Information Security Role Based Certification (RBC)

Ready to Prove Your Competency? Start Here. As a core component of the Information Security Role-Based Certification (RBC), the Activity Security Manager (ASM)-INFOSEC VILT course is designed to formally validate your on-the-job competence. The curriculum moves beyond theory, mapping directly to the real-world behaviors required of an effective Activity Security Manager. Through a series of practical, scenario-based assessments, you will consistently prove your ability to perform your duties. This course ensures that upon completion, you are not just 'trained', but officially verified as competent in your critical security role.

InfoSec Specialist Roles and Responsibilities: Information Security Specialists are responsible for implementing and maintaining the Department of Defense Information Security Program, as defined in DOD Manual (DODM) 5200.01 (Volumes 1-3). This role aligns with the Office of Personnel Management (OPM) core discipline of "Information Security" and focuses on the protection of national security information (NSI). Typically classified under OPM occupational series 0080 (Security Administration), this individual ensures the proper handling and safeguarding of classified and unclassified NSI. This RBC is appropriate for Security Managers who oversee a DOW Information Security Program (ISP). It provides the knowledge and skills needed to manage the full spectrum of information security responsibilities.
 

Category: Skills
  • Risk Management: Risk Mitigation and Management Strategies
  • Information Life Cycle: Classification, Declassification, Downgrading, Storage, Destruction, Records Management
  • Access & Control: Safeguarding, Handling, Dissemination, Transmission, and Transportation
  • Program Management: Incident Response, Accountability, Security Education & Training Awareness, Inspections and Oversight
  • Coordination: Collaboration and communication with internal/external stakeholders



Outcome: Learners will be equipped with critical thinking and problem-solving skills to apply effective solutions to real-world information security issues.

Information Security Certification Requirements 
To earn the Information Security Certification, you must successfully complete the following four phases in order. 
 
Phase 1:  Complete Prerequisite eLearning Courses 

Before you can enroll in the main certification course, you must first complete and pass the following self-paced eLearning courses. 
  • Introduction to Information Security (IF011.16) 
  • Original Classification (IF102.16) 
  • Derivative Classification (IF103.16) 
  • Marking Special Categories of Classified Information (IF105.16) 
  • Security Classification Guidance (IF101.16) 
  • Transmission and Transportation for DOD (IF107.16) 
  • Storage Containers and Facilities (PY105.16) 
  • Risk Management for DOD Security Programs (GS102.16) 
  • Information Security Emergency Planning (IF108.06) 
  • Introduction to the Risk Management Framework (RMF) (CS124.16) 
  • Unauthorized Disclosure (UD) of Classified Information and Controlled Unclassified Information (CUI) (IF130.16) 
  • Classification Conflicts and Evaluations (IF110.06) 
  • Developing a Security Education and Training Program (GS104.16) 
  • DOD Mandatory Controlled Unclassified Information (CUI) Training (IF141.06) 
Phase 2: Attend the Virtual Instructor-led Course  
After completing all prerequisites, you must enroll in and attend the ASM-InfoSec VILT course (IF203.10).  This four-week, instructor-led virtual course combines flexibility with structured support. You should be aware of the following key details about the course.

Key Course Details
  • Course Agenda:  You can review the detailed schedule in the Course Agenda
  • Flexible Learning:  The course is primarily asynchronous, allowing you to complete lessons and assignments on your own schedule without required real-time lessons.
  • Constant Instructor Support:  While daily lesson briefings are not synchronous, instructor support is continuous. Instructors are available to answer your questions and provide one-on-one working sessions as needed. They will also provide direct feedback to facilitate your learning on lesson assignments and can model how to complete assignments to ensure you understand how to be successful. 
  • Live Kickoff Session:  A synchronous introductory lesson is delivered via MS Teams on the first Monday of the course, which students are highly encouraged to attend. 
  • Course Requirements & Expectations:  You will be required to review all asynchronous lesson briefings and materials and submit all graded activities by their posted weekly deadlines. These activities are designed to build critical thinking and require you to analyze regulatory guidance and apply key concepts to practical scenarios. Graded activities include: 
    • Lesson assignments 
    • Quizzes and eLearning courses 
    • Discussion forums 
    • A final capstone project 
  • Time Commitment:  To be successful, you should plan to commit 15-20 hours per week. 
  • Recommendation for Success:  Depending on your experience, it may be beneficial to arrange for a part-time training status to dedicate the necessary time to the course. 

