS/SSO grants the final accreditation.  DS/IS/SSO retains copies of all documentation for Department SCIFs.

12 FAM 715.4-2(H)  Construction Security Plan (CSP)

(CT:DS-258;   06-13-2016)

a. The project manager will develop a CSP for each project that will be approved by DS/IS/SSO (see 12 FAM Exhibit 715.4-1(H)) prior to any modification of space for a new SCIF, renovations of an existing SCIF, or awarding a construction contract to build a SCIF.

b. A CSP outlines security protective measures that will be applied to each phase of the construction project.  The requirements described in this plan provide the baseline for construction security activities and may be supplemented as required but may not be reduced without coordination and approval from DS/IS/SSO.

c.  Construction security plans and all related documents will be handled and protected in accordance with the security classification guidance stated in the CSP.

d. For SCIF renovation projects within an existing SCIF, barriers must be installed to segregate construction workers from operational activities and provide protection against unauthorized access and visual observation.  Specific guidance must be contained in the CSP.

e. The SSM or designee will conduct periodic security inspections for the duration of the project to ensure compliance with construction design and security standards.

f.  Construction and design of SCIFs should be performed by U.S. companies using U.S. citizens to reduce risk, but may be performed by U.S. companies using non-U.S. citizens (an individual who has been lawfully admitted for permanent residence as defined in 8 U.S.C. 1101(a)(20) or who is a protected individual as defined by Title 8 U.S.C. 1324b(a)(3)).  DS/IS/SSO will ensure mitigations are implemented when using non-U.S. citizens.  These mitigations must be documented in the CSP.

g. When SCIF renovations require that construction personnel enter an operational SCIF, they must be cleared or be escorted by personnel cleared to the accreditation level of the SCIF.  SCI indoctrinated escorts may not be required when a barrier has been constructed to separate the SCIF from the areas identified for construction.

h. The CSP must document all site control measures.  Among the control measures that may be considered are:

(1)  Identity verification;

(2)  Random searches at site entry and exit points;

(3)  Signs at all entry points listing prohibited and restricted items (e.g., cell phones, cameras, explosives, drugs, etc.).  Firearms are also prohibited except for law enforcement, military, and other civilian personnel authorized to carry official firearms; and

(4)  Physical security barriers to deny unauthorized access.

12 FAM 715.5  Tenant Agency SCIFs

(CT:DS-258;   06-13-2016)

a. Other U.S. Government agencies have SCIFs located in Department facilities.  These tenant SCIFs are accredited by the tenant AO.  AOs are responsible for complying with ICD 705.  AOs are allowed to use mitigation strategies to meet the requirements of ICD 705.  A tenant IC element head may also grant waivers to ICD 705.

b. Tenant agencies will coordinate with DS/IS/SSO to establish SCIFs in domestic Department facilities.

c.  All SCIFs abroad that fall under COM authority must comply with 12 FAH-6 H-626, other OSPB standards and ICD 705.  When conflict between requirements occurs, the stricter requirement applies.  Exception requests must be submitted to DS/PSP/PSD in accordance with 12 FAH-5 H-210 if SCIFS do not meet OSPB standards.  Use of mitigation strategies or waivers of ICD 705 standards do not require exception requests so long as the facility meets 12 FAH-6 H-500 OSPB standards.

d. The requesting tenant agency will bear all costs associated with the establishment of a tenant SCIF.

12 FAM 715.6  Emergency Response to SCIFS

(CT:DS-258;   06-13-2016)

a. The bureau or post must develop, have approved, and maintain an emergency response plan for each accredited SCIF to satisfactorily address entrance of emergency personnel (e.g., police and firefighters) into a SCIF, the physical protection of those working in such SCIFs including evacuation plans for personnel, and secure removal or emergency destruction of SCI.

b. Emergency personnel and equipment will be allowed access to SCIFs and be escorted to the degree practical consistent with safety considerations as determined by the senior emergency responder on site.  If exposed to classified information, they will be asked to sign an inadvertent disclosure statement when feasible.

12 FAM 715.7  Technical Surveillance Countermeasures

(CT:DS-258;   06-13-2016)

DS/IS/SSO will ensure technical surveillance countermeasures surveys of Department SCIFs are conducted in accordance with ICD 702, Technical Surveillance Countermeasures, (TSCM) and related standards.  DS/IS/SSO will coordinate with the Technical Surveillance Countermeasures Branch (DS/CMP/TSC) on the requirements for and the conduct of all TSCM surveys of SCIFs.  Government-owned equipment needed to conduct SCIF inspections will be admitted into the SCIF without delay.

