Docsity
Classification of Government Information: Process, Levels, Marking, and Dissemination, Lecture notes of Communication

An overview of the classification process for government information, including the levels of classification, marking requirements, and procedures for dissemination and declassification. It also covers the role of the USD(I) and DoD Manual 5200.01 in implementing classification management policies.

What you will learn

  • What is the definition of classification in the context of government information?
  • What is the difference between original and derivative classification?
  • What is the role of the USD(I) and DoD Manual 5200.01 in classification management?
  • What are the different levels of classification for government information?
  • What are the procedures for marking and disseminating classified information?

Typology: Lecture notes

2021/2022

Uploaded on 09/12/2022

arold

Introduction to Information Security

Lesson: Course Introduction

Introduction

You’ve probably heard of classified information...maybe in the news, in a spy movie, or in your job. But, do you understand what types of information are classified and why information is classified at different levels?

Do you know who makes those classification decisions or how the Department of Defense, or DoD, classifies information? Do you know the requirements for protecting classified information?

Course Objectives

Hi! I’m Dave the Document. I’d like to welcome you to the Introduction to Information Security course. During this course you will learn about the DoD Information Security Program. This course will provide a basic understanding of the program, the legal and regulatory basis for the program, and how the program is implemented throughout the DoD.

It covers the Information Security Program lifecycle which includes who, what, how, when, and why information, such as a document like me, is classified (known as classification), protected (known as safeguarding), shared (known as dissemination), downgraded, declassified and destroyed to protect national security.

Here are the course objectives. Take a moment to review them.

You will be able to:

  • Define the purpose and phases of the DoD Information Security Program
  • Describe the classification process
  • Describe safeguarding and secure dissemination of classified information
  • Describe the declassification processes and destruction methods for classified information

Lesson: Overview of the Information Security Program

Lesson Objectives

Welcome to the Overview of the Information Security Program! In this lesson, we will briefly describe the Information Security Program lifecycle (Classification, Safeguarding, Dissemination, Declassification, and Destruction), why we need it, how it is implemented in the DoD and locate policies relevant to the DoD Information Security Program.

Purpose of the DoD Information Security Program

The purpose of the DoD Information Security Program is to promote the proper and effective way to classify, protect, share, apply applicable downgrading and appropriate declassification instructions, and use authorized destruction methods for official information which requires protection in the interest of national security.

Classification is the act or process by which information is determined to require protection against unauthorized disclosure and is marked to indicate its classified status.

Safeguarding refers to using prescribed measures and controls to protect classified information.

Dissemination refers to the sharing or transmitting of classified information to others who have authorized access to that information.

Declassification is the authorized change in status of information from classified to unclassified.

Destruction refers to destroying classified information so that it can’t be recognized or reconstructed.

Classified information does not only come in the form of paper documents; it comes in electronic and verbal forms too, and regardless of what form it is in, it must be appropriately protected.

Effective execution of a robust information security program gives equal priority to protecting information in the interest of national security and demonstrating a commitment to transparency in Government.

An effective information security program requires an accurate and accountable application of classification standards and routine, secure downgrading and declassification of information no longer requiring the same level of protection.

No matter your individual role within the DoD workforce, we all play a vital part in ensuring the effectiveness of the DoD Information Security Program.

missions and functions.

For information on security-related DoD policy, review the Policy 101 Flow Job Aid on the Course Resources.

Note that Controlled Unclassified Information, or CUI, will be discussed in a separate product due to CUI reform outlined in E.O. 13556 and the implementing guidance in 32 CFR Part 2002. Currently, CUI awareness training is available on the CUI Toolkit on the Center for Development of Security Excellence, or CDSE, website.

Knowledge Check Activity

In the next two questions, let's see what you recall about the Information Security Program lifecycle.

Question 1 of 2

What are the steps of the information security program lifecycle?

  • Classification, dissemination, downgrading, declassification, and destruction
  • Classification, safeguarding, dissemination, declassification, and destruction
  • Classification, marking, dissemination, downgrading, and destruction

Answer: Classification, safeguarding, dissemination, declassification, and destruction

Question 2 of 2

Which volumes of DoDM 5200.01 provide guidance and direction on classification management, marking, protection, and handling requirements for classified information? Select all that apply.

  • Volume 1
  • Volume 2
  • Volume 3
  • Volume 4
  • All of the above

Answer: Volume 1, Volume 2, Volume 3

Lesson Summary

This lesson provided an overview of the purpose and history of the Information Security Program, the ISP lifecycle and information security policy. At this point, you should have an understanding of how the Information Security Program has evolved and why it is so important.