Phase 3: Successfully Complete the Course  
To pass the course, you must earn a cumulative average of 80% or higher on all graded coursework. This includes all practical exercises, activities, discussion questions, and the final capstone project. 

Phase 4: Pass the Final Certification Exam  
After successfully completing the ASM-InfoSec VILT (IF203.10) course, you will be eligible to take the final certification exam. You must pass this exam with a minimum score of 80% to earn the Information Security Certification. 

The chart below details the specific responsibilities of an Information Security Specialist and what effective implementation of each looks like in practice. Each entry covers duties and responsibilities addressed in the certification. 

Responsibility

Implementation looks like...

Manage the ISP

Following guidelines in policy to effectively manage and supervise the ISP on behalf of your activity head. This includes giving equal priority to protecting information and demonstrating a commitment to transparency and openness in government operations.

Advise Your Activity Head

Advising and representing your activity head on all DOD information security policy matters.

Mitigate Risk

Conducting risk assessments to evaluate the potential risks and vulnerabilities associated with protecting classified information throughout its life cycle.

Remain Cognizant of Policy

Staying informed about all aspects related to information security, personnel security, information systems security, physical security, and industrial security functions.

Communicate Policy

Ensuring that individuals with security duties are kept informed of any changes in policy and procedures and understand how to implement changes.

Manage Classified Information

Reviewing and assessing all of your activity's classified products on a regular basis to ensure adherence to policy.

Implement Security Education and Training Awareness (SETA)

Establishing and maintaining an effective SETA program for all personnel that includes a continuous security awareness component that addresses real-time security risks.

Create Internal Policy Guidance

Creating a written activity security instruction that clearly defines the procedures for safeguarding classified information during emergency situations and military operations, if applicable.

Original Classification Authority (OCA) Policy

Implementing the policy guidance for OCAs.

OCA Training

  • Completing the necessary training for your activity related to OCAs.
  • Ensuring that delegation letters and OCA training certifications are properly maintained by the designated office. This ensures they can be retrieved promptly when requested by the appropriate authorities.

OCA Oversight

Ensuring OCAs meet the guidelines for correctly marking, designating, or electronically labeling classified information in your activity, and maintain full cognizance of the information itself.

OCA Coordination

Coordinating procedures for personnel who hold classified information that is not properly marked, ensuring they resolve the issue through the OCA so the correct markings are applied.

OCA Reporting

Submitting an annual report to the Under Secretary of War for Intelligence and Security (USW(I&S)) by October 31 that includes a comprehensive list of officials in your activity who hold an OCA.

Safeguarding Expectations

Establishing expectations within your ISP that personnel have a true understanding of their responsibility to safeguard Classified National Security Information (CNSI), which includes providing clear guidance to personnel on how to identify, mark, and appropriately handle all levels of classified information.

Unauthorized Disclosure Protection

Ensuring classified information, including collateral, Sensitive Compartmented Information (SCI), and Special Access Program (SAP) information, is properly classified, declassified when necessary, and protected from unauthorized access or disclosure.

Misclassification Oversight

Authorizing designated officials to correct any instances of misclassification of information as applicable.

Derivative Policy Implementation

  • Maintaining an overall proficiency of derivative classification policy, procedures, and terms to support personnel.
  • Maintaining an awareness of derivative classification policy implementation within your activity.

Protecting OCA Guidance

Ensuring personnel understand their individual responsibility to implement OCA guidance in source documents and Security Classification Guides (SCGs) by applying all required markings on derivative documents, including banner markings, portion markings, and the classification authority block (CAB) information.

Derivative Training

Ensuring personnel meet annual derivative classification training requirements and document completion.