12 FAM 715.8  TEMPEST

(CT:DS-258;   06-13-2016)

Certified TEMPEST technical authorities (CTTAs) will:

(1)  Review Department SCIF construction or renovation plans to determine if TEMPEST countermeasures are required and recommend solutions.  To the maximum extent practicable, TEMPEST mitigation requirements will be incorporated into the SCIF design; and

(2)  Provide DS/IS/SSO with documented results of the review with recommendations.

12 FAM 715.9  Reciprocity And Co-Utilization

(CT:DS-258;   06-13-2016)

a. Department SCIFs accredited without a waiver of DNI security requirements are available for reciprocal use unless exempted based on conditions or deviations from DNI standards or mission need.

b. Department SCIFs may be co-utilized by other agencies provided they have a co-utilization agreement approved by the AO or designee.  Co-utilization is the mutual agreement among two or more Government organizations to share the same SCIF.  Organizations desiring to co-utilize a SCIF must accept current accreditations unless there is a waiver of DNI standards.  Visitors from other agencies may provide briefings in a SCIF without a co-utilization agreement.

12 FAM 715.10  Termination And De-Accreditation

(CT:DS-258;   06-13-2016)

When a bureau or post determines that a Department SCIF is no longer required, they must contact DS/IS/SSO to initiate action to terminate the accreditation of the facility.  The bureau must send a request memo to DS/IS/SSO requesting termination of the accreditation of the facility.  DS/IS/SSO will provide guidance on procedures regarding termination.

12 FAM 715.11  General Physical Security

(CT:DS-258;   06-13-2016)

a. SCIF entrance doors must have with an access control device (either an electronic card reader or a DS-approved day-time access lock), an alarm sensor, and a DS-approved three-position dial-type combination lock with deadbolt that meets Federal Specifications FF-L 2740A (combination lock) and FF-L 2890 (deadbolt).  SCIFs may also have emergency exits equipped with deadbolt locking panic hardware, and a local enunciator.  At no time may a door be propped open or left ajar.

b. Combinations to locks and access control devices should be changed when first installed or used, when a person has been debriefed and no longer requires access, or whenever there is a possibility that the combination is compromised.  Combinations to three-position dial-type combination locks installed on SCIF doors, access control devices (e.g., Unicam), and SCIF security containers containing SCI must be recorded on a Standard Form (form SF-700, Security Container Information).  Form SF-700 will be filled in/prepared in a SCIF, marked TS/SCI, and transported in accordance with SCI control procedures and stored in another SCIF.  DS/IS/SSO will provide assistance if a second SCIF is not available to store the form SF-700.

c.  Only authorized personnel with SCI access and appropriate lock training may change lock combinations.

d. The form SF-700 on file will be updated periodically to reflect changes in personnel and their contact information.

e. SCIFs located domestically must have an alarm system monitored by the Security Support Division (DS/DFP/SSD).  SCIFs located abroad must have an alarm system monitored by Marine security guards (MSGs).  SCIFs in COM facilities abroad without a 24/7 MSG may have additional separate remote monitoring capabilities, as approved by DS.

f.  Department SCIFs:

(1)  DS/IS/SSO must be advised of any serious problems with Department SCIFs (such as repeated lock failures or alarm activations), lengthy delays when locks and/or alarms cannot be activated, and when the problem has been solved; and

(2)  The SSR must report alarm/IDS equipment, door, lock, or other malfunctions of Department SCIFs to the facility SSR or bureau BSO domestically or to the RSO or security engineering officer (SEO) when located overseas.

g. SCIFs that cannot be properly secured by combination locks afterhours must be monitored by a SCI-authorized individual physically present either inside the SCIF or outside the closed door until the lock is fixed.  SCIFs with nonfunctioning alarms must be locked after hours and inspected a minimum of hourly to ensure the door is secured.

h. Only SCI-indoctrinated personnel may have access to SCIF alarms for opening and closing the SCIF.  Once SCI access has been confirmed, the SSR will request that badges be programmed for card reader access (if applicable) and/or operation of the SCIF alarm system.