Lesson: Classification

Lesson Objectives

As a security professional, one of your vital duties is to protect our country’s classified information! In order to protect this information, you will need to identify it as sensitive, appropriately mark it as such, and ensure only authorized personnel with a need-to-know gain access to it.

There are requirements for properly classifying, safeguarding, handling, transmitting, and destroying classified materials.

This lesson will look at the classification of information and provide you with an introduction to working with classified materials.

The lesson objectives include:

  • Correlate the levels of classification to their impact on national security
  • Compare and contrast original classification to derivative classification
  • Identify the sequence of marking classified information
  • Explain the components of the classification authority block
  • Describe the purpose and origin of the security classification guide (SCG) and how to access it for derivative classification

Levels of Classification

Classified materials contain information that requires protection against unauthorized disclosure in order to protect our national security. What is national security? National security concerns the national defense and foreign relations of the United States. Let’s break this down further.

Unauthorized disclosure of classified information could inhibit our national defense or adversely affect our foreign relations. For information to be eligible for classification, it must be official government information that is owned by, produced by, produced for, or under strict control of the U.S. Government, which means the U.S. Government has the authority to regulate access to the information.

So, if materials are controlled by the U.S. Government and disclosure of the information could cause damage to national security, it may be classified. Once the determination is made that the information must be classified, the next step is to designate the level of classification.

The three levels of classification for national security information are Top Secret, Secret and Confidential, which are delineated by E.O. 13526. Top Secret is applied to information, the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to our national security. Secret is applied to information, the unauthorized disclosure of which could reasonably be expected to cause serious damage to our national security. Confidential is applied to information, the unauthorized disclosure of which could reasonably be

Unauthorized disclosure of _____________ information could reasonably be expected to cause damage to our national security.

Answer: Unauthorized disclosure of Secret information could reasonably be expected to cause serious damage to our national security.

Unauthorized disclosure of Top Secret information could reasonably be expected to cause exceptionally grave damage to our national security.

Unauthorized disclosure of Confidential information could reasonably be expected to cause damage to our national security.

Knowledge Check Activity 2

Now, try this one.

Question 1 of 1

What is the basic formula for granting access to classified information for individuals? Select all that apply.

  • Verify the individual’s eligibility determination
  • Determine the individual’s need-to-know
  • Acknowledge that the SF-312 has been executed

Answer: Verify the individual’s eligibility determination, Determine the individual’s need-to-know, Acknowledge that the SF-312 has been executed

What is Original Classification?

The process of making an initial classification decision on Government information is called Original Classification. DoDM 5200.01, Volume 1, Enclosure 4 describes original classification as “the initial decision that information could reasonably be expected to cause identifiable damage to national security if subjected to unauthorized disclosure.”

This determination can only be made by a designated Original Classification Authority, or OCA. The OCA is an individual authorized in writing, either by the President, the Vice President, or by agency heads or other officials designated by the President, to originally classify information.

Within the DoD, OCA is delegated to a position, not to an individual person, which means that if someone moves to another position, or is on leave, the person occupying the position that was granted OCA holds the authority. Deputies, vice commanders, chiefs of staff, and similar immediate subordinates of an OCA are empowered to perform original classification.

They may do this when they have been officially designated to assume the duty position of the OCA in an acting capacity during the OCA’s absence and have certified in writing that they have received required OCA training.

Positions within the DoD that are designated as OCAs are those carrying out a unique mission with responsibility in one of the subject areas which are the authorized categories from which information may be classified as outlined in E.O. 13526.

The delegation of authority will specify the highest level the OCA can classify a piece of information. This means, if the OCA is authorized to classify information at the Secret level, then they can also classify information at the Confidential level.

Because of the importance of their responsibilities, OCAs must complete training prior to exercising their authority and then annually thereafter.

OCA Annual Training

OCAs must be trained annually on the following topics:

  • The difference between original and derivative classification
  • Who can be an OCA
  • The requirement to certify, in writing, before initially exercising OCA authority and annually thereafter, that training has been received
  • The prohibitions and limitations on classifying information
  • The responsibility and discretion in classifying information
  • Classification principles, the classification process, and the need to avoid over-classification
  • Safeguarding classified information from unauthorized disclosure
  • Criminal, civil, and administrative sanctions that may be imposed due to unauthorized disclosure

Original Classification Process

OCAs follow a standard process to make classification determinations. CDSE packaged the standard process into six digestible steps.

In Step 1 “Official”, the OCA must ensure that the information is official government information. Remember, for information to be classified, the U.S. Government must own, have proprietary interest in, or control the information. During this step, the OCA must ensure that the information was not already classified by another OCA. If the information was already classified, then the original classification process ends.

