Classified Information Handling and Security Regulations, Study notes of Construction

Download Classified Information Handling and Security Regulations and more Study notes Construction in PDF only on Docsity! UNCLASSIFIED Army Regulation 380 – 5 Security Army Information Security Program Headquarters Department of the Army Washington, DC 22 October 2019 SUMMARY of CHANGE AR 380 – 5 Army Information Security Program This major revision, dated 22 October 2019— o Changes the title of the publication from “Department of the Army Information Security Program” to “Army Information Security Program” (cover). o Removes marking guidance (formerly chap 4) and requires all Department of the Army personnel to apply marking standards set forth in Department of Defense Manual 5200.01, Volume 2 (para 1–15a). o Updates language that addresses controlled unclassified information to meet the requirements outlined in Department of Defense Manual 5200.01, Volume 4 (chap 1, 4, and 8). o Changes the requirements of self-inspections to be conducted at least annually versus biennially (para 1 – 24). o Adds training requirements for derivative classifiers (para 2 – 6). o Removes appendix G and refers to Department of Defense Manual 5200.45 for guidance on developing security classification guides (paras 2 – 17 and 8–7c). o Updates the distribution list and process for security classification guides (para 2 –18). o Adds figure 3 – 1, Letter of Certification required by the Army Declassification Activity that address automatic and systematic declassification reviews (para 3–2c). o Adds language requiring only equipment listed on an evaluated products list issued by National Security Agency/Central Security Service to be used to destroy classified information and materials (para 3 – 18). o Removes language prohibiting cover sheets from being stored in security containers (formerly chap 4). o Updates the language that addresses the Standard Form 312. Removes outdated mailing addresses for filing the Standard Form 312 and prohibits digital signatures on the Standard Form 312 (paras 5 – 2 and 5 – 3). o Cancels DA Form 2962 and requires the use of the debriefing acknowledgement section of a Standard Form 312 (Classified Information Nondisclosure Agreement) for termination briefings (para 5 – 5). o Changes the mandatory requirement for accountability and control of Top Secret (collateral) information (para 5 – 18). o Adds section detailing guidance on control and safeguarding of Foreign Government information, addressing North Atlantic Treaty Organization unclassified and allowing the processing on the non-classified internet protocol router network (para 5 – 19). o Clarifies language on removal of classified information for work at home (para 6 – 6). o Adds requirement for Part 1 of the Standard Form 700 be sealed in an opaque envelope before storing inside of the locked drawer (or door) of the container for protection of the personally identifiable information (para 6–8d(1)). o Updates instructions on applying the classification authority block of Part 2 of the Standard Form 700 envelope, treating such as a derivative classification (para 6–8d(2)). *This regulation supersedes AR 380-5, dated 29 September 2000, and rescinds DA Form 455, dated 1 July 1962, DA Form 969, dated 1 October 1978, DA Form 1575, dated 1 September 1977, and DA Form 2962, dated 1 September 1977. AR 380–5 • 22 October 2019 UNCLASSIFIED i Headquarters Department of the Army Washington, DC *Army Regulation 380 – 5 22 October 2019 Effective 22 November 2019 Security Army Information Security Program History. This publication is a major revi- sion. Summary. This regulation implements the policy set forth in EO 13526 and DODM 5200.01, Volumes 1 through 4. It establishes the policy for classification, downgrading, declassification, and safe- guarding of information requiring protec- tion in the interest of national security. Applicability. This regulation applies to the Regular Army, the Army National Guard/Army National Guard of the United States, the U.S. Army Reserve, and DA ci- vilian personnel, unless otherwise stated. Proponent and exception authority. The proponent of this regulation is the Dep- uty Chief of Staff, G – 2. The proponent has the authority to approve exceptions to this regulation that are consistent with control- ling law and regulation. The proponent may delegate this approval authority in writing to a division chief within the proponent agency in the grade of Colonel or the civil- ian equivalent. Activities may request a waiver to this regulation by providing justi- fication that includes a full analysis of the expected benefits and must include formal review by the activity’s senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the request- ing activity and forwarded through their higher headquarters to the policy propo- nent. Refer to AR 25 – 30 for specific guid- ance. Army internal control process. This regulation contains internal control provi- sions in accordance with AR 11 – 2 and identifies key internal controls that must be evaluated (see appendix B). Supplementation. Supplementation of this regulation and establishment of com- mand and local forms are prohibited with- out prior approval by the Deputy Chief of Staff, G – 2 (DAMI – CDS), 1000 Army Pen- tagon, Washington, DC 20310 – 1000. Suggested improvements. Users of this regulation are invited to send com- ments and suggestions for improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to the Deputy Chief of Staff, G – 2 (DAMI – CDS), 1000 Army Pentagon, Washington, DC 20310 – 1000. Distribution. This regulation is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve. Contents (Listed by paragraph and page number) Chapter 1 General Provisions and Program Management, page 1 Section I Introduction, page 1 Purpose • 1 – 1, page 1 References and forms • 1 – 2, page 1 Explanation of abbreviations and terms • 1 – 3, page 1 Responsibilities • 1 – 4, page 1 Record management (recordkeeping) requirements • 1 – 5, page 1 Section II Responsibilities, page 1 Administrative Assistant to the Secretary of the Army • 1 – 6, page 1 Deputy Chief of Staff, G – 1 • 1 – 7, page 1 Deputy Chief of Staff, G – 2 • 1 – 8, page 1 Commanders of Army commands, Army service component commands, and direct reporting units • 1 – 9, page 2 Commanders at all levels • 1 – 10, page 2 The security manager • 1 – 11, page 3 Contents—Continued ii AR 380–5 • 22 October 2019 Supervisors • 1 – 12, page 4 All Army personnel • 1 – 13, page 4 Section III Program Management, page 4 Applicability • 1 – 14, page 4 General principles • 1 – 15, page 4 Section IV Special Types of Information, page 5 Restricted data and/ or formerly restricted data • 1 – 16, page 5 Sensitive Compartmented Information, Communications Security information, and Special Access Program infor- mation • 1 – 17, page 5 Section V Exceptional Situations, page 5 Military operations, exercises, and unit deactivations • 1 – 18, page 5 Waivers and exceptions to policy • 1 – 19, page 6 Section VI Corrective Actions and Sanctions, page 6 General • 1 – 20, page 6 Sanctions • 1 – 21, page 6 Reporting of security incidents • 1 – 22, page 7 Section VII Reports, page 7 Reporting requirements • 1 – 23, page 7 Command security inspections • 1 – 24, page 7 Chapter 2 Classification, page 7 Section I Classification Principles, page 7 Original versus Derivative classification • 2 – 1, page 7 Delegation of authority • 2 – 2, page 8 Required training • 2 – 3, page 8 Section II Derivative Classification, page 8 Policy • 2 – 4, page 8 Accuracy responsibilities • 2 – 5, page 8 Required training • 2 – 6, page 9 Section III The Original Classification Process, page 9 General • 2 – 7, page 9 Classification criteria • 2 – 8, page 9 Levels of classification • 2 – 9, page 9 Duration of classification • 2 – 10, page 10 Reclassification of information declassified and released to the public under proper authority • 2 – 11, page 10 Communicating the classification decision • 2 – 12, page 10 Compilation • 2 – 13, page 10 Acquisition process • 2 – 14, page 10 Limitations and prohibitions • 2 – 15, page 10 Contents—Continued AR 380–5 • 22 October 2019 iii Section IV Security Classification Guides, page 10 Policy • 2 – 16, page 11 Content • 2 – 17, page 11 Approval, distribution, and indexing • 2 – 18, page 11 Review, revision, and cancellation • 2 – 19, page 12 Section V Non-Government Research and Development Information, page 12 Policy • 2 – 20, page 12 Nothing • 2 – 21, page Error! Bookmark not defined. Chapter 3 Declassification, Downgrading, Upgrading, and Destruction, page 12 Section I Army Declassification Program, page 12 General • 3 – 1, page 13 Special program manager • 3 – 2, page 13 Declassification of restricted data and formerly restricted data • 3 – 3, page 15 Declassification of other than Army information • 3 – 4, page 15 Section II The Automatic Declassification System, page 15 General • 3 – 5, page 15 Exemption from automatic declassification • 3 – 6, page 15 Marking records exempted from automatic declassification • 3 – 7, page 16 Records review guidelines • 3 – 8, page 17 Army commands, Army service component commands, direct reporting units requirements • 3 – 9, page 17 Section III Mandatory Declassification and Systematic Declassification Reviews, page 18 Mandatory declassification reviews • 3 – 10, page 18 Mandatory declassification review appeals • 3 – 11, page 18 Systematic declassification reviews • 3 – 12, page 18 Section IV Change in the Level of Classification, page 18 General • 3 – 13, page 19 Downgrading • 3 – 14, page 19 Upgrading • 3 – 15, page 19 Section V Classified Material Destruction Standards, page 19 General • 3 – 16, page 19 Approved routine methods of destruction • 3 – 17, page 19 Technical advice on approved destruction devices and methods • 3 – 18, page 20 Chapter 4 Controlled Unclassified Information, page 20 General • 4 – 1, page 20 Chapter 5 Access, Control, Safeguarding, and Visits, page 20 Section I Access, page 20 Contents—Continued vi AR 380–5 • 22 October 2019 Program management • 8 – 13, page 49 Chapter 9 Security Incidents and Reporting Involving Classified Information, page 49 Section I Policy, page 49 Terms and categories of security incidents • 9 – 1, page 49 Reporting and notifications • 9 – 2, page 50 Security inquiries and investigations • 9 – 3, page 51 Classified information appearing in the public media • 9 – 4, page 51 Reporting results of the inquiry • 9 – 5, page 52 Reevaluation and damage assessment • 9 – 6, page 52 Debriefings in cases of unauthorized access • 9 – 7, page 52 Management and oversight • 9 – 8, page 53 Unauthorized absences, suicides, or incapacitation • 9 – 9, page 53 Negligence • 9 – 10, page 53 Appendixes A. References, page 54 B. Internal Control Evaluation, page 60 Figure List Figure 3 – 1: Sample letter of certification, page 14 Glossary AR 380–5 • 22 October 2019 1 Chapter 1 General Provisions and Program Management Section I Introduction 1 – 1. Purpose This regulation establishes Department of the Army (DA) policy for the classification, downgrading, declassification, transmission, transportation, and safeguarding of information requiring protection in the interests of national security. It primarily pertains to classified national security information, or classified information, but also addresses controlled un- classified information (CUI). For purposes of this regulation, classified national security information, or classified infor- mation, is defined as information and/or material that has been determined, pursuant to Executive Order (EO) 13526, or any applicable predecessor order, to require protection against unauthorized disclosure and is marked to indicate its appro- priate classification. This regulation implements Executive Order 13526 and Department of Defense Manual (DODM) 5200.01, Volumes 1 through 4. This regulation also establishes policy on the safeguards of restricted data (RD) and for- merly restricted data (FRD), as specified by the Atomic Energy Act of 1954, as amended. 1 – 2. References and forms See appendix A. 1 – 3. Explanation of abbreviations and terms See glossary. 1 – 4. Responsibilities Responsibilities are listed in section II of this chapter. 1 – 5. Record management (recordkeeping) requirements The records management requirement for all record numbers, associated forms, and reports required by this regulation are addressed in the Records Retention Schedule-Army (RRS – A). Detailed information for all related record numbers, forms, and reports are located in Army Records Information Management System (ARIMS)/RRS – A at https://www.arims.army.mil. If any record numbers, forms, and reports are not current, addressed, and/or published cor- rectly in ARIMS/RRS - A, see DA Pam 25 – 403 for guidance. Section II Responsibilities 1 – 6. Administrative Assistant to the Secretary of the Army The AASA is designated the Army program management official responsible for ensuring implementation of the infor- mation security program for Headquarters, Department of the Army (HQDA). 1 – 7. Deputy Chief of Staff, G – 1 The DCS, G – 1 is responsible for executing the provisions of Executive Order (EO) 13526, Section 5.4(d)(7), establishing policy to ensure that the systems used to evaluate or rate civilian and military personnel performance include management of classified information as a critical element or item to be evaluated in the rating of: a. Original classification authorities. b. Security managers and security specialists. c. All other personnel whose duties significantly involve the creation or handling of classified information. 1 – 8. Deputy Chief of Staff, G – 2 The DCS, G – 2 will act as the designated DA senior agency official by the Secretary of the Army (SECARMY), to direct, administer, and oversee the Army’s information security program. The DCS, G – 2 will— a. Develop, coordinate, and oversee the Army Information Security Program. b. Provide program management through issuance of policy and operating guidance. 2 AR 380–5 • 22 October 2019 c. Ensure DA commands adequately resource the program and meet established policies and procedures. d. Ensure all DA commands integrate security education, training, and awareness into their information security pro- grams pursuant to EO 13526 and DODM 5200.01, Volume 3. e. Provide staff assistance to DA commands in resolving day-to-day security policy and operating problems. f. Formulate policy governing the submission of security incident reports. g. As a Top Secret original classification authority (OCA), delegate Secret and Confidential original classification au- thority to other Army officials where appropriate. h. The Director, Counterintelligence, Human Intelligence, Disclosure and Security (DAMI – CD) on behalf of the DCS, G – 2, manages and provides oversight of all aspects of the Army Information Security Program. The Director, (DAMI – CD) will— (1) Maintain a centralized system of control and coordination of security incident reporting and any resulting infor- mation security investigations worldwide. (2) Ensure that policy, procedures, and programs are developed for the implementation of EO 13526, DODM 5200.01, Volumes 1 through 4, and other DOD issuances that implement EO 13526. (3) Monitor, evaluate, and report on the administration of the Army's information security program. Ensure that Army commands (ACOMs), Army service component commands (ASCCs), and direct reporting units (DRUs) establish and maintain an ongoing self-inspection program, which includes periodic reviews and assessments of their classified and CUI. (4) Respond to information security matters pertaining to classified information that originated in an Army command that no longer exists and for which there is no successor in function. (5) Commit the resources required for the effective development of policy and oversight of the programs established by this regulation. (6) Serve as the approving authority of an information security curriculum for an Army Security Education, Training, and Awareness Program. 1 – 9. Commanders of Army commands, Army service component commands, and direct reporting units Commanders of ACOMS, ASCCs, and DRUs will— a. Establish an information security program and ensure that all DA personnel execute procedures and processes in accordance with this regulation and related DOD issuances. b. Ensure a security manager (SM) is appointed in writing for the command and subordinate commands, activities and agencies that create, handle, or store classified information and CUI to oversee the command’s information security pro- gram. The SM should be of sufficient rank or grade to effectively discharge assigned duties and responsibilities. As a general requirement, the SM will be a commissioned officer (O – 3 or above), warrant officer, or civilian in the grade of GS – 11/12 or above (or pay band equivalent). c. Ensure all SMs are afforded security training consistent with assigned duties and this regulation. d. Review and inspect the effectiveness of the information security program within the command annually or more frequently based on program needs and the degree of involvement with managing classified information. e. Provide oversight of the responsibilities listed in paragraph 1 – 8 for subordinate commands. f. Ensure that all incidents specified in this regulation are reported accordingly. g. Include the management of classified information as a critical element or item in personnel performance evaluations, where appropriate as directed in the provisions of EO 13526. 1 – 10. Commanders at all levels Commanders at all levels and heads of agencies and activities are responsible for effective management of the information security program within commands, agencies, activities, or areas of responsibility (referred to within this regulation as commands). Commanders may delegate certain authorities to execute the requirements of this regulation, where applicable, but not their program management responsibilities. Security, including the safeguarding of classified and CUI and the appropriate classification and declassification of information created by DA personnel, is the responsibility of the com- mander. The commander will— a. Establish written local information security policies and procedures and an effective information security education program, consistent with this regulation. b. Formulate and supervise measures or instructions necessary to ensure continuous protection of classified information, CUI, and related materials. c. Ensure that persons requiring access to classified information have met the appropriate security clearance eligibility, access standards, and have a need-to-know. AR 380–5 • 22 October 2019 5 d. If there is significant doubt about the need to classify information, it will not be classified. This provision does not: (1) Amplify or modify the substantive criteria or procedures for classification; or (2) Create any substantive or procedural rights subject to judicial review. e. Classified information will not be declassified automatically as a result of any unauthorized disclosure of identical or similar information. f. The unauthorized disclosure of foreign government information (FGI) is presumed to cause damage to the national security. g. Information or material that requires protection against unauthorized disclosure in the interest of national security, will be classified as one of the three following categories or levels, as defined in EO 13526: (1) Top Secret. (2) Secret. (3) Confidential. h. Except as otherwise provided by statute, no other terms will be used to identify U.S. classified information. If there is significant doubt about the appropriate level of classification, it will be classified at the lower level. i. Information and material will be afforded the level of protection against unauthorized disclosure commensurate with the level of classification or sensitivity assigned, under the varying conditions that may arise in connection with its use, dissemination, storage, movement, transmission, or destruction. All DA personnel will ensure classified and CUI infor- mation and materials are adequately protected from compromise and must be continually aware of possible threats from all-source intelligence efforts of potential adversaries. j. Access to classified information is authorized only to personnel: (1) With the appropriate need to know the information in order to perform a lawful and authorized governmental func- tion; (2) Who have been granted security clearance eligibility and access at the appropriate level (see AR 380 – 67); and (3) Who have executed an appropriate nondisclosure agreement (NDA). k. The holder of the information, not the potential recipient, determines the need-to-know and is responsible for verify- ing the clearance and access of the potential recipient. No person will be granted access to classified information solely by virtue of grade, rank, title, or position. l. Classified and CUI information will be maintained in the organization only when necessary for the operation of the organization or when its retention is required by law, regulation, or records management policy. Section IV Special Types of Information 1 – 16. Restricted data and/ or formerly restricted data EO 13526 does not apply to information classified as “restricted data (RD)” or “formerly restricted data (FRD).” RD and FRD will not be declassified without the specific permission of the Department of Energy (DOE). Policy on the marking of RD or FRD is contained in DODM 5200.01, Volume 2. RD and FRD will be safeguarded as required by this regulation and DOD directives referenced herein. The policy on the classification, downgrading, and declassification of RD and FRD is stated in classification and declassification guidance promulgated by the DOE, or in guidance issued jointly by the DOD and DOE. 1 – 17. Sensitive Compartmented Information, Communications Security information, and Special Access Program information Security classification and declassification policies apply to SCI, COMSEC, and SAP information in the same manner as other classified information (See DODM 5200.01 Volume 1 for declassification of cryptologic information). SCI, COMSEC, and SAP information will be controlled and safeguarded in accordance with AR 380 – 28, AR 380 – 40, and AR 380 – 381, respectively. Section V Exceptional Situations 1 – 18. Military operations, exercises, and unit deactivations a. Military operations. Commanders may modify, but not lessen, standards pertaining to accountability, dissemination, transmission, and storage of classified information, as necessary, to meet local conditions encountered during military 6 AR 380–5 • 22 October 2019 operations. Military operations include combat operations, emergency conditions under operations other than war (to in- clude peacekeeping operations), and any other emergency situation where that operation or situation requires exceptional measures to protect life or DA assets. Classified information will be introduced into combat areas or zones, or areas of potential hostile activity, only as necessary to accomplish the military mission. b. Military exercises. Military exercises pose a unique situation where the handling and protection of classified infor- mation or material are concerned. Documents and material that contain no classified information, but which carry classi- fication markings for training purposes or to provide an example, will also have a marking that clearly shows the actual classification (or dissemination control marking) of the documents. (See DODM 5200.01, Volume 2 for marking of this type). When real-world classified and/or CUI is introduced or used in military exercises, every effort will be taken to prevent compromise and/or loss. c. Unit deactivation. Original classification authority is assigned to a duty position, not to an individual person. When an organization has been deactivated, the OCA's responsibilities will revert to the higher headquarters or to the organization assuming responsibility for the deactivated organization’s security decisions. Challenges to classification decisions of the deactivated organization will be directed to the headquarters element that assumes the security responsibilities of the de- activated unit. 1 – 19. Waivers and exceptions to policy a. Unless otherwise specified herein, requests for waivers or exceptions to the provisions in this regulation will be submitted, through command channels, to DCS, G – 2 (DAMI – CD). Waivers and exceptions to DOD requirements will be forwarded by DCS, G – 2 (DAMI – CD) for decision to the appropriate DOD agency in accordance with DODM 5200.01, Volumes 1 through 4. b. Requests for waivers will contain sufficient information to permit a complete and thorough analysis to be made of the impact of approval on national security. At a minimum, requests must identify the specific provision(s) of this regula- tion or other authority for which the waiver or exception is sought, and provide rationale and justification for the request. c. The request must describe the mission need and any associated risk management considerations (for example, nega- tive impact to cost, schedule, mission or operations) or provisions, including a summary of proposed mitigation measures to reduce risk, and the timeframe (the proposed duration if requesting a waiver, and permanent if requesting an exception). (See glossary for definitions of waiver and exception.) d. The requestor will maintain documentation regarding all approved waivers and exceptions, and furnish this docu- mentation, upon request, to other agencies and to other DA commands with which classified information or secure facilities are shared. e. Waivers or exceptions granted before the effective date of this regulation are canceled no later than one year after the effective date of this regulation. New and updated requests may be submitted prior to the cancellation date. f. Throughout this regulation, there are references to policy subject to ACOM, ASCC, and DRU approval or subject to policy as the ACOM, ASCC, and DRU may direct. Where that language, in substance, is used, the commanders of ACOMs, ASCCs, DRUs, and the AASA, may delegate approval authority to a subordinate element within the command. The com- mander or the AASA will maintain a written copy of the delegation and review it periodically. Where this regulation specifically grants waiver or exception authority to an ACOM, ASCC, or DRU level commander or the AASA, that au- thority resides solely with the ACOM, ASCC, or DRU commander or AASA and will not be further delegated. Section VI Corrective Actions and Sanctions 1 – 20. General Commanders will establish procedures to ensure that prompt and appropriate action is taken in cases of compromise of classified information or unauthorized disclosure of CUI; improper classification or designation of information; violations of the provisions of this regulation; and incidents that may put classified information and CUI at risk of unauthorized disclosure. Such actions will focus on correction or elimination of the conditions that caused or contributed to the incident. 