DM 3440-001
Department
of
Agriculture
Departmental Administration
Office of Security Services
Personnel and Document Security Division
USDA Classified National Security
Information Program Manual
DM 3440-001
TABLE OF CONTENTS
Chapters Page
Sections
1 GENERAL INFORMATION 4
1 Purpose 4
2 Scope 4
3 Authority 4
4 Cancellation 4
5 Responsibility 5
6 Waivers 8
2 CLASSIFICATION 10
1 Original 10
2 Derivative Classification 13
3 Classified Foreign Government Information 13
4 Non-USDA Agency Classified Information 14
3 DECLASSIFICATION AND REGRADING 15
1 Declassification 15
2 Regrading 15
4 MARKING 17
1 General 17
2 Original Classification Marking 17
3 Derivative Classification Marking 19
4 Overall Document and Non-Document Marking 20
5 Files or Folders Containing Classified Documents 22
6 Marking Classified Working Papers 22
7 Marking Electronically Transmitted Messages 23
8 Marking of Foreign Government Information (FGI) 23
9 Warning Notices and Special Handling Instructions 24
5 SAFEGUARDING 28
1 Storage of Classified Materials 28
2 Requesting Accreditation for a Secure Room 29
3 Security Containers 31
4 Intellectual Property 33
5 North Atlantic Treaty Organization Information 34
6 DISTRIBUTION OF CLASSIFIED INFORMATION 35
1 Preparing Classified Information/Material for 35
Distribution
2 Mailing Services Within and Between the 36
or
3 Transmission Methods for Classified Information 37
to a
the
4 Releasing USDA Classified Information to 38
Foreign Entities
5 Electronic Transmission of Classified Information 38
6 Hand Carrying Classified Information 39
7 Meetings and Conferences (Classified) 41
8 Contractors 42
7 DISPOSAL AND DESTRUCTION 44
1 General 44
2 Destruction Policy 44
3 Methods of Destruction 44
4 Record of Destruction for Accountable Material 45
5 Destruction of Classified Media 45
6 Bulk Destruction 46
7 Reproduction of Classified Material 46
8 Disposal of Equipment 47
8 SELF-INSPECTIONS 48
1 General 48
2 Frequency 48
3 Inspection Coverage 48
9 LOSS, POSSIBLE COMPROMISE, OR 49
UNAUTHORIZED DISCLOSURE OF CLASSIFIED
INFORMATION
1 General 49
2 Discovery 49
3 Investigation of Discovery 49
4 Report Conclusions 49
5 Security Infractions and Violations 50
6 Corrective Actions 51
10 SECURITY EDUCATION AND TRAINING 52
1 General 52
2 Security and Education Program Requirements 52
3 Responsibilities 52
11 EMERGENCY RELEASE OF CLASSIFIED 54
INFORMATION AND PROTECTION OF
CLASSIFIED INFORMATION
1 Emergency Release of Classified Information 54
2 Protecting Classified Information During an 55
Emergency
APPENDICES
A REFERENCES A-1
B DEFINITIONS B-1
C MANDATORY DECLASSIFICATION REVIEW C-1
PROCESS
D EQUIVALENT FOREIGN SECURITY D-1
CLASSIFICATION
E PHYSICAL SECURITY STANDARDS E-1
F COURIER SECURITY AGREEMENT F-1
G SELF-INSPECTION CHECKLIST G-1
H PRELIMINARY INQUIRY QUESTION SHEET H-1
FOR THE POSSIBLE LOSS OR COMPROMISE
OF CLASSIFIED MATERIAL
I RESPONSIBILITY WHEN THERE IS A I-1
POSSIBLE COMPROMISE OF CLASSIFIED
INFORMATION
|
DEPARTMENTAL MANUAL |
Number: 3440-001 |
|
|
SUBJECT: USDA Classified National Security Information Program Manual |
DATE: May 1, 2008 |
|
|
OPI: Office of Security Services |
||
|
|
|
|
CHAPTER 1
GENERAL INFORMATION
1. PURPOSE
This Manual establishes the policies and procedures that govern the U.S. Department of Agriculture (USDA) Information Security Program, including uniform requirements and guidance for classifying, safeguarding, declassifying, and destroying classified national security information, whether originated by or released to USDA.
2. SCOPE
This Manual applies to all USDA mission areas, agencies, and offices and their contractors who possess, handle, distribute, process, transmit, transport, and/or store classified information. Individuals serving in an advisory or consultant capacity who have been entrusted with USDA classified information are required to protect that information according to standards commensurate with those discussed in this Manual.
