












































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community for help and clear up your study doubts
Discover the best universities in your country according to Docsity users
Free resources
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
Applies to contractors in sensitive compartmented information facilities (SCIF) accredited by the Defense Intelligence Agency (DIA) and to DoD ...
Typology: Schemes and Mind Maps
1 / 52
This page cannot be seen from the preview
Don't miss anything!
NUMBER 5105.21, Volume 1 October 19, 2012 Incorporating Change 2, Effective October 6, 2020
USD(I&S)
SUBJECT: Sensitive Compartmented Information (SCI) Administrative Security Manual: Administration of Information and Information Systems Security
References: See Enclosure 1
a. Manual. This Manual is composed of several volumes, each containing its own purpose, and reissues DoD Manual (DoDM) 5105.21-M-1 (Reference (a)). The purpose of the overall Manual, in accordance with the authority in DoD Directive (DoDD) 5143.01 (Reference (b)), is to implement policy established in DoD Instruction (DoDI) 5200.01 (Reference(c)), and Director of Central Intelligence Directive (DCID) 6/1 (Reference (d)) for the execution and administration of the DoD Sensitive Compartmented Information (SCI) program. It assigns responsibilities and prescribes procedures for the implementation of Director of Central Intelligence and Director of National Intelligence (DNI) policies for SCI.
b. Volume. This Volume addresses administrative procedures for information security for SCI, including transmission and information systems (IS) security.
a. Applies to OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the DoD, the Defense Agencies except as noted in paragraph 2.c., the DoD Field Activities, and all other organizational entities within the DoD (hereafter referred to collectively as the “DoD Components”).
b. Applies to contractors in sensitive compartmented information facilities (SCIF) accredited by the Defense Intelligence Agency (DIA) and to DoD SCI contract efforts conducted within facilities accredited by other agencies and approved for joint usage by a co-utilization agreement.
Change 2, 10/06/2020 2
c. Does not apply to the National Security Agency/Central Security Service (NSA/CSS), National Geospatial-Intelligence Agency (NGA), and the National Reconnaissance Office (NRO), to which separate statutory and other Executive Branch authorities for control of SCI apply.
Michael G. Vickers Under Secretary of Defense for Intelligence
Enclosures
(a) DoD 5105.21-M-1, “Department of Defense Sensitive Compartmented Information Administrative Security Manual,” August 1998 (hereby cancelled) (b) DoD Directive 5143.01, “Under Secretary of Defense for Intelligence and Security (USD(I&S)),” October 24, 2014, as amended (c) DoD Instruction 5200.01, “DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI),” April 21, 2016, as amended (d) Intelligence Community Directive 703, “Protection of Classified National Intelligence, including Sensitive Compartmented Information,” June 21, 2013^1 (e) Public Law 116-92, “National Defense Authorization Act for Fiscal Year 2020,” December 20, 2019 (f) Intelligence Community Directive 701, “Security Policy Directive for Unauthorized Disclosures of Classified Information,” March 14, 2007 (g) DoD Directive 5240.06, “Counterintelligence Awareness and Reporting (CIAR),” May 17, 2011, as amended (h) DoD Manual 6025.18, “Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs,” March 13, 2019 (i) Parts 160 and 164 of Title 45, Code of Federal Regulations (j) DoD Directive 5210.50, “Management of Serious Security Incidents Involving Classified Information,” October 17, 2014, as amended (k) DoD Manual 5200.01, “DoD Information Security Program,” February 24, 2012, as amended (l) Executive Order 13526, “Classified National Security Information,” December 29, 2009 (m) National Security Agency, “Signals Intelligence Security Regulation (SISR),” May 26, 1999 (Classified SECRET//SI)^1 (n) National Security Telecommunications and Information System Security Advisory Memorandum (NSTISSAM) 2-95, “RED/BLACK Installation Guidance,” December 12, 1995^2 (o) Intelligence Community Directive 501, “Discovery and Dissemination or Retrieval of Information Within the Intelligence Community,” January 21, 2009 (p) Intelligence Community Directive 403 “Foreign Disclosure and Release of Classified National Intelligence” March 13, 2013 (q) “National Policy and Procedures for the Disclosure of Classified Military Information to Foreign Governments and International Organizations,” (short title: “National Disclosure Policy (NDP-1)), October 2, 2000 (Classified SECRET//NOFORN) (r) Director of Central Intelligence Directive 6/6 (Section V-X), “Security Controls on the Dissemination of Intelligence Information,” June 11, 2001
(^1) Available via JWICS at http://inteldocs.intelink.ic.gov/view.php?kt_path_info=ktcore.actions.document.view&fDocumentID= (^2) Available via SIPRNET at http://www.diateams.dse.dia.smil.mil/sites/issuances/default.aspx.
