联邦纪事:1999年9月24日(64卷,185号)
条款和规则
第51853-51858
国家档案和记录管理局_______________________________________________________________________信息安全监督办公室_______________________________________________________________________ 32 CFR 2004年部分保障国家安全机密信息;最终规则[[页51854]国家档案和记录管理局信息安全监督办公室32 CFR 2004年部分RIN 3095-AA95维护国家安全机密情报局:信息安全监督办公室(ISOO),国家档案和记录管理局(NARA)。作用:最终规则。-----------------------------------------------------------------------摘要:本最终规则颁布关于维护国家安全机密的信息,它适用于联邦机构一个新的指令。它实现了第12958号行政命令,国家安全机密信息的规定,属于该处理,储存,分发,传送,破坏,占机密信息。生效日期:10月25日,1999年。欲了解更多信息,请联系:丹L.雅各布森,员工主任,美国国家安全政策委员会,电话703-602-1030;或者史蒂芬加芬克尔,主任,ISOO,电话202-219-5250。补充信息:在第12958号行政命令的按照第5(C),“国家安全机密信息,”总统已经批准该指令为维护机密信息包含在此最终规则。我谨代表美国安全政策委员会,其编制的指令,并在总统行政办公室的方向,NARA / ISOO发布此指令在2004年部分标题32,联邦法规。 This Directive complements and supplements the ISOO regulations in 32 CFR Chapter XX, which also implement particular provisions of E.O. 12958. Most specifically, this Directive should be read in conjunction with the Directive contained in 32 CFR part 2001 and with E.O. 12958. This rule is being issued as a final rule without prior notice of proposed rulemaking as allowed by the Administrative Procedure Act, 5 U.S.C. 553(b)(3)(A) for rules of agency procedure. This rule is not a significant regulatory action for the purposes of Executive Order 12866. This rule is not a major rule as defined in 5 U.S.C. Chapter 8, Congressional Review of Agency Rulemaking. As required by the Regulatory Flexibility Act, we certify that this rule will not have a significant impact on a substantial number of small entities because it applies only to Federal agencies. List of Subjects in 32 CFR Part 2004 Archives and records, Authority delegations (Government agencies), Classified information, Executive orders, Freedom of information, Information, Intelligence, National defense, National security information, Presidential document, Security information, Security measures. For the reasons set forth in the preamble, NARA adds new part 2004 to Chapter XX of title 32, Code of Federal Regulations, as follows: PART 2004--DIRECTIVE ON SAFEGUARDING CLASSIFIED NATIONAL SECURITY INFORMATION: Sec. 2004.1 Authority. 2004.2 General. 2004.3 Definitions. 2004.4 Responsibilities of holders. 2004.5 Standards for security equipment. 2004.6 Storage. 2004.7 Information controls. 2004.8 Transmission. 2004.9 Destruction. 2004.10 Loss, possible compromise or unauthorized disclosure. 2004.11 Special access programs. 2004.12 Telecommunications, automated information systems and network security. 2004.13 Technical security. 2004.14 Emergency authority. Appendix A to Part 2004--Open Storage Areas. Appendix B to Part 2004--Foreign Government Information. Authority: E.O. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 333. Sec. 2004.1 Authority. This Directive is issued pursuant to Section 5.2 (c) of Executive Order (E.O.) 12958, "Classified National Security Information." The E.O. and this Directive set forth the requirements for the safeguarding of classified national security information (hereinafter classified information) and are applicable to all U.S. Government agencies. Sec. 2004.2 General. (a) Classified information, regardless of its form, shall be afforded a level of protection against loss or unauthorized disclosure commensurate with its level of classification. (b) Except for NATO and other foreign government information, agency heads or their designee(s) (hereinafter referred to as agency heads) may adopt alternative measures, using risk management principles, to protect against loss or unauthorized disclosure when necessary to meet operational requirements. When alternative measures are used for other than temporary, unique situations, the alternative measures shall be documented and provided to the Director, Information Security Oversight Office (ISOO), to facilitate that office's oversight responsibility. Upon request, the description shall be provided to any other agency with which classified information or secure facilities are shared. In all cases, the alternative measures shall provide protection sufficient to reasonably deter and detect loss or unauthorized disclosure. Risk management factors considered will include sensitivity, value and crucial nature of the information; analysis of known and anticipated threats; vulnerability; and countermeasures benefits versus cost. (c) NATO classified information shall be safeguarded in compliance with U.S. Security Authority for NATO Instructions I-69 and I-70. Other foreign government information shall be safeguarded as described herein for U.S. information except as required by an existing treaty, agreement or other obligation (hereinafter, obligation). When the information is to be safeguarded pursuant to an existing obligation, the additional requirements at Appendix B may apply to the extent they were required in the obligation as originally negotiated or are agreed upon during amendment. Negotiations on new obligations or amendments to existing obligations shall strive to bring provisions for safeguarding foreign government information into accord with standards for safeguarding U.S. information as described in this Directive. (d) An agency head who originates or handles classified information shall refer any matter pertaining to the implementation of this Directive that he or she cannot resolve to the Director, ISOO for resolution. Sec. 2004.3 Definitions. (a) Open storage area. An area, constructed