3. AUTHORITY
The authority for this guidance is derived from Executive Order 12958, as amended; Classified National Security Information (hereafter, E.O. 12958); the Information Security Oversight Office (ISOO) Directive 1, Classified National Security Information (NSI); and Department Regulation 3440-001, USDA Classified National Security Program.
4. CANCELLATION
This Manual supersedes DM 3440-001, Classification, Declassification, and Safeguarding Classified Information, dated August 10, 1983.
5. RESPONSIBILITIES
E.O. 12958 requires each Department that has been given original classification authority (OCA) to establish an information security program (ISP) that ensures the protection of national security classified information.
a. The Secretary of Agriculture, or delegated official, is responsible for originally classifying USDA information, the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security. The Secretary will:
(1) demonstrate a personal commitment and dedicate senior management to the successful implementation of the ISP;
(2) commit necessary resources to the effective implementation of the ISP established;
(3) ensure that Departmental record systems are designed and maintained to optimize the safeguarding of classified information and to facilitate its declassification under the terms of E.O. 12958 when it no longer meets the standards for continued classification;
(4) receive specific training on how to originally classify USDA information; and
(5) designate a Senior Agency Official (SAO) to direct and administer the ISP.
b. The Assistant Secretary for Administration (ASA) is designated by the Secretary as the SAO who oversees the ISP and serves as liaison between USDA and the National Archives and Records Administration (NARA), ISOO. This designation has been re-delegated to the Director of USDA’s Office of Security Services (OSS). The SAO shall maintain a minimum of a Top Secret security clearance and will:
(1) oversee USDA’s ISP;
(2) promulgate implementing regulations, which shall be published in the Federal Register to the extent that they affect members of the public; and
(3) report annually to ISOO as required by ISOO Directive 1.
c. USDA agencies, mission areas, and offices are responsible for identifying an Information Security Coordinator (ISC) and applying adequate resources to protect classified information.
d. The
(1) establish and maintain security education and training programs to include training each OCA;
(2) establish and maintain a self-inspection program, which shall include the periodic review and assessment of USDA’s classified products;
(3) establish procedures to prevent unnecessary access to classified information, including procedures that:
(a) require a justification for access to classified information before initiating security clearance procedures; and
(b) ensure that the number of persons granted access to classified information is limited to the minimum consistent with operational and security requirements and needs.
(4) develop special contingency plans for the safeguarding of classified information used in or near hostile or potentially hostile areas;
(5) through the ASA and the Director, Office of Human Capital Management, ensure that applicable employee performance standards include language requiring the proper protection of classified information for all employees who routinely handle such information. For example, standards may include the statement, “Maintains classified information in accordance with E.O. 12958, Classified National Security Information.” At a minimum, positions requiring this standard are:
(a) original classification authorities;
(b) security specialists or ISCs; and
(c) all other personnel whose duties significantly involve the creation or handling of classified information.
(6) account for the costs associated with the implementation of E.O. 12958, which shall be reported annually to the Director of ISOO for publication;
(7) handle referrals for any request, appeal, challenge, complaint, or suggestion that pertains to classified information that originated in a component of the Department that no longer exists, and for which there is no clear successor function;
(8) assist with the preparation of a security classification guide to facilitate the proper and uniform derivative classification and declassification of information (these guides shall conform to standards contained in directives issued under E.O. 12958);
(9) assist in establishing and conducting a program for systematic declassification reviews;
(10) ensure the safeguarding of foreign government information under standards that provide a degree of protection at least equivalent to that required by the providing government or international organization of governments that furnished the information;
(11) ensure that USDA does not disclose information originally classified by another agency without its authorization;
(12) establish classification and marking principles for USDA classified information.
e. The ISC is the liaison between the OSS PDSD and USDA mission areas, agencies, and offices on matters relating to this Manual. Each ISC should maintain a security clearance at the same level of classification as the material maintained by that agency or program or higher. Duties may include, but are not limited to:
(1) initiating a preliminary inquiry when there is suspicion of a possible compromise or loss of classified information;
(2) reporting security violations and infractions to the Chief, PDSD;
(3) assisting the PDSD Information Security Staff (ISS) in collecting information to meet requirements for annual reporting to ISOO;
(4) conducting inventories of security equipment and evaluating agency security needs;
(5) coordinating and/or conducting annual security refresher training;
(6) coordinating document reviews with the ISS for possible classification or declassification;
(7) reviewing, commenting on, and providing recommendations on draft policy documents; and
(8) ensuring that security container combination changes are completed as required.