(USD(I&S)). The USD(I&S), in accordance with Reference (b), serves as the senior DoD official for oversight of implementation of SCI security policies and procedures within the DoD. As such, the USD(I&S) represents the Secretary of Defense when coordinating SCI security policies and procedures established by the DNI. The USD(I&S) has established the Defense Special Security System (DSSS) to administer the SCI program within the DoD.
a. Administer the DoD SCI security policies and procedures consistent with DNI policies and procedures to protect intelligence and intelligence sources and methods.
b. Develop and implement standards for and oversee the operations of all SCI compartments for the DoD Components. In this capacity, the Director, DIA, shall:
(1) Direct, manage, and oversee the DSSS.
(2) Appoint a cognizant security authority (CSA) to serve as the authority for all aspects of security program management for the protection of SCI. This individual will also act as the CSA for OSD, the Chairman of the Joint Chiefs of Staff and Joint Staff, the DoD Field Activities, and the Combatant Commands and may delegate CSA responsibilities as necessary.
(3) Review and approve proposals for establishing new SCI security offices under the DIA CSA.
(4) Provide SCI security program direction, management, and oversight to the Military Departments.
(5) Administer SCI security support to other Federal agencies by special agreement as required.
(6) Administer uniform DoD SCI policy on the interrelated disciplines of information security, personnel security, physical security, technical security (e.g. TEMPEST and technical surveillance countermeasures (TSCM)), information assurance (IA), security education and awareness, and contractor SCI program administration to implement and supplement National Intelligence Board (NIB) and DNI SCI policy.
(7) Enforce DoD compliance with DoD and DNI SCI policy, correct deficiencies, and conduct inspections of DoD SCI facilities.
(8) Establish procedures with the Military Department HICEs to coordinate and accomplish program reviews and inspections to eliminate scheduling conflicts.
(9) Provide centralized physical security and TEMPEST accreditation for the DoD Components and DoD contractors except those under the security cognizance of NSA/CSS, NGA, and NRO. This authority may be delegated to a single official, who shall serve as the Accrediting Official.
(10) Validate and maintain records of waivers for DoD SCI facilities.
(11) Establish, manage, and conduct training programs for SCI security officials and other security personnel.
(12) Establish an SCI Policy Coordination Committee (SCIPCCOM).
(13) Develop and publish uniform SCI briefing materials for SCI indoctrination, debriefing, and execution of nondisclosure agreements (NdA) and nondisclosure statements (NdS) for the DoD Components. The indoctrination and debriefing materials shall emphasize awareness of unauthorized disclosure processes and individual reporting responsibilities. On a periodic basis, produce SCI security education materials for the DoD Components.
DEPARTMENTS. The HICEs for the Military Departments shall:
a. Administer the SCI security programs for their respective Departments and component commands of the Combatant Commands. Military Department execution will be based upon guidance in this Manual.
b. Provide implementing instructions for the operation and administration of SCI security programs for their respective agencies, departments, and components, including subordinate commands of the Combatant Commands, in accordance with this manual.
c. Assist the Director, DIA, in developing and recommending appropriate SCI security policy and procedures. Appoint a knowledgeable SCI security policy representative to the SCIPCCOM.
provide direct support to other SSOs, SSRs, or contractor SSOs and have direct access to the SIO.
b. Provide proper protection, use, and dissemination of SCI documents and material by enforcing SCI, information, personnel, physical, communications, industrial, and IA security rules and by developing standard operating procedures (SOPs) and practices.
c. Maintain the integrity of the SCI control system. SSO and contractor special security officer (CSSO) personnel shall not perform duties or details that conflict or interfere with their SCI security responsibilities or with the security of SCI.
d. Approve or validate the need to know for individuals (military, civilian Government employee, or contractor) requiring SCI access and validate the need to establish SCIFs, SCI communications, and IS.
e. Identify required communications electronics and communications security (COMSEC) equipment to local supporting communications elements. Establish a memorandum of agreement (MOA) with the supporting communications element to provide timely communications support to the intelligence mission, if necessary.