In Step 2 “Eligible”, the OCA will determine whether the information is eligible for classification by first examining the categories of information E.O. 13526 authorizes. The second part of determining eligibility is to ensure that the information is not specifically prohibited, or limited, from being classified as outlined in E.O. 13526.

In Step 3 “Impact”, the OCA must determine if unauthorized disclosure of the information could cause damage to national security, which includes defense against transnational terrorism. E.O. 13526 requires that the damage can be identified or described by the OCA.

Derivative Classifier Annual Training

Derivative classifiers must be trained annually on the following topics:

  • Principles of derivative classification
  • Classification levels
  • Duration of classification
  • Identification and markings
  • Avoidance of over-classification
  • Prohibitions and limitations of classification
  • Sanctions
  • Classification challenges
  • Classification guides
  • Information sharing

Classification Concepts

Some important factors affecting classification are the concepts of Contained in, Compilation, and Revealed by.

Contained in applies when derivative classifiers incorporate classified information, word for word, from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information.

Compilation occurs in some circumstances when information that is individually unclassified, or classified at a lower level, may be classified, or classified at a higher level, only if the compiled information reveals an additional association or relationship. Types of information that are commonly classified through compilation are budgets and tables of distribution, staffing and equipment allowances, and mission and geographic location. The OCA will include a clear explanation of the basis for classification by compilation within the SCG for the system, plan, program, project or mission.

Revealed by applies when classified information has been paraphrased or restated and not taken word for word from an authorized source document, but the classification is deduced from interpretation or analysis.

Knowledge Check Activity 3

In the next two questions, can you identify the different ways that classified information is created?

Question 1 of 2

Select the correct term (Original Classification, Derivative Classification) to complete each sentence.

_____ is defined as the incorporating, paraphrasing, restating, or generating in new form any information that is already classified.

_____ is defined as an INITIAL determination that information requires, in the interest of national security, protection against unauthorized disclosure.

Answer: Derivative Classification is defined as the incorporating, paraphrasing, restating, or generating in new form any information that is already classified.

Original Classification is defined as an INITIAL determination that information requires, in the interest of national security, protection against unauthorized disclosure.

Question 2 of 2

True or False: A derivative classifier may overrule an original classification determination if it is in the interest of national security.

  • True
  • False

Answer: False

Markings Overview

Marking classified information is the specific responsibility of original and derivative classifiers. Markings serve to alert holders to the presence of classified information and technical information with restriction on its dissemination; identify, as specifically as possible, the exact information that needs protection; indicate the level of classification assigned to the information; provide guidance on downgrading and declassification; give information on the source or sources and reason or reasons for classification or other restrictions; and warn holders of special access, control, or safeguarding requirements.

Types of Markings

All documents containing classified information must be marked using a sequential process where portion markings must be done before banner markings to mitigate confusion, marking errors and potential unauthorized disclosure.

Portion markings indicate the highest level of classification in every portion of the document and must be placed at the beginning of the respective portion.

Portion markings utilize authorized abbreviations to indicate the classification level: TS stands for Top Secret. S stands for Secret. C stands for Confidential. And U stands for Unclassified.

Banner markings indicate the highest level of classification of the overall document, as determined by the highest level of any one portion within the document. They are placed on the top and bottom of every page of the document.

In banner markings, the classification level, TOP SECRET, SECRET, CONFIDENTIAL must be completely spelled out in all capital letters.

Answer: True

Question 3 of 3

What information will you find in the Classification Authority Block on the front page of any classified document? Select all that apply.

  • Classified By
  • Post At
  • Derived From
  • Downgrade To (if applicable)
  • Declassify On
  • All of the above

Answer: Classified By, Derived From, Downgrade To (if applicable), Declassify On

Knowledge Check Activity 5

In the next two questions, let’s see what you recall about security classification guides.

Question 1 of 2

Who issues security classification guides?

  • Derivative classifiers
  • Original classification authorities
  • Security managers

Answer: Original classification authorities

Question 2 of 2

What information does a security classification guide provide a derivative classifier? Select all that apply.

  • Classification level for each element of information to be protected
  • Reason for classification
  • Duration of classification and any applicable downgrading instructions
  • Special control notices
  • OCA contact information

Answer: Classification level for each element of information to be protected, Reason for classification, Duration of classification and any applicable downgrading instructions, Special control notices, OCA contact information

Lesson Summary

This lesson provided an overview of the classification process. At this point, you should understand why information is classified, who classifies information and how they do it, as well as who may have access to classified information.

