
DERIVATIVE CLASSIFICATION TRAINING/IMPLEMENTATION AND OVERVIEW OF EXECUTIVE ORDERS IMPACTING THE NISP

Greg Pannoni, Associate Director, Operations and Industrial Security
Information Security Oversight Office
National Archives and Records Administration

Overview

• ISOO Goals and Functions
• National Industrial Security Program (NISP) (E.O. 12829)
• NISP Policy Advisory Committee and its Working Groups
• Classified National Security Information (E.O. 13526)
  − Derivative Classification Training and Implementation
• Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (E.O. 13587)
• Classified National Security Information Program for State, Local, Tribal, Private Sector Entities (SLTPS) (E.O. 13549)
• Controlled Unclassified Information (CUI) (E.O. 13556)

What are ISOO’s Goals?

• Ensure Safeguarding of Classified National Security Information in a Cost-Effective & Efficient Manner

• Eliminate Redundant, Overlapping, or Unnecessary Requirements that Impede National Security Interests

• Ensure Government / Industry Partnership in the Protection of Classified Information

• Hold Classification Activity to the Minimum Necessary to Protect National Security

• Promote Declassification & Public Access to Information as Soon as National Security Considerations Permit

How does ISOO Function?

• Develops, coordinates and issues implementing directives and instructions regarding Executive Orders 13526, 12829, and 13556 that are binding on executive branch agencies.
• Provides oversight and maintains continuous liaison with agencies on all matters relating to the Government-wide security classification program and the NISP.
• Annually reports relevant data regarding each agency's security classification programs, to include costs, to the President.
• Recommends policy changes to the President through the National Security Advisor.

NISP POLICY RELATIONSHIPS

• E.O. 12829, NATIONAL INDUSTRIAL SECURITY PROGRAM
• E.O. 13587, STRUCTURAL REFORMS TO IMPROVE THE SECURITY OF CLASSIFIED NETWORKS AND THE RESPONSIBLE SHARING OF CLASSIFIED INFORMATION
• E.O. 13526, CLASSIFIED NATIONAL SECURITY INFORMATION
• E.O. 13549, Classified National Security Information Program for State, Local, Tribal, & Private Sector Entities

NISP Policy Advisory Committee (NISPPAC)

• Membership
  Director ISOO – Chairman
  Representatives of Government agencies (15 members)
  Nongovernmental (Industry) representatives (8 members)

• Functions – Advise the Chairman:
  On all matters concerning the policies of the NISP
  Serves as a forum to discuss policy issues in dispute

• Authority
  Executive Order No. 12829, National Industrial Security Program
  Subject to the Federal Advisory Committee Act (FACA), the Freedom of Information Act (FOIA), and the Government in the Sunshine Act

NISPPAC Government Representatives

Member – Agency
John P. Fitzpatrick, Chair – Information Security Oversight Office
Mary Rose McCaffrey – Central Intelligence Agency
Drew Winneberger – Defense Security Service
Deborah Scholz – Department of the Air Force
Patricia Stokes – Department of the Army
Eric Dorsey – Department of Commerce
Timothy Davis – Department of Defense
Richard Donovan – Department of Energy
Christal Fulton – Department of Homeland Security
Anna Harrison – Department of Justice
Stephen Long – Department of the Navy
Kimberly Baugher – Department of State
Peter Ambrose – National Aeronautics and Space Administration
Dennis Hanratty – National Security Agency
Darlene Fenton – Nuclear Regulatory Commission
Richard Hohman – Office of the Director of National Intelligence

NISPPAC Industry Members

Member – Company
Scott Conway* – Northrop Grumman
Marshall Sanders* – Cloud Security Strategies
Frederick Riccardi – ManTech
Shawn Daley – MIT Lincoln Laboratory
Rosalind Baybutt – Pamir Consulting LLC
Mike Witt – Ball Aerospace
Rick Graham – Huntington-Ingalls
Steve Kipp – L3 Corporation

* Term Ends 1 October 2012

NISPPAC Working Groups

NISPPAC working groups are established to review issues and prepare recommendations for formal NISPPAC decisions.

• Permanent
  • Certification and Accreditation Working Group
  • Personnel Security Clearance Working Group

• Ad-Hoc
  • NISPOM Rewrite Working Group
  • Threat Information Working Group
  • Small and Middle-Sized Company Issues Working Group
  • Special Access Program Working Group
  • Foreign Ownership, Control and Influence (FOCI) Working Group

Guidance found in:

● Executive Order 13526, “Classified National Security Information”, December 29, 2009
● 32 C.F.R. Part 2001, “Classified National Security Information”, June 25, 2010
● “Marking Classified National Security Information”, January 2012

Derivative Classification

Derivative Classification is:

The incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information.

Includes the classification of information based on classification guidance.

It is not the duplication or reproduction of existing classified information.

Derivative Classification

Persons who apply derivative classification markings shall receive training in the proper application of the derivative classification principles of the Order, with an emphasis on avoiding over-classification, at least once every 2 years.

Derivative classifiers who do not receive such training at least once every two years shall have their authority to apply derivative classification markings suspended until they have received such training.

A waiver may be granted by the agency head, the deputy agency head, or the senior agency official if an individual is unable to receive such training due to unavoidable circumstances.

Whenever a waiver is granted, the individual shall receive such training as soon as practicable.

Training

Minimum Derivative Classification Training Coverage

• Observe and respect original classification decisions
• Classification levels
• Duration of classification
• Identification and Markings (carry forward to newly created documents the pertinent classification markings)
• Classification prohibitions and limitations
• Sanctions
• Classification challenges
• Security Classification Guides
• Information Sharing

**EMPHASIS ON AVOIDING OVER-CLASSIFICATION**

Classification Standards

Information may be originally classified if:

• An Original Classification Authority (OCA) is classifying the information;
• The information is owned by, produced by or for, or is under the control of the United States Government;
• The information falls within one or more of the classification categories; and
• The OCA determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to national security, to include defense against transnational terrorism, and the OCA is able to identify or describe the damage.

Classification Levels

• Top Secret - information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to the national security.
• Secret - information whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security.
• Confidential - information whose unauthorized disclosure could reasonably be expected to cause damage to the national security.

Prohibitions and Limitations

• In no case shall information be classified, continue to be maintained as classified, or fail to be declassified in order to:
  • Conceal violations of law, inefficiency, or administrative error;
  • Prevent embarrassment to a person, organization, or agency;
  • Restrain competition; or
  • Prevent or delay the release of information that does not require protection in the interest of national security.
• Basic scientific research information not clearly related to the national security shall not be classified.

Sanctions

• U.S. Government employees, and its contractors, shall be subject to appropriate sanctions if they knowingly, willfully, or negligently:
  - disclose to unauthorized persons information properly classified under the Order;
  - classify or continue the classification of information in violation of the Order or any implementing directive;
  - create or continue a special access program contrary to the requirements of the Order; or
  - contravene any other provision of the Order or its implementing directive.

Classification Challenges

• Authorized holders of information, including authorized holders outside the classifying agency, are encouraged and expected to challenge the classification of information they believe is improperly classified.
• Agencies must ensure individuals are not subject to retribution.
• Informal versus Formal Challenges
  - Review by an impartial official or panel
  - System for processing, tracking and recording formal challenges
  - Written response within 60 days. (Affirmative response must identify or describe damage). 90 day non-response/120 day response
  - Right to appeal agency decisions to the Interagency Security Classification Appeals Panel (120 days)

Use of a Classified Addendum

Derivative classifiers shall, whenever practicable, use a classified addendum whenever classified information constitutes a small portion of an otherwise unclassified document or prepare a product to allow for dissemination at the lowest level of classification possible or in unclassified form.

Security Classification Guides

(a) Agencies with original classification authority shall prepare classification guides to facilitate the proper and uniform derivative classification of information. These guides shall conform to standards contained in directives issued under E.O. 13526.

(b) Each guide shall be approved personally and in writing by an official who:

(1) Has program or supervisory responsibility over the information or is the senior agency official; and

(2) Is authorized to classify information originally at the highest level of classification prescribed in the guide.

(c) Agencies shall establish procedures to ensure that classification guides are reviewed and updated as provided in directives issued under E.O. 13526.

Security Classification Guides (cont’d)

(f) Makes clear that classification guides are not to be used to classify information for more than 25 years except for confidential human source, human intelligence source, or weapons of mass destruction information. The duration of classification of a document classified by a derivative classifier using a classification guide shall not exceed 25 years from the date of the document, except for: (1) Information that should clearly and demonstrably be expected to reveal the identity of a confidential human source or a human intelligence source or key design concepts of weapons of mass destruction; and (2) Specific information incorporated into classification guides in accordance with section 2.2(e) of E.O. 13526.

Classification by Compilation

A determination that information is classified through the compilation of unclassified information is a derivative classification action based upon existing original classification guidance. If the compilation of unclassified information reveals a new aspect of information that meets the standards for classification, it shall be referred to an original classification authority with jurisdiction over the information to make an original classification decision.

Derivative Classification Markings

Overall classification marking: indicates the highest level of classification of any one portion of the document. In the example below it is the SECRET banner at the top and bottom of the document.

SECRET

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information from Paragraph 2 in the source document and is therefore marked (S).

2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.

SECRET

Derivative Classification Markings

Classification authority block:

SECRET

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information from Paragraph 2 in the source document and is therefore marked (S).

2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.

Classified By: Stan Smith, Program Analyst
Derived From: Miscellaneous SCG, Dated January 5, 2009
Declassify On: 20300715

SECRET

Elements of the block:
Classified By: identity of the derivative classifier by name and position or by personal identifier.
Derived From: source information.
Declassify On: declassification instructions.

Derivative Classification Markings

● Source information (Derived From): Concisely identify the source document or the classification guide on the “Derived From” line, including the agency, and where available, the office of origin, and the date of the source or guide.

● When using multiple source documents, the “Derived From” line shall appear as:

Derived From: Multiple Sources

● The derivative classifier shall include a listing of the source materials on, or attached to, each derivatively classified document. Example:

(U) Sources:
1. (U) Dept of Good Works Memorandum dated June 27, 2010, Subj: Examples
2. (U) Dept of Good Works Memorandum dated May 20, 2009, Subj: Examples
3. (U) Radar SCG dated February 2, 2006

Derivative Classification Markings

Declassification Instructions:

In most cases, the declassification date will be carried over from the source document.

Source document:
Classified By: John E. Doe, Chief Division 5
Reason: 1.4(a)
Declassify On: 20150627

Derivative document:
Classified By: Joe Carver, Director
Derived From: Department of Good Works Memorandum dated June 27, 2010, Subj: (U) Examples
Declassify On: 20150627

When there are multiple sources, the declassification instruction will be the most restrictive date:

Source Document 1 - Declassify On: 20350215
Source Document 2 - Declassify On: 20320510
Source Document 3 - Declassify On: 20291231
Derivative Document - Declassify On: 20350215

Derivative Classification Markings

Portion marking:

Portion markings will be carried over from the source document to the derivatively classified document. All other portions will be appropriately marked.

Source document:

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information that is classified SECRET and is therefore marked (S).

2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.

Derivative document:

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).

2. (U) Paragraph 2 contains “Unclassified” information. Therefore, this portion will be marked with the designation “U” in parentheses preceding the portion.

Derivative Classification Markings

Declassification Instructions – Use of Exemptions from Automatic Declassification (25X1-25X9):

The 25X exemptions may only be used on the “Declassify On” line if an agency has identified permanently valuable information that needs to be exempted from automatic declassification at 25 years and has received approval from the Interagency Security Classification Appeals Panel (ISCAP) to exempt the information and to incorporate the exemption into a classification guide. (See 32 C.F.R. Part 2001.26.)

When using an approved exemption, a date or event that has been approved by the ISCAP must be included with the marking and shall not exceed 50 years from the date of the document.

Classified By: John E. Doe, Chief Division 5
Derived From: SCG title and date
Declassify On: 25X3, 20540215

Derivative Classification Markings

Specific information, the release of which should clearly and demonstrably be expected to:

25X1 - reveal the identity of a confidential human source, a human intelligence source, a relationship with an intelligence or security service of a foreign government or international organization, or a non-human intelligence source; or impair the effectiveness of an intelligence method currently in use, available for use, or under development

25X2 - reveal information that would assist in the development, production, or use of weapons of mass destruction

25X3 - reveal information that would impair U.S. cryptologic systems or activities

25X4 - reveal information that would impair the application of state-of-the-art technology within a U.S. weapon system

25X5 - reveal formally named or numbered U.S. military war plans that remain in effect, or reveal operational or tactical elements of prior plans that are contained in such active plans

25X6 - reveal information, including foreign government information, that would cause serious harm to relations between the United States and a foreign government, or to ongoing diplomatic activities of the United States

25X7 - reveal information that would impair the current ability of United States Government officials to protect the President, Vice President, and other protectees for whom protection services, in the interest of the national security, are authorized

25X8 - reveal information that would seriously impair current national security emergency preparedness plans or reveal current vulnerabilities of systems, installations, or infrastructures relating to the national security

25X9 - violate a statute, treaty, or international agreement that does not permit the automatic or unilateral declassification of information at 25 years.

Derivative Classification Markings

Section 3.3(h), E.O. 13526

Records that contain information, the release of which should clearly and demonstrably be expected to reveal the following are exempt from automatic declassification at 50 years:

50X1-HUM – the identity of a confidential human source or a human intelligence source

50X2-WMD – key design concepts of weapons of mass destruction

50X__ - in extraordinary cases, additional specific information formally approved by the ISCAP

(50X1-50X9 – match the same categories as the 25X1-25X9 categories)

Section 3.3(h)(3), E.O. 13526

75X___ - specific information may be exempted from automatic declassification at 75 years if formally approved by the ISCAP.

Exemptions from automatic declassification (timeline figure; labels recovered from the slide):

25 years – 25X___ territory: information that meets the standards of E.O. 13526 section 3.3(b), marked 25X___ with a date or event (E.O. 13526 section 3.3(b)).

50 years – 50X___ territory: marked 50X___ with a date or event (E.O. 13526 section 3.3(h)(2)); 50X1-HUM, identity of a confidential human source or human intelligence source (no date or event required; E.O. 13526 section 3.3(h)(1)(A)); 50X2-WMD, key design concepts of weapons of mass destruction (no date or event required; E.O. 13526 section 3.3(h)(1)(B)).

75 years – 75X___ territory.

Other labels on the figure: “from automatic declassification”; “All other information”.

Derivative Classification Markings

Declassification Instructions:

The following declassification instructions are no longer valid and, if annotated on the source document, will not be carried over to the derivative document.

• X1, X2, X3, X4, X5, X6, X7, X8
• OADR
• MR (never a valid declassification instruction)
• Subject to Treaty or International Agreement

The derivative classifier shall calculate a date that is 25 years from the date of the source document when determining the declassification instruction for the derivative document.

Derivative Classification Markings

Declassification Instructions:

Source document:

SECRET

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1.
2. (U) Paragraph 2.

Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: OADR

SECRET

Derivative document:

SECRET

Department of Good Works
Washington, D.C. 20006
January 21, 2011

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).
2. (U) Paragraph 2 is unclassified.

Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: July 15, 2035

SECRET

Do not carry over “OADR”. Calculate a date that is 25 years from the date of the source document. The same rules apply when the source document contains any invalid markings (X1-X8; OADR; MR; Subject to treaty or international agreement).

Derivative Classification Markings

Declassification Instructions:

DNI Only or DCI Only are also no longer valid and, if annotated on the source document, will not be carried over to the derivative document.

If the document contains imagery, as described in E.O. 12951, the derivative classifier will mark the derivative document in the following manner:

Declassify on: 25X1, E.O. 12951

If the document does not contain imagery, as described in E.O. 12951, the derivative classifier will calculate a declassification date that is 25 years from the date of the source document.

Derivative Classification Markings (Cont’d)

Declassification Instructions:

Source document:

SECRET

Department of Good Works
Washington, D.C. 20006
July 15, 2010

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1.
2. (U) Paragraph 2.

Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: DNI Only

SECRET

Derivative document:

SECRET

Department of Good Works
Washington, D.C. 20006
January 21, 2011

MEMORANDUM FOR AGENCY OFFICIALS
From: Joe Carver, Director
Subject: (U) Examples

1. (S) Paragraph 1 contains information from Paragraph 1 in the source document and is therefore marked (S).
2. (U) Paragraph 2 is unclassified.

Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: 20350715

SECRET

Do not carry over “DNI Only”. If the source document contains “DNI Only” or “DCI Only” as a declassification instruction, and there is no imagery in the document, a declassification date will be calculated 25 years from the date of the source document.

Derivative Classification Markings

Declassification Instructions:

Source document:

SECRET

Department of Good Works
Washington, D.C. 20006

Xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Classified By: OCA name and position
Reason: 1.4(a)
Declassify On: DCI Only

SECRET

Derivative document:

SECRET

Department of Good Works
Washington, D.C. 20006

Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxx.Xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxx.

Classified By: Derivative classifier’s name
Derived From: Dept of Good Works Memo, dtd July 15, 2010
Declassify On: 25X1, E.O. 12951

SECRET

Do not carry over “DCI Only”. If the source document contains “DNI Only” or “DCI Only” as a declassification instruction, and contains imagery, the new declassification instruction will read: “Declassify on: 25X1, E.O. 12951”.

The declassification instruction on the derivatively classified document will read: Declassify on: 25X1, E.O. 12951
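The marking rules above (carry a valid date over; replace X1-X8, OADR, MR, DNI/DCI Only and "Subject to Treaty" with a date 25 years from the source date; DNI/DCI Only on a source with imagery becomes "25X1, E.O. 12951"; take the most restrictive date across multiple sources; an approved 25X exemption date may not exceed 50 years; the banner is the highest portion marking) are mechanical enough to check in code. The following is an added Python example, not ISOO's code or tooling: the class and function names are the author's own, the sample document titles, names and dates are constructed, and two choices are assumptions rather than slide content: an exemption marking such as "25X3, 20540215" is compared by its date, and when several sources are combined an instruction that carries no date is sent back for human review instead of being guessed.

```python
# Added example (not from the ISOO slides): deriving the classification
# authority block of a derivatively classified document from its sources.
import re
from dataclasses import dataclass
from datetime import date

# Instructions the slides list as no longer valid on a "Declassify On" line.
INVALID_INSTRUCTIONS = {f"X{i}" for i in range(1, 9)} | {
    "OADR", "MR", "SUBJECT TO TREATY OR INTERNATIONAL AGREEMENT",
    "DNI ONLY", "DCI ONLY",
}
LEVEL_ORDER = {"U": 0, "C": 1, "S": 2, "TS": 3}   # ascending classification levels
LEVEL_NAMES = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}


@dataclass
class SourceDocument:
    citation: str                    # text for the "Derived From" line / source listing
    dated: date                      # date of the source document
    declassify_on: str               # instruction as written on the source
    contains_imagery: bool = False   # imagery as described in E.O. 12951


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def resolve_declassify_on(src: SourceDocument) -> str:
    """Instruction a derivative document takes from one source document.

    A valid instruction is carried over unchanged.  An invalid one is replaced
    by a date 25 years from the date of the source, except DNI/DCI Only on a
    document containing imagery, which becomes "25X1, E.O. 12951".
    """
    instr = " ".join(src.declassify_on.split())
    if instr.upper() in INVALID_INSTRUCTIONS:
        if instr.upper() in {"DNI ONLY", "DCI ONLY"} and src.contains_imagery:
            return "25X1, E.O. 12951"
        return add_years(src.dated, 25).strftime("%Y%m%d")
    return instr


def _date_of(instr: str):
    """YYYYMMDD carried by an instruction ("20350215", "25X3, 20540215"), else None."""
    m = re.search(r"\b(\d{8})\b", instr)
    return date(int(m[1][:4]), int(m[1][4:6]), int(m[1][6:])) if m else None


def derivative_declassify_on(sources) -> str:
    """Most restrictive (latest) date across all sources.

    Assumption (not from the slides): with several sources every resolved
    instruction must carry a date; one without (e.g. "25X1, E.O. 12951")
    cannot be ranked automatically and is flagged for review instead.
    """
    resolved = [resolve_declassify_on(s) for s in sources]
    if len(resolved) == 1:
        return resolved[0]
    dated = [(d, r) for r in resolved if (d := _date_of(r))]
    if len(dated) != len(resolved):
        raise ValueError("instruction without a date among multiple sources; review required")
    return max(dated)[1]


def derived_from_lines(sources):
    """'Derived From' line plus, for multiple sources, the required source listing."""
    if len(sources) == 1:
        return [f"Derived From: {sources[0].citation}"]
    listing = ["(U) Sources:"] + [f"{i}. (U) {s.citation}" for i, s in enumerate(sources, 1)]
    return ["Derived From: Multiple Sources"] + listing


def overall_marking(portions) -> str:
    """Banner marking: the highest level among portion markings such as '(S) text'."""
    levels = []
    for p in portions:
        m = re.match(r"\((U|C|S|TS)\)", p.strip())
        if not m:
            raise ValueError(f"portion without a portion marking: {p[:30]!r}")
        levels.append(m[1])
    return LEVEL_NAMES[max(levels, key=LEVEL_ORDER.__getitem__)]


def exemption_date_ok(doc_date: date, instr: str) -> bool:
    """An approved 25X exemption's date must not exceed 50 years from the document date."""
    d = _date_of(instr)
    return d is not None and d <= add_years(doc_date, 50)


if __name__ == "__main__":
    # Constructed sample mirroring the three-source case on the slides.
    srcs = [
        SourceDocument("Dept of Good Works Memorandum dated June 27, 2010, Subj: Examples",
                       date(2010, 6, 27), "20350215"),
        SourceDocument("Dept of Good Works Memorandum dated May 20, 2009, Subj: Examples",
                       date(2009, 5, 20), "20320510"),
        SourceDocument("Radar SCG dated February 2, 2006", date(2006, 2, 2), "20291231"),
    ]
    print(overall_marking(["(S) Paragraph 1.", "(U) Paragraph 2."]))
    print(*derived_from_lines(srcs), sep="\n")
    print("Declassify On:", derivative_declassify_on(srcs))
```

Running the module prints the SECRET banner, the "Multiple Sources" line with its source listing, and the 20350215 instruction that the slides show for the three-source case; feeding it a source marked OADR, X1-X8 or DNI Only yields the 25-years-from-source date instead of the stale marking.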

Reminders

• Only individuals specifically authorized in writing may classify documents originally.
• Only individuals with the appropriate security clearance, who are required by their work to restate classified source information, may derivatively classify information.
• The terms “Top Secret,” “Secret,” and “Confidential” are not to be used to mark executive branch information that has not been properly designated as classified national security information under E.O. 13526.
• Information shall not be classified for any reason unrelated to the protection of the national security.
• Classifiers and authorized holders are responsible for ensuring that information is appropriately classified and properly marked.

Reminders (continued)

• Individuals who believe that information in their possession is inappropriately classified, or inappropriately unclassified, are expected to bring their concerns to the attention of responsible officials.
• The following markings are not authorized in the “Declassify On” line:
  • “Originating Agency’s Determination Required” or “OADR” for documents created after 10/14/95;
  • “X1”, “X2”, “X3”, “X4”, “X5”, “X6”, “X7”, or “X8” for documents created after 9/22/2003;
  • “Manual Review” or “MR”;
  • “DNI Only” or “DCI Only”;
  • “Subject to treaty or international agreement”; and
  • “25X1-human”.

E.O. 13587

Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information

• Reinforce the importance of responsible information sharing
• Ensure that policies, processes, technical security solutions, oversight, and organizational cultures match information sharing & safeguarding requirements
• Emphasize consistent guidance and implementation across the entire Federal government
• Recognize the importance of shared risk and shared responsibility

E.O. 13587 Governance Structure

• A Senior Information Sharing and Safeguarding Steering Committee to coordinate interagency efforts and ensure that Departments and Agencies are held accountable for implementation of information sharing and safeguarding policy and standards.
• A Classified Information Sharing and Safeguarding Office to provide sustained, full-time focus on sharing and safeguarding of classified national security information.
• Senior representatives of the Department of Defense and the National Security Agency jointly act as the Executive Agent for Safeguarding Classified Information on Computer Networks to develop technical safeguarding policies and standards and conduct assessments of compliance.
• An Insider Threat Task Force to develop a government-wide program for insider threat detection and prevention to improve protection and reduce potential vulnerabilities of classified information from exploitation, compromise or other unauthorized disclosure.

Areas of Focus & Ongoing Improvement

• Enhancing control of removable media
• Identity Management, including reducing user anonymity and increasing user attribution
• Building a more robust insider threat program
• Enhancing access controls
• Improving enterprise audit capabilities

Removable Media

Initial Operating Capability (IOC) Definition:

● IOC is reached when write privileges are disabled and/or controlled using a hardware or software solution.

Final Operating Capability (FOC) Definition:

● FOC includes IOC, and is achieved when a monitoring and alerting function is implemented for all successful / unsuccessful “write” attempts to removable media devices.

Reducing Anonymity

Initial Operating Capability (IOC) Definition:

● IOC is reached when the PKI is established such that:
  ● Certificates are issued (or a comparable solution) for identification for a minimum of 10 percent of users on classified networks (Secret and Top Secret) and
  ● PKI tokens are used for authentication to high-sensitivity applications (software tokens are sufficient pursuant to Intelligence Community policy and with coordination with the Steering Committee).

Final Operating Capability (FOC) Definition:

● FOC includes IOC, and is achieved when:
  ● 90 percent of users have PKI certificates for identification (or a comparable solution) on classified networks (Secret and Top Secret); and
  ● Hardware tokens are used for authentication to enable access to high and medium-sensitivity applications (software tokens are sufficient pursuant to Intelligence Community policy and with coordination with the Steering Committee).

Insider Threat Program

Initial Operating Capability (IOC) Definition:

● IOC is reached when an agency has policies, procedures, and an organizational structure that identifies an accountable official(s) for the insider threat program, provides regular insider threat awareness training to agency personnel, and includes an integrated approach to gathering (electronically and/or manually) relevant sources of insider threat information for analysis and response.

Final Operating Capability (FOC) Definition:

● FOC includes IOC, and is achieved when an agency has implemented the capabilities for:
  ● Monitoring user network activities on all agency networks;
  ● Inclusion of counterintelligence triggers for user-monitoring tailored to the agency environment;
  ● Establishing an integrated capability to monitor, audit, gather, and analyze information relevant to insider threat analysis from across the agency; and
  ● Integrated insider threat analysis of current data on user actions collected from automated and/or manual information sources, such as audit data, foreign travel and contact reporting, financial disclosure, facility access, phone records, and external databases.

Access Control

48

Initial Operating Capability (IOC) Definition:

IOC is reached when an interoperable infrastructure for integrated access-control

capability (hard-token PKI plus “attribute-based” authorization) is operational (Secret and

Top Secret) in accordance with the Federal Identity, Credential, and Access Management

(FICAM) framework or equivalent guidance appropriate for the subject network fabric.

● Establishes capability for user attribute provisioning to support attribute-based

authorization on classified networks.

● Requires this capability to be integrated with the PKI authentication capability.

Scope:

● Minimum of 10 percent of users on classified networks are provisioned with

attributes for authorization-related access-control decisions.

● Minimum of 25 percent of classified data repositories designated as highest

sensitivity (as defined in NIST SP 800-53, CNSSI 1253, ICD 503 or equivalent

guidance appropriate for the subject network fabric) are integrated to use the

interoperable access-control infrastructure facilities (PKI integrated with attribute-

based access control).

Access Control

49

Final Operating Capability (FOC) Definition:

FOC includes IOC, and is achieved when an agency has implemented the capabilities for:

● Federation (exchange) of standardized user authorization attributes on classified networks across organizations;

● Consistent application of fabric-wide access control policy, with timely promulgation of policy changes; and

● Tagging of information resources with access-relevant attributes on ingest, creation, or modification, as applicable.

Scope:

● All users of classified networks.

● All high and medium-sensitivity classified network applications.
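The Access Control IOC and FOC definitions above describe three pieces that have to fit together: a hard-token PKI that authenticates the user, an attribute store that provisions that user with authorization attributes, and resources tagged with access-relevant attributes at ingest or creation, with a fabric-wide policy deciding between them. The following Python sketch is an added illustration of that chain; it is not from the ISOO deck and is not any agency's implementation. The DNs, the attribute names and values, the tags, and the policy rules (clearance dominance, compartment need-to-know, releasability) are all illustrative assumptions, as is the `cert_path_valid` flag standing in for a real certificate path and revocation check.

```python
"""Added example, not from the ISOO deck: a minimal policy decision point that
layers attribute-based authorization on top of PKI authentication. Every name,
attribute value and policy rule below is an illustrative assumption."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Classification levels ordered so a clearance can be checked for dominance.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    """Identity taken from the hard-token certificate, plus provisioned attributes."""
    dn: str                        # certificate subject DN (authenticated)
    clearance: str                 # provisioned attribute
    compartments: FrozenSet[str]   # need-to-know compartments (provisioned)
    citizenship: str               # provisioned attribute


@dataclass(frozen=True)
class Resource:
    """A data object tagged with access-relevant attributes on ingest/creation."""
    name: str
    classification: str
    compartments: FrozenSet[str]   # every one must be held by the subject
    rel_to: FrozenSet[str]         # releasability; empty means no restriction


# Constructed DNs and attribute store (the "user attribute provisioning" piece).
ALICE_DN = "CN=ALICE.EXAMPLE.1234567890,OU=Agency A"
BOB_DN = "CN=BOB.EXAMPLE.0987654321,OU=Agency B"
CAROL_DN = "CN=CAROL.EXAMPLE.1122334455,OU=Partner"

ATTRIBUTE_STORE: Dict[str, Subject] = {
    ALICE_DN: Subject(ALICE_DN, "TOP SECRET", frozenset({"SI", "TK"}), "USA"),
    BOB_DN: Subject(BOB_DN, "SECRET", frozenset(), "USA"),
    CAROL_DN: Subject(CAROL_DN, "TOP SECRET", frozenset(), "GBR"),
}


def authenticate(cert_subject_dn: str, cert_path_valid: bool) -> Optional[Subject]:
    """PKI step. cert_path_valid is an assumed stand-in for chain and revocation
    checks done by the caller. A valid certificate whose DN has no provisioned
    attributes fails closed: authentication alone grants nothing."""
    if not cert_path_valid:
        return None
    return ATTRIBUTE_STORE.get(cert_subject_dn)


def authorize(subject: Optional[Subject], resource: Resource) -> Tuple[bool, str]:
    """ABAC step. Returns (decision, reason) so the reason can be logged for audit."""
    if subject is None:
        return False, "no authenticated, provisioned subject"
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, f"clearance {subject.clearance} does not dominate {resource.classification}"
    missing = resource.compartments - subject.compartments
    if missing:
        return False, f"missing compartments {sorted(missing)}"
    if resource.rel_to and subject.citizenship not in resource.rel_to:
        return False, f"not releasable to {subject.citizenship}"
    return True, "permit"


def access(cert_subject_dn: str, cert_path_valid: bool, resource: Resource) -> Tuple[bool, str]:
    """Full chain: authenticate with the certificate, then decide with attributes."""
    return authorize(authenticate(cert_subject_dn, cert_path_valid), resource)


# Constructed resources, tagged as they would be at ingest.
SECRET_REPORT = Resource("secret-report", "SECRET", frozenset(), frozenset({"USA"}))
TS_SI_CABLE = Resource("ts-si-cable", "TOP SECRET", frozenset({"SI"}), frozenset({"USA"}))

if __name__ == "__main__":
    for dn, valid, res in [(ALICE_DN, True, TS_SI_CABLE), (BOB_DN, True, TS_SI_CABLE),
                           (CAROL_DN, True, TS_SI_CABLE), (CAROL_DN, True, SECRET_REPORT),
                           (BOB_DN, False, SECRET_REPORT)]:
        print(dn.split(",")[0], res.name, access(dn, valid, res))
```

Two design points are worth noting. The decision function never consults the certificate beyond the DN it authenticated; everything else comes from the attribute store, which is what lets the FOC's federation of standardized attributes work across organizations (a partner's assertion only has to populate the same fields). And every deny carries a reason string, so the enterprise audit capability described later in the deck receives a user-attributable event rather than a bare failure.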

Enterprise Audit

Initial Operating Capability (IOC) Definition:

IOC is reached when an agency has the ability to:

● Monitor user-attributable activities (defined as Auditable Events in ICS 500-27) on at least one community-shared information resource on at least one of the agency’s classified networks;

● Analyze identified anomalies (which includes correlating such anomalies with other data sources);

● Report and respond to potential security incidents through collaboration with the appropriate CI, security, law enforcement, or Information Security (INFOSEC) offices;

● Provide automated notifications of security incidents from a community-shared information resource on at least one of the agency’s classified networks to the appropriate offices;

● Deliver an automated flow of audit data from a community-shared information resource on at least one of the agency’s classified networks into an agency-specific audit capability; and

● Provide audit data to other affected organizations.

Enterprise Audit

Final Operating Capability (FOC) Definition:

FOC includes IOC applied to all classified networks, and is achieved when an agency has implemented the ability to:

● Share user-attributable audit information in a common format collected from high and medium-sensitivity information resources (both internal and community-shared) for users;

● Analyze identified anomalies; and

● Enable a timely response to incidents.
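The Enterprise Audit IOC and FOC above, together with the insider-threat bullets earlier in the deck, describe a pipeline: user-attributable events flow from several resources into one agency audit capability in a common format, anomalies are analyzed by correlating them with other data sources (foreign travel reporting is one the deck names), and an automated notification goes to the CI, security, law enforcement or INFOSEC office. The Python below is an added example of that pipeline over constructed data; it is not from the ISOO deck and does not implement ICS 500-27 itself. The two log formats, the field names, the common record layout, the "bulk access to high-sensitivity resources" rule and its threshold, the travel lookback, and the country code "XX" are all illustrative assumptions.

```python
"""Added example, not from the ISOO deck: normalise user-attributable audit
events from two constructed sources into one common record, detect an anomaly,
correlate it with a constructed foreign-travel report, and build a notification.
Formats, field names, thresholds and all sample data are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed file-share audit log (key=value) and database audit log (JSON lines).
FILESHARE_LOG = """\
ts=2012-09-14T02:11:05Z user=bob.example action=READ obj=/share/TS/SI/cable-0417 sens=HIGH
ts=2012-09-14T02:12:40Z user=bob.example action=READ obj=/share/TS/SI/cable-0418 sens=HIGH
ts=2012-09-14T02:13:02Z user=bob.example action=READ obj=/share/TS/SI/cable-0419 sens=HIGH
ts=2012-09-14T09:30:00Z user=alice.example action=READ obj=/share/S/weekly-summary sens=MEDIUM
"""
DB_LOG = """\
{"time":"2012-09-14T02:14:10Z","principal":"bob.example","op":"SELECT","table":"si_reports","sensitivity":"HIGH","rows":5000}
{"time":"2012-09-14T10:02:00Z","principal":"alice.example","op":"SELECT","table":"s_summaries","sensitivity":"MEDIUM","rows":12}
"""
# Constructed foreign-travel reports: user -> [(country code, return date)].
FOREIGN_TRAVEL = {"bob.example": [("XX", "2012-09-12")]}

KV = re.compile(r"(\w+)=(\S+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise_fileshare(line: str) -> Dict:
    """Map one file-share line onto the common record (assumed layout)."""
    f = dict(KV.findall(line))
    return {"time": parse_ts(f["ts"]), "user": f["user"], "action": f["action"],
            "resource": f["obj"], "sensitivity": f["sens"], "source": "fileshare"}


def normalise_db(line: str) -> Dict:
    """Map one database audit line onto the same common record."""
    f = json.loads(line)
    return {"time": parse_ts(f["time"]), "user": f["principal"], "action": f["op"],
            "resource": "db:" + f["table"], "sensitivity": f["sensitivity"], "source": "db"}


def load_events() -> List[Dict]:
    """The 'automated flow of audit data' into one agency capability, time-ordered."""
    events = [normalise_fileshare(l) for l in FILESHARE_LOG.splitlines() if l.strip()]
    events += [normalise_db(l) for l in DB_LOG.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])


def detect_bulk_high_access(events: List[Dict], window: timedelta = timedelta(minutes=15),
                            threshold: int = 3) -> List[Dict]:
    """Flag a user who touches >= threshold distinct HIGH-sensitivity resources
    within the window, across any of the feeding sources. One alert per user."""
    by_user = defaultdict(list)
    for e in events:
        if e["sensitivity"] == "HIGH":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():            # evs keep the global time order
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            resources = {e["resource"] for e in in_window}
            if len(resources) >= threshold:
                alerts.append({"user": user, "window_start": start["time"].isoformat(),
                               "distinct_high_resources": len(resources),
                               "resources": sorted(resources),
                               "sources": sorted({e["source"] for e in in_window})})
                break
    return alerts


def correlate_with_travel(alerts: List[Dict], travel: Dict, lookback_days: int = 30) -> List[Dict]:
    """Attach foreign-travel entries whose return date falls within the lookback."""
    for a in alerts:
        when = datetime.fromisoformat(a["window_start"])
        recent = [t for t in travel.get(a["user"], [])
                  if 0 <= (when - datetime.strptime(t[1], "%Y-%m-%d")).days <= lookback_days]
        a["recent_foreign_travel"] = recent
    return alerts


def run() -> List[Dict]:
    return correlate_with_travel(detect_bulk_high_access(load_events()), FOREIGN_TRAVEL)


def notification(alert: Dict) -> str:
    """Serialised record to hand to the CI/security/law-enforcement/INFOSEC office."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    for alert in run():
        print(notification(alert))
```

The common record is deliberately small (time, user, action, resource, sensitivity, source): that is what makes the FOC's cross-organization sharing practical, because a partner only has to emit those fields. The detector runs over the merged stream rather than per source, which is the point of the IOC's "integrated" capability; Bob's four reads are three file-share events and one database query, and neither source alone would cross the threshold.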

E.O. 13549 “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities” (SLTPS)

• Establishes a program to safeguard and govern access to classified information shared by the Federal Government with SLTPS entities.

• Ensures that security standards for classified information are applied in accordance with national policy.

• Private sector facilities where classified information is or will be used or stored, as well as contractors of SLT entities, shall be inspected, accredited, and monitored for compliance with the standards established pursuant to the NISP by DoD or another responsible Cognizant Security Agency.

• An SLTPS Policy Advisory Committee is created to discuss policy disputes and to facilitate or recommend changes that remove undue impediments to information sharing.

Key Elements of E.O. 13556 (CUI)

• Establishes an open and uniform program.

• Manages all unclassified information within the executive branch that requires safeguarding and dissemination controls.

• The control of this information is pursuant to and consistent with law, regulation, and Government-wide policy.

• Freedom of Information Act (FOIA): “The mere fact that information is designated as CUI shall not have a bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion, including disclosures to the legislative or judicial branches.” – Section 2(b)

Overview of the CUI Program

One uniform and consistent policy applied to a defined and organized body of information, consisting of:

• Registry

• Dissemination Policy

• Decontrol Policy

• Safeguarding Policy

• Marking Policy

Approved CUI Categories

1. Agriculture

2. Copyright

3. Critical Infrastructure

4. Emergency Management

5. Export Control

6. Financial

7. Immigration

8. Intelligence

9. Law Enforcement

10. Transportation

11. Nuclear

12. Patent

13. Privacy

14. Proprietary

15. Statistical

16. Tax

17. Legal

Five Programmatic Areas of the Controlled Unclassified Information Compliance Plan

• Governance: roles and responsibilities established to guide and direct the program and its requirements.

• Policy and Guidance: development, implementation and revision of properly documented policies that are readily available to all affected personnel.

• Training: education of affected personnel on the appropriate handling of information, including responsibilities and ongoing maintenance.

• Technology: identify and assess requirements of IT systems and toolsets for program implementation.

• Self-Inspection: processes and procedures of continuous monitoring to ensure compliance with the EO and Notice.

CUI Executive Agent

Current Efforts

• Development of CUI Supplemental Guidance & Consultation

− Interagency

− Representatives of the public

− State, Local, Tribal

− Private Sector

• Approval of Additional CUI Categories & Subcategories

− CUI Registry Updates

− Continuing Agency Submissions

• Approval of Compliance Plans

− Target Date Updates

− Continuing Agency Submissions

Contact Information

Information Security Oversight Office

National Archives and Records Administration

700 Pennsylvania Avenue, N.W., Room 100

Washington, DC 20408-0001

(202) 357-5250

(202) 357-5907 (fax)

[email protected]

[email protected]

www.archives.gov/isoo

QUESTIONS?