f. Establish MOAs with other organizations, as necessary, on SCI areas of responsibility, training, operational needs, support, and services. Implement SOPs as required for further definition and clarification of security responsibilities.
g. Establish a co-utilization agreement (CUA) between the SSO and the local program security officer for any special access program (SAP) operating in the SCIF and monitor compliance with the CUA.
h. Train SSOs and SSRs to perform their respective duties and responsibilities.
i. Provide sufficient qualified personnel, funds, work space, facilities, and logistical support to effectively operate the SCI security program.
j. Evaluate and send to the Defense Messaging System requests to use the Defense Special Security Communication System (DSSCS) for SAPs and other special programs or projects.
k. Request that DoD Component counterparts responsible for military police activities direct subordinate military police activities to provide SSOs all derogatory information on SCI- indoctrinated personnel.
l. Keep the SSO informed of issues having SCI implications such as facilities utilization, IS requirements, base security, or base or post resource protection.
m. Designate SCI couriers for hand-carrying SCI outside the United States. The SIO may delegate this authority to the SSO except for couriering aboard foreign-flag aircraft.
n. Coordinate and approve or disapprove requests for waivers as designated in this Manual.
o. Validate the need to establish SSOs or SSRs at locations under their authority.
p. Provide direction to Contracting Officer’s Representatives involved in SCI contracts to coordinate DD Form 254, “Contract Security Classification Specification” with the SSO for proper approval. (DD Forms and Standard Forms (SFs) can be obtained on the Internet at http://www.dtic.mil/whs/directives/infomgt/forms/formsprogram.htm.)
q. Request that DoD Component counterparts responsible for medical services direct subordinate medical services activities to:
(1) Provide SSOs information about a person’s medical condition affecting their continued eligibility for SCI access and information concerning treatment that may temporarily affect an individual’s ability to perform SCI duties in accordance with DoDM 6025. (Reference (h)).
(2) Facilitate requests for such information from non-DoD sources in accordance with Parts 160 and 164 of title 45, Code of Federal Regulations (Reference (i)).
SSOs must provide such information to the appropriate central adjudication facility (CAF) for a determination of SCI eligibility.
r. Properly investigate security incidents, compromises, and unauthorized disclosure of SCI in accordance with Appendix 1, Enclosure 5, Volume 3 of this Manual; Reference (f); DoDD 5210.50 (Reference (j)) and DoDM 5200.01 (Reference (k)), and refer results to the supporting counterintelligence agency in accordance with Reference (g).
a. Approve all SOPs and Emergency Action Plans (EAPs) pertaining to their SCIFs.
b. Appoint in writing all SCI security officials within their organizations.
c. Oversee the protection of SCI through a comprehensive inspection program that includes self-inspections and random command/corporate-level reviews.
j. Direct each subordinate SCI official to conduct an annual self assessment and forwards it for SSO review within 14 days of completion. SSOs shall annually report to the DIA Deputy Director for Mission Services, Counterintelligence and Security Office (DAC) the results of the self-inspections along with action taken to address any shortcomings.
k. Report and investigate all unauthorized disclosures of classified intelligence information in accordance with this Manual and References (f), (j) and (k).
l. Interface with telecommunications centers, IS facilities, computer centers, and similar offices to establish and maintain SCI security operational channels. Provide telecommunications centers, watch centers, and the appropriate command centers with the non-duty telephone numbers of, and instructions for, contacting special security office personnel.
m. Conduct a continuing SCI security education training and awareness program to ensure all SCI-indoctrinated individuals are kept apprised of the requirements and guidelines for protecting SCI. Annual training of original classification authorities and biennial training derivative classifiers required by Executive Order 13526 (Reference (l)) will be included in this program.
n. Maintain appropriate accreditation documentation for each SCIF, communications system, and IS under the organization's security cognizance.
o. Review all reported derogatory information on SCI-indoctrinated personnel. Take appropriate action as required by applicable DoD personnel security regulations described in Enclosure 1 of Volume 3 of this Manual.
p. Manage, supervise, and provide support to special access programs (SAPs) based on approved co-utilization agreements.
q. Provide SSO support to DoD SCI contractors in accordance with applicable contracts, including processing, reviewing, and validating DD Form 254. Support provided to contractors of other components will be provided as agreed to in MOAs with user agencies. (This duty does not apply to CSSOs.)
r. Maintain continuing liaison, as required, with non-SCI security officials.