Lesson: Safeguarding and Dissemination

Lesson Objectives

Now that I have been properly classified, you need to learn how to protect me when you are handling me, storing me, or sharing me with others. We want to avoid security incidents!

This lesson will provide you an overview of how to safeguard and safely share classified information with authorized individuals. We will look at the security requirements related to storing and disseminating classified information and the different types of security incidents that occur when safeguarding and dissemination procedures are not followed.

Take a moment to review the lesson objectives.

You will be able to:

  • Describe the security requirements related to storing classified information
  • Describe the high-level security requirements related to disseminating classified information
  • Define security incidents and describe the different types

Authorized Storage Methods

Do you know how many places are authorized for storage of classified information? Take a guess. If you guessed four places, you are correct! The four authorized places to store classified information are in an authorized individual’s head, in an authorized individual’s hands, in a General Services Administration, or GSA, approved security container, and in authorized information technology.

When the information is in an authorized individual’s head or hands, it should stay there and only be shared with other authorized individuals that meet the criteria we discussed earlier.

When not directly in an authorized individual’s possession, classified information must be put back into a GSA-approved security container such as a 2- or 4-drawer cabinet, a safe, or a vault. All locks for GSA-approved security containers must conform to Federal Specification FF-L-

When using information technology to access classified information, you must follow cybersecurity policies related to accessing or sharing classified information on classified systems such as the Secure Internet Protocol Router Network, or SIPRNET.

Classified Information Outside GSA-approved Containers

Specific forms and procedures are required when classified information is outside GSA-approved security containers as well as for those security containers themselves.

exception is sought (cite this manual by volume, enclosure, and paragraph).

Requests from DoD Components must provide rationale and justification, including negative impacts to cost, schedule, mission, or operations; a mission analysis summary to identify vulnerabilities and risk management considerations; a summary of proposed mitigation measures to reduce risk; and the necessary duration for any waivers.

Current waivers and exceptions will continue to be valid until they are due for renewal. Unless otherwise specified in DoDM 5200.01, Volume 1, the DoD Components must submit requests for information security waivers or exceptions to the standards and requirements through the chain of command to the USD(I).

For waivers involving marking of classified information or requests involving prescribed standard forms, refer to DoDM 5200.01, Volume 2, Enclosure 2 and Enclosure 3.

Knowledge Check Activity 1

In the next two questions, let's see what you recall about the requirements for safeguarding classified information.

Question 1 of 2

True or False? You may store classified information in your locked desk drawer while you go to lunch as long as you cover it with the appropriate classified cover sheet.

  • True
  • False

Answer: False

Question 2 of 2

If your office is preparing to undergo renovations for the next few months and you will not be able to store classified information according to the requirements as specified in DoDM 5200.01, Volume 3, which of the following should you request?

  • Waiver
  • Exception
  • Security Incident

Answer: Waiver

Transmission

You must continue to safeguard classified information when you disseminate it to other authorized individuals via phone, information systems, and fax. When using a phone to share classified information with other authorized individuals, you must only use phones with approved secure communication circuits. Know how to use your secure communication device. And remember, just because you are on a STE (Secure Terminal Equipment) does not mean that someone can’t hear your end of the conversation. So, always be vigilant of your surroundings and know who is nearby when using this phone.

Cybersecurity refers to the measures that protect and defend information and information systems. Processing classified information on an information system presents unique and challenging security issues. When processing classified information on an information system, only use an information system that has been specifically authorized to process classified information and only email classified information over a classified network.

When using a fax machine to transmit classified information, the fax machine must be connected through appropriate secure communication equipment over secure communication circuits approved for transmission of information at the specific level of classification.

Transportation

There are different requirements for transporting Confidential, Secret, and Top Secret information. As simple as it might be to just pop classified documents into a post office box, or hand them over to the mail carrier, it can’t be done that way. Precautions must always be taken to secure classified information.

Classified information can be transported via hand-carrying or an escort, courier, or mail.

The chart is broken down by levels of classification with helpful information to transmit or transport classified information. Note that certain methods of transportation can be used for all three levels of classified information. Some can only be used for Secret and Confidential. Others can only be used for Confidential. Take a moment to review the chart.