SCG Coordination

Coordinating with OCAs as applicable on:

  • Preparing, disseminating, and maintaining SCGs in your activity following the guidelines outlined in DODM 5200.45, and DODM 5200.01 Volume 1, Enclosure 6
  • Providing one copy of each approved SCG, signed by an OCA (except those deemed too sensitive for secondary distribution), to the Administrator of the Defense Technical Information Center (DTIC), along with Department of Defense (DD) Form 2024, DOD Security Classification Guide Data Elements, since DTIC indexes all approved SCGs in an online accessible database

Classified Contracts Support

Coordinating with the Contracting Officer (KO) to communicate specific classified contract requirements to industry partners throughout the contracting process whenever classified information is shared with industry partners at activity facilities or other locations. This includes:

  • Ensuring compliance with the rules outlined in 32 Code of Federal Regulations (CFR) Part 117, National Industrial Security Program Operating Manual (NISPOM), when classified information is provided to industry partners at their own facility.
  • Providing support to the KO and contracting team specifically to complete requirements outlined in DD Form 254
    • Ensuring detailed information about all security requirements and safeguards for classified contractors is explicit (i.e., Box 13)
  • Although not under your direct responsibility, remaining cognizant of DD Form 441, Department of Defense Security Agreement. This is the agreement executed between the government and a cleared contractor as part of the facility clearance process; it binds the contractor to the NISPOM's safeguarding requirements for classified information.

Public Release Coordination

Collaborating with your Public Affairs and Operational Security officers to ensure all information intended for public release is reviewed in accordance with DODI 5230.09, Clearance of DOD Information for Public Release; DOD Instruction (DODI) 5230.29, Security and Policy Review of DOD Information for Public Release; and DODI 8550.01, DOD Internet Services and Internet-Based Capabilities.

Foreign Disclosure Coordination

Collaborating with your Foreign Disclosure Officer (FDO) to ensure your activity complies with the regulations outlined in DOD Directive (DODD) 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations, regarding the disclosure of classified information to foreign governments and international organizations.

Social Media Considerations

Coordinating with the Public Affairs Officer (PAO) to ensure information released on official external social media presences follows the DOD ISP requirements and aligns with guidance in DODI 5400.17, Official Use of Social Media for Public Affairs Purposes.

Enforce Protection of CNSI

Consistently enforcing requirements for safeguarding, storing, destroying, transmitting, and transporting classified information.

Storage Methods

Deterring and detecting unauthorized access to classified information through effective storage methods to include:

  • General Services Administration (GSA)-approved security containers
  • Locks approved by the DOD lock program to secure the classified materials
  • Procedures for safeguarding and storing combinations to GSA-approved security containers, using Standard Form (SF) 700 for each container

Unauthorized Disclosure Reporting Cognizance

Proactively minimizing potentially negative consequences of unauthorized access to classified information at your activity by ensuring reporting and investigating procedures are in place.

Consistent Security Checks

Conducting security checks at the end of each duty day to verify that areas where classified information is handled or stored are secure, recorded on SF 701, Activity Security Checklist, and SF 702, Security Container Check Sheet.

Handling Accountability

Ensuring procedures are in place at your activity for routine handling and sharing of classified information, to include:

  • Using secure communication methods to safeguard classified information.
  • Following established procedures when reproducing classified information.
  • Supervising adherence to guidelines for transmission and transfer of classified information.

Destruction Accountability

Ensuring procedures and best practices for destroying classified information are in place to include:

  • Only using equipment on the evaluated products list (EPL) issued by the National Security Agency (NSA).
  • Promoting “clean desk” environments.
  • Ensuring personnel promptly destroy non-record copies of CNSI when no longer needed for tasks.

CUI Policy

Implementing the policy guidance for CUI.

CUI Protection

Ensuring personnel have a clear understanding of the processes involved in protecting CUI, including:

  • Ensuring DOD CUI program requirements as directed by the component head or CUI Program Manager (CPM) are communicated to personnel.
  • Ensuring guidance and best practices are followed at every stage of the CUI life cycle - identifying/creating, designating, marking, sharing, decontrolling, and destroying.