f. The Office of the Chief Information Officer (OCIO) is responsible for:
(1) Certifying and accrediting USDA computer systems for processing collateral classified information;
(2) Coordinating with PDSD, requests for processing collateral classified information on USDA computers and establishing secure networks, and;
(3) Incorporating, where appropriate, applicable USDA information security policies and procedures into USDA policies and standards for Information Technology system protection. System protection functions include communications security, encryption, network security products, and system reliability.
g. USDA employees holding security clearances are responsible for the following:
(1) familiarizing themselves with and adhering to the provisions of this Manual;
(2) protecting classified information from individuals who do not have a need-to-know, maintaining the proper security clearance, and having access to the proper security container to store classified information;
(3) meeting the accountability requirements identified within this Manual;
(4) participating in security awareness and education training; and
(5) reporting any irregularities and security violations/infractions immediately upon discovery to their respective security officer, Information Security Coordinator (ISC), or PDSD.
6. WAIVERS
Waivers to the requirements of this Manual may be approved only by the Chief, Information Security Staff, within the guidelines of E.O. 12958. Waivers may be approved for up to 3 years. Requests for a waiver must be submitted in writing to the Chief, PDSD, and include the following:
a. location for the waiver;
b. requirement(s) for which the waiver is requested;
c. detailed justification for why the requirement(s) cannot be met;
d. proposed compensatory measures;
e. duration of the waiver;
f. impact of denying the waiver request; and
g. point of contact, including the person’s name, address, telephone number, and
e-mail address.
CHAPTER 2
CLASSIFICATION
Classification is a process to determine if information can
potentially cause damage to
In some situations, an aggregation of classified information may warrant a higher classification than its component parts. For example, two elements of information classified as Confidential may warrant a Secret classification when aggregated. Below are the types of classification and what must be determined when classifying information:
1. ORIGINAL CLASSIFICATION
Original
classification is the initial decision to designate a certain item of
information as classified, at a certain level, and for a certain length of
time. These decisions can be made only
by persons designated in writing by the President of the
a. Levels of Classification. There are three levels of classification.
(1) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe;
(2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe;
(3) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
b. Classification Categories. E.O. 12958 identifies information that qualifies for being potentially classified. The categories are as follows:
(1) military plans, weapons systems, or operations (1.4a);
(2) foreign government information (1.4b);
(3) intelligence activities (including special activities), intelligence sources or methods, or cryptology (1.4c);
(4)
foreign relations or foreign
activities of the
(5) scientific, technological, or economic matters relating to the national security, which includes defense against transnational terrorism (1.4e);
(6) United States Government programs for safeguarding nuclear materials or facilities (1.4f);
(7) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security, which includes defense against transnational terrorism (1.4g); and
(8) weapons of mass destruction (1.4h).
c. Duration of Classification. The OCA is required to determine, at the time of original classification, when the information can be downgraded or declassified. Classification of USDA information cannot extend beyond 25 years. At the time of classification, the information must be evaluated to determine if there is a specific date or event such that once it occurs, the damage the information could cause would be significantly reduced. An example may be a vulnerability assessment of a facility that reveals significant issues which, if discovered by an adversary, could allow access to highly dangerous substances. The report could be classified until the vulnerability is mitigated. At the time of mitigation, the information would be declassified.
If a date or event cannot be determined, then the information is evaluated for a period of classification of up to 10 years. If 10 years may not protect the information long enough, the OCA can assign a duration of classification of up to 25 years. Information can always be declassified sooner than originally determined. Conversely, if it is determined that a declassification date is upcoming and the information can still cause damage to national security, then the duration can be extended providing it does not exceed the 25- year limit. Requesting continued classification beyond the 25 years must be done by notifying the President through the Assistant to the President for National Security Affairs. This action is initiated through PDSD.
d. Interim Classification. When a USDA employee or government contractor who does not have OCA originates information believed to require classification, the information shall be protected as classified information and in a manner consistent with this Manual. The information should be marked “Secret—Currently Under Classification Review.” The markings should be located at the top and bottom of each page and on each paragraph containing the potentially classified information. The document or information is forwarded to PDSD for further evaluation by SMEs and classification experts, who will provide recommendations to USDA OCA.
e. Classification Prohibitions and Limitations. Basic scientific research information that is not clearly related to the national security shall not be classified. In no instance shall information be classified in order to:
(1) conceal violations of law, inefficiency, or administrative error;
(2) prevent embarrassment to a person, organization, or agency;
(3) restrain competition; or
(4) prevent or delay the release of information that does not require protection in the interest of the national security.
f. Classification Challenges. Authorized holders of USDA information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status. Under no circumstance will the individual challenging the classification be subject to retribution. USDA assures all individuals that this is an opportunity for a review by an impartial official or panel of SMEs. To the extent possible, this process will be accomplished within 30 calendar days of receipt of the challenge. To challenge a classification, authorized holders must:
(1) prepare written correspondence explaining all concerns relative to the challenge;
(2) identify the exact document or information in question;
(3) provide any backup information or material to support the challenge; and
(4) forward the package, in a manner required for classified information, to PDSD for evaluation.