1 – 21. Sanctions a. DA personnel will be subject to sanctions if they knowingly, willfully, or negligently— (1) Disclose classified information or CUI to persons not authorized to receive it; (2) Classify or continue the classification of information in violation of this regulation; or (3) Violate any other provision of this regulation. AR 380–5 • 22 October 2019 7 b. Sanctions can include, but are not limited to warning, reprimand, suspension without pay, forfeiture of pay, removal, discharge, loss or denial of access to classified information and/or CUI, and removal of classification authority. Action can also be taken under the Uniform Code of Military Justice for military personnel, if warranted. c. Original classification authority will be withdrawn from individuals who demonstrate a disregard or pattern of error in applying the classification standards of this regulation. d. DODM 5200.01, Volume 3, Enclosure 6 addresses sanctions against contractor personnel. Disciplinary action and sanctions are the responsibility of the contractor’s company unless specific contract provisions address such actions. 1 – 22. Reporting of security incidents EO 13526, Section 5.5, requires that the Information Security Oversight Office (ISOO) be advised of instances in which properly classified information is knowingly, willfully, or negligently disclosed to unauthorized persons; instances of clas- sifying, or continuing the classification of, information in violation of this regulation; Creating or continuing a special access program contrary to EO 13526; or contravening any other provision of EO 13526, this regulation, or other applicable implementing directive. Reports of security incidents will be submitted through command channels to the DCS, G – 2 (DAMI – CD), for forwarding to the Director of ISOO. See chapter 9 for reporting of security incidents. Section VII Reports 1 – 23. Reporting requirements HQDA is required to report data necessary to support various requirements of EO 13526. ACOMs, ASCCs, DRUs, and the AASA will also submit a consolidated annual report for all units under their security responsibility, on the SF 311 (Agency Security Classification Management Program Data) to reach DCS, G – 2 (DAMI – CD) no later than 1 October, or other date specified by DCS G – 2 (DAMI – CD), each year. The report will cover the preceding fiscal year. DCS, G – 2 (DAMI – CD) will consolidate and submit the annual SF 311 report for the DA. 1 – 24. Command security inspections ACOMs, ASCCs, DRUs, and the AASA will establish and maintain a self-inspection program for their command, and a program to inspect their subordinate units. Self-inspections will be conducted annually or more frequently based on pro- gram needs and the degree of involvement with managing classified information. The purpose of the program will be to evaluate the effectiveness of the command's protection of classified and CUI, and adherence to policy contained in this regulation and DOD directives. The test questions located in appendix B may serve as the basis for the annual inspection and can incorporate additional questions as determined by the agency or command performing the inspection. Chapter 2 Classification Section I Classification Principles 2 – 1. Original versus Derivative classification a. Original classification decisions can only be made by persons designated in writing by the SECARMY or the DCS, G – 2. There are a limited number of officials in the Army that have the authority to apply original classification, and very limited instances of original classification. b. Original classification is the initial determination that information requires, in the interests of national security, pro- tection against unauthorized disclosure. This decision will be made only by persons specifically authorized in writing to do so and who have received training. The decision to originally classify must be made based on the requirements of this regulation. Delegations of original classification authority will be limited to the minimum required and only to officials who have a demonstrable and continuing need to exercise it. c. Derivative classification is incorporating, restating, paraphrasing, or generating in new form, information that has already been determined to be classified and ensuring it is classified and handled at the level the OCA has already deter- mined. Derivative classification is most commonly accomplished by marking classified material based on the guidance from a security classification guide (SCG) or from the source document. The derivative classifier must have enough subject matter knowledge to properly interpret and apply the instruction of the classification guidance. The OCA decides what 10 AR 380–5 • 22 October 2019 2 – 10. Duration of classification Information will be declassified as soon as it no longer meets the standards for classification. Information will remain classified if it is in the interest of national security and meets the criteria of EO 13526. At the time an item of information is originally classified, the original classifier must decide the length of time the information will require classification and select an appropriate declassification date or event for declassification based on the duration of the national security sen- sitivity of the information. Additional policies and procedures regarding the duration of classification are found in DODM 5200.01, Volume 1. 2 – 11. Reclassification of information declassified and released to the public under proper authority a. The OCA must determine that, if classification is applied or reapplied, there is a reasonable possibility the infor- mation will be provided protection from unauthorized disclosure. b. Reclassification is accomplished on a document-by-document basis, with the participation, or under the direction of, the SECARMY, the Under Secretary of the Army, or the DCS G – 2. Guidance from DCS, G – 2 (DAMI – CD) will be requested in these instances. The information that is reclassified must meet the criteria for classified information estab- lished in EO 13526 or successor orders and directives. Additional policies and procedures regarding reclassification are found in DODM 5200.01, Volume 1. 2 – 12. Communicating the classification decision An OCA who has decided to originally classify information is responsible for communicating that decision to persons who will likely be in possession of that information. This will be accomplished by issuing classification guidance, discussed in section V of this chapter, or by ensuring that documents containing the information are properly marked to reflect the decision. a. In rare situations where the OCA’s decision must be rendered verbally due to priorities of an on-going operation, written confirmation will be issued within seven calendar days of the decision and provide the required declassification and marking instructions. b. Decisions made and issued by other than a classification or declassification guide (for example, in the form of a memorandum, plan or order) should be incorporated in an SCG as soon as possible. 2 – 13. Compilation In unusual circumstances, compilation of items of information that are individually unclassified can be classified if the compiled information reveals an additional association or relationship that matches criteria for classification as described in paragraph 2 – 8 of this regulation. Classification by compilation will be fully supported by a written explanation that will be provided on, in, or with, the material containing the information. Any classification as a result of compilation requires an original classification decision by an OCA. Additional policies and procedures regarding classification by compilation are found in DODM 5200.01, Volume 1. 2 – 14. Acquisition process Classification and safeguarding of information involved in the DOD acquisition process will conform to the standards of this regulation, as well as the requirements of Department of Defense Directive (DODD) 5000.01 and Department of Defense Instruction (DODI) 5000.02 (or successor directives and instructions). SCGs should be updated to include classi- fied critical program information identified as part of the program protection planning process required by DODI 5200.39. 2 – 15. Limitations and prohibitions EO 13526 and the Atomic Energy Act of 1954, as amended (42 USC 2011 et seq.), provide the only basis to classify information. Classification cannot be used to conceal violations of law, inefficiency, or administrative error, or to prevent embarrassment to a person, organization, agency, or to restrain competition. Basic scientific research and its results can be classified only if it clearly relates to the national security. Section V of this chapter covers information that is a product of non-government research and development that does not incorporate or reveal classified information to which the producer or developer was given prior access. Section IV Security Classification Guides AR 380–5 • 22 October 2019 11 2 – 16. Policy An SCG will be issued for each system, plan, program, project, or mission which involves classified information. Agencies with original classification authority will prepare classification guides to facilitate the proper and uniform derivative clas- sification of information. These guides will conform to standards contained in this regulation and DOD regulations issued under DODM 5200.01, Volume 1. DODM 5200.45 provides detailed instructions on developing SCGs. 2 – 17. Content SCGs will identify specific items or elements of information to be protected and the classification level to be assigned each item or element. When deemed useful, specify the items or elements of information which are unclassified, or which were previously classified and now are declassified. Additional policies and procedures regarding the content of security clas- sification guides are found in DODM 5200.01 and DODM 5200.45. 2 – 18. Approval, distribution, and indexing a. SCGs will be personally approved in writing by an OCA who is authorized to classify information at the highest level designated by the guide, and who has program support or supervisory responsibility for the information or for the command's information security program. b. SCGs will be distributed to those commands, contractors, or other activities expected to be derivatively classifying information covered by the guide. c. Each approved SCG and its changes will be sent to the following agencies along with the DD Form 2024 (DOD Security Classification Guide Data Elements): (1) Defense Office of Prepublication and Security Review, Washington Headquarters Service. Guides that cover SCI or SAP information and that contain information that requires special access controls are exempt from this requirement. See AR 380 – 381 for guidance on distribution of classification guides for SAPs, and AR 380 – 28 for guidance on SCI programs. The mailing address is: Department of Defense Office of Prepublication and Security Review 1155 Defense Pentagon Washington, DC 20301 – 1155 (2) Army Declassification Special Program Office. One copy, in paper document (hard copy) and/or automated format (soft copy) will be sent. The mailing address is: Army Declassification Activity 9301 Chapek Road, Building 1458 Fort Belvoir, Virginia 22060 – 5605 Email questions on how to send guides electronically to: usarmy.belvoir.hqda-oaa-ahs.mbx.rmda-records-declassifica- tion@mail.mil. (3) Defense Technical Information Center. Provide one copy of each approved guide (including those issued as regu- lations, manuals, or other issuances, but not those covering Top Secret, SCI or SAP information, or guides deemed by the guide’s approval authority to be too sensitive for automatic secondary distribution) to the Administrator, DTIC, along with DD Form 2024. Each guide furnished to DTIC will bear the appropriate distribution statement required by DODI 5230.24. DTIC’s mailing address is: Defense Technical Information Center (DTIC – OA) (Security Classification Guides) 8725 John J. Kingman Road Fort Belvoir, VA 22060 – 6218 For information on e-mail or electronic submission and preparation of the DD Form 2024, contact tr@dtic.mil. 12 AR 380–5 • 22 October 2019 (4) Information Security Policy Team. Provide one copy of the approved guide along with the DD Form 2024 to DCS, G – 2 (DAMI – CDS) by automated copy (soft copy) by contacting the Information Security Policy team via email. Refer to http://g2-public-website.azurewebsites.us/site/infosec/ for up to date contact information. d. SCGs will be indexed in an on-line accessible index maintained by DTIC. The originator of the guide will submit DD Form 2024 to the Administrator, DTIC, upon approval of the guide. If the originator determines listing the guide in DTIC’s on-line database would be inadvisable for security reasons, issuance of the guide will be separately reported, with an explanation of why the guide cannot be listed, to the Director of Security, OUSD(I), along with a separate memorandum to DCS, G – 2 (DAMI – CD). e. Commands may access DTIC’s on-line SCG index by registering at https://www.dtic.mil. 2 – 19. Review, revision, and cancellation a. SCGs will be reviewed by the originator for currency and accuracy at least once every 5 years, or if concerning a defense acquisition program, prior to each acquisition program milestone, whichever occurs first. Changes identified in the review process will be promptly made. When a guide is revised, and a specific date was selected for declassification instruction, computation of declassification instructions will continue to be based on the date of the original classification of the information, and not on the date of the revision or reissuance. If no changes are required, the originator will advise the Administrator, DTIC, and DCS, G – 2 (DAMI – CD) in writing, and the record copy of the guide will be so annotated with the date of review recorded on the new DD Form 2024. b. Guides will be cancelled only when: (1) All information specified as classified by the guide has been declassified; (2) When the system, plan, program, or project classified by the guide has been cancelled, discontinued, or removed from the inventory and there is no reasonable likelihood that information covered by the guide will be involved in other classified programs or will be the subject of derivative classification; or (3) When a major restructuring has occurred as the information is incorporated into a new classification guide and there is no reasonable likelihood that information covered by the guide will be the subject of derivative classification. c. Impact of the cancellation on systems, plans, programs, and projects provided to other nations under approved foreign disclosure decisions, and impact of such decisions on existing U.S. SCGs of similar systems, plans, programs, or projects, will be considered in the decision. When a SCG is cancelled because the system, plan, program, or project has been can- celled, discontinued, executed, or removed from the inventory, the information covered by the guide is not automatically declassified. That decision rests with the OCA and authorized declassification authorities within the Army. Upon cancel- lation of a guide, the OCA, or other designated declassification official, with the concurrence of the OCA, will consider the need for publication of a declassification guide. In place of a separate declassification guide, declassification guidance can be included in a SCG for a similar, current system, plan, program, project, or mission. d. Revision, reissuance, review, and cancellation of a guide will be reported to DTIC on DD Form 2024 as required for new guides. Copies of changes, reissued guides, and cancellation notices will be distributed as required for new guides as stated in paragraph 2 – 18. Section V Non-Government Research and Development Information 2 – 20. Policy Information that is a product of contractor or individual independent research and development (IR&D) or bid and proposal (B&P) efforts, as defined by DODI 3204.01, conducted without prior or current access to classified information associated with the specific information in question may not be classified unless it meets all the requirements of EO 13526 and implementing directives, including this regulation. Additional policies and procedures regarding classification of this type of information are found in DODM 5200.01, Volume 1. Chapter 3 Declassification, Downgrading, Upgrading, and Destruction Section I Army Declassification Program AR 380–5 • 22 October 2019 15 3 – 3. Declassification of restricted data and formerly restricted data RD and FRD are not subject to EO 13526. This information is classified under the Atomic Energy Act of 1954, as amended. Declassification of RD and FRD information can only be accomplished with the express specific approval of the classifi- cation authority for the information. RD information can only be declassified by the DOE and FRD information can only be declassified jointly by DOE and DOD. 3 – 4. Declassification of other than Army information a. Records containing classified information that another government department or agency originated, other than rec- ords that are properly excluded or exempted from automatic declassification, will be referred to that agency prior to auto- matic declassification. ACOMs, ASCCs, and DRUs will identify other government department or agency information for referral during the initial review of records. The records will be referred using SF 715 (U.S. Government Declassification Review Tab) (Refer to https://www.archives.gov/isoo/security-forms for instructions on completing the SF 715.) b. The ADA can provide additional information regarding recognizing the large number of equity holders. Section II The Automatic Declassification System 3 – 5. General a. EO 13526, Section 3.3 sets forth policy on the automatic declassification of information. Specifically, all classified records that are 25 years old or older determined to have permanent, historical value under 44 USC, will be automatically declassified whether or not the records have been reviewed. However, no DA records will be automatically declassified without review. DA records will be reviewed by an authorized declassification authority prior to 31 December of the year the records become 25 years old. As a result of the review, each record will be exempted, excluded, referred to another government department or agency or declassified, as appropriate. AR 25 – 400 – 2 identifies Army files determined to be of permanent, historical value under 44 USC. Agency records managers should be consulted in determining classified and permanent historical records holdings. b. Permanent historical records may be reviewed when they reach 20 years of age. c. The following provisions apply to the onset of automatic declassification: (1) Classified records within an integral file block, as defined in EO 13526, that are otherwise subject to automatic declassification will not be automatically declassified until 31 December of the year that is 25 years from the date of the most recent record within the file block. (2) Prior to automatic declassification, the command’s declassification official may, in coordination with the Chief, ADA and Director, National Declassification Center (NDC), delay automatic declassification for up to five additional years for classified information contained in microforms, motion pictures, audiotapes, videotapes, or comparable media that make a review for possible declassification exemptions more difficult or costly. (3) Prior to automatic declassification, the command’s declassification official may, in coordination with the Chief, ADA and Director, Information Security Oversight Office (ISOO), delay automatic declassification for up to 3 years for classified records that have been referred or transferred to that agency by another agency less than 3 years before automatic declassification would otherwise be required. (4) The command’s or organization’s declassification official may, by coordination with the Chief, ADA and Director, ISOO, delay automatic declassification for up to 3 years from the date of discovery of classified records that were inad- vertently not reviewed prior to the effective date of automatic declassification. d. Only records that have permanent, historical value under 44 USC are subject to automatic declassification. DA re- tention and destruction requirements apply to temporary records. e. Automatic declassification does not constitute approval for public release of the information. Automatically declas- sified records will not be released to the public until a public disclosure review has been conducted. 3 – 6. Exemption from automatic declassification a. It is vital that sensitive DA information be protected from automatic declassification to ensure that current operations, systems, plans and other information are not adversely affected. There are nine exemption categories specifically desig- nated in EO 13526: (1) Reveal the identity of a confidential human source, or a human intelligence source, a relationship with an intelli- gence or security service of a foreign government or international organization, or nonhuman intelligence source; or impair the effectiveness of an intelligence method currently in use, available for use, or under development. (2) Reveal information that would assist in the development, production, or use of weapons of mass destruction. 