CUI Training

Meeting the training requirements for CUI by ensuring all relevant information is effectively communicated to personnel, enabling them to:

  • Identify CUI categories and indexes
  • Describe CUI registries - DOD and the Information Security Oversight Office (ISOO)
  • Describe CUI minimum marking requirements
  • Describe CUI safeguards when handling, sharing, and storing
  • Use appropriate destruction methods
  • Complete unauthorized disclosure incident reporting
  • Describe dissemination and other control measures

CUI Information Technology (IT) Considerations

Coordinating with IT personnel to ensure system requirements for storing and sharing CUI electronically are in place and communicated to personnel per DODI 5200.48, Controlled Unclassified Information.

CUI Unauthorized Disclosure Reporting

Completing incident reporting for the unauthorized disclosure of CUI.

Security Incident Accountability

  • Promptly conducting security reviews and other necessary assessments when a compromise of security is determined. 
  • Ensuring all security threats and incidents related to classified information are reported, recorded, coordinated with the proper authorities, and, when necessary, investigated. 
  • Taking appropriate action to mitigate damage and prevent recurrence of security issues. 
  • Ensuring any security violations or security breaches are promptly reported and referred to the appropriate investigative authority responsible for handling such matters. 

Spillage Coordination

  • Ensuring policy requirements for unauthorized disclosure or spillage are followed. This includes inquiry, notification, investigation, damage assessment, and reporting all unauthorized disclosures of classified information to the appropriate authorities. 
  • Coordinating with local cybersecurity officials/staff, IT, and Information Assurance (IA) staff on inquiries into incidents involving the possible or actual compromise of classified information on IT systems (spillage), while retaining overall responsibility for the integrity of the process at your activity.  

Incident Reporting Coordination 

  • Providing a copy of the results of any inquiry to the contracting company and to the Defense Counterintelligence and Security Agency (DCSA) when security incidents involve on-site contractors. 
  • Ensuring incidents which you do not have cognizance over are reported to all appropriate authorities.  

Process Management

Ensuring the security inquiry process is followed and completed within the designated timeline—10 business days. If additional time is needed to complete the initial inquiry, initiate a request for an extension. It's important to note that ASMs are typically not assigned to conduct security investigations when they are warranted, but as noted earlier, should oversee the process through completion. 

Risk Management Framework (RMF) Coordination

Ensuring your activity follows DODI 8510.01, Risk Management Framework for DOD Systems and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 and 800-39.

Reporting Accountability

Remaining accountable for, and ensuring, the requirements for reporting spillage of classified information and unauthorized disclosure of CUI on IT systems are met. Remember that spillage reports must themselves be Unclassified. Remain cognizant of other reporting actions that may also be required depending on the type and level of the cyber incident, including notifying:

  • Your DOD Component Head
  • USCYBERCOM
  • U.S. Computer Emergency Readiness Team
  • DOD Privacy Act officials, for a breach of Personally Identifiable Information (PII)
  • The Unauthorized Disclosure Program Management Office (UDPMO), for unauthorized disclosure in the public domain

Access Monitoring

  • Ensuring CNSI is transmitted exclusively over secure communication networks approved for transmitting information at the specified classification level.
  • Ensuring policy requirements for all uses of IT are effectively implemented and adhered to.
  • Ensuring compliance with system access control, auditability, and user activity monitoring requirements.
  • Adhering to the "least privilege" principle when granting access to classified networks. This means providing individuals with only the minimum level of access and permissions necessary to perform their job functions and responsibilities within the classified network.

IT Coordination

  • Coordinating with the Authorizing Official (AO) or Authorizing Official Designated Representative (AODR) to identify and mitigate emerging risks in evolving IT environments.
    • Because technology advances faster than policy updates, you must adapt to new products, equipment, and peripherals that affect data storage, communications, access control, and intrusion detection.
  • Coordinating with Information Systems Security Managers (ISSMs) and other IT personnel to:
    • Ensure information systems security measures and procedures are implemented to protect classified information in electronic format.
    • Monitor IT capabilities that present vulnerabilities, such as data aggregation, which can result in the creation of classified compilations.
    • Communicate concerns when new policies or procedures are needed to deal with new capabilities, through the security chain of command to the Director of Security, USW(I&S).
    • Implement technical measures to prevent unauthorized copying of classified data, and employ anomaly detection to identify unusual patterns in accessing, handling, downloading, and removing digital classified information.
    • Ensure awareness that non-DOD-controlled electronic messaging services are not permitted to handle or share non-public DOD information, regardless of any perceived or claimed security measures offered by those services.