12 FAM 716  AUTOMATED INFORMATION SYSTEMS (AIS) SECURITY

(CT:DS-258;   06-13-2016)

a. An authorizing official (AO) must accredit all AIS used for processing SCI information in accordance with ICD 503.  In accordance with INR/DS MOA dated 18 April 2016, the chief of IT for INR is the AO for Department SCI systems that fall under the requirements of ICD 503.

b. The AO must approve all Department AIS operational capabilities (e. g., print, scan, USB and/or other types of data ports, CD and/or DVD drives, etc.) for State SCI systems.

c.  Other Government agencies with SCI level AIS in Department SCIFs will accredit their own systems and provide documentation of system certification to DS/SI/IS.  Tenant agencies that accredit their space as SCIFs and operate independent AIS do not need to provide system accreditations to DS/SI/IS.

12 FAM 717  Sensitive compartmented information facility OPERATIONS

12 FAM 717.1  Sensitive Compartmented Information Facility Use

12 FAM 717.1-1  Opening a Sensitive Compartmented Information Facility

(CT:DS-258;   06-13-2016)

Record initials and dates of all openings and closings of a Department SCIF on form SF-702, Security Container Check Sheet.  Retain form SF-702 for 90 days from the date of last entry and then destroy unless an incident has occurred that would warrant longer retention.  Forms involved in investigations will be retained until completion of the investigation.

12 FAM 717.1-2  Facilities In-Use Condition

(CT:DS-258;   06-13-2016)

a. To preclude entry by unauthorized personnel, access to an accredited SCIF must be controlled.  When the SCIF is in-use, an SCI-indoctrinated person must be present in the SCIF at all times when the SCIF is open or the SCIF must be under visual control (line of sight) of an SCI-indoctrinated person at all times to prevent unauthorized entry.

b. Use of automated access control systems to control access to in-use SCIFs may be permitted where continuous visual observation is not possible.  DS/IS/SSO must specifically authorize all such procedures in writing.

c.  The door(s) to the SCIF must be closed and all windows covered during operations to prevent visual observation of classified material (SCI or collateral).

12 FAM 717.1-3  Facilities Not In-Use Condition

(CT:DS-258;   06-13-2016)

When not in-use, the SCIF entrance must be closed and secured (alarmed and locked with the combination lock.)  The access control device by itself is not adequate to secure a SCIF when it is unattended (i.e., when the SCIF is unoccupied and the SCIF entrance is not under the visual control of an SCI-indoctrinated individual.)  Leaving a SCIF unsecured is a security violation.

12 FAM 717.2  Sensitive Compartmented Information Facility Access

12 FAM 717.2-1  New Staff, New Arrivals

(CT:DS-258;   06-13-2016)

Bureau or post SSRs must provide an orientation brief discussing procedures and guidelines for using the Department SCIF to all newly-arrived personnel after DS/IS/SSO grants or confirms their access to SCI.

12 FAM 717.2-2  Access Rosters

(CT:DS-258;   06-13-2016)

The SSR will maintain current access rosters located inside the door at the SCIF point of entry.  The access rosters will list all persons who are authorized access to the SCIF.

12 FAM 717.2-3  Visitors

(CT:DS-258;   06-13-2016)

a. A visitor is any individual, indoctrinated into SCI or not, who is not employed by or detailed to the bureau or post and/or who is not listed on the SCIF access roster.  Conduct access by foreign national employees to post SCIFs in compliance with 12 FAH-6 H-500 OSPB standards.  Enter all visitors into the visitor log (see 12 FAM 717.2-4, below).

b. Department employees, contractors, and other authorized personnel with a ‘five’ on their domestically issued Department badge have SCI (SI/TK/G/HCS) access.  The five is preceded by an S (for Department employee), N (for contractor), and O (for other Government organizations).  Do not assume a visitor has SCI access.  Verify SCI access using the RSO Security Management Console, or through the DS/IS/SSO Access Control Team.  The Access Control Team can also be reached via email at “DS_SSO” on either CLASSNET or OPENNET.

c.  In some cases, Five Eyes (FVEY) visitors may have reciprocal SCI access; however these visitors will not be approved for access to all compartments.  The office sponsoring the visitor should contact DS/IS/SSO as soon as they are made aware of the visitor's access requirements, as guidance will be provided on a case-by-case basis.