16 AR 380–5 • 22 October 2019 (3) Reveal information that would impair U.S. cryptologic systems or activities. (4) Reveal information that would impair the application of state-of-the-art technology within a U.S. weapon system. (5) Reveal formally named or numbered U.S. military war plans that remain in effect, or reveal operational or tactical elements of prior plans that are contained in such active plans. (6) Reveal information, including foreign government information that would cause serious harm to relations between the United States and a foreign government, or to ongoing diplomatic activities of the United States. (7) Reveal information that would impair the current ability of Government officials to protect the President, Vice President, and other protectees for whom protection services, in the interest of the national security, are authorized. (8) Reveal information that would seriously impair current national security emergency preparedness plans or reveal current vulnerabilities of systems, installations, or infrastructures relating to the national security. (9) Violate a statute, treaty, or international agreement that does not permit the automatic or unilateral declassification of information at 25 years. b. For detailed exemptible Army information descriptions see the Army Declassification Guide (ADG) (25X/50X). The ADG is available to authorized automatic declassification reviewers. For questions concerning the ADG contact the ADA at usarmy.belvoir.hqda-oaa-ahs.mbx.rmda-records-declassification@mail.mil. c. Classified information that is determined to be sensitive may be exempted from automatic declassification for an additional 25 (25X), 50 (50X) or 75 (75X) years beyond the date of its origination if it falls within one of the exemption categories listed in this paragraph. d. When 25-year-old information is determined to be exempt from automatic declassification, the information will re- main classified until 31 December of the year that is 50 years from the date of origin. Prior to the date of automatic declassification, exempted records may be re-reviewed and exempted again for another 25 years, as appropriate. Currently, no further extension of classification past 75 years is authorized. If a record is re-reviewed and the DA information is determined to be declassified and it contains classified information that another government department or agency can exempt, it will be referred to those agencies. If the record is no longer exempt and does not contain classified information that another government department or agency can exempt, it will be declassified. e. Exempting 25-year-old information (25X). An authorized declassification review official may exempt from auto- matic declassification specific 25-year-old information, the release of which should clearly and demonstrably be expected to reveal information described in one of the nine exemptions indicated above. f. Exempting 50-year-old information (50X). (1) Information that is 50 years old may continue to be exempted from automatic declassification for an additional 25 years for a period not to exceed 75 years from the date of origin. The exemption category numbers are the same as for 25- year exemptions, except the number “50” will be used in place of “25.” (2) The ADG (25X/50X) authorizes exemption of specific information in the 50X1, 50X2, 50X4, 50X5, 50X6 and 50X8 exemption categories. (See the ADG (25X/50X) for details on these exemptions.) (3) Additionally, any information the release of which should clearly and demonstrably be expected to reveal the iden- tity of a confidential human source or a human intelligence source (50X1 – HUM), or key design concepts of a weapon of mass destruction (50X2 – WMD) may be exempted from automatic declassification at 50 years. For definitions of a confi- dential human source or human intelligence source and key design concepts of weapons of mass destruction, consult the ADG (25X/50X). g. Currently, the Army is not authorized to exempt 75-year-old information (75X). h. The Army is not currently authorized to apply a file series exemption (FSE). However, ACOMs, ASCCs or DRUs may request authorization of an FSE, as appropriate. All such requests for FSE authorization will be coordinated with the Chief, ADA. i. As new information that qualifies for exemption from automatic declassification is identified, it must be reported to the ADA for inclusion in the ADG. An unclassified description of the information proposed for exemption and the reason the information must remain classified beyond 25 years must be included in the proposed exemption memorandum to ADA. The ADG will be updated at least every five years but may be updated more frequently, as necessary. j. Information exempted from automatic declassification remains subject to the mandatory and systematic declassifica- tion review provisions of this regulation. 3 – 7. Marking records exempted from automatic declassification a. Records that contain information exempted from automatic declassification at 25 years will be marked with the designation "25X,” followed by the number of the exemption category and a declassification date or event. For example, a record originated in 1988 is reviewed at 25 years (2013). If it contains information that requires continued classification because of exemption category 4, “Reveal information that would impair the application of state of the art technology AR 380–5 • 22 October 2019 17 within a U.S. weapon system,” the new automatic declassification date will be 31 December 2038 (1988 + 50 = 2038). The declassification marking would be written as “Declassify On: 25X4, 20381231.” b. Records that contain information previously exempted from automatic declassification at 50 years will be marked with the designation “50X,” followed by the number of the exemption category and a declassification date or event. For example, assume the record cited above, which was originated in 1988, is re-reviewed in 2038 and the information requires continued classification per the ADG (25X/50X). In this case, the new automatic declassification date will be 31 December 2063 (1988 + 75 = 2063). The new automatic declassification marking would be written “Declassify On: 50X4, 20631231.” 3 – 8. Records review guidelines a. Each record subject to automatic declassification will be thoroughly reviewed on a page-by-page basis and one of four possible disposition decisions will be applied. The four automatic declassification disposition decisions are: exempt, exclude, refer, or declassify. A concurrent release review is not required for records subject to automatic declassification, but must be performed before public release. (1) Exempt. Records are exempted at 25 or 50 years when they clearly contain information that fall under one or more of the exemption categories in paragraph 3 – 6. Specific application of these exemptions is provided in the ADG (25X/50X). (2) Exclude. Records containing RD and/or FRD markings are excluded from automatic declassification in accordance with EO 13526. However, when unmarked RD information is identified in a record, it is referred to DOE. Unmarked FRD is referred to DOE and the Deputy Assistant Secretary of Defense for Nuclear Matters (DASD (NM)). In accordance with Public Law 105 – 261, Section 3161 and Public Law 106 – 065, Section 3149 (Kyl-Lott Amendment), in order to prevent the inadvertent release of records containing RD/FRD, such records must be reviewed by a DOE-trained and certified reviewer who has attended and successfully completed the Historical Records Restricted Data Reviewers Course. (3) Refer. Referrals to other government departments or agencies are made only after reviewing for exclusions or Army exemptions. Records for which there is no DA objection to declassification but which contain classified information that another government department or agency can exempt, shall not be declassified by the DA. These records are referred to the appropriate government department(s) or agency(s). Commands are not authorized to declassify information from other government departments or agencies or from other commands. Records that contain information another government de- partment or agency or command can exempt will be referred to the identified government departments or agencies and reported to the ADA. Information from other commands can either be referred to the identified agency or sent to ADA for review, as appropriate. (4) Declassify. DA-originated records are declassified when they do not contain information falling under the exemp- tion categories specified in paragraph 3 – 6, do not contain classified information that another government department or agency can exempt, and do not contain RD or FRD. b. Tabbing records. When stamping records is not possible, agencies will use the SF 715 to tab all exempt, excluded and referred records. DA records that are declassified do not need to be tabbed. Reviewers that fail to complete the SF 715 in a legible and clear manner place their content at risk. The SF 715 may be ordered through the Government Printing Office (GPO) (see prescribed forms section for URL for ordering this form). c. Stamping records. Commands that conduct automatic declassification reviews of records in their custody/logistical control should stamp records or use SF 715s prior to accessioning. See 32 Code of Federal Regulations (CFR) Section 2001.25 for instructions for marking a declassified record. For excluded, exempted, or referred records, use the information fields from the SF 715, as applicable. d. Pre-1946 records. Most DOD classified information that originated prior to 1 January 1946 was declassified with the exception of information in specific categories. Agencies shall contact the ADA for further guidance in review and declassification of information of this type. 3 – 9. Army commands, Army service component commands, direct reporting units requirements ACOMs, ASCCs and DRUs that maintain physical custody/logistical control of federal records subject to the automatic declassification requirements of the EO will: a. Identify 25-year-old and older permanent, historical records subject to automatic declassification. b. Ensure personnel who review records for automatic declassification have completed the ADA’s Automatic Declas- sification Reviewers training course and Department of Energy’s Historical Records Restricted Data Reviewers Course if records are likely to contain RD/FRD. c. Review records subject to EO 13526 or coordinate the review with the ADA. d. Report the status of their reviews to the ADA by completing the annual ADA LOC by 31 December of each year (see fig 3 – 1). The LOC will be signed by the command’s declassification official, or their designee. Negative responses are required. 20 AR 380–5 • 22 October 2019 e. Storage media containing SCI will be handled as stated in AR 380 – 28 and SAPs handled in accordance with AR 380 – 381. 3 – 18. Technical advice on approved destruction devices and methods Contact the NSA/CSS System and Network Analysis Center via e-mail at snac@radium.ncsc.mil, to obtain technical guid- ance concerning appropriate methods, equipment, and standards for destroying classified electronic media, IS equipment, electronic components, and other similar or associated materials. a. Crosscut shredders. Only crosscut shredders listed on the NSA/CSS EPL for High Security Crosscut Paper Shred- ders may be used to destroy classified material by shredding. When COMSEC material is destroyed by shredding, only crosscut shredders listed in NSA/CSS Specification 02 – 01 at the time of acquisition will be used. Refer to AR 380 – 40 for destruction requirements for COMSEC material. (1) Pending replacement, ACOMs, ASCCs, and DRUs will ensure that procedures are in place to manage the risk posed by crosscut shredders not on the approved NSA/CSS list. At a minimum, the volume and content of each activity’s classi- fied material destruction flow will be assessed and a process established to optimize the use of high security crosscut paper shredders (for example, with Top Secret collateral material being the highest collateral priority) to take full advantage of the added security value of those shredders. (2) The bag of shredded material will be “stirred” before discarding to ensure that the content is mixed up. (3) Shredding of unclassified material along with the classified material is encouraged. b. Pulverizers and disintegrators. Pulverizers and disintegrators must have a 3/32 inch or smaller security screen. Con- sult the “NSA/CSS EPL 02 – 02” for High Security Disintegrators for additional details and guidance. c. Pulping. Pulping (wet process) devices with a 1/4 inch or smaller security screen may be used to destroy classified water-soluble material. Chapter 4 Controlled Unclassified Information 4 – 1. General a. Controlled unclassified information, though not considered classified under EO 13526, requires the application of controls and protective measures in accordance with DODM 5200.01, Volume 4. The information referred to collectively as CUI includes “For Official Use Only” information, “Law Enforcement Sensitive,” “Sensitive But Unclassified” (for- merly “Limited Official Use”) information, “DEA Sensitive Information,” “DOD Controlled Unclassified Nuclear Infor- mation,” “Sensitive Information” as defined in the Computer Security Act of 1987, and information contained in technical documents. b. DA personnel will follow the instructions outlined in DODM 5200.01, Volume 4 as it relates to policy and the protection of CUI. c. Unclassified documents and material containing CUI will be marked in accordance with DODM 5200.01, Volume 4. Refer to DODM 5200.01, Volume 2, for guidance on marking classified documents containing CUI information. Chapter 5 Access, Control, Safeguarding, and Visits Section I Access 5 – 1. Responsibilities DA personnel are personally responsible for safeguarding classified information and material. This responsibility includes ensuring they do not permit access to classified information and material by unauthorized personnel. Both the security clearance eligibility and the need-to-know must be present before access is authorized. The holder of the information, not the potential recipient, must confirm valid need-to-know and must verify the level of security clearance eligibility or access authorization. Collecting, obtaining, recording, or removing any classified material or information for any personal use whatsoever is prohibited. AR 380–5 • 22 October 2019 21 5 – 2. Nondisclosure agreement a. Prior to granting access to classified information, DA personnel will receive a briefing on their responsibility to protect classified information and will sign SF 312 (Classified Information Nondisclosure Agreement) (NDA) or other NDA approved by the Director of National Intelligence (DNI). Electronic signatures will not be used to execute the SF 312. b. Contractor personnel will execute the NDA through their company and not through the sponsoring DA command unless working as a consultant for that agency. c. Non-U.S. Government personnel, who have been hired under civil service procedures as consultants to the DA, and granted security clearance eligibility and access, will follow the same procedures as stated in paragraph 5–2a. d. SCI and SAP access requirements will be completed in accordance with AR 380 – 28 and AR 380 – 381 respectively, for those meeting requirements of access to classified information stated in paragraph 5–2a. 5 – 3. Signing and filing the Nondisclosure agreement a. Once the NDA has been executed, a command official will witness the execution of the NDA by signing and dating the form immediately after the individual’s signature. The same official, or another official in the command who witnesses the form, can serve as the accepting official. Once completed, the date will be recorded in the Joint Personnel Adjudication System (JPAS), or its successor system of record, in accordance with AR 380 – 67. Original copies will be kept on file in the individual’s official personnel folder (OPF). SF 312 will be retained for 50 years from the date of signature. See AR 600 – 8 – 104 and U.S. Office of Personnel Management Guide “The Guide to Personnel Recordkeeping” Operating Manual for filing instructions. b. The SM or other command official will coordinate final disposition of the SF 312 with their local personnel offices (for example, military personnel office for Soldiers, civilian personnel advisory centers for civilian personnel) to ensure the SF 312 is properly filed and maintained in the individual’s OPF, applying the appropriate disposition instructions. c. Department of the Army consultants and other non-Government personnel. If a consultant to the DA is hired under civil service procedures, as opposed to contracting with a company for consultant services, the NDA will be executed and filed as for DA personnel. If the consultant's OPF is not retired, the command is obligated to retain the NDA for the required 50-year retention period. Consultant NDAs cannot be used by or transferred to another activity. They only au- thorize access to classified information under a specific agreement and access termination must be executed when the agreement has ceased or when classified access is no longer required, whichever occurs first. In special situations where non-Government uncleared personnel have been granted classified access to specific information in accordance with the policy established in AR 380 – 67, the NDA will be attached to the exception to policy memorandum or other appropriate written authorization which authorizes the individual's access to classified information and will be retained in the com- mand's files for the required retention period of 50 years. 5 – 4. Refusal to execute the nondisclosure agreement If a person refuses to sign the NDA, they will not be permitted access to classified information and an incident report will be submitted as required by AR 380 – 67. 5 – 5. Debriefing and termination of classified access a. Classified information is not the personal possession of any DA personnel, regardless of rank, title, or position. Classified information will not be removed to nonofficial or unapproved locations, such as personal residences, upon the termination of employment or military service of any person, including the custodian of that material. b. All DA personnel who are retiring, separating, resigning, being discharged, or who will no longer have access to classified information, will out-process through the command security office or other designated command office and receive a termination briefing. During this out-processing, the individual will be informed that access to classified infor- mation has been terminated and the individual still has an obligation to protect any knowledge they have of classified information. These individuals will sign a security termination statement at the time of out-processing. The “Security Debriefing Acknowledgement” section of a SF 312 will be used for this purpose. This does not require the individual’s originally signed SF 312. The security termination statement (SF 312) will be maintained in the command’s security office, or other designated command office, for a period of two years, in accordance with AR 25 – 400 – 2 and AR 380 – 67. c. DA personnel who refuse to sign the security termination statement as stated in paragraph 5–5b, will be reported as required by AR 380 – 67. d. The same procedures will be followed for DA personnel still employed and still in service whose security clearance eligibility has been withdrawn, denied (after interim access was granted), or revoked either for cause or for administrative 22 AR 380–5 • 22 October 2019 reasons due to lack of need for future access to classified information. In these cases, individuals will execute the debriefing statement as stated in paragraph 5–5b. e. Unless exempted by the senior security official at the ACOM, ASCC or DRU level, security out-processing is re- quired for all cleared personnel transferring to another DA command or to a Federal Government agency. Transfers will not require the execution of the type of debriefing statement described in paragraph 5–5b. This does not preclude the command from requesting the transferring individual sign or initial a form or statement indicating, in substance, that the individual has been advised of the continuing responsibility to protect classified information and/or has completed the security out–processing. Personnel transferring will be briefed on the responsibilities stated in paragraph 5–5b. f. Out–processing can also be used as a means to ensure that the appropriate command security officials are aware of the departure of personnel to ensure combinations and passwords are changed, keys are returned, and accountable docu- ments and property are under new custody. Where out–processing is not required for transfers, the command will establish procedures to ensure the SM is advised of such transfers. Note: There is no requirement to execute a new NDA when access is removed from JPAS, or its successor system, during out-processing based on a transfer to another command. Debriefings will be completed and maintained on file for a mini- mum of 2 years, in accordance with AR 25 – 400 – 2. 5 – 6. Access to restricted data, formerly restricted data, and critical nuclear weapon design information a. Access to RD, FRD, including critical nuclear weapon design information (CNWDI) by DA personnel, at Army facilities, will be under the same conditions of a comparable level of security classification, based on the appropriate security clearance eligibility and access, need-to-know for the information, and in accordance with DODI 5210.02. b. Access to CNWDI is strictly limited to U.S. citizens. In rare cases, an exception to the U.S. citizenship requirement will be made. This determination will be made by the Secretary of Defense based upon the recommendation of the SECARMY. Such requests will be forwarded through command channels to DCS, G – 2, (DAMI – CD). 5 – 7. Access by persons outside the Executive Branch a. Classified information can be made available to individuals or agencies outside the Executive Branch, provided such information is necessary for performance of a lawful and authorized function, and with the approval of the originating department or agency. The SECARMY, the DCS, G2, or Commanders of ACOMs, ASCCs, DRUs, and the AASA are designated as DA release authorities, unless otherwise specified in this regulation. They are authorized to determine, sub- ject to OCA approval and before the release of classified information, the propriety of such action in the interest of national security and the assurance of the recipient's trustworthiness and need-to-know. This authority can be further delegated, if required, unless otherwise specified in this regulation. b. Congress. (1) Congressional staff members requiring access to DOD classified information will be processed for a security clear- ance in accordance with DODI 5400.04. (2) The Assistant Secretary of Defense (Legislative Affairs), as the principal staff assistant to the Secretary of Defense responsible for DOD relations with the members of Congress, will provide for DOD processing of personnel security clearances for members of Congressional staffs. (3) Personnel testifying before a Congressional committee, in executive session, in relation to a classified matter, will obtain the assurance of the committee that individuals present have a security clearance commensurate with the highest classification of information that is to be presented. c. Government Printing Office. Documents and material of all classification may be processed by the GPO, which protects the information in accordance with the DOD/GPO Security Agreement. d. Representatives of the General Accounting Office. Representatives of the General Accounting Office (GAO) can be granted access to classified information, originated by and in the possession of the DA and DOD, when such information is relevant to the performance of the statutory responsibilities of that office, as set forth in DODI 7650.01. Certifications of security clearance, and the basis thereof, will be accomplished pursuant to arrangements between GAO and the con- cerned command. Personal recognition or presentation of official GAO credential cards is acceptable for identification purposes but is insufficient for access to classified information. e. Historical researchers. Persons outside the Executive Branch who are engaged in historical research projects may be authorized access to DOD classified information provided that the SECARMY, the DCS, G – 2, Commanders of ACOMs, ASCCs, DRUs, or the AASA, with the concurrence of the OCA responsible for classifying the information, completes the requirements stated in DODM 5200.01, Volume 3. This authority cannot be further delegated. Security AR 380–5 • 22 October 2019 25 5 – 12. Classified discussions a. Classified discussions are not permitted in personal residences, in public, in public transportation conveyances (air- plane and taxi), or in any area outside approved spaces in a Government or cleared contractor facility except as discussed in paragraph b below. Classified information will only be discussed, in telephone conversations, over secure communica- tions equipment, such as secure terminal equipment (STE), and circuits approved for transmission of information at the level of classification being discussed. b. When discussing classified information, the ability of others in the area (who are not appropriately cleared or do not have a need-to-know) to hear the conversation will be taken into consideration. This includes instances where the installa- tion of STE telephones are authorized in personal residences in accordance with paragraph 6 – 6. c. Non-secure telephones will have DD Form 2056 (Telephone Monitoring Notification Decal) affixed, advising the user that the telephone is subject to monitoring at all times and that use constitutes consent to this. Further guidance on monitoring can be found in AR 380 – 53. 