Manage Access

Ensuring only personnel who have the appropriate security eligibility with a legitimate need-to-know and signed SF 312 are granted access to classified information. Also manage access by: 

  • Limiting access to classified information daily by using suitable control measures. 
  • Ensuring requirements for open storage areas are in place such as appropriate Security-in-Depth (SID) controls to deter and detect unauthorized access to sensitive information, as applicable. 
  • Adhering to the minimum storage standards set by the GSA for securing specific levels of classified information. 
  • Adhering to the lock specifications FF-L-2740 or FED-STD 832 as applicable on GSA containers and vaults. 

Manage Classified Visits

Developing security measures and protocols at your activity in accordance with DODD 5230.20, DODI 5200.08, and other relevant policies that address the considerations of visitors who require access to classified information to include at a minimum:  

  • Verifying the identity of visitors 
  • Confirming their personnel security eligibility 
  • Granting access if necessary 
  • Verifying need-to-know  

Cognizance of Industry Access

Ensuring compliance is maintained when providing access to classified information to industry personnel at your activity and affiliated locations in relation to classified contracts. If the classified information is shared with industry personnel at the contractor's facility, it is important to adhere to the provisions outlined in 32 CFR, Part 117 National Industrial Security Program (NISPOM). 

Manage Classified Meetings

Ensuring classified meetings related to your activity are conducted only for specific government purposes and are held at appropriately cleared facilities. Classified meetings requirements include: 

  • Only approving when other approved methods for disseminating information are not practical.  
  • Ensuring that classified meeting announcements are Unclassified to avoid disclosing sensitive information. 
  • Ensuring unclassified sessions are effectively separated from classified. 
  • Ensuring procedures for meetings include the storage and destruction of classified information as applicable.

SCI Cognizance

  • Overseeing the aspects of the SCI security programs that are not delegated to intelligence agencies.  
  • Developing guidance, or coordinating as necessary with Special Security Officer (SSO), to ensure the protection of SCI information. The SSO will be responsible for the day-to-day management, operation, implementation, use, and dissemination of SCI within the activity.  
  • Ensuring day-to-day oversight procedures are in place for handling and disseminating SCI within the activity.  
  • Providing copies of requests for exceptions and waivers of information security policies, security incident reports, and other information submitted to the Director of National Intelligence (DNI) to the USW(I&S).  

SETA Management and Supervision

Developing, coordinating, and implementing the SETA program by: 

  • Ensuring all personnel receive the necessary initial and annual SETA training. 
  • Instilling, promoting, and maintaining a culture of continuous security awareness. 
  • Implementing effective techniques and strategies to motivate all personnel to actively support the goals of the ISP. 
  • Promoting a clear understanding among personnel of the policies and requirements outlined in the ISP that directly relate to national security interests. 
  • Educating personnel on real-time emerging security risks as applicable. 
  • Ensuring personnel understand the difference between whistleblowing and UD. 

Special Training Management

Ensuring, as applicable, any special training that may be required for personnel in your activity who have DOD ISP specific duties or job responsibilities takes place as outlined in DODM 5200.01 Volume 3, Protection of Classified Information, Enclosure 5. Special training includes: 

  • Initial OCA training for newly appointed OCAs in your activity and annually thereafter that meets the requirements in DODM 5200.01 Volume 3, Protection of Classified Information, Enclosure 5. 
  • Management and oversight training for any personnel whose duties involve managing and overseeing classified information in accordance with DODI 3305.13, DOD Security Education, Training, and Certification. 
  • Enhanced security training for organizations with deployable elements to meet the needs of the operational environment. This includes security requirements for handling, sharing, and marking of classified information, as well as classification markings or special controls specific to the situation.  