d. Non-SCI indoctrinated personnel (including all maintenance and cleaning crews) may enter the SCIF only when SCI material is not present, or the SCIF is sanitized (i.e., SCI discussions, handling, and electronic processing cease, and all SCI documents are covered or stored).

e. Prior to granting access to non-SCI indoctrinated personnel, there should be an announcement or notification to all SCIF occupants that there will be non-SCI indoctrinated personnel entering the facility.  All TS/SCI material, operations and discussions must cease until the uncleared personnel have departed.  This includes covering or securing all TS/SCI material, turning off all TS/SCI systems, and ceasing all SCI conversations.  Non-SCI indoctrinated personnel entering the SCIF must be continuously escorted (close proximity, never left unattended in the facility).  An SCI indoctrinated person from the bureau or post familiar with the security procedures of that SCIF must escort the non-SCI indoctrinated person at all times to prevent a compromise.  All visitors must be under the continuous escort ratio of one appropriately TS/SCI personnel to two escorted persons.

f.  Before entering the SCIF, visitors must be asked by the person granting access if they have Portable Electronic Devices (PEDs) (see 12 FAM 718) in their possession.  If so, they cannot enter until the device has been secured outside/away from the facility and preferably turned off.  Many facilities provide boxes for this purpose.

g. Emergency personnel and equipment will be allowed access to SCIFs escorted to the degree practical consistent with safety considerations as determined by the senior emergency responder on site.  Emergency personnel will be asked to sign an inadvertent nondisclosure agreement when feasible (see 12 FAM 715.6 paragraph b) if exposed to classified information.

12 FAM 717.2-4  Visitor Logs

(CT:DS-258;   06-13-2016)

All visitors, regardless of clearance/access level, must be recorded in the SCIF visitor’s log when entering the SCIF.  The visitor log must list the visitor’s full printed name, organization, citizenship, badge number (if applicable), point of contact, date and time of visit, and the reason for the visit.  The visitor log must be retained for two years after the date of last entry and then destroyed.  Where applicable, Government-issued identification will be required as positive identification.

12 FAM 718  PORTABLE ELECTRONIC DEVICES (PEDS)

12 FAM 718.1  Personally Owned Portable Electronic Devices

12 FAM 718.1-1  Personally Owned Portable Electronic Devices Policy 

(CT:DS-258;   06-13-2016)

a. Personally owned PEDs with recording (photographic, video or audio) or transmission (radio frequency, wireless, wi-fi, etc.) capabilities are prohibited in Department SCIFs, including but not limited to cell phones, PDAs, tablets, personal computers, MP3 players, iPods, e-readers, mobile hotspots, wireless fitness devices, personal GPS, Bluetooth devices, smartwatches, Fitbits, and devices such as Google Glasses.

b. The prohibition against PEDs in Department SCIFs does not apply to equipment needed for medical or health reasons.  The SSR must document these items with DS/IS/SSO via a signed memo.

c.  In an emergency situation, admit equipment used by emergency responders (e.g., fire, police, medical personnel, etc.) into a SCIF without restriction or inspection.

d. This guidance is in addition to the requirements stated in 12 FAH-6 H-652 for posts.

12 FAM 718.1-2  Other Personally Owned Electronic Devices Permitted in SCIFs

(CT:DS-258;   06-13-2016)

Other electronic devices without recording or transmission capabilities such as calculators, electronic spell-checkers, wristwatches, data diaries not equipped with data-ports, receive-only pagers, receive-only radios, and audio and video equipment with no “record” features, etc., are permitted in a Department SCIF.  Introduction of such electronic devices must be coordinated with the BSO, facility SSR, or RSO:

(1)  Due to the possibility of technical compromise, electronic equipment approved for introduction into a SCIF should not be routinely removed from and re-introduced into the SCIF; and

(2)  Such items are subject to technical and/or physical inspection at any time.

12 FAM 718.2  GOVERNMENT-OWNED PORTABLE ELECTRONIC DEVICES (PED)

12 FAM 718.2-1  Domestic Facilities

(CT:DS-258;   06-13-2016)

Government-owned PEDs are not permitted in any Department SCIFs without the express written approval of DS/IS/SSO.  When possible, use existing approved PEDs and make all efforts to transmit briefing material by secure means (electronic, CD, etc.) instead of introducing outside equipment into a SCIF.  When it is necessary to use an outside PED for the presentation of briefings, DS/IS/SSO must be contacted at least three days in advance by the bureau SSR.  This allows time for DS/IS/SSO to coordinate security requirements with the SSR.