COR/COTR who is responsible for overseeing performance of contracts involving SCI information or material shall be SCI-indoctrinated Government personnel who are familiar with the daily operational requirements of contract execution. The COR/COTR shall:
a. Provide DD Form 254 to the supporting organizational SSO for approval prior to incorporation in the contract.
b. In conjunction with the designated contractor representative or CSSO, prepare the initial request for establishment of a contractor SCIF, if required by the DD Form 254.
c. If a Defense Courier Division (DCD) account is required by the SCI contract, prepare a Defense Courier Account Record form and have the supporting SSO sign as the certifying official. Forward the original U.S. Transportation Command Defense Courier Account Record form and a copy of the DD Form 254 (if applicable) to the servicing DCD facility.
a. Report to proper authorities (SSO, security official, supervisor) any information that could reflect on their trustworthiness or on that of other individuals who have access to SCI, such as, but not limited to things such as:
(1) Violation of security regulations.
(2) Unexplained affluence, financial delinquency, garnishment of wages, lien placed on property for failure to pay a creditor, bankruptcy, or excessive indebtedness.
(3) Unlawful acts, except for traffic offenses where fines are less than $300 and do not involve alcohol or drugs.
(4) Apparent mental or emotional problems.
(5) Coercion or harassment attempts.
(6) Blackmail attempts.
(7) On-going contacts with foreign nationals.
(8) Planned or actual cohabitation with or marriage to a foreign national.
(9) Foreign travel (official and unofficial).
(10) Arrests, whether or not found guilty.
(11) Alcohol incidents, DUI arrest, obtaining alcohol abuse counseling or treatment.
a. Users should refer to DCIDs, ICDs, intelligence community (IC) policy memorandums and guidance, DoD issuances, the Signals Intelligence Security Regulation (Reference (m)), National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM) 2-95 (Reference (n)), and other documents cited herein for guidance on classification level, compartmentalization, decompartmentalization, sanitization, release to foreign governments, emergency use, and additional security policy and procedures for the protection of information controlled in SCI compartments.
b. Recommendations on SCI policy changes made by the DoD SCI security community shall be raised at the SCIPCCOM. This committee, chaired by the Chief, DIA DAC or designee, is composed of senior SCI security policy representatives of the USD(I&S) and the Military Departments. This committee shall meet at least semi-annually and the chairperson shall forward recommendations to the security directors of DIA and the Military Departments for presentation to the DNI Special Security Center as appropriate.
c. Information sharing has become a critical component of providing our war fighters the required intelligence information when needed. ICD 501 (Reference (o)) sets forth guidance on sharing intelligence information. The goal of information sharing is to provide appropriately cleared customers (i.e., those with the necessary clearance, access approval, and need to know) with all the intelligence information they need to fulfill their missions.
d. The procedures set forth in this Volume are the standards for protecting SCI. The DoD Components shall not establish or disseminate operational or administrative procedures inconsistent with the security standards prescribed herein. HICE may impose more stringent procedures if they believe extraordinary conditions and circumstances warrant.
e. In emergencies or when there is a danger of compromise, the DoD Components and DoD contractors are authorized to communicate directly with the DAC concerning SCI policy matters. All other matters should be resolved through the established chain of command.
f. During hostilities, wartime, or exercise conditions, the authority and reporting channels for SCI security cognizance shall run parallel to the theater command and operational lines of authority. This procedure exists because staff oversight of SCI security is the direct responsibility of the SIO responsible for the theater. The SSO of the Combatant Command has SCI security cognizance for units deployed in the Combatant Command’s theater of operations.
g. Service Cryptologic Components, those Military Service elements that are assigned to the CSS, are under the direction and management of the Director, NSA/Chief, CSS, for physical,
TEMPEST, and IS security matters. Any SCI policy conflict shall be resolved by negotiation between the Military Department and NSA.
a. SCI security officials shall employ the principles of risk management and risk-based analysis when developing and implementing protective measures. Risk-based analysis should provide for increased efficiency of operations and co-utilization of facilities wherever practical. SCI security officials shall request waivers to SCI security policy from their respective CSAs and justify the need for deviation from established security methods.
b. SCI security officials shall obtain a threat assessment of the current criminal, espionage, sabotage, subversion, and terrorist threat situation from their supporting law enforcement agency and counterintelligence support office or equivalent. Security countermeasures to meet these threats shall be tailored based on risk management.
