12 FAM 550

SECURITY INCIDENT PROGRAM

(CT:DS-333; 06-24-2020)

(Office of Origin: DS/SI/IS)

12 FAM 551 PURPOSE

(CT:DS-186; 02-08-2013)

The purpose of the Security Incident Program is to enhance the protection of classified information by identifying, evaluating, and assigning responsibility for breaches of security. The program implements Executive Order 13526, Classified National Security Information, December 29, 2009.

12 FAM 552 SECURITY INSPECTIONS

(CT:DS-186; 02-08-2013)

a. Cleared U.S. citizen security personnel designated by the Office of Information Security, Program Applications Division (DS/IS/APD), regional security officers (RSOs), Marine security guards (MSGs), and/or U.S. citizen contract guards are responsible for conducting security inspections to ensure that classified information is properly protected.

b. Cleared security personnel must conduct such security inspections routinely for all offices, buildings, or other facilities that come under the jurisdiction of the Department worldwide, except those exempted under interagency agreements.

c. During regular business hours, employees have authority to lock desks and credenzas to secure personal items. After regular business hours, employees must not lock desks, bookcases, and credenzas unless the inspecting security office has a master key that affords access to perform security inspections.

12 FAM 553 REPORTING OF SECURITY INCIDENTS

12 FAM 553.1 Reporting Improperly Secured Classified Information

(CT:DS-312; 12-17-2018)

a. Report all security incidents (see 12 FAM 090 definition) to DS/IS/APD. Employees must inform the security officer, who is responsible for oversight of that office, orally or in writing of any improper security practice that comes to the employee’s attention, and the security officer must take remedial action.

b. Upon discovery of improperly secured classified information or other security incidents, the responsible security officer must ensure comprehensive and accurate completion of unclassified Form OF-117, Notice of Security Incidents.

c. Abroad, the RSO or Post Security Officer at constituent posts, must investigate the incident and complete Form OF-118, item 1, and forward it to the person(s) allegedly responsible for the incident. The person(s) allegedly responsible for the incident must complete and sign Form OF-118, item 2, within three workdays. Item 2 of Form OF-118 allows the employee to provide any mitigating factors, such as lack of culpability, which he or she believes are pertinent to the adjudication process. If the person(s) allegedly responsible for the incident fail(s) or refuse(s) to sign the form within three workdays, the RSO must document this fact in the security officer comments on Form OF-118, item 3, and forward the form to DS/IS/APD. When the person(s) allegedly responsible for the incident sign(s) item 2 of the form, the RSO must give the form to the employee’s immediate supervisor for signature, complete item 3, and send the form to DS/IS/APD. In item 3, the RSO reports the results of his or her investigation in a brief summary, indicating his or her view that there was a valid security incident, and, if so, whether it was a security infraction (see 12 FAM 090 definition) or violation (see 12 FAM 090 definition). Forms OF-117 and OF-118 are available on myData.

d. Domestically, when issuing Form OF-117 to an offender, the uniformed protection officer (UPO) watch commander must submit a copy to DS/IS/APD. When DS/IS/APD receives the record copy of Form OF-117, DS/IS/APD must complete item 1 of Form OF-118, and forward it to the principal unit security officer (PUSO) or bureau security officer (BSO) who has oversight for the person(s) allegedly responsible for the incident. Only authorized investigative personnel assigned to DS/IS/APD have the authority to investigate a potential security violation. Unit security officers only have authority to process cases involving potential security infractions. The PUSO or BSO must provide the Form OF-118 to the person(s) allegedly responsible for the incident to complete and sign item 2 within three workdays. If the person(s) allegedly responsible for the incident fail(s) or refuse(s) to sign Form OF-118, the PUSO or BSO must indicate this omission in the security officer's comments section in item 3, and return the form to DS/IS/APD. When the person(s) allegedly responsible for the incident sign(s) item 2, the PUSO or BSO must give the form to the employee’s immediate supervisor for signature. The PUSO or BSO must then complete item 3 and submit the form to DS/IS/APD.

e. The RSO, PUSO, or BSO must give a copy of the completed Form OF-118 to the person(s) allegedly responsible for the incident.