Self-Inspection Accountability

  • Establishing and maintaining an ongoing self-inspection and oversight program to regularly evaluate the effectiveness and efficiency of your activity’s ISP.  
  • Completing annual self-inspections, or more frequently, if necessary, based on your program needs and the amount and level of classified information handled by your activity.   

Managing Reporting Requirements

Submitting annual reports of self-inspections to the ISOO or USW(I&S), as required. The self-inspection reports must include the following information: 

  • A clear description of the self-inspection program, including the activities that were assessed, the programs that were covered, and the methods used for self-inspection. 
  • A summary of findings in each area: original classification, derivative classification, declassification, safeguarding, security violations, security education and training, and management and oversight. 
  • Details on the findings from the annual reviews of original and derivative classification actions. 
  • Information about the corrective actions that have been taken or planned to address any identified deficiencies or instances of misclassification. 

Also implement the best practices identified in DOD Inspector General Report DODIG-2013-142. 

ISP Personnel Integrity and Accountability

Contractors: 

  • Ensuring contractors who are responsible for security administration and support tasks are clearly distinguished in terms of their roles, functions, and capacities. This avoids confusion over which security personnel have the authority to perform inherently governmental tasks and which do not. 
  • Ensuring tasks and responsibilities that are considered inherently governmental, as specified in policy guidance, are not performed by contractors. These activities include: 
    • Making original classification decisions 
    • Approving or issuing security policy 
    • Making decisions related to foreign disclosure, public release, or classification challenges 
    • Conducting security investigations to determine fault involving government or contract personnel (except for preliminary inquiries) 

Security Oversight Coordination

Designating, as applicable, a Top Secret Control Officer (TSCO), Top Secret Control Assistants (TSCAs), and Security Assistants: 

  • Designating a TSCO as required by policy. 
  • Providing guidance, direction, coordination, and oversight to designated ASMs, TSCOs, TSCAs, security assistants, and others in security management. 
  • Assigning security assistants to carry out administrative security functions, as applicable. 
  • Following the requirements of Intelligence Community Directive 703 by designating an SSO for the activity.  
    • Coordinate with SSO to designate alternate SSOs as needed. These designations must be in writing and apply to any activity that is accredited and authorized to receive, use, and store SCI.   

Foreign National Personnel Cognizance

Foreign Nationals: 
Recognizing and enforcing the restrictions that apply to foreign nationals in relation to the ISP. Foreign nationals should not: 

  • Have the authority to approve or issue policy. 
  • Be involved in making original classification or declassification decisions. 
  • Oversee the foreign disclosure process or make decisions in that regard. 
  • Oversee or coordinate decisions related to public release. 
  • Be responsible for overseeing the security incident process or ensuring that security actions and corrective measures are implemented. 

IT Coordination

Preventing the inadvertent disclosure of DOD information to unauthorized individuals, by coordinating with your AO and IT staff to establish proper procedures for the disposal of computer hard drives when remediating a spillage. These procedures should specifically address the removal of U.S. Government data from hard drives prior to disposal.

Stakeholder Coordination 

Working with all stakeholders and officials, both internal and external, to ensure proper security measures for the classification, safeguarding, transmission, declassification, and destruction of all classified information. These include the SSO, the SAP Security Officer, the Information Systems Security Officer (ISSO), Counterintelligence (CI), and OPSEC personnel.

Department of Energy (DOE) Coordination

Ensuring, as applicable, DOE classified information is protected and handled by personnel that have access as required by the Atomic Energy Act (AEA). 

SCG Coordination

Coordinating SCGs by: 

  • Coordinating with originating organizations and OCAs, as necessary, for the distribution of SCGs. 
  • Coordinating the preparation, dissemination, and maintenance of SCGs under your activity's jurisdiction, as required. 

Leadership Coordination

Coordinating with the head of your activity and component on a regular basis to ensure effective communication about all program oversight and implementation practices that they are ultimately responsible for. 

FDO Coordination

Collaborate, as necessary, with the FDO to address all aspects related to the disclosure of classified information and CUI to foreign governments and international organizations as outlined in DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations.