5 – 13. Removal of classified storage and information technology equipment Storage containers and IT equipment which had been used to store or process classified information will be inspected by cleared personnel before removal from protected areas, and/or before unauthorized persons are allowed unescorted access to them. The inspection will ensure that no classified information remains within or on the equipment. Items to be inspected include security containers, reproduction equipment, facsimile machines, micrographic readers and printers, IS equipment and components, equipment used to destroy classified material, and other equipment used for safeguarding or processing classified information. A written record of the inspection will be completed and maintained in accordance with paragraph 6 – 11. 5 – 14. Visits Commands will establish procedures to control access to, or disclosure of, classified information by visitors. At a mini- mum, local procedures will include the identity, security clearance eligibility, access, if appropriate, and the need-to-know for all visitors. a. Visit requests will be processed and security clearance eligibility and access level verified in accordance with AR 380 – 67. b. Official visits by foreign government representatives to DA commands will be handled in accordance with AR 380 – 10. 5 – 15. Classified meetings and conferences Meetings and conferences, which include classes, seminars, symposia, and similar activities, at which classified infor- mation is to be presented or discussed, are considered classified meetings. The classified portions of these meetings present vulnerabilities to unauthorized disclosure and will be limited to persons possessing an appropriate security clearance, ac- cess and the need-to-know for the specific information involved. Security requirements contained elsewhere in this regu- lation and other applicable security regulations apply, without exception, to classified meetings. a. ACOMs, ASCCs, DRUs, or the AASA approval processes for classified meetings will ensure that the following requirements are met: (1) The classified meeting or session is mission critical to the Army. (2) Use of other approved methods or channels for disseminating classified information or material are insufficient, impractical and not cost effective. (3) The meeting or conference, or classified sessions take place only at an appropriately cleared Government facility or a contractor facility that has an appropriate facility security clearance and, as required, secure storage capability, unless a waiver is approved in advance by the DCS, G – 2. (a) Requests for waivers to permit use of facilities other than appropriately cleared U.S. Government or U.S. contractor facilities will be submitted through the organization’s ACOM, ASCC, DRU, or the AASA, in writing for approval to the DCS, G – 2 (DAMI – CDS) a minimum of 45 days prior to the classified meeting. Requests will be sent by secure internet protocol router Network (SIPRNET). (b) The request will include a security plan that outlines how the requirements of paragraphs 5–15b and 5–15d are being met. (4) If a classified meeting or conference is held at a cleared U.S. contractor location, the contractor will comply with all applicable portions of DODM 5220.22 and Title 22, CFR, Subchapter M, Parts 120 – 130 (also known as the Interna- tional Traffic in Arms Regulations). DCS, G – 2 approval for the conduct of the meeting does not constitute authorization for presentation of export-controlled information when foreign nationals attend. 26 AR 380–5 • 22 October 2019 (5) The conduct of classified meetings or conferences at foreign installations and foreign contractor sites is often subject to the rules and regulations of the host country, thus presenting additional security risks. Prior to approval of the conduct of such meetings, ACOM, ASCC, DRU, or the AASA will obtain assurances, in writing, that the responsible foreign government will agree to use security measures and controls that are at least as stringent as those required by this regulation and other related DA and DOD regulations. The provisions of paragraph 5–15d also will be satisfied. Assistance can be provided by the Director, International Security Directorate, Defense Technology Security Administration, Office of the Under Secretary of Defense for Policy (OUSD(P)) through DCS, G – 2 (DAMI – CDS). (6) Routine day-to-day classified meetings and gatherings at DA commands will be conducted only at an appropriately cleared Government or contractor facility. Waivers will not be granted for routine meetings. (7) The provisions of this section do not apply to operational meetings conducted in combat situations, classes con- ducted by DA schools, or gatherings of personnel of a DA command and foreign government representatives or U.S. and/or foreign contractor representatives on a matter related to a specific Government contract, program, or project. (8) Classified sessions are segregated from unclassified sessions. (9) Access to the meeting or conference, or specific sessions thereof, where classified information may be discussed or disseminated is limited to persons who possess an appropriate security clearance and need-to-know. (10) Any participation by foreign representatives complies with requirements of AR 380 – 10. (11) Announcement of a meeting or conference is unclassified and limited to a general description of topics expected to be presented, names of speakers, logistical information, and administrative and security instructions. (12) Information systems used during the meeting or conference to support creation or presentation of classified infor- mation will meet all applicable requirements for processing classified information in accordance with AR 25 – 2, including, as appropriate, considerations of technical security countermeasures (TSCM). Unclassified laptop computers, handheld information technologies (for example, personal electronic devices (PEDs)), and other similar devices capable of recording or transmitting will not be used for note taking during classified sessions. Use of classified computers and other electronic devices will be permitted only when needed to meet the intent of the meeting or conference and applicable protection and TSCM requirements have been met. b. The DA command sponsoring a classified meeting or conference will assign an official to serve as SM for the meeting and be responsible for ensuring that, at a minimum, the following security provisions are met: (1) Attendees are briefed on safeguarding procedures. (2) Entry is controlled so only authorized personnel gain entry to the area. (3) The perimeter is controlled to ensure unauthorized personnel cannot overhear classified discussions or introduce devices that would result in the compromise of classified information. (4) Escorts are provided for uncleared personnel who are providing services to the meeting or conference (for example, setting up food or cleaning) when classified presentations and/or discussions are not in session. (5) Use of cell phones, PEDs, 2-way pagers, laptop computers and other electronic devices that record or transmit is prohibited. (6) Classified notes and handouts are safeguarded in accordance paragraph 5 – 9 of this regulation. (7) Classified information is disclosed to foreign government representatives only in accordance with the provisions of AR 380 – 10. (8) An inspection of the room(s) is conducted at the conclusion of the meeting or conference (or at the end of each day of a multi-day event) to ensure all classified materials are properly stored. c. Appropriately cleared Government contractor personnel may provide administrative support and assist in organizing a classified meeting or conference, but the DA command sponsoring the gathering remains responsible for all security requirements. d. Facilities other than appropriately cleared Government or U.S. contractor facilities proposed for use for classified meetings and conferences will: (1) Not be open to the public and access will be controlled by the Government or cleared contractor through a 100 percent identification card check at the perimeter point. For a military installation or comparably protected Federal gov- ernment installation, this can be at the perimeter fence of the installation or compound. (2) Have the room(s) where the classified sessions are to be held located away from public areas so that access to the room(s), walls, and ceiling(s) can be completely controlled during the classified sessions. (3) Provide authorized means to secure classified information in accordance with this chapter of the regulation. (4) Meet the DOD antiterrorism standards specified in AR 525 – 13. (5) Be subject to TSCM surveys in accordance with DODI 5240.05. When addressing this requirement, TSCM security classification guidance MUST be consulted to ensure proper classification of meeting details when associated with the use of TSCM. AR 380–5 • 22 October 2019 27 e. Not later than 90 days following the conclusion of a classified meeting or conference for which an exception was granted, the sponsoring command will provide an after-action report to the DCS, G – 2, (DAMI – CDS). The after-action report will be a brief summary of any issues or threats encountered during the event and actions taken to address the situation. Section III Accountability and Administrative Procedures 5 – 16. Equipment used in Information Technology networks There is a variety of non-COMSEC-approved equipment that is used to process classified information. This includes cop- iers, facsimile machines, computers and other IT equipment and peripherals, display systems, and electronic typewriters. Command IT-certified technicians will identify those features, parts, or functions of equipment used to process classified information that may retain some or all of the information. Command security procedures will prescribe the appropriate safeguards to prevent unauthorized access to that information, and replace, control, and/or destroy equipment parts, pur- suant to the level of the classified material contained therein prior to disposal. Alternatively, the equipment can be desig- nated as classified and appropriately protected at the retained information's classification level (for instance, by being re- installed in a secure area approved for the storage of classified information at the appropriate classification level for the material). 5 – 17. Receipt of classified material Commands will develop procedures to protect incoming mail, bulk shipments, and items delivered by messenger until a determination is made whether classified information is contained in the mail. Screening points will be established to limit access to classified information. 5 – 18. Top Secret information Top Secret control and accountability is not mandatory, but if the commander elects to appoint a Top Secret control officer (TSCO) to facilitate appropriate control of Top Secret material, procedures for the control and accountability of the Top Secret material will be developed. These procedures should provide the means of facilitating oversight and management of top Secret access controls, assessment and management of holdings, and identification of material at risk, in cases of potential unauthorized disclosure. In developing these procedures, the following requirements will be met. a. TSCOs and one or more alternates will be designated in writing and will be responsible for receiving, dispatching, and maintaining accountability and access records for top Secret material. Such individuals will be selected on the basis of experience and reliability, and as a general rule, will already possess the appropriate security clearance eligibility and access equal to or higher than the information to be handled. TSCOs will maintain a current, accurate system of account- ability within the command for all Top Secret documents and other material. TSCOs will record the receipt, dispatch, downgrading, movement from one command element to another, current custodian, and destruction of all Top Secret ma- terial. b. Top Secret material will be accounted for by a continuous chain of receipts. Receipts will be maintained for 5 years. Top Secret registers and Top Secret accountability record forms (for example, DA Form 3964 (Classified Document Ac- countability Record)) or equivalent will reflect sufficient information to identify adequately the Top Secret document or material. c. At a minimum, the register should include the title or short title, date of the document, identification of the originator, copy number, and disposition. Top Secret material will be numbered serially and marked to indicate its copy number (for example, copy 1 of 2 copies) and accounted for accordingly. d. Top Secret material will be inventoried at least once annually. The inventory will reconcile the Top Secret account- ability register and records with 100 percent of the Top Secret material held. The inventory will be conducted by two properly cleared individuals. One will be the TSCO or alternate, and the other will be a properly cleared, disinterested party, that is neither a TSCO, alternate, or subordinate to either official. The inventory will consist of a physical sighting of the material or written evidence of authorized disposition, such as certificate of destruction or receipt of transfer. At the time of the inventory, each Top Secret document or material will be physically examined for completeness and the TSCO will ensure that the accountability record accurately reflects the material held. Discrepancies found during the inventory will be resolved immediately, or, where they cannot be immediately resolved, referred to the command’s SM for further investigation. e. In activities that store exceptionally large volumes of Top Secret material, ACOMS, ASCCs, and DRUs can authorize the inventory of Top Secret material to be limited to documents and material to which access has been granted within the 30 AR 380–5 • 22 October 2019 c. Personnel who operate reproduction equipment will be made aware of the risks involved with the specific equipment, the command procedures concerning the protection, control and accountability of reproduced information as well as the destruction of classified waste products. d. FGI will only be reproduced and will be controlled pursuant to guidance and authority granted by the originating government. Section IV Disposition and Destruction of Classified Material 5 – 22. Policy a. Classified documents and other material will be retained only if they are required for effective and efficient operation of the command or if their retention is required by law or regulation. Commands with classified holdings will establish at least one day a year when specific attention and effort is focused on disposing of unneeded classified material (“clean-out day”). b. Requests from contractors for retention of classified material will only be approved if they meet the same criteria and approvals and in accordance with security guidance provided in the contract. See AR 380 – 49 for more guidance on contractor retention. c. Documents which are no longer required for operational purposes will be disposed of in accordance with the provi- sions of the Federal Records Act (44 USC Chapter 21 and 44 USC Chapter 33) as implemented by AR 25 – 400 – 2. Classi- fied information is subject to the same retention criteria as unclassified information. Special care will be exercised in the placing of classified information in files designated under AR 25 – 400 – 2 as "permanent." d. Commands will review classified files designated as "permanent," under AR 25 – 400 – 2, prior to forwarding to a Federal Records Center, where the files are maintained pending ultimate destruction or accession into the National Ar- chives. Each classified document in the files will be reviewed to ensure: (1) The classified material is a necessary part of the file as described in AR 25 – 400 – 2. (2) Only the record copy is placed in the file and duplicate copies are destroyed. (3) The classified material has been reviewed for downgrading and declassification and is properly remarked if down- graded or declassified. (4) Any FOUO information contained in the document is properly marked and a notice that the document contains FOUO information is displayed on the front cover and title page, or the first page when there is no cover or title page. It is recommended that unclassified documents in the file that contain FOUO information be checked at the same time to make sure they are properly identified on the documents, on the file, and on the SF 135 (Records Transmittal and Receipt). (5) The subject of the classified information is adequately described on the file label. (6) RD, FRD and FGI are not intermingled with other information, and are clearly marked on the file and accompanying forms. (7) Top Secret information is not included unless it meets the criteria stated in AR 25 – 400 – 2. (8) The subject of the classified information is adequately and completely described in the accompanying documenta- tion, the SF 135 as required by AR 25 – 400 – 2. This applies to all files, whether classified or unclassified. Classified infor- mation will not be disclosed on the SF 135; only unclassified titles may be used to identify the records. e. Commanders will make sure the management of the retention of classified material is included in oversight and evaluation of program effectiveness. f. Material which has been identified for destruction will continue to be protected as appropriate for its classification until it is destroyed. 5 – 23. Methods and standards for destruction a. Classified documents and materials will be destroyed by burning, or, when meeting the standards contained in chapter 3 of this regulation, by melting, chemical decomposition, pulping, pulverizing, cross-cut shredding, or mutilation, suffi- cient to preclude recognition or reconstruction of the classified information. Strip shredders will not be used to destroy classified information. b. Systems which involve the collection of classified material for later destruction; for example, the use of burn bags to store classified information, will include provisions for minimizing the possibility of unauthorized removal and/or access while awaiting destruction. Burn bags will be safeguarded in accordance with this regulation until destroyed. AR 380–5 • 22 October 2019 31 5 – 24. Records of destruction a. Records of destruction are required for Top Secret documents and material as part of the command’s Top Secret control process, where applicable (see para 5 – 18). The record will be executed when the material is actually destroyed, or when it is torn and placed in a burn bag or similar container. Two persons will sign the destruction record as witnessing the destruction. DA Form 3964 may be used for this purpose. Destruction records are not required for waste materials (scratch notes, typewriter and printer ribbons, and carbon paper) containing Top Secret information, unless that material has been placed on an accountability record. b. Records of destruction are not required for Secret or Confidential material unless required by the originator, except for NATO and foreign government documents. For guidance on requirements for NATO classified material, to include retention standards, refer to USSAN 1 – 07. Chapter 6 Storage and Physical Security Standards Section I General 6 – 1. Policy Classified information will be secured under conditions adequate to prevent access by unauthorized persons and meeting the minimum standards specified in this regulation. An assessment of the threat to the material, the location of the com- mand, and the sensitivity of the information, will be considered when determining if the minimum requirements of this chapter require enhancement, as determined by the local command. 6 – 2. Physical security policy a. Physical security is intended to be built upon a system of defense, or security-in-depth as defined in the glossary, to provide accumulated delay time. AR 190 – 13 provides additional information on the principles of physical security. b. AR 190 – 13 prescribes minimum uniform standards and procedures in the use of security identification cards and badges to control personnel movement into, and movement within, restricted areas. Section II Storage Standards 6 – 3. Standards for storage equipment a. General Services Administration (GSA) establishes and publishes minimum standards, specifications, and supply schedules for approved security containers, vault doors, modular vaults, alarm systems, and associated security devices suitable for the storage and protection of classified information. b. The DOD Lock Program is the technical authority for securing a storage facility and containers with approved lock- ing devices for the protection of classified information. For technical assistance concerning classified material storage standards, commands can contact the DOD Lock Program Technical Support Hotline. Contact information is available at https://navfac.navy.mil. 6 – 4. Storage of classified information a. Classified information that is not under the personal control and observation of an authorized person is to be guarded or stored in a locked security container, vault, room, or area, pursuant to the level of classification and this regulation by one or more of the following methods: (1) Top Secret information will be stored as identified below: (a) A GSA-approved security container with one of the following supplementary controls. 1. An employee cleared to at least the Secret level, will inspect the security container once every two hours, but not in a way that indicates a pattern. 2. The location that houses the security container is protected by an Intrusion Detection System (IDS), meeting the requirements of section III of this chapter, with personnel responding to the alarm arriving within 15 minutes of the alarm annunciation. (b) In a GSA-approved container equipped with a lock meeting Federal Specification FF – L – 2740, provided the con- tainer is located within an area that has been determined to have security-in-depth. 32 AR 380–5 • 22 October 2019 (c) In an open storage area (also called a secure room) constructed in accordance with section III of this chapter, and equipped with an IDS with the personnel responding to the alarm within 15 minutes of the alarm annunciation if the area has been determined to have security-in-depth; or within five minutes of alarm annunciation if it has not. (d) In a vault, or GSA- approved modular vault, meeting the requirements of Federal Standard (FED – STD) 832 as specified in section III of this chapter. (e) Under field conditions during military operations, commanders can prescribe the measures deemed adequate to meet the storage standard contained in paragraph 6–4b(1). (2) Secret information will be stored by one of the following methods: (a) In the same manner as prescribed for Top Secret information, or (b) In a GSA-approved security container or modular vault, or vault built to FED – STD 832 without supplementary controls, or (c) In an open storage area meeting the requirements of this regulation, provided that security-in-depth exists, and one of the following supplemental controls is used: 1. An employee cleared to at least the Secret level will inspect the open storage area once every four hours. 