f. Form OF-118 is unclassified and must include the information that the form's instructions, printed on the reverse side, require. Any classified supplemental information must be submitted under a separate classified memorandum sent to DS/IS/APD via email to DS_APD_SP on ClassNet with the Form OF-118.

g. If a security incident investigation includes the personal interview of an employee who is covered by a collective bargaining unit for which a union has exclusive representation rights, and the employee reasonably believes that the interview may result in disciplinary action, the investigating official must give the employee the opportunity to be represented by the exclusive representative, if the employee so requests. This right is extended irrespective of the employee's union membership and is known as the Weingarten Right. When the employee invokes the Weingarten Right, the investigating official must allow a reasonable time period for a union representative to attend the interview. At any time during the investigation, an employee may choose to invoke his or her Weingarten Right (see 12 FAM 091 for definition). The Department advises such employees of their Weingarten Right on an annual basis.

12 FAM 553.2 Examples of Security Incidents

(CT:DS-312; 12-17-2018)

a. This section contains examples of security incidents, in accordance with 12 FAM 500, that affect the protection of classified information. The examples are illustrative and indicate the wide range of possible security incidents in this area. (See 12 FAM 553.3 for information systems security incidents.)

b. Examples of security incidents include, but are not limited to:

(1) Failing to properly escort, i.e., maintaining continuous visual and/or physical control over uncleared personnel (e.g., uncleared visitors or janitorial/maintenance personnel) in an area where classified information is processed, discussed, viewed, or stored, or allowing improper access to Department controlled facilities (see 12 FAM 534.1);

(2) Taking classified material out of the building without proper double-wrap protection (see 14 FAM 733.3 and 14 FAH-4 H-320);

(3) Crossing international borders with classified material without courier authorization (see 12 FAM 536.9-1);

(4) Failing to secure containers with classified material (see 12 FAM 539.1 paragraph e);

(5) Storing classified materials in desk drawers or other improper containers (e.g., a non-barlock file cabinet) (see 12 FAM 539.1 paragraph h);

(6) Reading classified material in any public area (see 12 FAM 536.9-4 paragraph e);

(7) Transmitting classified material on unclassified facsimile machines (see 12 FAM 536.9-2 and 536.9-3);

(8) Losing control of classified material by leaving it in non-secure areas (e.g., hotel rooms, taxis, or restaurants) (see 12 FAM 533.1 and 534.1);

(9) Discussing classified information on unsecure telephones (see 12 FAM 536.8 paragraph c); and

(10) Failing to perform daily checks on supplemental entry verification systems (SEVs) (see 12 FAH-6 H-311.11 paragraph d, H-312.11 paragraph d, H-313.11 paragraph d, and H-314.11 paragraph d).

12 FAM 553.3 Information System Security Incidents

(CT:DS-253; 02-19-2016)

This subsection contains examples of security incidents, in accordance with 12 FAM 600, that affect the protection of classified information with respect to information systems. The examples are illustrative and indicate the wide range of possible security incidents in this area:

(1) Failure to remove and properly secure media, which users normally control, such as classified data storage media (e.g., flash drive, USB storage drive, hard drives, CD ROM, etc.; see 12 FAM 632.1-6 paragraph a);

(2) Failure to prevent uncleared persons from viewing a classified screen and/or printer output (see 12 FAM 633.2-2);

(3) Improper storage of passwords to classified automated information systems (see 12 FAM 632.1-4 paragraph k.);

(4) Unauthorized connectivity between classified and unclassified hardware (e.g., modems, central processing units, printers, and switch boxes) (see 12 FAH-10 H-272.16); and

(5) Introducing classified information or media into an unclassified system (see 12 FAM 635, for authorized exception).

12 FAM 553.4 Incidents Involving Administratively Controlled (Sensitive But Unclassified (SBU)) Material

(CT:DS-186; 02-08-2013)

The security procedures in this subchapter are for incidents related to classified information, and not applicable to incidents involving Sensitive But Unclassified (SBU) material. Do not issue Form OF-117 for incidents involving SBU materials.