in accordance with Appendix A and authorized by the agency head for open storage of classified information. (b) Authorized person. A person who has a favorable determination of eligibility for access to classified information, has signed an approved nondisclosure agreement, and has a need-to-know for the specific classified information in the performance of official duties. (c) Cleared commercial carrier. A carrier that is authorized by law, regulatory body, or regulation, to transport SECRET and CONFIDENTIAL [[Page 51855]] material and has been granted a SECRET facility clearance in accordance with the National Industrial Security Program. (d) Security-in-depth. A determination by the agency head that a facility's security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an Intrusion Detection System (IDS), random guard patrols throughout the facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms and security storage cabinets during non-working hours. (e) Vault. An area approved by the agency head which is designed and constructed of masonry units or steel lined construction to provide protection against forced entry. A modular vault approved by the General Services Administration (GSA) may be used in lieu of a vault as prescribed in the first sentence of this paragraph (e). Vaults shall be equipped with a GSA-approved vault door and lock. Sec. 2004.4 Responsibilities of holders. Authorized persons who have access to classified information are responsible for: (a) Protecting it from persons without authorized access to that information, to include securing it in approved equipment or facilities whenever it is not under the direct control of an authorized person; (b) Meeting safeguarding requirements prescribed by the agency head; and (c) Ensuring that classified information is not communicated over unsecured voice or data circuits, in public conveyances or places, or in any other manner that permits interception by unauthorized persons. Sec. 2004.5 Standards for security equipment. The Administrator of General Services shall, in coordination with agency heads originating classified information, establish and publish uniform standards, specifications and supply schedules for security equipment designed to provide secure storage for and destruction of classified information. Whenever new security equipment is procured, it shall be in conformance with the standards and specifications established by the Administratior of General Services, and shall, to the maximum extent possible, be of the type available through the Federal Supply System. Sec. 2004.6 Storage. (a) General. Classified information shall be stored only under conditions designed to deter and detect unauthorized access to the information. Storage at overseas locations shall be at U.S. Government controlled facilities unless otherwise stipulated in treaties or international agreements. Overseas storage standards for facilities under a Chief of Mission are promulgated under the authority of the Overseas Security Policy Board. (b) Requirements for physical protection. (1) Top Secret. Top Secret information shall be stored by one of the following methods: (i) In a GSA-approved security container with one of the following supplemental controls: (A) Continuous protection by cleared guard or duty personnel; (B) Inspection of the security container every two hours by cleared guard or duty personnel; (C) An Intrusion Detection System (IDS) with the personnel responding to the alarm arriving within 15 minutes of the alarm annunciation [Acceptability of Intrusion Detection Equipment (IDE): All IDE must be UL-listed (or equivalent as defined by the agency head) and approved by the agency head. Government and proprietary installed, maintained, or furnished systems are subject to approval only by the agency head.]; or (D) Security-In-Depth conditions, provided the GSA-approved container is equipped with a lock meeting Federal Specification FF-L- 2740. (ii) An open storage area constructed in accordance with Appendix A, which is equipped with an IDS with the personnel responding to the alarm arriving within 15 minutes of the alarm annunciation if the area is covered by Security-In-Depth or a five minute alarm response if it is not. (iii) An IDS-equipped vault with the personnel responding to the alarm arriving within 15 minutes of the alarm annunciation. (2) Secret. Secret information shall be stored by one of the following methods: (i) In the same manner as prescribed for Top Secret information; (ii) In a GSA-approved security container or vault without supplemental controls; or (iii) In either of the following: (A) Until October 1, 2012, in a non-GSA-approved container having a built-in combination lock or in a non-GSA approved container secured with a rigid metal lockbar and an agency head approved padlock; or (B) An open storage area. In either case, one of the following supplemental controls is required: (1) The location that houses the container or open storage area shall be subject to continuous protection by cleared guard or duty personnel; (2) Cleared guard or duty personnel shall inspect the security container or open storage area once every four hours; or (3) An IDS (per paragraph (b)(1)(i)(C) of this section) with the personnel responding to the alarm arriving within 30 minutes of the alarm annunciation. [In addition to one of these supplemental controls specified in paragraphs (b)(2)(iii)(B)(1) through (3), security-in- depth as determined by the agency head is required as part of the supplemental controls for a non-GSA approved container or open storage area storing Secret information.] (3) Confidential. Confidential information shall be stored in the same manner as prescribed for Top Secret or Secret information except that supplemental controls are not required. (c) Combinations. Use and maintenance of dial-type locks and other changeable combination locks. (1) Equipment in service. The classification of the combination shall be the same as the highest level of classified information that is protected by the lock. Combinations to dial-type locks shall be changed only by persons having a favorable determination of eligibility for access to classified information and authorized access to the level of information protected unless other sufficient controls exist to prevent access to the lock or knowledge of the combination. Combinations shall be changed under the following conditions: (i) Whenever such equipment is placed into use; (ii) Whenever a person knowing the combination no longer requires access to it unless other sufficient controls exist to prevent access to the lock; or (iii) Whenever a combination has been subject to possible unauthorized disclosure. (2) Equipment out of service. When security equipment is taken out of service, it shall be inspected to ensure that no classified information remains and the built-in combination lock shall be reset to a standard combination. (d) Key operated locks. When special circumstances exist, an agency head may approve the use of key operated locks for the storage of Secret and Confidential information. Whenever such locks are used, administrative procedures for the control and accounting of keys and locks shall be established. [[Page 51856]] Sec. 2004.7 Information controls. (a) General. Agency heads shall establish a system of control measures which assure that access to classified information is limited to authorized persons. The control measures shall be appropriate to the environment in which the access occurs and the nature and volume of the information. The system shall include technical, physical, and personnel control measures. Administrative control measures which may include records of internal distribution, access, generation, inventory, reproduction, and disposition of classified information shall be required when technical, physical and personnel control measures are insufficient to deter and detect access by unauthorized persons. (b) Reproduction. Reproduction of classified information shall be held to the minimum consistent with operational requirements. The following additional control measures shall be taken: (1) Reproduction shall be accomplished by authorized persons knowledgeable of the procedures for classified reproduction; (2) Unless restricted by the originating Agency, Top Secret, Secret, and Confidential information may be reproduced to the extent required by operational needs, or to facilitate review for declassification; (3) Copies of classified information shall be subject to the same controls as the original information; and (4) The use of technology that prevents, discourages, or detects the unauthorized reproduction of classified information is encouraged. Sec. 2004.8 Transmission. (a) General. Classified information shall be transmitted and received in an authorized manner which ensures that evidence of tampering can be detected, that inadvertent access can be precluded, and that provides a method which assures timely delivery to the intended recipient. Persons transmitting classified information are responsible for ensuring that intended recipients are authorized persons with the capability to store classified information in accordance with this Directive. (b) Dispatch. Agency heads shall establish procedures which ensure that: (1) All classified information physically transmitted outside facilities shall be enclosed in two layers, both of which provide reasonable evidence of tampering and which conceal the contents. The inner enclosure shall clearly identify the address of both the sender and the intended recipient, the highest classification level of the contents, and any appropriate warning notices. The outer enclosure shall be the same except that no markings to indicate that the contents are classified shall be visible. Intended recipients shall be identified by name only as part of an attention line. The following exceptions apply: (i) If the classified information is an internal component of a packable item of equipment, the outside shell or body may be considered as the inner enclosure provided it does not reveal classified information; (ii) If the classified information is an inaccessible internal component of a bulky item of equipment, the outside or body of the item may be considered to be a sufficient enclosure provided observation of it does not reveal classified information; (iii) If the classified information is an item of equipment that is not reasonably packable and the shell or body is classified, it shall be concealed with an opaque enclosure that will hide all classified features; (iv) Specialized shipping containers, including closed cargo transporters or diplomatic pouch, may be considered the outer enclosure when used; and (v) When classified information is hand-carried outside a facility, a locked briefcase