2. An IDS meeting the requirements of section III of this chapter with the personnel responding to the alarm arriving within 30 minutes of the alarm annunciation. (3) Confidential information will be stored in the same manner as prescribed for Top Secret or Secret information except that supplementary controls are not required. b. Specialized security equipment. (1) GSA–approved field safes and special purpose, one and two drawer, light–weight, security containers, approved by the GSA, are used primarily for storage of classified information in the field and in military platforms, and will be used only for those or similar purposes. These containers will use locks conforming to Federal Specification FF – L – 2740 or FF – L – 2937 as required by Federal Specification AA – F – 358. Special size containers will be securely fastened to the plat- form; field safes will be under sufficient control and surveillance when in use to prevent unauthorized access or loss. (2) GSA-approved map and plan files are available for storage of odd-sized items such as computer media, maps, charts, and classified equipment. (3) GSA-approved modular vaults, meeting Federal Specification AA – V – 2737, can be used to store classified infor- mation as an alternative to vault requirements described in section III of this chapter. c. Storage areas, for bulky material containing Secret or Confidential information, may have access openings (for ex- ample, roof hatches, vents) secured by GSA-approved, changeable combination padlocks meeting Federal Specification FF – P – 110. Other security measures are required in accordance with paragraph 6–4a(2) and 6–4a(3). (1) When special circumstances exist, key operated locks may be used for storage of bulky material containing Secret and Confidential information. It will be the responsibility of the command to document this requirement outlining the special circumstances that warrant deviation from the changeable combination padlock standard in paragraph 6–4c and will establish administrative security standard operating procedures for the control and accountability of keys and locks whenever key-operated, high-security padlocks are utilized. As a minimum, the following procedures will be implemented: (a) A key and lock custodian will be appointed and cleared at the Secret level, in writing to ensure proper custody and handling of keys and locks. (b) A key and lock control register will be maintained to identify keys, the number of keys for each lock, and their current location and custody. (c) Keys will be inventoried with each change of custodian. Keys will not be removed from the premises. (d) Keys that are not issued to users on hand receipt and spare locks will be stored in a GSA-approved security container or other secure container that meet Federal Specification FF – L – 2740 standards. (e) To reduce the risk of a padlock being swapped while the container is opened, the padlock and the key will be either placed in the security container, or the padlock will be locked to the hasp and the key either be personally retained, stored in a central location, or placed inside the unlocked container. (f) Key operated locks will be changed or rotated at a minimum of once every 2 years, and will be immediately replaced upon loss or compromise of their keys. (2) 18 USC Section 1386 makes unauthorized possession of keys, key-blanks, key-ways or locks adopted by any part of the DOD for use in the protection of conventional arms, ammunition, explosives, special weapons, or classified infor- mation or equipment, a criminal offense punishable by fine or imprisonment for up to 10 years, or both. 6 – 5. Procurement of new storage equipment New security storage equipment will be procured from those items listed on the GSA Federal Supply Schedule. When GSA-approved security containers or vault doors with locks meeting FF – L – 2740 are placed in service or when existing AR 380–5 • 22 October 2019 35 b. Neutralization or repair by, or using, methods and procedures other than described in FED – STD 809 is considered a violation of the security container’s or vault door’s security integrity and the GSA label shall be removed. Thereafter, the containers or doors may not be used to protect classified information until repaired per FED – STD 809, inspected by a qualified inspector, and certified for use in writing. 6 – 10. Maintenance and operating inspections ACOMs, ASCC, and DRUs will establish procedures concerning repair and maintenance of classified material security containers, vaults, and secure rooms, to include a schedule for periodic maintenance. The following guidelines pertain to spotting repair and maintenance problems that will be addressed outside the regular maintenance schedule. a. Security containers are usually serviceable for at least 25-years, if properly maintained. The life span of the container is often cut short by lock or locking bolt linkage malfunctions that require neutralization of the container. Most of these problems can be detected in their early stages, and definite symptoms can warn of a developing problem. Users should be alert for these symptoms, and if any of them are detected, the users should immediately contact their supporting SM. It is important to never use force to try to correct the problem. Critically needed material should not be stored in containers showing any of these symptoms, since they cannot be depended upon to open again. Should that occur, the user can be faced with a lockout. b. Users should watch for the following signs of trouble: (1) A dial that is unusually loose or difficult to turn. (2) Any jiggling movement in the dial ring. This is often detected when a twist motion is applied to the dial. (3) Difficulty in dialing the combination or opening the container. (4) Difficulty with the control drawer or other drawers. Examples are as follows: (a) Drawers rubbing against container walls. This can be caused if the container is not leveled, or the tracks or cradles are not properly aligned. (b) Problems with opening or closing drawers because the tracks or cradles need lubricant, material is jammed in behind the drawer, or the internal locking mechanism is tripped. (5) Difficulty in locking the control drawer. Examples are as follows: (a) The control drawer handle or latch will not return to the locking position when the drawer is shut. (b) The locking bolts move roughly, slip, or drag, or the linkage is burred or deformed. (6) GSA approval labels are missing or in need of replacement. If missing, contact the DOD lock program to obtain information on retaining an authorized inspector. GSA-approved security containers and vault doors must have a GSA approval label or a GSA recertification label on the front of the equipment in order to store classified information. c. Commands will periodically remind users of containers about the above guidelines. 6 – 11. Turn-in or transfer of security equipment In addition to having combinations reset before turn-in (see para 6–8c(4)), security equipment will be inspected before turn-in or transfer to ensure that classified material is not left in the container. The turn-in procedure will include removal of each container drawer and inspection of the interior to make sure that all papers and other material are removed and that the container is completely empty. Incinerators, shredders, or other classified material destruction devices, as well as the rooms in which they are located, will be thoroughly inspected to make sure that no classified material remains. A written, signed record certifying that this inspection has been accomplished and that no classified material remains, will be fur- nished to the SM and filed for two years in accordance with AR 25 – 400 – 2. Section III Physical Security Standards 6 – 12. General This section provides the general construction standards for areas approved for the open storage of classified information, general standards for intrusion detection (alarm) systems (IDS) used in areas in which classified information is stored, and access control standards. Classified material will be stored in GSA-approved security containers. Open storage areas will only be approved when storage in other approved security containers is not feasible due to the size, shape, or volume of material stored. 6 – 13. Vault and secure room (open storage area) construction standards a. Vaults will meet the construction standards outlined in Federal Standard 832, as follows: (1) Class A (concrete poured-in-place). 36 AR 380–5 • 22 October 2019 (2) Class B (GSA-approved modular vault meeting Federal Specification AA – V – 2737). (3) Class C (steel-lined vault) is NOT authorized for protection of classified information. b. Secure room (open storage area). Below are the minimum construction standards for open storage areas: (1) Walls, floor, roof. Walls, floor, and roof must be of permanent construction materials; for example, plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other materials offering resistance to and evidence of unauthorized entry into the area. Walls will be extended from the true floor to the true ceiling and attached with permanent construction materials, mesh, or 18 gauge expanded steel screen. (2) Ceiling. The ceiling will be constructed of plaster, gypsum, wallboard material, hardware, or other similar material to be of equivalent strength. (3) Doors. Access doors will be substantially constructed of wood or metal. For out-swing doors, hinge-side protection will be provided by making hinge pins non-removable (for example, spot welding) or by using hinges with interlocking leaves that prevent removal. Doors will be equipped with a GSA-approved combination lock meeting FF – L – 2740. Doors other than those secured with locks meeting FF – L – 2740 will be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar that extends across the width of the door. (4) Windows. Windows that are less than 18 feet above the ground measured from the bottom of the window, or are easily accessible by means of objects located directly beneath the windows, will be constructed from or covered with materials that will provide protection from forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. Secure rooms which are located within a military installation or controlled compound or equivalent, may eliminate the requirement for forced entry protection if the windows are made inoperable either by permanently sealing them or equipping them on the inside with a locking mechanism and they are covered by an IDS (either independently or by motion detection sensors within the area). Windows, which might reasonably afford visual observation of classified activities within the facility, will be made opaque or equipped with blinds, drapes, or other cov- erings. (5) Openings. Utility openings such as ducts and vents will be smaller than man-passable (96 square inches). An open- ing larger than 96 square inches (and over 6 inches in its smallest dimension) that enters or passes through an open storage area will be hardened in accordance with Military Handbook 1013/1A. 6 – 14. Intrusion Detection System standards a. An IDS often referred to as an alarm, must detect an unauthorized penetration in the secured area. An IDS will be installed when results of a documented risk assessment to determine its use as a supplemental control is warranted, in accordance with this regulation, and use is approved by the ACOM, ASCC, DRU, or AASA. When used, all areas that reasonably afford access to the security container or areas where classified data is stored will be protected by an IDS unless continually occupied. An IDS complements other physical security measures and consists of the following: (1) IDS or equipment (IDE). (2) Security forces. (3) Operating procedures. b. System functions. IDS components operate as a system with the following four distinct phases: (1) Detection. (2) Communications. (3) Assessment. (4) Response. c. These elements are equally important, and none can be eliminated if the IDS is to provide an acceptable degree of protection. (1) Detection : The detection phase begins as soon as a detector or sensor reacts to stimuli it is designed to detect. The sensor alarm condition is then transmitted over cabling located within the protected area to the premise control unit (PCU). The PCU may service many sensors. The PCU, and the sensors it serves, comprise a “zone” at the monitor station. This will be used as the definition of an alarmed zone for purposes of this regulation. (2) Communications : The PCU receives signals from all sensors in a protected area and incorporates these signals into a communication scheme. An additional signal is added to the communication for supervision to prevent compromise of the communication scheme (for example, tampering or injection of false information by an intruder). The supervised signal is sent by the PCU through the transmission link to the monitor station. Inside the monitor station either a dedicated panel or central processor monitors information from the PCU signals. When an alarm occurs, an annunciator generates an au- dible and visible alert to security personnel. Alarms result normally from intrusion, tampering, component failure, or sys- tem power failure. (3) Assessment : The assessment period is the first phase that requires human interaction. When alarm conditions occur, the operator assesses the situation and dispatches the response force. AR 380–5 • 22 October 2019 37 (4) Response : The response phase begins as soon as the operator assesses an alarm condition. A response force must immediately respond to all alarms. The response phase must also determine the precise nature of the alarm and take all measures necessary to safeguard the secure area. 6 – 15. Selection of equipment a. General. As determined by the commander, and in accordance with the minimum standards established by this regulation, all areas that reasonably afford access to the container or facility, or where classified data is stored, are to be protected by IDS unless continually occupied. Prior to the installation of an IDS, commanders, or their designated person- nel, will consider the threat, the vulnerabilities, and any in-depth security measures, and will perform a risk analysis to determine if an IDS is appropriate to the situation. b. Acceptability of equipment. All IDE must be Underwriters Laboratories (UL)-listed, or equivalent, and approved by the DA or authorized Government contractor. Government installed, maintained, or furnished systems are acceptable. 6 – 16. Intrusion Detection System transmission and annunciation a. Transmission line security. When the transmission line leaves the facility and traverses an uncontrolled area, Class I or Class II line supervision will be used. (1) Class I. Class I line security is achieved using National Institute of Standards and technology-approved implemen- tation of the Advanced Encryption Standard. (2) Class II. Class II line supervision refers to systems in which the transmission is based on pseudo-random generated tones or digital encoding using an interrogation and response scheme throughout the entire communication, or UL Class AA line supervision. The signal will not repeat itself within a minimum six-month period. Class II security will be imper- vious to compromise using resistance, voltage, current, or signal substitution techniques. b. Internal cabling. The cabling between the sensors and the PCU must be dedicated to the IDE and must comply with national and local code standards. c. Entry control systems. If an entry and/or access control system is integrated into an IDS, reports from the automated entry and/or access control system must be subordinate in priority to reports from intrusion alarms. d. Maintenance mode. When the alarm zone is placed in the maintenance mode, this condition will be signaled auto- matically to the monitor station. The signal must appear as an alarm or maintenance message at the monitor station and the IDS will not be securable while in the maintenance mode. The alarm or message must be continually visible at the monitor station throughout the period of maintenance. A standard operating procedure will be established to address ap- propriate actions when maintenance access is indicated at the panel. All maintenance periods will be archived in the system. A self-test feature will be limited to one second per occurrence. The maintenance program for the IDS should ensure that incidents of false alarms be investigated and should not exceed one in a period of 30 days per zone. e. Annunciation of shunting or masking condition. Shunting or masking of any internal zone or sensor must be appro- priately logged or recorded in archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists whenever there is a survey of zones or sensors. f. Indications. Indications of alarm status will be revealed at the monitoring station and optionally within the confines of the secure area. g. Power supplies. Primary power for all IDE will be commercial alternating or direct current (AC or DC) power. In the event of commercial power failure at the protected area or monitor station, the equipment will change power sources without causing an alarm indication. (1) Emergency power. Emergency power will consist of a protected independent backup power source that provides a minimum of 8 hours’ operating power via battery and/or generator power. When batteries are used for emergency power, they will be maintained at full charge by automatic charging circuits. The manufacturer’s periodic maintenance schedule will be followed and results documented. (2) Power source and failure indication. An illuminated indication will exist at the PCU of the power source in use (AC or DC). Equipment at the monitor station will indicate a failure in power source, a change in power source, and the location of the failure or change. h. Component tamper protection. IDE components located inside or outside the secure area will be evaluated for a tamper protection requirement. If access to a junction box or controller will enable an unauthorized modification, tamper protection will be provided. 40 AR 380–5 • 22 October 2019 h. Electric, mechanical, or electromechanical access control devices. Electric, mechanical, or electromechanical de- vices which meet the criteria stated below; may be used to control admittance to secure areas during duty hours, if the entrance is under visual or other command approved system of control by cleared authorized personnel located in the area. These devices are also acceptable to control access to selected or otherwise compartmented areas within a secure area. Nothing in this statement is intended to modify the policy stated in AR 380 – 28. Access control devices will be installed in the following manner: (1) The electronic control panel containing the mechanism by which the combination is set is to be located inside the area. The control panel, located within the area, will require only minimal degree of physical security designed to preclude unauthorized access to the mechanism. (2) The control panel will be installed in such a manner, or have a shielding device mounted, so that an unauthorized person in the immediate vicinity cannot observe the setting or changing of the combination. (3) The selection and setting of the combination will be accomplished by an individual cleared at the same level as the highest classified information controlled within. (4) Electrical components, wiring included, or mechanical links (cables, rods and so on) should be accessible only from inside the area, or, if they traverse an uncontrolled area they should be secured within protecting covering to preclude surreptitious manipulation of components. Chapter 7 Transmission and Transportation Section I Methods of Transmission or Transportation 7 – 1. Policy Classified information will be transmitted or transported as specified in this chapter. Commands will establish local pro- cedures to meet the requirements to minimize risk of compromise while permitting use of the most cost-effective trans- mission or transportation means. External, street side collection boxes, for instance U.S. Mail boxes, will not be used for the dispatch of classified information. Commands will develop procedures to protect incoming mail, bulk shipments, and items delivered by messenger, until a determination is made whether classified information is contained therein. Screening points will be established to limit access to classified information to only cleared personnel. a. COMSEC material will be transmitted and transported according to AR 380 – 40. b. NATO classified information, including NATO Restricted, will be transmitted and transported according to the re- quirements outlined in USSAN 1 – 07. 7 – 2. Dissemination outside the Department of Defense a. Classified information originating in another agency within the DOD or in another department or agency outside the DOD may be disseminated to other DOD agencies, to other United States departments or agencies, or to a U.S. entity without the consent of the originating DOD component, department, or agency, as long as: (1) The criteria for access to classified information outlined in chapter 3 are met. (2) The classified information is NOT marked as requiring authorization for dissemination to another department or agency. The originator controlled marking may be used to identify information requiring prior authorization for dissemi- nation to another department or agency. (3) The document was created on or AFTER 27 June 2010, the effective date of Part 2001 of Title 32, CFR. Documents created before 27 June 2010 may not be disseminated outside of the DOD without the originator’s consent. Additionally, documents created on or after 27 June 2010, whose classification is derived from documents created prior to that date, and where the date before 27 June 2010 of the classified source(s) is readily apparent from the source list, will not be dissem- inated outside the DOD without the originator’s consent. b. Classified information originating in, or provided to or by, the DOD may be disseminated to a foreign government or an international organization of governments, or any element thereof, in accordance with AR 380 – 10. c. Dissemination of information regarding intelligence sources, methods, or activities will be consistent with directives issued by the DNI and in accordance with AR 380 – 28. d. Dissemination of classified information to state, local, tribal and private sector officials pursuant to EO 13549 will be in accordance with the implementing guidance issued by the Department of Homeland Security. AR 380–5 • 22 October 2019 41 7 – 3. Top Secret information Top Secret information will be transmitted and transported only by: a. Direct contact between appropriately cleared persons. b. Electronic means over an approved secure communications system. This applies to voice, data, message, and fac- simile transmissions (see AR 25 – 2). c. The Defense Courier Division (DCD) if the material qualifies under the provisions of DODI 5200.33. The DCD may use a specialized shipping container as a substitute for a DCD courier on direct flights if the shipping container is suffi- ciently constructed to provide evidence of forced entry, secured with a high security padlock meeting FF – P – 110 specifi- cations and equipped with an electronic seal that would provide evidence of surreptitious entry. A DCD courier must escort the specialized shipping container to and from the aircraft and oversee its loading and unloading. This authorization also requires that the DCD develop procedures that address protecting specialized shipping containers in the event a flight is diverted for any reason. d. Authorized command courier or messenger services. e. The DOS Diplomatic Courier Service. f. Appropriately cleared U.S. Military and U.S. Government civilian personnel, specifically designated to carry the information and traveling by surface transportation, or traveling on scheduled commercial passenger aircraft within and between the U.S., its territories, and Canada. g. Appropriately cleared U.S. military and U.S. Government civilian personnel, specifically designated to carry the information and traveling on scheduled commercial passenger aircraft on flights outside the U.S., its territories, and Can- ada. h. DOD contractor employees with the appropriate clearances traveling within and between the U.S., and its territories, when the transmission has been authorized, in writing, by the appropriate Cognizant Security Agency (CSA), or a desig- nated representative (see AR 380 – 49 for further guidance). 