12 FAM 554 SPECIAL CATEGORY SECURITY VIOLATIONS

(CT:DS-186; 02-08-2013)

a. The Department’s communications security (COMSEC) incident program, including its reporting procedures, is in 5 FAH-6 H-530. In 5 FAH-6 Exhibit H-533, there is a complete list of reportable incidents.

b. DS/IS/APD evaluates all COMSEC incident reports and renders an adjudication based on evidence of the degree of national security information compromised. DS/IS/APD provides a copy of the notification letter to the Cryptographic Services Branch (ITI/SI/CSB).

c. Although the COMSEC program's administrative aspects (e.g., timely accounting of inventories) are important, failure to perform such aspects will not be investigated as a security violation or infraction under the security incident program when there is no evidence of a direct effect on the system's security.

12 FAM 555 SECURITY INCIDENTS INVOLVING NONDEPARTMENT EMPLOYEES AND CONTRACTORS

(CT:DS-186; 02-08-2013)

a. Report security incidents involving employees of other Federal agencies or organizations and/or their contractors in the same manner as described in 12 FAM 553. The RSOs abroad report such security incidents on Forms OF-117 and OF-118, and send the forms to DS/IS/APD. DS/IS/APD coordinates any further investigation necessary to complete the report of findings. DS/IS/APD must forward this report to the parent agency of the employee allegedly responsible for the incident, and the parent agency handles the adjudication and disposition.

b. Report security incidents involving Department contractors in the same manner as described in 12 FAM 553, except DS/IS/APD forwards Forms OF-117 and OF-118 to the employer and sends a copy of each form to the DS Office of Information Security’s Industrial Security Division (DS/IS/IND).

12 FAM 556 EVALUATION OF SECURITY INCIDENTS

(CT:DS-186; 02-08-2013)

a. Adjudication has three possible outcomes: valid, unfounded, and valid but not culpable. DS/IS/APD performs the final adjudication of all security incident investigations, including administrative (i.e., non-criminal) investigations that the Office of Inspector General conducts and investigations conducted by other DS investigative entities involving the possible or actual failure to protect classified national security information. This requirement is not meant to include cases presented to the Department of Justice for criminal prosecution. After DS/IS/APD's affirmative adjudication that an employee committed a valid security violation, DS/IS/APD initiates any 12 FAM 557 administrative action required.

b. A basic premise for adjudication is to hold individuals responsible for their actions. However, in certain incidents, DS/IS/APD's adjudication may include having supervisors held responsible for failing to provide effective organizational security procedures. This might occur, for example, when abnormal conditions interrupt routine security procedures and supervisors do not implement remedial controls, or when the incident relates to controls that are not normally the sole responsibility of an individual.

c. When the security incident investigation does not warrant implicating a specific individual, DS/IS/APD may still adjudicate the incident as valid without holding a specific individual accountable, provided that:

(1) Mitigating circumstances generally prevent narrowing responsibility to an individual; and

(2) The DS/IS/APD chief approves this type of adjudication.

d. Upon completion of the adjudication, DS/IS/APD notifies the individual(s) implicated in the incident, in writing, of the adjudication results specific to them. DS/IS/APD also notifies the appropriate RSO, BSO, or PUSO, who provides a copy to the individual’s supervisor.

12 FAM 557 ADMINISTRATIVE ACTIONS

12 FAM 557.1 Record Keeping and Administrative Action Framework

(CT:DS-333; 06-24-2020)

a. DS/IS/APD permanently maintains files on all personnel who have incurred security incidents. Upon an employee's termination, DS/IS/APD will retire the records. Information from these files is available to the Director General of the Foreign Service or the Bureau of Global Talent Management (GTM), as needed, for future nominations or other personnel decisions, and included in full field investigation reports on candidates for Presidential appointment.

b. Disciplinary and security clearance actions for security incidents are made on a case-by-case basis. However, repeat offenses affect these actions, becoming more serious following additional incidents.

c. An employee’s adverse security incident history may result in the curtailment of a current assignment or denial of a future assignment.

d. Foreign Service Selection Boards receive a copy of the current security incident history report for each employee competing for promotion to grade FS-01 and above, senior performance pay, and/or Presidential awards. The report is limited to incidents adjudicated as valid that occurred within the previous 5-year period. DS/SI provides the entire history to the Office of the Director General for Presidential nominations. Data provided for each incident is limited to:

(1) A tracking number;

(2) Office or post where the incident took place;

(3) Name of the employee involved in the incident;

(4) Whether the incident was an infraction or a violation;

(5) Date and time of the incident;

(6) Date Diplomatic Security (DS) completed the Form OF-118, Report of Incident;

(7) Status of the incident;

(8) Level of classified material involved; and

(9) A short description of the incident, e.g., unsecured documents or unsecured hard drive.

e. Department and tenant agency employees and contractors may request a copy of their entire security incident history, at any time, via the DS Security History email box at (DSH@state.gov).