12 FAM 718.2-2  Posts Abroad

(CT:DS-258;   06-13-2016)

Government PEDs are not permitted in any Department SCIFs without the express written approval of the RSO in accordance with 12 FAH-6 H-540.  Existing approved PEDs should be used when possible.  Make all efforts to transmit briefing material by secure means (e.g., electronic, CD, etc.) instead of introducing outside equipment into a SCIF.  When it is necessary to use a PED for briefings, the post RSO must be contacted at least three days in advance by the SSR.  This allows time for the RSO to coordinate security requirements with the SSR.

12 FAM 718.2-3  General

(CT:DS-258;   06-13-2016)

a. Once approval is granted to bring a Government PED into a Department SCIF, an SCI-indoctrinated person must maintain control over the PED during the entire time it is in the SCIF and ensure it is removed at the conclusion of the briefing.

b. PEDs are not allowed to be connected to any information system within the SCIF.

12 FAM 719  Information Security

12 FAM 719.1  Standard Classification Marking Requirements For Sensitive Compartmented Information

(CT:DS-258;   06-13-2016)

a. SCI documents are classified as Confidential, Secret, or Top Secret.  Classification guides issued by SCI compartment program managers are used to classify SCI information.  SCI control system(s) markings (below) will always follow the classification and be spelled out or abbreviated as indicated.

b. Apply standard security classification markings (i.e., classification authority and declassification markings) to SCI according to ICD 710 and supporting guidance.  The classification and control markings system established by ICD 710 is implemented through the Controlled Access Program Coordination Office’s (CAPCO) Authorized Classification and Control Markings Register and the Intelligence Community Classification and Control Markings Implementation Manual.

12 FAM 719.2  Control Markings For Sensitive Compartmented Information Documents

(CT:DS-258;   06-13-2016)

a. The following are proper SCI control system markings including sample header/footer markings and portion (paragraph) markings.  (See 12 FAM Exhibit 719.2 for proper placement of SCI headers, footers, and portion markings).  Dissemination controls, such as NOFORN (NF) and ORCON (OC), may be required in the headers, footers, and portion markings of SCI documents but are not unique to SCI.  The classification, control system markings, and dissemination controls will be separated by double forward slashes.  Multiple control system markings or dissemination controls will be divided by single forward slashes (see Combined Control Markings, below.)

b. Other SCI compartments or caveats no longer in use may appear in historical documents, e.g., COMINT, BYE, UMBRA, SPOKE, ZARF, RUFF, or Handle Via [SCI compartment] Channels Only (e.g., HVCCO meaning Handle Via COMINT Channel Only) or Handle Via [two or more SCI compartments] Channels Jointly (HVCTKCJ meaning COMINT and TK channel.)  These documents must be treated as SCI unless clearly marked as unclassified or no longer controlled by an SCI control system.  Contact the Document Control Branch (DS/SSO/DCB) for guidance on any unfamiliar caveats.

c.  Classification and control requirements apply to information regardless of the medium (e.g., text, image, graphics, and electronic documents, including web pages, wikis, and blogs).

12 FAM 719.3  Sensitive Compartment Information Letters, Memoranda And Facsimile Transmissions

(CT:DS-258;   06-13-2016)

a. Transmittal cover letters or memoranda that are unclassified or of a lower classification must include a banner line with the highest classification level and most restrictive controls of any classified information attached or enclosed, portion marks, and a classification authority block for the aggregate of all information transmitted.  The transmittal document shall also include conspicuously on its face the following instruction: "Upon removal of Attachments, this document is [Classification level]."

b. Conspicuously mark the top and bottom of individual header sheets used to precede the transmission of SCI material by secure facsimile with the highest security classification of the transmitted material.  Mark appropriate classification and control markings prominently on header sheets.

12 FAM 719.4  Specialized Media Labeling Requirements For Sensitive Compartmented Information

(CT:DS-258;   06-13-2016)

Graphic arts material (e.g., visual aids, maps, art work, blueprints, videos, etc.) must be marked with the assigned classification and applicable SCI control system under the legend, title block, or scale, and at the top and bottom in such a manner as to be reproduced on all copies.