may serve as the outer enclosure. (2) Couriers and authorized persons designated to hand-carry classified information shall ensure that the information remains under their constant and continuous protection and that direct point-to-point delivery is made. As an exception, agency heads may approve, as a substitute for a courier on direct flights, the use of specialized shipping containers that are of sufficient construction to provide evidence of forced entry, are secured with a high security padlock, are equipped with an electronic seal that would provide evidence of surreptitious entry and are handled by the carrier in a manner to ensure that the container is protected until its delivery is completed. (c) Transmission methods within and between the U.S., Puerto Rico, or a U.S. possession or trust territory. (1) Top Secret. Top Secret information shall be transmitted by direct contact between authorized persons; the Defense Courier Service or an authorized government agency courier service; a designated courier or escort with Top Secret clearance; electronic means over approved communications systems. Under no circumstances will Top Secret information be transmitted via the U.S. Postal Service. (2) Secret. Secret information shall be transmitted by: (i) Any of the methods established for Top Secret; U.S. Postal Service Express Mail and U.S. Postal Service Registered Mail, as long as the Waiver of Signature and Indemnity block, item 11-B, on the U.S. Postal Service Express Mail Label shall not be completed; and cleared commercial carriers or cleared commercial messenger services. The use of street-side mail collection boxes is strictly prohibited; and (ii) Agency heads may, on an exceptional basis and when an urgent requirement exists for overnight delivery within the U.S. and its Territories, authorize the use of the current holder of the General Services Administration contract for overnight delivery of information for the Executive Branch as long as applicable postal regulations (39 CFR chapter I) are met. Any such delivery service shall be U.S. owned and operated, provide automated in-transit tracking of the classified information, and ensure package integrity during transit. The contract shall require cooperation with government inquiries in the event of a loss, theft, or possible unauthorized disclosure of classified information. The sender is responsible for ensuring that an authorized person will be available to receive the delivery and verification of the correct mailing address. The package may be addressed to the recipient by name. The release signature block on the receipt label shall not be executed under any circumstances. The use of external (street side) collection boxes is prohibited. Classified Communications Security Information, NATO, and foreign government information shall not be transmitted in this manner. (3) Confidential. Confidential information shall be transmitted by any of the methods established for Secret information or U.S. Postal Service Certified Mail. In addition, when the recipient is a U.S. Government facility, the confidential information may be transmitted via U.S. First Class Mail. However, confidential information shall not be transmitted to government contractor facilities via first class mail. When first class mail is used, the envelope or outer wrapper shall be marked to indicate that the information is not to be forwarded, but is to be returned to sender. The use of street-side mail collection boxes is prohibited. (d) Transmission methods to a U.S. Government facility located outside the U.S. The transmission of classified information to a U.S. Government facility located outside the 50 states, the District of Columbia, the [[Page 51857]] Commonwealth of Puerto Rico, or a U.S. possession or trust territory, shall be by methods specified above for Top Secret information or by the Department of State Courier Service. U.S. Registered Mail through Military Postal Service facilities may be used to transmit Secret and Confidential information provided that the information does not at any time pass out of U.S. citizen control nor pass through a foreign postal system. (e) Transmission of U.S. classified information to foreign governments. Such transmission shall take place between designated government representatives using the transmission methods described in paragraph (d) of this section. When classified information is transferred to a foreign government or its representative a signed receipt is required. (f) Receipt of classified information. Agency heads shall establish procedures which ensure that classified information is received in a manner which precludes unauthorized access, provides for inspection of all classified information received for evidence of tampering and confirmation of contents, and ensures timely acknowledgment of the receipt of Top Secret and Secret information by an authorized recipient. As noted in paragraph (e) of this section, a receipt acknowledgment of all classified material transmitted to a foreign government or its representative is required. Sec. 2004.9 Destruction. (a) General. Classified information identified for destruction shall be destroyed completely to preclude recognition or reconstruction of the classified information in accordance with procedures and methods prescribed by agency heads. The methods and equipment used to routinely destroy classified information