2. DERIVATIVE CLASSIFICATION
Derivative classification consists of the incorporating, paraphrasing, restating, or generating of a new form of information that has already been determined to be classified and marking the new material consistent with the classification markings of the source information. This ensures that the new material is classified and handled at the level that the OCA has already determined. Anyone with the proper security clearance and authorized access to the information can derivatively classify information. Derivative classifiers are not required to be appointed or designated in writing. This is the most common means of classification.
3. CLASSIFIED FOREIGN GOVERNMENT INFORMATION (FGI)
The
following are the requirements of the
a. Top Secret. Records shall be maintained to include the receipt of the information, internal distribution, destruction, access, reproduction, and transmittal of foreign government Top Secret information. Reproduction requires the consent of the originating government. Destruction will be witnessed.
b. Secret. Records shall be maintained to include the receipt of the information, external dispatch, and destruction of foreign government Secret information. Other records may be necessary if required by the originator. Secret foreign government information may be reproduced to meet mission requirements unless prohibited by the originator. Reproduction shall be recorded unless this requirement is waived by the originator.
c. Confidential. Records need not be maintained for foreign government Confidential information unless required by the originator.
d. Restricted and Other FGI Provided in Confidence. In order to ensure the protection of FGI provided in confidence, such information must be classified under E.O. 12958. If USDA is the receiving agency, then USDA is responsible for providing a degree of protection to the FGI at least equivalent to that required by the government or international organization that provided the information. When adequate to achieve equivalency, these standards may be less restrictive than the safeguarding standards that ordinarily apply to U.S. Confidential information. If the foreign protection requirement is lower than the protection required for U.S. Confidential, the following requirements shall be met:
(1) Documents may retain their original foreign
markings if the responsible agency determines that these markings are adequate
to meet the purposes served by
(2) Documents shall be provided only to those individuals who have the required security clearance and an established need-to-know to perform their official duties.
(3) Individuals with access to FGI shall be notified of applicable handling instructions. This may be accomplished by a briefing, written instruction, or by applying specific handling requirements to an approved classified document cover sheet.
(4) Documents shall be stored in such a manner as to prevent unauthorized access.
(5) Documents shall be transmitted in a method approved for classified information unless this method is waived by the originating government.
(6) Declassifying FGI is consistent with
e. Third-country transfers. The release or disclosure of FGI to any third-country entity must have the prior consent of the originating government if required by a treaty, agreement, bilateral exchange, or other obligations.
The requirements in this section do not apply to North Atlantic Treaty Organization (NATO) information. NATO classified information is safeguarded in accordance with NATO Instruction 1-69. Appendix D, Equivalent Foreign Security Classification, is offered as a translation of foreign countries’ classification markings.
4. NON-USDA AGENCY CLASSIFIED INFORMATION
The Department is required to respect each non-USDA OCA’s decisions, including the level and duration of classification. Under no circumstance should a USDA employee or contractor remove the classification markings without the originating agency’s approval.
CHAPTER 3
DECLASSIFICATION AND REGRADING
The process of declassification must be performed by SMEs and classification specialists. When a decision is made to classify information, the decision of when to declassify the information must be made simultaneously. It is possible that a Freedom of Information Act request may include classified information, or that classified information is discovered published in a journal. Events such as these would require USDA to conduct an unscheduled review of the information to see if it can or should be declassified or regraded. This type of mandatory review, as well as other types of reviews, is explained in this section.
1. DECLASSIFICATION
Information should be declassified when it no longer meets the standards and criteria for classification. The authority to declassify information resides with the OCA and those individuals appointed as declassification authorities. Declassification is subject to the criteria specified in E.O. 12958 and/or successor orders and directives. USDA files and records, potentially eligible for declassification, must be reviewed to determine if continued classification is warranted and authorized. E.O. 12958 contains provisions for four declassification programs, as follows:
a. OCA action: The OCA can decide to declassify information at any time.
b. Automatic: When the document is marked to be declassified on a specific date and the date has arrived, the holder can then declassify the document.
c. Mandatory: When information has been compromised or requested by an uncleared person to be released, security experts, subject matter experts, the Office of the General Counsel (OGC), and PDSD must review the information to determine if it can be declassified. See Appendix C for the Mandatory Declassification Review Process.
d. Systematic: Prior to declassification, originally classified information under E.O. 12958, or its predecessor, shall be reviewed.