7 – 4. Secret information Secret information can be transmitted and transported by: a. Any of the means approved for the transmission of Top Secret information. b. United States Postal Service (USPS) registered mail, within and between the U.S., the District of Columbia, and the Commonwealth of Puerto Rico. c. USPS Priority Mail Express (formerly referred to as Express mail) within and between the 50 States, the District of Columbia, and the Commonwealth of Puerto Rico. The “Waiver of Signature and Indemnity” block on the U.S. Postal Service Express Mail Label 11 – B may not be executed under any circumstances. The use of external (street side) Express Mail collection boxes is prohibited. d. USPS and Canadian registered mail with registered mail receipt between U.S. Government and Canadian government installations in the U.S. and Canada. e. USPS registered mail through Military Postal Service facilities outside the U.S. and its territories if the information does not at any time pass out of U.S. citizen control and does not pass through a foreign postal system or any foreign inspection. f. As an exception, in urgent situations requiring next-day delivery within the U.S. and its territories, commanders may authorize the use of the current holder of the GSA contract for overnight delivery of information for the Executive Branch as long as applicable postal regulations in accordance with chapter I of Title 39, CFR are met. Any such delivery service will be U.S. owned and operated, provide automated in-transit tracking of the classified information, and ensure package integrity during transit. The contract will require cooperation with U.S. Government inquiries in the event of a loss, theft, or possible compromise. The sender is responsible for ensuring that an authorized person at the receiving end is aware that the package is coming and will be available to receive the package, verifying the mailing address is correct, and confirming (by telephone or e-mail) that the package did in fact arrive within the specified time period. The package may be addressed to the recipient by name. The release signature block on the receipt label will not be executed under any circumstances. The use of external (street side) collection boxes is prohibited. Classified COMSEC, NATO information, SCI, and FGI will not be transmitted in this manner. See Multiple Award Schedule 48, (Transportation, Delivery and Relocation Solu- tions), on the GSA eLibrary website at https://www.gsaelibrary.gsa.gov/elibmain/home.do for a listing of commercial car- riers authorized for use under the provisions of this paragraph. Note: In many situations, the USPS Priority Mail Express can meet the next day delivery standards and should be used, as noted in paragraph 7-4c. g. Carriers cleared under the National Industrial Security Program providing a protective security service. This method is authorized only within CONUS when other methods are impractical, except that this method is also authorized 42 AR 380–5 • 22 October 2019 between U.S. and Canadian government approved locations documented in a transportation plan approved by U.S. and Canadian government security authorities. h. Appropriately cleared contractor employees, provided that the transmission meets the requirements specified in DODM 5220.22, Volume 2 and DOD 5220.22 – M. i. U.S. Government and U.S. Government contract vehicles, including aircraft, ships of the U.S. Navy, civil service- operated U.S. Navy ships, and ships of U.S. registry. Appropriately cleared operators of vehicles, officers of ships, or pilots of aircraft, who are U.S. citizens, may be designated as escorts and provided the control of the carrier is maintained on a 24-hour basis. The escort will protect the shipment at all times, through personal observation or authorized storage, to prevent inspection, tampering, pilferage, or unauthorized access. Observation of the shipment is not required during flight or sea transit, provided it is loaded into a compartment that is not accessible, to any unauthorized persons, or in a specialized secure, safe-like container. The escort will, if possible, observe the loading of the shipment. 7 – 5. Confidential information Confidential information may be transmitted and transported by: a. Any means approved for the transmission of Secret information. b. USPS registered mail will be used for Confidential material only as indicated below: (1) Material to and from military post office addressees (for example, Army Post Office or Fleet Post Office) located outside the U.S. and its territories. (2) Material when the originator is uncertain that the addressee’s location is within U.S. boundaries. c. USPS certified mail (or registered mail, if required above) for material addressed to DOD contractors or non-DOD agencies. d. USPS first class mail between DOD Component locations anywhere in the U.S. and its territories. The outer envelope or wrapper shall be endorsed: “Return Service Requested.” e. Commercial carriers that provide a constant surveillance service, as defined by DOD 5220.22 – M, within CONUS. f. Commanders or masters of ships of U.S. registry who are U.S. citizens. Confidential information shipped on ships of U.S. registry may not pass out of Government control. The commanders or masters will sign a receipt for the material and agree to: (1) Deny unauthorized persons access to the Confidential material, including customs inspectors, with the understand- ing that Confidential cargo that would be subject to customs inspection will not be unloaded. (2) Maintain control of the cargo until a receipt is obtained from an authorized representative of the consignee. Section II Transmission and Transportation of Classified Material 7 – 6. Transmission and transportation of classified material to Foreign Governments Classified information or material approved for release to a foreign government or international organization, in accord- ance with AR 380 – 10, will be transferred between representatives of each government through Government-to-Govern- ment channels or through other channels agreed to in writing by the designated authorities of the sending and receiving governments. a. For foreign government or international organization transfers of classified material, DA commands will follow guidance outlined below and within the appendix to DODM 5200.01, Volume 3, Enclosure 4. (1) U.S. Government control and accountability of classified information or material will be maintained from the point of origin to the ultimate destination, until it is officially transferred to the intended recipient government through its des- ignated government representative. (2) In urgent situations, appropriately cleared U.S. Government agency employees may be authorized to hand-carry classified material in accordance with this chapter and the appendix to DODM 5200.01, Volume 3, Enclosure 4. b. Each DA command entering into a contract or an international agreement that will involve the transfer of classified information and material to a foreign government, will consult with supporting DOD transportation and security authorities to confirm the appropriate transfer arrangements and establish responsibilities for the transfer arrangements prior to any execution of the agreement or contract. Transportation plan requirements are outlined in the appendix to DODM 5200.01, Volume 3, Enclosure 4. AR 380–5 • 22 October 2019 45 (5) Only the last four digits of the individual’s social security number will be used when filling out the DD Form 2501. (6) The use of the DD Form 2501 for identification and/or verification of authorization to hand-carry SCI or SAP information will be in accordance with policies and procedures, established by the official having security responsibility for such information or programs. 7 – 13. Hand-carrying or escorting classified material aboard commercial passenger aircraft a. Although pre-coordination is not typically required, in unusual situations advance coordination with the local Trans- portation Security Administration (TSA) field office may be warranted to facilitate clearance through airline screening processes. b. The individual designated as courier will possess a DOD or contractor-issued CAC and a Government-issued photo identification card. (If at least one of the identification cards does not contain date of birth, height, weight and signature, include these items in the written authorization). c. The courier will have courier orders (letter prepared on letterhead stationary of the agency authorizing the carrying of classified material), which will include: (1) The full name of the individual and his or her DA command or company. (2) A date of issue and an expiration date. (3) The name, title, signature, and phone number of the official issuing the letter. (4) The name of the person and official Government telephone number of the person designated to confirm the courier authorization. d. Upon arrival at the screening checkpoint the individual designated as courier will ask to speak to the TSA Supervisory Transportation Security Officer and will present the required identification and authorization documents. If the courier does not present all required documents, including valid courier authorization, DOD or contractor-issued CAC, and Gov- ernment-issued photo identification card, TSA officials will require the classified material to be screened in accordance with their standard procedures. e. The courier will go through the same airline ticketing and boarding process as other passengers. When the TSA supervisory transportation security officer confirms the courier’s authorization to carry classified material, only the Gov- ernment classified material is exempted from any form of inspection; the courier and all of the courier’s personal property will be provided for screening. The classified material will remain within the courier’s sight at all times during the screen- ing process. When requested, the package(s) or the carry-on luggage containing the classified information may be pre- sented for security screening so long as the courier maintains visual sight and the packaging or luggage is not opened. f. Hand-carrying classified items aboard international commercial aircraft will be conducted only on an exception basis. DA personnel requiring access to classified materials at an overseas location will exhaust all other transmission options (for example, electronic file transfer, advance shipment by courier) before hand-carrying items aboard international com- mercial aircraft. In addition to the requirements in subparagraphs 7–13a throughe, for international travel, the authorization letter will describe the material being carried (for example, “three sealed packages (“9” x “8” x “24”),” addressee and sender) and the official who signed the authorization letter will sign each package or carton that is exempt, to facilitate its identification. g. Customs, police, and immigration officials. There is no assurance of immunity from search by the customs, police, and/or immigration officials of the various countries whose border the traveler may be crossing. Therefore, should such officials inquire into the contents of the consignment, the traveler will present the courier orders and ask to speak to the senior customs, police and/or immigration official. This action should normally suffice to pass the material through uno- pened. However, if the senior customs, police, and/or immigration official demands to see the actual contents of the pack- age, it should be opened only in his/her presence, and must be done in an area out of sight of the general public, if possible. If the traveler is permitted to pass, notification to his/her command will be done at the earliest possible time. (1) Precautions must be taken to show officials only as much of the contents as will satisfy them that the package does not contain any other item. The traveler should ask the official to repack or assist in repackaging of the material immedi- ately upon completion of the examination. (2) The senior customs, police, and/or immigration official, should be requested to provide evidence of the opening and inspection of the package, by sealing and signing it when closed, and confirming on the shipping documents, if any, or courier certificate, that the package has been opened. (3) If the package has been opened under such circumstances as those mentioned above, the traveler will inform, in writing, the addressee and the dispatching security officer of this fact. (4) Prior to travel, classified material to be carried by a traveler will be inventoried and a copy of the inventory retained by the traveler's security office. A copy of the inventory will be placed inside the classified package. h. For guidance on hand-carrying NATO information, travelers who are authorized to carry NATO classified material on international flights will refer to USSAN 1 – 07. 46 AR 380–5 • 22 October 2019 7 – 14. Consignor/Consignee responsibility for shipment of bulky material The consignor of a bulk shipment will— a. Select a carrier that will provide a single line service from the point of origin to destination, when such a service is available. b. Ship packages weighing less than 200 pounds in closed vehicles only. c. Notify the consignees and military transshipping activities of the nature of the shipment, including level of classifi- cation, the means of shipment, the serial number of the seals, if used, and the anticipated time and date of arrival by separate communication, at least 24 hours in advance of arrival of the shipment. d. Advise the first military transshipping activity that, in the event the material does not move on the conveyance orig- inally anticipated, the transshipping activity should advise the consignee with information of the firm date and estimated time of arrival. Upon receipt of the advance notice of a shipment of classified material, consignees and transshipping activities will take appropriate steps to receive the classified shipment and to protect it upon arrival. e. Annotate the bills of lading to require the carrier to notify the consignor immediately, by the fastest means, if the shipment is unduly delayed in route. Such annotations will not under any circumstances disclose the classified nature of the commodity. When seals are used, annotate substantially as follows: “DO NOT BREAK SEALS EXCEPT IN EMERGENCY OR UPON AUTHORITY OF CONSIGNOR OR CONSIGNEE. IF BROKEN, APPLY CARRIER’S SEALS AS SOON AS POSSIBLE AND IMMEDIATELY NOTIFY CONSIGNOR AND CONSIGNEE”. f. Require the consignee to advise the consignor of any shipment not received more than 48 hours after the estimated time of arrival furnished by the consignor or the transshipping activity. Upon receipt of such notice, the consignor will immediately trace the shipment. If there is evidence that the classified material was subjected to compromise, the proce- dures set forth in chapter 9 of this regulation for reporting compromises will apply. Chapter 8 Security Education and Training Section I Policy 8 – 1. General policy a. Commanders will establish security education programs. These programs will be aimed at promoting quality perfor- mance of security responsibilities by command personnel, and will be tailored, as much as possible, to the specific in- volvement of individuals in the information security program and the command's mission. The programs will— (1) Provide necessary knowledge and information to enable quality performance of security functions. (2) Promote understanding of information security program policies and requirements, and their importance to the na- tional security. (3) Instill and maintain continuing awareness of security requirements and the intelligence collection threat. (4) Assist in promoting a high degree of motivation to support program goals. b. The DCS, G – 2 has released standardized web-based security training products that can be used and will satisfy the requirements outlined below for initial security orientation and annual refresher training. Training is available on the Army Learning Management System (ALMS) site through Army Knowledge Online. c. Commanders will ensure training programs include CUI training requirements outlined in DODM 5200.01, Volume 4. Training may be combined into the overall program addressing both classified and CUI. 8 – 2. Methodology Security education must be a continuous, rather than periodic, influence on individual security performance. Periodic briefings, training sessions, and other formal presentations will be supplemented with other informational and promotional efforts to ensure maintenance of continuous awareness and performance quality. The use of external resources such as the training products produced by the DCSA, Center for Development of Security Excellence (CDSE), may be used when they are determined to be the most effective means of achieving program goals. The circulation of directives or similar material on a "read-and-initial" basis will not be considered as fulfilling any of the specific requirements of this chapter, because there is no basis to gauge effectiveness. Section II Briefings and Training AR 380–5 • 22 October 2019 47 8 – 3. Initial security orientation a. All DA personnel will be given an initial security orientation whether cleared for access to classified information or not. The purpose of the orientation will be: (1) To define classified information and CUI and explain the importance of protecting such information. (2) To develop a basic understanding of security policies and principles. (3) To ensure personnel are aware of the roles they are expected to play in the information security program, and inform them of the administrative, civil, and/or criminal sanctions that can be applied when appropriate. (4) To provide personnel with enough information to ensure the proper protection of classified information and CUI that is in their possession, including the actions to be taken if such information is discovered unsecured, a security vulner- ability is noted, or when a person may be seeking unauthorized access to the information. (5) To inform personnel of the requirement for review of all unclassified information prior to release to the public. b. In addition to paragraph 8–3a, DA personnel, upon initial access to classified information, will receive training on security policies and principles, and derivative classification practices. The training is intended to: (1) Develop a basic understanding of the nature of classified information and the importance of its protection to the national security. (2) Provide personnel enough information to ensure proper protection of classified information in their possession. Security educators will, at a minimum, include the following points in their Security education programs: (a) The nature of U.S. and FGI classified information, its importance to the national security, and the degree of damage associated with each level of classification/sensitivity. (b) How to recognize U.S. and FGI classified information that personnel may encounter, including their marking. (c) The individual's responsibility for protection of classified, and the consequences of failing to do so. (d) Procedures and criteria for authorizing access to classified information. (e) Procedures for safeguarding and control of classified information in the individual's work environment. (f) Proper response to discovery of information believed to be classified in the public media. (g) The security management and support structure within the command, to include sources of help with security prob- lems and questions and proper procedures for challenging classifications believed to be improper. (h) Penalties associated with careless handling or compromise of classified information. c. Before being granted access to classified information, employees must sign SF 312. See paragraph 5 – 2 of this regu- lation for details regarding the use of the SF 312. 8 – 4. Annual refresher training Security education programs will include efforts to maintain and reinforce quality performance of security responsibilities. At a minimum, all DA personnel will receive annual security refresher training that reinforces the policies, principles, and procedures covered in their initial and specialized training. In addition to the web-based training available and discussed in para 8–1b, security educators should also supplement this training by addressing issues or concerns identified during self-inspections. Whenever security policies and procedures change, personnel, whose duties would be impacted by these changes, must be briefed as soon as possible. 8 – 5. Training for managers and supervisors Web-based information security training will be completed initially and yearly thereafter for civilian supervisors, officers and enlisted personnel in the grade of corporal and above who manage personnel with security clearances and access to classified information (see para 8–1b and AR 350 – 1). This training is available on ALMS and is currently titled, “Annual Awareness-Managing Soldiers and Civilians with Security Clearance/Access.” Section III Special Requirements 8 – 6. General policy DA personnel in positions which require performance of specified roles in the information security program will be pro- vided security training sufficient to permit quality performance of those duties. The training will be provided before, con- current with, or not later than 6 months following assumption of those positions, unless otherwise specified in this regula- tion. 50 AR 380–5 • 22 October 2019 (4) FGI and NATO information will be reported to the Office of the Under Secretary of Defense (Policy), (OUSD (P)). These reports will be made through command channels through the DCS, G – 2, (DAMI – CD). (5) Classified information involving information technology, information systems, computer systems, terminals, or equipment will be reported in accordance with AR 25 – 2, through appropriate channels by the information assurance (IA) manager to the SM. Inquiries into and the resolution of incidents involving compromise of classified information resident on computers or IT systems, require coordination between IA personnel and security personnel. (6) Any incidents in which a deliberate compromise of classified information or involvement of a foreign intelligence service, international terrorist group, or organization is suspected will be reported to the appropriate Army Counterintelli- gence (CI) agency in accordance with AR 381 – 12. Commands will not initiate or continue an inquiry or investigation of a security incident unless it is fully coordinated with the Army CI agency. (7) Security incidents involving restricted data and/or formerly restricted data. In accordance with the provisions of Public Law 105 – 261, Section 3161 and its implementing plan, the Secretary of Energy must report to Congress inadvertent disclosure of RD or FRD occurring pursuant to automatic declassification processes. ACOMs, ASCCs, and DRUs will notify the DOE as necessary and provide a copy of the notification to the DCS, G – 2, (DAMI – CD) for reporting to the Deputy Assistant Secretary of Defense for Nuclear Matters and the Director of Security, OUSD(I). (8) Security incidents involving apparent violations of criminal law. Any incident in which an apparent violation of criminal law is suspected, but which is reasonably not believed to be espionage or involving matters described in 9-1b(3), will be reported immediately to the U.S. Army Criminal Investigation Command (CID). If CID accepts jurisdiction and initiates an investigation, the reporting organization will not initiate or continue an inquiry or investigation, so as not to jeopardize the integrity of the CID investigation. (9) Security incidents involving classified United States information provided to foreign governments. Actual or sus- pected compromise of U.S. classified information held by foreign governments will be reported to the originating com- mand, the OCA, through the DCS, G – 2 (DAMI – CD) to the Director of Security, OUSD(I), and the Director, International Security Programs, Defense Technology Security Administration, OUSD(P). (10) Security incidents involving improper transfer of classified information. Any DA command or organization that receives classified information that has been improperly handled, addressed, packaged, transmitted, or transported will make a determination as to whether the information has been subjected to compromise. If the command determines that the classified information has been subjected to compromise, the receiving command will immediately notify the sending activity, which will be responsible for initiating an inquiry or investigation, as appropriate. The receiving command will share information generated regarding the incident with the sending activity. The sending activity is responsible for re- quired notifications (for example, to the OCA). Classified information will be considered as having been subjected to compromise if it has been handled through foreign postal systems, its shipping container has been damaged to an extent that the contents are exposed, or it has been transmitted (for example, telephone, facsimile, message, e-mail, computer or data links) over communications circuits that are not approved for transmission of classified information. If the receiving activity determines classified information was not in fact compromised, but was nevertheless improperly prepared or trans- ferred, the receiving activity will report the discrepancy to the sending activity. (11) Security incidents involving contractors. Security incidents, including any inquiries or investigations required, involving contractors that are embedded/integrated will be handled in accordance with AR 380 – 49. Disciplinary action and sanctions are the responsibility of the contractor’s company unless specific contract provisions address such actions. SMs will furnish the results of inquiries to the company, with a copy to DCSA, to facilitate such action. (12) Security incidents involving critical program information. Upon learning that classified critical program infor- mation (CPI) or CPI related to classified contracts may have been or was actually compromised, security officials will inform the program manager of record and the cognizant Army CI agency. 