include burning, cross-cut shredding, wet-pulping, melting, mutilation, chemical decomposition or pulverizing. (b) Technical guidance. Technical guidance concerning appropriate methods, equipment, and standards for the destruction of classified electronic media and processing equipment components may be obtained by submitting all pertinent information to the National Security Agency/ Central Security Service, Directorate for Information Systems Security, Fort Meade, MD 20755. Specifications concerning appropriate equipment and standards for the destruction of other storage media may be obtained from the GSA. Sec. 2004.10 Loss, possible compromise or unauthorized disclosure. (a) General. Any person who has knowledge that classified information has been or may have been lost, possibly compromised or disclosed to an unauthorized person(s) shall immediately report the circumstances to an official designated for this purpose. (b) Cases involving information originated by a foreign government or another U.S. government agency. Whenever a loss or possible unauthorized disclosure involves the classified information or interests of a foreign government agency, or another government agency, the department or agency in which the compromise occurred shall advise the other government agency or foreign government of the circumstances and findings that affect their information or interests. However, foreign governments normally will not be advised of any security system vulnerabilities that contributed to the compromise. (c) Inquiry/investigation and corrective actions. Agency heads shall establish appropriate procedures to conduct an inquiry/ investigation of a loss, possible compromise or unauthorized disclosure of classified information, in order to implement appropriate corrective actions, which may include disciplinary sanctions, and to ascertain the degree of damage to national security. (d) Department of Justice and legal counsel coordination. Agency heads shall establish procedures to ensure coordination with legal counsel whenever a formal action, beyond a reprimand, is contemplated against any person believed responsible for the unauthorized disclosure of classified information. Whenever a criminal violation appears to have occurred and a criminal prosecution is contemplated, agency heads shall use established procedures to ensure coordination with-- (1) The Department of Justice, and (2) The legal counsel of the agency where the individual responsible is assigned or employed. Sec. 2004.11 Special access programs. (a) General. The safeguarding requirements of this Directive may be enhanced for information in Special Access Programs (SAP), established under the provisions of Section 4.4 of E.O. 12958, by the agency head responsible for creating the SAP. Agency heads shall ensure that the enhanced controls are based on an assessment of the value, critical nature, and vulnerability of the information. (b) Significant interagency support requirements. Agency heads must ensure that a Memorandum of Agreement/Understanding (MOA/MOU) is established for each Special Access Program that has significant interagency support requirements, to appropriately and fully address support requirements and supporting agency oversight responsibilities for that SAP. Sec. 2004.12 Telecommunications, automated information systems and network security. Each agency head shall ensure that classified information electronically accessed, processed, stored or transmitted is protected in accordance with applicable national policy issuances identified in the Index of National Security Telecommunications and Information Systems Security Issuances (NSTISSI) and Director of Central Intelligence Directive (DCID) 6/3. Sec. 2004.13 Technical security. Based upon the risk management factors referenced in Sec. 2004.2 of this directive agency heads shall determine the requirement for technical countermeasures such as Technical Surveillance Countermeasures (TSCM) and TEMPEST necessary to detect or deter exploitation of classified information through technical collection methods and may apply countermeasures in accordance with NSTISSI 7000, entitled Tempest Countermeasures for Facilities, and SPB Issuance 6-97, entitled National Policy on Technical Surveillance Countermeasures. Sec. 2004.14 Emergency authority. Agency heads may prescribe special provisions for the dissemination, transmittal, destruction, and safeguarding of classified information during military operations or other emergency situations. Appendix A to Part 2004--Open Storage Areas This Appendix describes the construction standards for open storage areas. 1. Construction. The perimeter walls, floors, and ceiling will be permanently constructed and attached to each other. All construction must be done in a manner as to provide visual evidence of unauthorized penetration. 2. Doors. Doors shall be constructed of wood, metal, or other solid material. Entrance doors shall be secured with a built-in GSA- approved three-position combination lock. When special circumstances exist, the agency head may authorize other locks on entrance doors for Secret and Confidential storage. Doors other than those secured with the aforementioned locks shall be secured from the inside with either deadbolt [[Page 51858]] emergency egress hardware, a deadbolt, or a rigid wood or metal bar which extends across the width of the door, or by other means approved by the agency head. 3. Vents, ducts, and miscellaneous openings. All vents, ducts, and similar openings in excess of 96 square inches (and over 6 inches in its smallest dimension) that enter or pass through an open storage area shall be protected with either bars, expanded metal grills, commercial metal sound baffles, or an intrusion detection system. 