12 FAM 557.2 Disciplinary Actions and Security Clearance Review Referral for Security Infractions

(CT:DS-333; 06-24-2020)

After DS/IS/APD affirms adjudication of security infractions within a moving 3-year (36-month) window (see 12 FAM 090 definitions), DS takes the following actions, at a minimum:

(1) First infraction—The DS/IS/APD chief sends a letter of notification to the employee, requiring a signed reply acknowledging that the employee understands the policies and consequences of future security incidents. The RSO or PSO abroad, or BSO or USO domestically, must provide the employee with a security briefing;

(2) Second infraction—The Office of Information Security (DS/SI/IS) director sends a letter to the employee that describes the actions DS and GTM take in the event of future security incidents. This requires a signed reply from the employee, indicating that he or she understands the policies and consequences of future security incidents. The RSO or PSO abroad, or BSO or USO domestically, must provide the employee with an additional security briefing;

(3) Third infraction within the 36-month window—DS/IS/APD refers the matter to the Office of Employee Relations (GTM/ER) for appropriate disciplinary action. DS/IS/APD also refers the matter to the director of the DS Office of Personnel Security and Suitability (DS/SI/PSS) for action relating to the employee’s security clearance; and

(4) Subsequent infractions within the 36-month window—DS/IS/APD refers the matter to GTM/ER for disciplinary action. DS/IS/APD also refers the matter to the DS/SI/PSS director for action relating to the employee’s security clearance.

12 FAM 557.3 Disciplinary Actions and Security Clearance Review Referral for Security Violations

(CT:DS-333; 06-24-2020)

After DS/IS/APD affirms adjudication of an employee's security violation, DS/IS/APD refers the incident, along with a summary of mitigating or aggravating factors and other security incidents within the moving 3-year window, to DS/SI/PSS and GTM/ER. DS/SI/PSS and/or GTM/ER takes or initiates one or more of these actions against the violator:

(1) DS/SI/PSS issues a letter of notification, reviews the security clearance of the violator, suspends or revokes the violator’s security clearance; and/or

(2) GTM/ER issues a letter of admonishment or a letter of reprimand, suspends the violator without pay, or terminates the violator’s employment.

12 FAM 557.4 Appeals

(CT:DS-186; 02-08-2013)

a. Without prejudice to any other procedures, an employee who wants to appeal the validity or categorization of a security incident must submit the appeal in writing to DS/IS/APD. This appeal request may occur after receiving the written notice that DS/IS/APD has adjudicated the incident.

NOTE: An employee statement on Form OF-118 does not initiate an appeal procedure.

b. DS/IS/APD forwards the appeal request along with any other pertinent data to DS/SI/IS, for a final appeal decision.

12 FAM 558 CRIMINAL LAWS

(CT:DS-312; 12-17-2018)

Incidents involving intentional or grossly negligent release or mishandling of classified information may result in criminal penalties. An illustrative list of criminal statutes establishing penalties of fine and imprisonment for the release of classified information is in 12 FAM Exhibit 558.

12 FAM 559 UNASSIGNED





12 FAM EXHIBIT 558

CRIMINAL LAWS

(CT:DS-312; 12-17-2018)

Statutes establish penalties of fine and imprisonment for the unauthorized disclosure, dissemination, communication, furnishing, transmission, or other unlawful release of certain classified information, and for making false or fraudulent statements to an agency of the government. The Department recommends that employees read the following provisions of such laws:

(1) 18 U.S.C. 641. Public money, property or records

(2) 18 U.S.C. 793. Gathering, transmitting or losing defense information

(3) 18 U.S.C. 794. Gathering or delivering defense information to aid foreign government

(4) 18 U.S.C. 798. Disclosure of Classified Information

(5) 18 U.S.C. 952. Diplomatic codes and correspondence

(6) 50 U.S.C. Chapter 15 Subchapter IV-Protection of Certain National Security Information

(7) 50 U.S.C. 783. Offenses