9 – 2. Reporting and notifications a. Anyone finding classified material out of proper control, will take custody of and safeguard the material, if possible, and immediately notify the appropriate security authorities. In all cases, the individual's immediate supervisor is to be notified. b. Any person who becomes aware of the possible loss or potential compromise of classified information will immedi- ately report it to the commander, SM, or other official the commander may direct. c. If the person believes the commander, SM, or other official designated to receive such reports may have been in- volved in the incident, the person making the discovery will report it to the security authorities at the next higher level of command or supervision. d. Security incidents involving the following will be reported immediately through command channels to DCS, G – 2, (DAMI – CD). Where appropriate, a preliminary report will be provided outlining the facts, particularly when the fact of the incident may become public or attract media attention. DCS, G – 2, (DAMI – CD) will be notified of: AR 380–5 • 22 October 2019 51 (1) A violation involving espionage. (2) An unauthorized disclosure of classified information in the public media. See DODM 5200.01, Volume 3 for further procedures and information required in the notification. Additional notification is not required for reference to or republi- cation of a previously identified media disclosure. (3) Any violation wherein properly classified information is knowingly, willfully, or negligently disclosed to unauthor- ized persons or information is marked or is continued as classified in violation of this regulation: (a) Is reported to the oversight committees of Congress; (b) May attract significant public attention; (c) Involves large amounts of classified information; or (d) Reveals a potential systemic weakness in classification, safeguarding, or declassification policy or practices. (4) Any violation wherein a SAP is knowingly, willfully, or negligently created or continued contrary to the require- ments of AR 380 – 381, DOD and national policies. (5) A security failure or compromise of classified information relating to any defense operation, system, or technology that is likely to cause significant harm or damage to U.S. national security interests, for which Congressional reporting may be required by 10 USC 2723. e. Security incidents that do not meet the reporting criteria specified above will be filed in a retrievable format by the command and will be available for inspection or for further analysis, review, and potential investigation. 9 – 3. Security inquiries and investigations When an incident of actual or suspected compromise of classified information is reported, the commander will immediately initiate a written inquiry to determine the facts and circumstances of the incident, and to characterize the incident as an infraction or a violation. a. Report of inquiry will be completed in accordance with DODM 5200.01, Volume 3. The person appointed to conduct the inquiry will have the appropriate security clearance and accesses, the ability and available resources to conduct an effective inquiry, and will not be likely to have been involved, directly or indirectly, in the incident. Except in unusual circumstances, the SM will not be appointed to conduct the inquiry. It is typically the responsibility of the SM, unless command policy states otherwise, to make sure that an official is appointed to conduct the inquiry and to ensure that the inquiry is completed. Advice and assistance may be requested from the supporting CI organization. b. Inquiry reports will be classified, appropriately marked, and handled according to their content; at a minimum, FOUO. c. The inquiry will be initiated and completed as soon as possible but not to exceed 10 duty days, and the report of findings provided to the commander, SM, and others, as appropriate, and in accordance with this regulation and local command policy and procedures. d. The person appointed to conduct the inquiry will notify the OCA, or the originator when the OCA is not known, when it is determined there is a compromise, suspected compromise, or loss of classified information. The OCA will then take actions as required in DODM 5200.01, Volume 3. e. If, at any time during the inquiry, it appears that deliberate compromise of classified information may have occurred, the inquiry will stop and the incident will be immediately reported to the chain of command and supporting CI unit. Ap- parent violations of other criminal law will be reported to the supporting CID. In both cases, coordination with the com- mand's legal counsel is required. f. If the report from the inquiry is not sufficient to resolve the security incident, the command will initiate an investiga- tion under the provisions of AR 15 – 6. The inquiry report will become part of any formal investigation. Report of investi- gation will be completed in accordance with DODM 5200.01, Volume 3. If the inquiry is closed out as a compromise or suspected compromise, the appointing authority will notify the OCA to perform a damage assessment. 9 – 4. Classified information appearing in the public media a. If classified information appears in the public media, including public internet sites, or if approached by a representa- tive of the media, DA personnel will not make any statement or comment that confirms the accuracy of or verify the classified status of the information. Personnel will report the approach immediately to the appropriate command, security, and public affairs personnel. (1) It is essential that DA personnel are careful to neither confirm nor deny the existence of classified information or the accuracy of information in the public media. (2) The news article or other medium will not be marked as classified; however, the written report detailing the discov- ery of the information in the public media will be classified to the level of the information believed to have been compro- mised. Personnel will not discuss the matter with anyone without the express approval of the SM, or an individual so 52 AR 380–5 • 22 October 2019 designated by the SM or commander. An appropriate security clearance and need-to-know is required. No discussions will be made over non-secure circuits. b. Notifications of unauthorized disclosures of classified information in the public media required by paragraph 9–2d will be completed in accordance with DODM 5200.01, Volume 3. 9 – 5. Reporting results of the inquiry a. If the inquiry concludes that a compromise could have occurred, or that a compromise did occur and damage to the national security can result, the official initiating the inquiry will immediately notify the originator of the information or material involved. If the originator was not the original classification authority, the OCA will also be immediately notified. If the originator cannot be determined, the command's ACOM, ASCC, or DRU will be contacted for guidance. The ACOM, ASCC, or DRU will contact the DCS, G – 2, (DAMI – CD) for those cases in which the ACOM, ASCC, or DRU cannot direct the command to the appropriate activity. Notification of the originator and original classification authority will not be delayed pending completion of any additional inquiry or resolution of other related issues. b. If the conclusion of the inquiry is as stated in para 9–5a, the command will report the matter through command channels to its ACOM, ASCC, or DRU, or to the AASA. The ACOM, ASCC, DRU or the AASA will review the report for completeness and adequacy of the investigation. Such reports will be filed and retained for a period no less than 2 years and are subject to HQDA or other appropriate agency oversight. 9 – 6. Reevaluation and damage assessment When notified of possible or actual compromise, the holder of the information or material will ensure that the command with the original classification authority for each item of the information is notified of the incident. The OCA will verify and reevaluate the classification of the information and will conduct a damage assessment in accordance with DODM 5200.01, Volume 3. 9 – 7. Debriefings in cases of unauthorized access In cases where a person has had unauthorized access to classified information, it is advisable to discuss the situation with the individual to enhance the probability that they will appropriately protect it. Whether such a discussion, commonly called a "debriefing," is held, is to be decided by the commander, SM, or other designated official. This decision must be based on the circumstances of the incident, what is known about the person or persons involved, and the nature of the classified information. The following general guidelines apply: a. If the unauthorized access was by a person with the appropriate security clearance but no need to know, debriefing is usually unnecessary. Debriefing is required if the individual is not aware the information is classified and that it needs protection. Inform the person the information is classified and it requires protection. In these cases, the signing of a de- briefing statement is usually not necessary (see para 9–7e). b. If the unauthorized access was by U.S. Government civilian or military personnel without the appropriate security clearance, debriefing will be accomplished. Personnel will be advised of their responsibility to prevent further dissemina- tion of the information and of the administrative sanctions and criminal penalties which might follow if they fail to do so. The debriefing official will make sure the individual understands what classified information is and why its protection is important. c. If the person who had unauthorized access is an employee of a cleared U.S. Government contractor participating in the national industrial security program, the same guidelines apply as for U.S. Government personnel. Coordination with the employing firm's facility security officer is recommended unless such coordination would place the information at increased risk. d. If the person involved is neither U.S. Government personnel, nor an employee of a cleared U.S. Government con- tractor, the decision will be made by the commander. The key question to be decided is whether the debriefing will have any likely positive effect on the person's ability and/or willingness to protect the information. As a general rule, it is often more effective in the long run to explain a mistake occurred and the person had unauthorized access to certain sensitive Government information, which should not have happened and the U.S. Army needs the individual to understand the information must be protected and never further discussed or otherwise revealed to other unauthorized personnel. e. It is useful to have the person being debriefed sign a statement acknowledging the debriefing and their understanding of its contents. This may have a significant psychological effect in emphasizing the seriousness of the situation. If, when asked, the person refuses to sign a debriefing statement, this fact, and their stated reasons for refusing, will be made a matter of record in the inquiry. The nearest CI unit will immediately be notified so that a trained CI investigator can explain the reason for the debriefing and advise the individual that a refusal to sign could indicate an unwillingness to protect classified information and could place their clearance, if held at the time, in jeopardy. AR 380–5 • 22 October 2019 55 AR 190 – 45 Law Enforcement Reporting AR 195 – 2 Criminal Investigation Activities AR 350 – 1 Army Training and Leader Development AR 360 – 1 The Army Public Affairs Program AR 380 – 10 Foreign Disclosure and Contacts with Foreign Representatives AR 380 – 27 Control of Compromising Emanations AR 380 – 28 Army Sensitive Compartmented Information Security Program AR 380 – 40 Safeguarding and Controlling Communications Security Material AR 380 – 49 Industrial Security Program AR 380 – 53 Communications Security Monitoring AR 380 – 67 Personnel Security Program AR 380 – 381 Special Access Programs (SAPs) and Sensitive Activities AR 381 – 12 Threat Awareness and Reporting Program AR 381 – 20 (U) Army Counterintelligence Program (regulation is classified Secret) AR 525 – 13 Antiterrorism AR 530 – 1 Operations Security AR 600 – 8 – 104 Army Military Human Resource Records Management CFR Title 22, Parts 120 through 130 International Traffic in Arms Regulations (Available at http://www.gpo.gov/.) CNSSI No. 4004.1 Committee on National Security Systems Instruction, Destruction and Emergency Protection Procedures for COMSEC and Classified Material (Available at https://www.cnss.gov/cnss/.) DOD 5220.22 – M National Industrial Security Program Operating Manual DODD 3020.40 Mission Assurance (MA) DODD 5000.01 The Defense Acquisition System 56 AR 380–5 • 22 October 2019 DODD 5142.01 Assistant Secretary of Defense for Legislative Affairs (ASD(LA)) DODD 5210.50 Management of Serious Security Incidents Involving Classified Information DODD 5230.09 Clearance of DOD Information for Public Release DODD 5230.11 Disclosure of Classified Military Information to Foreign Governments and International Organizations DODD 5230.20 Visits and Assignments of Foreign Nationals DODD 5405.2 Release of Official Information in Litigation and Testimony by DOD Personnel As Witnesses DODI 3305.13 DOD Security Education, Training, and Certification DODI 5000.02 Operation of the Defense Acquisition System DODI 5200.33 Defense Courier Operations (DCO) DODI 5200.39 Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E) DODI 5210.02 Access to and Dissemination of Restricted Data and Formerly Restricted Data DODI 5210.83 DOD Unclassified Controlled Nuclear Information (UCNI) DODI 5230.24 Distribution Statements on Technical Documents DODI 5230.29 Security and Policy Review of DOD Information for Public Release DODI 5240.04 Counterintelligence (CI) Investigations DODI 5400.04 Provision of Information to Congress DODI 5400.11 DOD Privacy and Civil Liberties Program DODI 5505.02 Criminal Investigations of Fraud Offenses DODI 7650.01 Government Accountability Office (GAO) and Comptroller General Requests for Access to Records DODM 5105.21 V1 – V3 (Three Volumes) Sensitive Compartmented Information (SCI) Administrative Security Manual DODM 5200.02 Procedures for the DOD Personnel Security Program (PSP) DODM 5220.22, Volume 2 National Industrial Security Program: Industrial Security Procedures for Government Activities AR 380–5 • 22 October 2019 57 EO 12333 United States intelligence activities EO 13549 Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities EO 13556 Controlled Unclassified Information FED – STD – 809D Inspection, Maintenance, Neutralization and Repair of GSA Approved Containers and Vault Doors (Available at https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improve- ments/dod_lock.html.) Federal Specification AA – F – 358J Filing Cabinet, Legal and Letter Size, Uninsulated, Security (Available at https://www.navfac.navy.mil/navfac_world- wide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html.) Federal Specification AA – V – 2737 Modular Vault Systems (Available at https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/prod- ucts_and_services/capital_improvements/dod_lock.html.) Federal Specification FED – STD 832 Construction Methods and Materials for Vaults (Available at https://www.navfac.navy.mil/navfac_worldwide/spe- cialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html.) Federal Specification FF – L – 2740B Locks, Combination, Electromechanical (Available at https://www.navfac.navy.mil/navfac_worldwide/specialty_cen- ters/exwc/products_and_services/capital_improvements/dod_lock.html.) Federal Specification FF – L – 2937 Mechanical Combination Locks (Available at https://www.navfac.navy.mil/navfac_worldwide/specialty_cen- ters/exwc/products_and_services/capital_improvements/dod_lock.html.) Federal Specification FF – P – 110 Combination Padlocks (Available at https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/prod- ucts_and_services/capital_improvements/dod_lock.html.) MIL – HDBK – 1013/1A Design Guidelines for Physical Security of Facilities (Available at https://www.navfac.navy.mil/navfac_worldwide/spe- cialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html.) NSA/CSS EPL 02 – 01 NSA/CSS Evaluated Products List for High Security Crosscut Paper Shredders (Available at https://www.nsa.gov/.) NSA/CSS EPL 02 – 02 NSA/CSS Evaluated Products List for High Security Disintegrators (Available at https://www.nsa.gov/.) NSA/CSS Policy Manual No. 3 – 16 Control of Communications Security (COMSEC) Material (Available to authorized recipients at www.iad.nsa.smil.mil/re- sources/library/nsa_office_of_policy_section/index.cfm.) NSTISSI 7003 Protected Distribution Systems (Available at https://www.cnss.gov/.) PL 105 – 261 Strom Thurmond National Defense Authorization Act for Fiscal Year 1999 (also known as “The Kyl-Lott Amendment”) (Available at https://www.archives.gov/federal-register/laws/past.) PL 106 – 65 National Defense Authorization Act for Fiscal Year 2000 (Available at https://www.archives.gov/federal-regis- ter/laws/past.) 60 AR 380–5 • 22 October 2019 Appendix B Internal Control Evaluation B – 1. Function This internal control evaluation assesses the command’s Information Security Program, including key controls in the fol- lowing areas: classification, downgrading/upgrading, declassification, marking, transmission, transportation, and safe- guarding of classified information. B – 2. Purpose The purpose of this evaluation is to assist commanders and SMs in evaluating key internal controls outlined below. It is not intended to cover all controls nor are all questions listed applicable to all levels of commands. B – 3. Instructions Answers must be based on the actual testing of key internal controls (for example, through document analysis, direct observation, sampling, or other method). Answers that indicate deficiencies must be explained, and the corrective action identified in supporting documentation. These internal controls must be evaluated at least once every 5 years. Certification that the evaluation has been conducted must be accomplished on DA Form 11 – 2 (Internal Control Evaluation Certifica- tion). B – 4. Test questions a. General provisions and program management. Does the DCS, G – 2 (DAMI – CD): (1) Ensure that policy, procedures, and programs are developed for the implementation of EO 13526 and DOD issu- ances? (2) Monitor, evaluate, and report on the administration of the Army Information Security Program? (3) Ensure that ACOMs, ASCCs, and DRUs establish and maintain ongoing self-inspection programs that include their subordinate commands, and cover periodic reviews and assessments of their classified and controlled unclassified infor- mation? (4) Coordinate information security matters pertaining to classified material that originated in an Army command that no longer exists and for which there is no successor in function, where applicable? (5) Delegate Secret and Confidential original classification authority to other Army officials, where applicable? (6) Commit needed resources for effective policy development and oversight of the programs established by this regu- lation? b. Responsibilities of the commander. Does the Commander— (1) Establish written local information security policies and procedures? (2) Initiate and supervise measures or instructions necessary to ensure continual control of classified information and materials? (3) Assure that persons requiring access to classified information are properly cleared? (4) Continually assess the individual trustworthiness of personnel who possess a security clearance? (5) Designate a SM by written appointment and of sufficient rank or grade to effectively discharge assigned duties and responsibilities? (6) Make sure the SM is afforded security training consistent with the duties assigned? (7) Make sure adequate funding and personnel are available to allow security management personnel to manage and administer applicable information security program requirements? (8) Review and inspect annually the effectiveness of the Information Security Program in subordinate commands? (9) Make sure prompt and appropriate responses are given, or forward for higher echelon decision, any problems, sug- gestions, requests, appeals, challenges, or complaints arising out of the implementation of this regulation? c. Responsibilities of the security manager. Does the SM— (1) Advise and represent the commander on matters related to the classification, downgrading, declassification, and safeguarding of national security information? (2) Establish and implement an effective security education program, as required by chapter 8 of this regulation? (3) Establish procedures for assuring that all persons handling classified material are properly cleared? (4) Advise and assist officials on classification problems and the development of classification guidance? (5) Ensure that security classification guides (SCGs) are properly prepared and maintained? (6) Conduct a periodic review of classifications assigned within the activity to ensure that classification decisions are proper? AR 380–5 • 22 October 2019 61 (7) Review all classified documents, in coordination with the organization or command records management officer, to ensure consistency with operational and statutory requirements? (8) Continually reduce, by declassification, destruction, or retirement, unneeded classified material? (9) Submit Standard Form 311 (Agency Security Classification Management Program Data) to DCS, G – 2 (DAMI – CDS), annually, as required by this regulation? (10) Supervise or conduct security inspections and spot checks and notify the commander regarding compliance with this regulation and other applicable security directives? Assist and advise the commander on matters pertaining to the enforcement of regulations governing the dissemination, reproduction, transmission, safeguarding, and destruction of clas- sified material? (11) Make recommendations on requests for visits by foreign nationals and foreign government representatives? Pro- vide security and disclosure guidance if visit is approved? (12) Ensure the completion of inquiries and the reporting of security violations, including compromises or other threats to the safeguarding of classified information? (13) Advise the decision official concerning potential violations, and/or corrective actions that could be taken concern- ing security violations? (14) Make sure proposed public releases on classified programs pursuant to the FOIA are reviewed to preclude the release of classified information or CUI? (15) Establish and maintain visit control procedures for visitors who are authorized access to classified information? (16) Issue contingency plans for the emergency destruction of classified information and, where necessary, for the safeguarding of classified information used in or near hostile or potentially hostile areas? (17) Report data as required by this regulation? d. Responsibilities of the supervisor. Does the Supervisor— (1) Make sure subordinate personnel who require access to classified information are properly cleared and are given access only to that information for which they have a need–to–know? (2) Make sure subordinate personnel are trained in, understand, and follow the requirements of this regulation and local command policy and procedures concerning the information security program? (3) Continually assess security clearance eligibility for access to classified information of subordinate personnel and report to the SM any information that may have a bearing on that eligibility? (4) Supervise personnel in the execution of procedures necessary to allow the continuous safeguarding and control of classified information? (5) Include the management of classified information as a critical element/item/objective in personnel performance evaluations? (6) Is classified material identified clearly by marking, designations, electronic labeling, or if physical marking of the medium is not possible, by some other means? (7) Does the SM ensure that marking is completed in accordance with DODM 5200.01, Volume 2, as stated throughout this regulation? e. Classification management. (1) Are personnel designated, in writing, by either the Secretary of the Army (SECARMY) or DCS, G – 2, as original classification authorities where applicable? (2) Are requests for original classification authority submitted through command channels to DCS, G – 2, (DAMI – CD)? (3) Do officials who have been delegated authority as an OCA receive training, as required by chapters 2 and 8 of this regulation, before exercising this authority? (4) Do derivative classifiers make sure that the classification is properly applied based on the original source material marking and local SCGs? (5) Do personnel applying derivative classification: (a) Observe and respect the classification determinations made by original classification authorities? (b) Apply markings or other means of identification to the derivatively classified material, as required by DODM 5200.01, Volume 2, at the level and for the duration specified by the classification guide or source document? (c) Use only authorized sources such as classification guides, other forms of official classification guidance, and mark- ings on source material from which the information is extracted, to determine the material’s classification? (d) Use caution when paraphrasing or restating information extracted from a classified source to determine whether the classification could have been changed in the process? (e) Make a list of sources used when material is derivatively classified based on “Multiple Sources” (more than one SCG, classified source document, or any combination)? Is a copy of this list included in or attached to the file and/or record copy of the material? 