12 FAM 719.5  Cover Sheets

(CT:DS-258;   06-13-2016)

a. In order to be readily identifiable, SCI documents should have either a colored-broken border coversheet or color-coded bars in the upper right-hand corner on the cover page.  The color coding indicates the different SCI compartments.  The broken borders are red for COMINT or SI; black for TK, and blue for HCS.

b. When SCI coversheets are not present, look for the control system marking after the classification as described above.  SCI coversheets can be obtained from unit security officers, SSR, or DS/SSO/DCB.

NOTE:  Collateral (non-SCI classified) coversheets (orange, red, or deep blue solid borders) used for Top Secret, Secret, and Confidential documents are not authorized for use with SCI.

12 FAM 719.6  Sensitive Compartmented Information Handling Policies

(CT:DS-258;   06-13-2016)

a. Only SCI-indoctrinated individuals may handle SCI in accredited SCIFs.  Only SCI-indoctrinated individuals may transport SCI from one SCIF to another.  SCI must be transmitted from one SCIF to another in a manner that ensures it is properly protected.

b. Domestic handling:

(1)  Transport SCI between SCIFs or SWAs within a Department building in a locked container (briefcase or pouch [key removed]) or double wrapped.  Double wrap SCI when transported outside a building; a locked container may serve as the outer wrapper;

(2)  The outer wrapper or locked container must be marked with a notation such as "PROPERTY OF THE US GOVERNMENT TO BE RETURNED UNOPENED TO [name of appropriate organization and a telephone number that will be manned at all times]."  Mark the inner wrapper with the classification of the contents and the address of the recipient; and

(3)  Coordinate with DS/SSO/DCB before transferring hard copy SCI out of the Department.  When transporting SCI outside of Department buildings, a written record (form DS-112, Classified Material Receipt may be used) of the SCI transported from a building must be retained in the sender’s office.

c.  Overseas handling:

(1)  SCI is not authorized for transport overseas and will be transmitted electronically on authorized systems; and

(2)  SCI material may be hand carried between SCIFs within overseas posts.  Proper wrapping procedures must be followed when this occurs.  SCI material cannot be left unattended in non-SCIF mission offices or in the custody of personnel not indoctrinated into SCI access.  Mission personnel will not be granted access to SCI solely for the purpose of acting as custodians of SCI material.  SCI cleared personnel are responsible for control of SCI material and will be held accountable for any inappropriate handling of SCI material.

12 FAM Exhibit 713.2-5  
Form NDA 4414, Sensitive Compartmented Information NonDisclosure Agreement

(CT:DS-258;   06-13-2016)

12 FAM Exhibit 715.4-1(H)  
Construction Security Plan

(CT:DS-258;   06-13-2016)

a. Site Security Manager: (identify the SSM and contact information)

b. Statement of Construction Project: (provide a description of the proposed work)

c.  Existing SCIF ID (if project is associated with currently accredited SCIF)

d. Location of Work: (address/location)

e. Estimated Start Date: (estimated date construction will begin)

f.  Estimated Completion Date: (estimated date construction will end)

g. Has a Risk Assessment Been Completed: (if yes, attach copy)

h. Security in Depth (SID) Documentation: (Document the layers of protection offered at the site, such as security fencing or walls, roving guards, CCTV coverage, and controlled and/or limited access buffers to facility)

i.  Adjacencies to Consider: (include a description of adjacent facilities to include other classified agencies, activities, and presence of foreign nationals operating in adjacent spaces on all six sides of the proposed SCIF)

j.  Control of Construction Plans and Documents: (Describe how construction plans and all related documents will be handled and protected)

k. Control of Operations if a Renovation Project: (describe barriers that will be installed to segregate construction workers from operational activities)

l.  Procurement, Shipping and Storage of Building/Finishing Material: (If required by the SSO, describe security measures to ensure integrity of building materials and/or finishing materials.) 

m. Construction Workers: (for construction workers, provide information to verify U.S. citizen/person status, clearances if required, and/or mitigations employed.)

n. Site Security: (Identify plans to secure construction site, to include any proposed fences, guards, CSTs, escorts, etc.)

o. Security Administration: (list security documentation and retention requirements that will be maintained by the SSM (i.e., visitor logs, names of construction workers, security incidents, etc.)

12 FAM Exhibit 719.2  
Control Markings for SCI Documents

(CT:DS-258;   06-13-2016)