2. REGRADING
a. Downgrading. When information no longer requires protection at the current classification level, the information can be downgraded. For example, information classified as “Secret” may be downgraded to “Confidential” after an event occurs. The OCA should consider identifying downgrading instructions at the time of original classification. If downgrading instructions can be determined at the time classification is determined, they are noted in the declassification section of the OCA’s security classification decision. Downgrading information at a later date is permissible, but all holders of the information must be first notified to ensure uniform protection of the information.
b. Upgrading. Classified
information can be upgraded to a higher level of classification. However,
this is done in rare circumstances when an OCA has the determined the
information requires a higher level of protection. When this is done,
OCAs are required to notify holders of the information of the change so that
the information will be uniformly protected at the higher level. The
Secretary of Agriculture can upgrade from Confidential to Secret.
Upgrading to Top Secret can be accomplished by other OCAs who have a shared
interest with USDA and have Top Secret OCA, such as the Secretary, Department
of Homeland Security.
c. Reclassifying. Information that has not previously been disclosed to the public under proper authority may be classified or reclassified. Such information, for example, may be identified while evaluating material requested through the Freedom of Information Act or the Privacy Act of 1974 or in response to the mandatory review provisions of this Manual. Reclassification can occur only if the:
(1) information meets the classification requirements outlined in E.O. 12958;
(2) reclassification is completed on a document-by-document basis with the personal participation or under the direction of the Secretary or the Deputy Secretary, ASA or Deputy ASA should the Secretary further delegate his or her OCA;
(3) information may be reasonably recovered; and
(4) reclassification action is reported to ISOO through PDSD.
CHAPTER 4
MARKING
1. GENERAL
A uniform security classification system requires that standard markings be applied to classified information. The marking of classified information created by USDA employees and its contractors shall not deviate from the following prescribed formats, unless under extraordinary circumstances and with the approval of the PDSD. If markings cannot be affixed to specific classified information or materials, the originator shall provide written instructions for protecting the information to individuals and offices holding the information. Markings shall be uniformly and conspicuously applied to leave no doubt about the classified status of the information, the level of protection required, and the duration of classification.
2. ORIGINAL CLASSIFICATION MARKING
The following markings shall be applied on the face of each originally classified document, or media containing the information, for the OCA’s review and approval:
a. Classification Authority. The name or personal identifier and position title of the OCA shall appear on the “Classified By” line. An example might appear as:
Classified By: “Secretary’s Name”
Secretary of Agriculture
b. Agency and Office of Origin. If not otherwise evident, the agency and office of origin shall be identified. The name or personal identifier shall appear on the “Classified By” line. An example might appear as:
Classified By: “Secretary’s Name”
Secretary of Agriculture
c. Reason for Classification. The OCA shall approve the reason(s) for the decision to classify. The OCA shall include, at a minimum, a brief reference to the pertinent classification category(ies), or the number 1.4 plus the letter(s) that corresponds to that classification category shown in Chapter 2, paragraph 1(b). The SME shall provide the OCA the reason that the information should be classified when submitting it for classification approval. Once approved by the OCA, the originally classified document must reflect the reason for classification. An example might appear as:
Classified By: “Secretary’s Name”
Secretary of Agriculture
Reason: 1.4(g)
When the reason for classification is not apparent (e.g., classification by compilation), then the OCA must provide a more detailed explanation for the reason for classification.
d. Declassification Instructions. The duration of the original classification decision shall be placed on the “Declassify On” line. The SME should recommend to the OCA one of the following instructions for approval and application:
(1) A specific date or event for declassification that would require releasing the information to individuals who do not hold a security clearance or a date or event after which releasing the information would no longer cause damage to the national security. The date should be less than 10 years from the date of the original decision. When linking the duration of classification to a specific date or event, mark that date or event as follows:
Classified By: “Secretary’s Name”
Secretary of Agriculture
Reason: 1.4(g)
Declassify
On: October 14, 2007 (date)
or
Declassify
On: Upon completion of the 2007 Food
Seminar (event)
(2) When a specific date or event within 10
years cannot be established, then apply the date that is within 10 years from
the date of the original decision. For
example, on a document that contains information classified on
Classified By: “Secretary’s Name”
Secretary of Agriculture
Reason: 1.4(g)
Declassify
On: October 14, 2013 (10-year date)
(3) Upon determination that the information
must remain classified beyond 10 years, the SMEs must inform the OCA how long
they believe the information needs to be classified. The date cannot exceed 25 years from the date
of the original classification decision.
For example, on a document that contains information classified on