4. Windows. a. All windows which might reasonably afford visual observation of classified activities within the facility shall be made opaque or equipped with blinds, drapes, or other coverings. b. Windows at ground level will be constructed from or covered with materials which provide protection from forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. Open storage areas which are located within a controlled compound or equivalent may eliminate the requirement for forced entry protection if the windows are made inoperable either by permanently sealing them or equipping them on the inside with a locking mechanism and they are covered by an IDS (either independently or by the motion detection sensors within the area.) Appendix B to Part 2004--Foreign Government Information The requirements described below are additional baseline safeguarding standards that may be necessary for foreign government information, other than NATO information, that requires protection pursuant to an existing treaty, agreement, or other obligation. NATO classified information shall be safeguarded in compliance with United States Security Authority for NATO Instructions I-69 and I- 70. To the extent practical, and to facilitate its control, foreign government information should be stored separately from other classified information. To avoid additional costs, separate storage may be accomplished by methods such as separate drawers of a container. The safeguarding standards described below may be modified if required or permitted by treaties or agreements, or for other obligations, with the prior written consent of the National Security Authority of the originating government. 1. Top Secret. Records shall be maintained of the receipt, internal distribution, destruction, access, reproduction, and transmittal of foreign government Top Secret information. Reproduction requires the consent of the originating government. Destruction will be witnessed. 2. Secret. Records shall be maintained of the receipt, external dispatch and destruction of foreign government Secret information. Other records may be necessary if required by the originator. Secret foreign government information may be reproduced to meet mission requirements unless prohibited by the originator. Reproduction shall be recorded unless this requirement is waived by the originator. 3. Confidential. Records need not be maintained for foreign government Confidential information unless required by the originator. 4. Restricted and other foreign government information provided in confidence. In order to assure the protection of other foreign government information provided in confidence (e.g., foreign government "Restricted," "Designated," or unclassified provided in confidence), such information must be classified under E.O. 12958. The receiving agency, or a receiving U.S. contractor, licensee, grantee, or certificate holder acting in accordance with instructions received from the U.S. Government, shall provide a degree of protection to the foreign government information at least equivalent to that required by the government or international organization that provided the information. When adequate to achieve equivalency, these standards may be less restrictive than the safeguarding standards that ordinarily apply to US CONFIDENTIAL information. If the foreign protection requirement is lower than the protection required for US CONFIDENTIAL information, the following requirements shall be met: a. Documents may retain their original foreign markings if the responsible agency determines that these markings are adequate to meet the purposes served by U.S. classification markings. Otherwise, documents shall be marked, "This document contains (insert name of country) (insert classification level) information to be treated as US (insert classification level)." The notation, "Modified Handling Authorized," may be added to either the foreign or U.S. markings authorized for foreign government information. If remarking foreign originated documents or matter is impractical, an approved cover sheet is an authorized option; b. Documents shall be provided only to those who have an established need-to-know, and where access is required by official duties; c. Individuals being given access shall be notified of applicable handling instructions. This may be accomplished by a briefing, written instructions, or by applying specific handling requirements to an approved cover sheet; d. Documents shall be stored in such a manner so as to prevent unauthorized access; e. Documents shall be transmitted in a method approved for classified information, unless this method is waived by the originating government. 5. Third-country transfers. The release or disclosure of foreign government information to any third-country entity must have the prior consent of the originating government if required by a treaty, agreement, bilateral exchange, or other obligation. Dated: September 17, 1999. John W. Carlin, Archivist of the United States. [FR Doc. 99-24813 Filed 9-23-99; 8:45 am] BILLING CODE 7515-01-P