62 AR 380–5 • 22 October 2019 (f) Contact the classifier of the source document for resolution in cases in which the derivative classifier believes the classification applied to the information is not accurate? (6) Are derivative classifiers receiving the required training, as required in chapter 8 of this regulation? (7) In making a decision to originally classify an item of information, do OCAs: (a) Determine that the information has not already been classified? (b) Determine that the information is eligible for classification pursuant to paragraph 2 – 8 of this regulation? (c) Determine that classification of the information is a realistic course of action and that it can only be protected from unauthorized disclosure when classified? (d) Decide that unauthorized disclosure of the information could reasonably be expected to cause damage to the Na- tional Security that this disclosure is identifiable and can be described? (e) Select the appropriate level or category of classification to be applied to the information, based on a judgment as to the degree of damage unauthorized disclosure could cause? (f) Determine and include the appropriate declassification, and when applicable, downgrading instruction to be applied to the information? (g) Make sure that the classification decision is properly communicated so that the information will receive appropriate protection? (8) U.S. classification can only be applied to information that is owned by, produced by or for, or is under the control of the U.S. Government. Does the OCA determine that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, and that the information falls within one or more of the categories specified in EO 13526, Section 1.4? (9) Does the OCA determine that, if classification is applied or reapplied, there is a reasonable possibility that the information will be provided protection from unauthorized disclosure? (10) Once a decision is made to classify, information will be classified at one of three levels. For each level, is the OCA able to identify or describe the damage that unauthorized disclosure reasonably could be expected to cause to the national security? (11) Is information declassified as soon as it no longer meets the standards for classification? (12) At the time of original classification, does the OCA attempt to establish a specific date or event for declassification based upon the duration of the national security sensitivity of the information? (13) Is a SCG issued for each, plan, program, project, or operation in which classified information is involved? (14) Do SCGs, at a minimum, include the information outlined in paragraph 2 – 17? (15) Are SCGs personally approved in writing by the OCA who is authorized to classify information at the highest level designated by the guide, and who has program support or supervisory responsibility for the information or for the organization’s Information Security Program? (16) Are SCGs distributed to those commands, contractors, or other activities expected to be derivatively classifying information covered by the guide? (17) Are SCGs revised whenever necessary to promote effective derivative classification? (18) Are SCGs reviewed by the originator for currency and accuracy at least once every five years, or if concerning a defense acquisition program, prior to each acquisition program milestone, whichever occurs first? (19) Does the commander establish procedures through which authorized holders of classified information, within their commands, can challenge a classification decision, and make sure that command personnel are made aware of the estab- lished procedures? (20) Does each OCA: (a) Establish a system for processing, tracking, and recording formal challenges to classification? (b) Provide an acknowledgment or written response to the challenge within 60 calendar days following the receipt of the challenge? (c) Advise the challenger of the right to appeal the decision, if the challenge is denied and the OCA determines that the information is properly classified? (d) Ensure information that is the subject of a classification challenge, continues to be classified and appropriately safeguarded until a decision is made to declassify it? f. Declassification, downgrading, upgrading, and destruction. (1) Is information declassified when it no longer meets the standards and criteria for classification? (2) Do ACOMS, ASCCs, and DRUs establish programs to make sure that records are reviewed and either declassified or exempted prior to the date for automatic declassification? (3) Is declassification of RD and FRD information only with the express specific approval of the OCA for the infor- mation? AR 380–5 • 22 October 2019 65 (d) When taken out of service, and are built–in combination locks reset to the standard combination in accordance with paragraph 6 – 8? (7) Is the combination of a container, vault or secure room used for the storage of classified information treated as information having a classification equal to the highest category of the classified information stored inside? (8) Is a record maintained for each vault or secure room door, or container used for storage of classified information, using SF 700 (Security Container Information)? (9) Is access to the combination of a vault or container used for the storage of classified information granted only to those individuals who are authorized access to the classified information that is to be stored inside? (10) Are entrances to secure rooms or areas either under visual control at all times during duty hours to preclude entry by unauthorized personnel, or are the entrances equipped with electric, mechanical, or electro–mechanical access control devices to limit access during duty hours? (11) Have there been unapproved modifications or repairs to security containers and vault doors? (Considered a viola- tion of the container’s or door’s integrity and the GSA label will be removed). If so, has the GSA label been removed? (12) Have commands established procedures concerning repair and maintenance of classified material security contain- ers, vaults, and secure rooms, to include a schedule for periodic maintenance? (13) Is security equipment inspected before turn–in or transfer to ensure that classified material is not left in the con- tainer? j. Transmission and transportation. (1) Have commands established local procedures to meet the minimum requirements to minimize risk of compromise while permitting use of the most effective transmission or transportation means? (2) Is Top Secret information transmitted only as outlined in paragraph 7 – 3? (3) Is Secret information transmitted only as outlined in paragraph 7 – 4? (4) Is Confidential information transmitted only as outlined in paragraph 7 – 5? (5) Is classified information or material approved for release to a foreign government in accordance with AR 380 – 10? (6) If required, is the material transferred only between authorized representatives of each government in compliance with the provisions of chapter 7 of this regulation? (7) When classified material is hand-carried for delivery to a foreign government representative, or when classified information is discussed with or otherwise disclosed to foreign national personnel, are the requirements of AR 380 – 10 strictly followed? (8) Where applicable, have commands established procedures for shipment of bulk classified material as freight, to include provisions for shipment in closed vehicles when required, appropriate notice to the consignee concerning the ship- ment, procedures at transshipment activities, and action to be taken in case of non–delivery or unexpected delay in deliv- ery? (9) When classified information is transferred, is it enclosed in two opaque, sealed envelopes, wrappings, or containers, durable enough to properly protect the material from accidental exposure and to ease in detecting tampering, except where exempted by paragraph 7 – 8? (10) Is the outer envelope or container for classified material addressed to an official government activity or to a DOD contractor with a facility clearance and appropriate storage capability? (11) Does the inner envelope or container show the address of the receiving activity, the address of the sender, the highest classification of the contents, including, where appropriate, any special markings, and any other special instruc- tions? (12) Is the requirement that the outer envelope or single container not bear a classification marking or any other unusual marks that might invite special attention to the fact that the contents are classified strictly followed? (13) Is hand-carrying of classified material limited to situations of absolute necessity and carried out to make sure it does not pose an unacceptable risk to the information? (14) Do responsible officials provide a written statement to all individuals escorting or carrying classified material authorizing such transmission? (15) Do travelers who are authorized to carry classified material on international flights, or by surface conveyance if crossing international borders, have courier orders? (16) Is the individual designated as courier in possession of a DOD or contractor–issued CAC that includes a photo- graph, descriptive data, and signature of the individual? (If the identification card does not contain date of birth, height, weight, and signature, these items must be included in the written authorization.) k. Security education and training. (1) Has the commander established a Security Education and Awareness Program? (2) Have all DA personnel completed the initial security orientation, and annual training in accordance with chapter 8 of this regulation? 66 AR 380–5 • 22 October 2019 (3) Before being granted access to classified information, have all employees signed a SF 312? (4) Are DA personnel, who are in positions which require performance of specified roles in the Information Security Program, provided security education sufficient to permit quality performance of those duties? (5) Is the training provided before, concurrent with, or not later than six months following assumption of those posi- tions, unless otherwise noted? (6) Are officials who have been granted original classification authority trained in their responsibilities before they exercise the delegated authority, and annually thereafter? (7) Has the OCA certified in writing that they received the training? (8) Are all DA personnel, whose responsibilities include derivative classification, trained in requirements and proce- dures appropriate to the information and material they will be classifying, to include the proper use of classification guides and source documents, and before exercising any derivative classifications? (9) Are SMs, security staff members, and others with significant responsibility for management of the Information Security Program, trained and educated to fulfill their roles? (10) Are DA personnel that have been briefed on their responsibilities for protecting U.S. classified information, briefed simultaneously on the requirements for protecting NATO information? (11) Do commands include in their security education programs, either in the general program or as part of special briefings to select personnel affected, provisions regarding special education and training for personnel who: (a) Use information systems to store, process, or transmit classified information? (b) Will be traveling to foreign countries where special concerns about possible exploitation exist or will be attending professional meetings or conferences where foreign attendance is likely? (c) Will be escorting, hand-carrying, or serving as a courier for classified material? (d) Are authorized access to classified information requiring special control or safeguarding measures? (e) Are involved with international programs? (12) Do commanders ensure that security education programs are appropriately evaluated during self–inspections and during oversight activities of subordinate commands or organizational units? (13) Do commands ensure that security education programs incorporate or provided separately training related to the protection, handling, and safeguarding of CUI? (14) Do commands maintain a record of the programs offered and of the personnel that participated? Are these records maintained for two years and available for review during oversight inspections and assistance visits? l. Security incidents and reporting involving classified information. (1) Are personnel aware of their responsibilities in the event of an actual or possible compromise or loss of classified information or material? (2) When an incident of possible loss or compromise of classified information is reported, does the command immedi- ately initiate an inquiry into the incident? (3) Does the person appointed to conduct the inquiry have the appropriate security clearance, the ability and available resources to conduct an effective inquiry, and is not likely to have been involved, directly or indirectly, in the incident? (4) In cases of apparent loss of classified material, has the person conducting the inquiry ensured that a thorough search for the material has been conducted, and has documented the steps taken to locate the material? (5) Does the inquiry sufficiently answer the questions outlined in DODM 5200.01, Volume 3? (6) If at any time during the inquiry, it appears that deliberate compromise of classified information may have occurred, has the situation been immediately reported to the chain of command and supporting counterintelligence unit? (7) Have apparent violations of other criminal law been reported to the supporting criminal investigative activity? When notified of possible or actual compromise, has the holder of that information or material ensured that the OCA responsible for each item of information, was notified of the incident? (8) If classified information appears in the public media, including public internet sites, or if approached by a repre- sentative of the media or other individual, are personnel briefed on not making any statement or comment that confirms the accuracy of or verifies the classified status of the information, and to report the contact immediately to the appropriate command security and public affairs authorities? (9) In cases where a person has had unauthorized access to classified information, has the person been debriefed to enhance the probability that they will properly protect it? (10) Have ACOMS, ASCCs, and DRUs established necessary reporting and oversight mechanisms to make sure that inquiries are conducted, when required, that they are done in a timely and effective manner, and that appropriate manage- ment action is taken to correct identified problem areas? (11) Have ACOMS, ASCCs, and DRUs established a system of controls and procedures to make sure that reports of security inquiries and damage assessments are conducted, when required, and that their results are available as needed? AR 380–5 • 22 October 2019 67 (12) When an individual who has had access to classified information is absent without authorization, commits or at- tempts to commit suicide, or is temporarily or permanently incapacitated, has the command inquired into the situation to see if there are indications of activities, behavior, or associations, that could indicate classified information might be at risk? B – 5. Comments Help make this a better tool for evaluating internal controls. Submit comments to the DCS, G – 2 (DAMI – CDS), 1000 Army Pentagon, Room 2D350, Washington, DC 20310 – 1000. B – 6. Supersession This evaluation replaces the checklist previously published in AR 380 – 5, dated 29 September 2000. 70 AR 380–5 • 22 October 2019 DoS Department of State DRU direct reporting unit DTIC Defense Technical Information Center DTS Defense Transportation System DVD Digital versatile disc EO Executive Order EPL evaluated products list FAX facsimile FED – STD Federal Standard FGI foreign government information FOIA Freedom of Information Act FOUO for official use only FRD formerly restricted data GAO General Accounting Office GC general counsel GPO Government Printing Office GS general schedule GSA General Services Administration HQDA Headquarters, Department of the Army ID identification IDE intrusion detection equipment IDS Intrusion Detection System IG inspector general AR 380–5 • 22 October 2019 71 IR&D independent research and development IS Information System ISCAP Interagency Security Classification Appeals Panel ISOO Information Security Oversight Office IT information technology JCS Joint Chiefs of Staff JPAS Joint Personnel Adjudication System MDR mandatory declassification review MIL – HDBK Military Handbook MIL – STD Military Standard NATO North Atlantic Treaty Organization NDA nondisclosure agreement NDP National Disclosure Policy NIPRNET non-classified internet protocol router network NSA National Security Agency NSTISSI National Security Telecommunications and Information Systems Security Instruction OADR Originating Agency’s Determination Required OCA original classification authority OCONUS outside the continental United States OMB Office of Management and Budget OPF official personnel folder (file) OPSEC operations security OUSD(I) Office of the Under Secretary of Defense (Intelligence) 72 AR 380–5 • 22 October 2019 OUSD(P) Office of the Under Secretary of Defense (Policy) PA public affairs PED personal electronic device PIN personal identification number RD restricted data RDT&E research, development, test, and evaluation RMDA Records Management and Declassification Agency S Secret SAP Special Access Program SBU sensitive but unclassified SCG security classification guide SCI sensitive compartmented information SCIF sensitive compartmented information facility SEALS Security Equipment and Locking Systems SECARMY Secretary of the Army SF Standard Form SIGINT signals intelligence SIGSEC signals security SIPRNET secret internet protocol router network SM security manager SNM special nuclear material STE secure terminal equipment TDA tables of distribution and allowances AR 380–5 • 22 October 2019 75 Damage to the National Security Defined in DODM 5200.01, Volume 3. Declassification Defined in DODM 5200.01, Volume 1. Declassification authority Defined in DODM 5200.01, Volume 3. Declassification guide Defined in DODM 5200.01, Volume 3. Department of Defense Component Defined in DODM 5200.01, Volume 1. Department of the Army personnel Includes any Regular Army, U.S. Army Reserve, or ARNG/Army National Guard of the United States military personnel assigned or attached to a Department of the Army installation or activity, and civilian persons employed by, assigned to, or acting for an activity within the Department of the Army. Derivative classification Defined in DODM 5200.01, Volume 3. Document Defined in DODM 5200.01, Volume 3. Downgrading Defined in DODM 5200.01, Volume 3. Escort Defined in DODM 5200.01, Volume 3. Event An occurrence or happening that is reasonably certain to occur, and which can be set as the signal for automatic declassi- fication of information. Exception Defined in DODM 5200.01, Volume 1. File series Defined in DODM 5200.01, Volume 1. For official use only Defined in DODM 5200.01, Volume 1. Foreign Government Information Defined in DODM 5200.01, Volume 3. Foreign Government representative For the purposes of this regulation, foreign nationals or U.S. citizens or nationals who are acting as representatives of either a foreign government or a firm or person sponsored by a foreign government. These individuals may interact officially with DA elements only in support of an actual or potential U.S. Government program (for example, Foreign Military Sales, U.S. government contract, or international agreement). Foreign Nationals A person who is not a citizen or national of the U.S. or its territories. This definition does not include permanent residents (formerly immigrant aliens, resident aliens, or intending U.S. citizens). For the purposes of this regulation, a private non- U.S. citizen or national having no official affiliation with their government of origin. See definition of foreign government representative. Formerly restricted data Defined in DODM 5200.01, Volume 3. Hard copy Printed format output of a document. 76 AR 380–5 • 22 October 2019 Information Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the U.S. Government. Information security Defined in DODM 5200.01, Volume 1. Information System An assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, dissemi- nate, process, store, or control data or information. Infraction Defined in DODM 5200.01, Volume 3. Inquiry Defined in DODM 5200.01, Volume 3. Integrity Defined in DODM 5200.01, Volume 3. Intelligence activity An activity that an agency within the intelligence community is authorized to conduct under EO 12333. Investigation Defined in DODM 5200.01, Volume 3. Loss The inability to physically locate or account for classified information. Mandatory declassification review Review for declassification of classified information in response to a request for declassification that meets the require- ments under EO 13526, Section 3.5. Material Defined in DODM 5200.01, Volume 1. National Security Defined in DODM 5200.01, Volume 1. Need to know Defined in DODM 5200.01, Volume 3. Network Defined in DODM 5200.01, Volume 3. Nickname Defined in DODM 5200.01, Volume 3. Open storage An area constructed in accordance with this regulation and authorized by the commander or other official where so desig- nated for open storage of classified information. Operations security The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with the planning and conducting of military operations and other activities. Original classification Defined in DODM 5200.01, Volume 1. Original classification authority In addition to the DODM 5200.01, Volume 3 definition, this term also includes: An individual’s position, which has been authorized in writing, either by the President, Secretary of the Army, or the DCS, G – 2 to originally classify information up to and including a certain classification level. Permanent historical value In addition to the DODM 5200.01, Volume 3 definition, this term also includes: Those records that have been identified in an agency records schedule as being permanently valuable. For Army records, see AR 25 – 400 – 2. AR 380–5 • 22 October 2019 77 Personal identifier Any grouping of letters or numbers, used in an organization code, that the command uses to identify a position. Personally identifiable information Defined in DODM 5200.01, Volume 3. Restricted data Defined in DODM 5200.01, Volume 3. Safeguarding Defined in DODM 5200.01, Volume 3. Secret Defined in DODM 5200.01, Volume 1. Secure room Defined in DODM 5200.01, Volume 3 (see open storage definition). Security classification guide Defined in DODM 5200.01, Volume 1. Security clearance Defined in DODM 5200.01, Volume 1. Security educator Person(s) responsible for providing security training as outlined in chapter 8 of this regulation. Security–in–depth In addition to the DODM 5200.01, Volume 3 definition, this term also includes: A determination by the commander or other official where so designated, that a facility’s security program consists of layered and complementary security con- trols sufficient to deter and detect unauthorized entry and movement within the facility. Examples include, but are not limited to use of perimeter fences, employee and visitor access controls, use of an Intrusion Detection System, random guard patrols throughout the facility especially during nonworking hours, closed circuit video monitoring or other safe- guards that mitigate the vulnerability of unalarmed open storage areas and security containers during nonworking hours. Self–inspection Defined in DODM 5200.01, Volume 3. Senior agency official In addition to the DODM 5200.01, Volume 3 definition, this term also includes: Within the Department of the Army, the Secretary of the Army has appointed the DCS, G – 2 as the Senior Agency Official. Sensitive but unclassified Defined in DODM 5200.01, Volume 4. Sensitive Compartmented Information Facility Defined in DODM 5105.21 Sensitive Information Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an executive order or an Act of Congress to be kept Secret in the interest of national defense or foreign policy. Soft Copy A document that is in digital format, either on an IS or storage media. Source Document An existing document that contains classified information that is incorporated, paraphrased, restated, or generated in new form into a new document. Special Access Program Defined in DODM 5200.01, Volume 1. UNCLASSIFIED PIN 004067–000