a. SCI shall not be published, released to, or discussed with, unauthorized persons or the public media. HICEs shall not authorize declassification of SCI for public release without the prior written approval of the appropriate DNI security executive agent. Requests for such declassification action shall be forwarded through command SCI security channels to the appropriate DNI executive agent. Requests for news media information shall be forwarded through the appropriate command SCI security channels to the appropriate HICE or designee.
b. Unauthorized disclosure of SCI (disclosure that has not been approved for release by the HICE or appropriate DNI security executive agent) in public media does not alter the basic security policies and procedures contained in this Manual or the information’s original classification. Such information remains classified. Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the provisions of SF 312, “Classified Information Nondisclosure Agreement,” and DD Form 1847-1, “Sensitive Compartmented Information Nondisclosure Statement.” No additional facts, amplification, or comments shall be made about unauthorized disclosures of classified information.
b. Access to SCI is based on ICD 704 (Reference (s)) eligibility, need-to-know, formal access approval, and indoctrination. SCI will be disseminated at the lowest level of classification that will satisfy official requirements.
c. All DoD Components will ensure that the intelligence they produce and disseminate excludes, sanitizes, or generalizes in descending order of preference the source and method data. Producers of finished intelligence shall:
(1) Avoid publishing products that must be controlled in collection system compartments. When treatment of a particular subject in an intelligence product requires discussion of operationally compartmented sources and methods, a special supplement, appropriately controlled in compartmented channels, is the preferred approach.
(2) Ensure unavoidable references to intelligence sources or methods are as non-specific as practicable. Subject to the provisions of collection system manuals, generalized discussion of compartmented collection capabilities is permitted in finished intelligence products controlled in a product-oriented compartment. Discussion of collection gaps, capabilities to provide indications and warning intelligence, or advice on the reliability of sources in finished intelligence at a relatively low level of compartmentalization must not exceed allowable boundaries of SCI control and thereby risk exposure of particularly sensitive intelligence.
d. The policy constraint on the use of compartmented information regarding sources and methods in finished intelligence products applies to all DoD publications including formal and informal memorandums and studies.
a. Except as otherwise stated, the HICEs may waive the provisions of this Manual under extraordinary circumstances. The HICE may delegate this authority to the CSA. Waivers will be issued for a specific period, usually 1 year, or as otherwise specified by the waiver. The requester must correct the situation covered by the waiver prior to the expiration date or request an extension of the waiver. The local SCI security official shall inform other agencies or services desiring to share the facility of the waiver condition. Exceptions to policy shall be kept on file in the SSO and in the field unit SCIF, as applicable.
b. Waivers for the physical or technical security of a SCIF shall be done in accordance with the procedures outlined in ICD 705 (Reference (t)) and Volume 2 of this Manual.
c. This Manual does NOT authorize the waiver of reporting requirements to law enforcement or counterintelligence agencies.
a. Periodic inspections will be scheduled based on threat, sensitivity, physical modifications, and past security performance. Inspections may occur at any time, announced or unannounced. Additional inspections may be conducted in the event of suspected compromise or incidents, history of deficiencies, major facility modification, or change in threat level.
b. Authorized inspectors (See Glossary for definition) will be admitted to a SCIF without delay or hindrance. Government-owned inspection equipment will be admitted into a SCIF without delay.
c. Inspectors will submit a written report following each inspection identifying any deficiencies and corrective action to be taken. The report will be forwarded to appropriate SCI officials and a copy maintained within the inspected SCIF and by DAC. Joint users of the SCIF will accept the results of DIA security reviews for validation of security compliance. These written reports will be available to the DNI or designee upon request.
d. Staff assistance visits (SAVs) must be conducted to review security support actions and administrative inquiries, and to support program review and approval as deemed appropriate by the CSA. Any recommendations that affect physical security, TEMPEST, or technical security will be validated by DAC prior to corrective action or expenditure of funds. When a report is issued by an SCI security official, findings and corrective actions are subject to review during the next inspection.
e. SCI security officials shall conduct self-inspections of their SCIFs annually and will use the self-inspection checklist provided on the DIA/DAC Joint Worldwide Intelligence Communication System(JWICS) webpage at http://www.dia.ic.gov/homepage/da/security/field/scifforms.html. The purpose of the self- inspection is to ensure compliance with the policies and procedures contained in this Manual and other applicable SCI security regulations and directives. Self-inspections will be coordinated with the site IA manager (IAM) and will include the areas of SCI security policy and procedures,