| Transmission and Transportation Methods | Top Secret | Secret | Confidential |
|---|---|---|---|
| Direct contact between appropriately cleared personnel | X | X | X |
| Approved secure communications systems (i.e., an authorized cryptographic system or protected distribution system) | X | X | X |
| Defense Courier Service (DCS) | X | X | X |
| Authorized U.S. Government agency courier services (i.e., Dept. of State Diplomatic Courier Service, authorized DoD component courier service) | X | X | X |
| Cleared U.S. military and Government personnel and DoD contractor employees specifically designated to carry the information and travelling by surface transportation or on a scheduled commercial passenger aircraft | X | X | X |
| GSA contract holders for overnight delivery | | X | X |
| USPS registered mail within U.S. and through Military Postal Service facilities only outside of U.S. | | X | X |
| USPS Express mail within the U.S. and Puerto Rico only | | X | X |
| Canadian registered mail between USG and Canadian government installations located in the U.S. and Canada | | X | X |
| Carriers under National Industrial Security Program (NISP) providing protective security service within the continental U.S. (CONUS) only | | X | X |
| U.S. Government and USG contract vehicles, aircraft, and ships | | X | X |
| Air carrier without an appropriately cleared escort or under certain circumstances without an escort | | X | X |
| USPS certified mail for material addressed to DoD contractors or non-DoD agencies | | | X |
| USPS First Class Mail between DoD Component locations anywhere in the U.S. and its territories | | | X |
| Commercial carriers providing a constant surveillance service within CONUS | | | X |
| Custody of U.S. citizen commanders or masters of U.S. registered ships | | | X |

Classified Meetings and Conferences

When a DoD activity sponsors a classified meeting or conference, the activity will assign an official to serve as the security manager for the meeting.

The security manager will be responsible for ensuring that, at a minimum, the following security provisions are met:

  • Brief attendees on safeguarding procedures.
  • Control the entrance so that only authorized personnel gain entry to the area.
  • Control the perimeter to ensure unauthorized personnel cannot overhear classified discussions or introduce devices that would result in the compromise of classified information.
  • Provide escorts for uncleared personnel who are providing services to the meeting or conference (such as food setup or cleaning) when classified presentations and/or discussions are not in session.
  • Prohibit use of cell phones, personal electronic devices, or PEDs, 2-way pagers, and other electronic devices that transmit.
  • Only permit note taking during classified sessions when it is determined that such action is necessary to fulfill the U.S. Government purpose for the meeting.
  • Ensure classified notes and handouts are properly safeguarded.
  • Segregate classified sessions from unclassified sessions.
  • Only disclose classified information to foreign nationals in coordination with your Foreign Disclosure Officer, or FDO.
  • Conduct an inspection of the room(s) at the conclusion of the meeting or conference (or at the end of each day of a multi-day event) to ensure all classified materials are properly stored.

Prepublication Review

The Defense Office of Prepublication and Security Review (DOPSR) is responsible for managing the DoD security review program and reviewing written materials for public and controlled release. This includes government and industry work products, as well as materials submitted by current and former DoD civilians, contractors, and military members pursuant to their non-disclosure agreement obligations.

The security review protects classified information, controlled unclassified information, and unclassified information that may individually, or in aggregate, lead to the compromise of classified information or disclosure of operations security. Some examples of materials DOPSR reviews include manuscripts, articles, theses, conference papers, briefings, brochures, reports to Congress, and books.

DOPSR derives its authority from DoDI 5230.09, Clearance of DoD Information for Public Release, and DoDI 5230.29, Security and Policy Review of DoD Information for Public Release.

Heads of DoD Components must ensure that component specific documents, including official correspondence, are reviewed internally and that information is reviewed for operations security before public release. The review must also address technology transfer and public releasability of technical data.

For more information on disseminating classified information, refer to the CDSE website.

Knowledge Check Activity 2

In the next two questions, let's see what you recall about disseminating classified information.

Question 1 of 2

When can Top Secret information be sent via the United States Postal Service (USPS)?

  • When Defense Courier Operations (DCO) is not available
  • When the information needs to be signed for
  • Never

Answer: Never

Question 2 of 2

True or False. While manuscripts, articles, theses, conference papers, briefings, brochures, and books must be sent to the Defense Office of Prepublication and Security Review (DOPSR) for review and approval before publishing, reports to Congress do not require prepublication review.

  • True
  • False

Answer: False

Types of Security Incidents

When someone fails to use proper security requirements for protecting classified information, we have a security incident that must be handled. Before we learn how to react to a security incident, we need to understand the types of incidents that could occur. These types of security incidents are a security violation, security infraction, spillage, and unauthorized disclosure.

Security Violation

What specifically is a security violation? A security violation occurs when there is a knowing, willful, or negligent action that could reasonably be expected to result in the loss, suspected compromise or compromise of classified information. For example, an individual fails to secure the SCIF at the end of the day and subsequently, unescorted cleaning personnel access the SCIF and see classified information. A security violation occurs when an inquiry reveals there has been a compromise of classified information. Depending on the type of information which has been compromised, an investigation may also be required.