Download Unauthorized Disclosure of Classified Information and ... and more Lecture notes Public Health in PDF only on Docsity!
Unclassified Information Student Guide
Unauthorized Disclosure of Classified Information and
Controlled Unclassified Information
Course Introduction
Introduction
Public service, notably service in the United States Department of Defense or DoD, is a public trust. That trust is bounded by the Oath of Office we took willingly.
To carry out our responsibilities, we are privy to some of the most sensitive and closely held information in our land. It is a violation of our oath to divulge, in any fashion, non-public DoD information, classified or unclassified, to anyone without the required security clearance as well as a specific need to know in performance of their duties. Divulging information in violation of these precepts places our troops, our intelligence operations, and our technological advantages over our foes at risk.
We must be vigilant in executing our responsibility to prevent disclosure of any Information not authorized for release outside of the Department of Defense: All hands must be alert to prevent unauthorized disclosure of non-public information for any reason, whether by implied acknowledgment or intentional release.
We are a Department at war, and the increasingly complex security challenges call for increased vigilance in protecting our secrets. We must always be mindful of the obligations we have to each other and the Nation we have sworn to protect.
Course Learning Objectives
Narrator: Welcome to the Unauthorized Disclosure or UD of Classified Information and Controlled Unclassified Information or CUI Course.
Following course completion, you should be able to describe unauthorized disclosure, demonstrate how to protect classified information and CUI from UD, and apply the steps fo reporting a UD.
r
Unclassified Information Student Guide
What Is UD?
Introduction
Learning Objectives
- Identify types of unauthorized disclosure (UD)
- Identify misconceptions about UD
- Distinguish between UD and protected disclosures under the Whistleblower Protection Enhancement Act (WPEA)
Getting Started
Narrator: JB, the security manager, enters the break room to post some material about Unauthorized Disclosure or UD of Classified Narrator: JB, the security manager, enters the break room to post some material about Unauthorized Disclosure or UD of Classified Information and Controlled Unclassified Information or CUI.
JB: Hi, I hope everyone is having a great day. I just posted a document about UD of Classified Information and CUI.
Martin: JB, I know you’re busy, but since you’re here would you mind giving me a brief overview of this before you go?
JB: Sure. Heather, would you like to listen in?
Heather: No thanks, I’m going to head back to my desk, I’ll try to check it out later.
Definition & Policy
JB: Let me first define Unauthorized Disclosure. Unauthorized Disclosure, or UD, is the communication or physical transfer of classified information or controlled unclassified information, or CUI, to an unauthorized recipient. Here is a list of key policies centered around UD.
Key Policies for Unauthorized Disclosure
- Executive Order (E.O.) 13526, Classified National Security Information
- Intelligence Community Directive (ICD) 701, Unauthorized Disclosure of Classified National Security Information
- DoD Directive (DoDD) 5210.50, Management of Serious Security Incidents Involving Classified Information
- DoD Manual (DoDM) 5200.01, Volume 3, DoD Information Security Program: Protection of Classified Information
- DoD Instruction 5200.48, Controlled Unclassified Information
Unclassified Information Student Guide
Espionage
JB: Espionage is activities designed to obtain, deliver, communicate, and/or transmit classified information or CUI intended to aid a foreign power. An example of espionage is when an individual with access to classified information willfully provides this information to a foreign intelligence entity.
Improper Safeguarding of Information
JB: Improper safeguarding of information is defined as using inappropriate measures and controls to protect classified information or CUI. An example of improper safeguarding of information is when an individual with access to classified information accidentally leaves this information in the bathroom and it is found by an uncleared facility custodian.
Types of UD (cont.)
JB: I want to discuss some misconceptions and the Whistleblower Protection Enhancement Act or WPEA. Following, I’ll send additional UD information to you via email.
Martin: Okay. Sounds good.
Misconceptions of UD
JB: There are a few misconceptions about UD like classified information or CUI appearing in the public domain, or journalist privilege and some additional misconceptions.
Classified Information or CUI Appearing in the Public Domain
JB: If classified information or CUI have been put in the public domain, then it is okay for employees to freely share it. This is a misconception!
Even though classified information or CUI appear in the public domain, such as in a newspaper or on the internet, it is still classified or designated as CUI until an official declassification decision has been made, or in the case of CUI, it is no longer designated as such.
Journalist Privilege
JB: Cleared employees who disclose classified information or CUI to a reporter or journalist may receive protection through “journalist privilege,” which allows reporters and journalists to protect their sources during grand jury proceedings. This is also a misconception!
Employees will not be afforded protection by journalist privilege if they disclose classified information or CUI to a reporter or journalist.
Unclassified Information Student Guide Additional Misconceptions
JB: Manuscripts, books, etc. can be submitted to an editor or publisher before undergoing a security review from the Defense Office of Prepublication and Security Review or DOPSR.
This is incorrect. A security review protects classified information, CUI, and unclassified information that may individually or in compilation lead to the compromise of classified information or disclosure of operations security. I’ll talk more about security reviews later.
Once I leave my organization, the Non-Disclosure Agreement or NDA no longer applies.
This is also incorrect. Understand that the NDA we sign is a lifetime agreement with the federal government. I encourage you to review the Termination Briefing Short offered by CDSE.
Misconceptions of UD (cont.)
Martin: JB, I sort of remember some of this being said during my initial security briefing and even during my annual briefing. But to tell you the truth, it’s a lot of information to remember.
JB: I realize it’s a lot of information, but to carry out our responsibilities, we are privy to some of the most sensitive and closely held information. It’s a violation of our oath to divulge, in any fashion, classified information or CUI to anyone without the proper access.
Whistleblower Protection Enhancement Act
Martin: So, JB let me ask a question. Is whistleblowing the same as reporting a UD?
JB: That’s an excellent question. It’s very important to understand the difference between whistleblowing and reporting UD. Let’s talk about whistleblowing.
Whistleblower Protection Enhancement Act (cont.)
JB: Whistleblowing is used to report information an employee reasonably believes provides evidence of a violation of any law, rule, or regulation, gross mismanagement, a gross waste of funds, abuse of authority, or a substantial danger to public health and safety.
JB: The WPEA broadened the scope of the rights and protections for federal employees who “blow the whistle” on such violations. Within the DoD, there are five different statutes that provide whistleblower protections. Additionally, any and all classified, Special Access Program or SAP or Sensitive Compartmented Information or SCI must be reported via specific channels.
Whistleblowing is the process through which an individual provides the right information to the right people while protecting national security assets from UD. If you really want to learn more about whistleblowing and the WPEA, you should reference the DoD Inspector General (IG) website.
Unclassified Information Student Guide Answer: Espionage is identified as activities designed to obtain, deliver, communicate, or transmit classified information or CUI intended to aid a foreign power.
Question 4 of 7 Improper safeguarding of information is defined as using inappropriate measures and controls to protect classified information or CUI.
Answer: True: Improper safeguarding of information is defined as using inappropriate measures and controls to protect classified information or CUI.
Question 5 of 7 Classified information or CUI that has been put in the public domain is free to share.
Answer: False: Classified information or CUI that has been put in the public domain is not free to share.
Question 6 of 7 The policy for the Whistleblower Protection Enhancement Act (WPEA) is the same as that of Unauthorized Disclosure (UD).
Answer: False: There are five DoD Whistleblower statutes: Title 10 USC Sections 1034, 1587, and 2049; Title 5 USC Section 2302; and PPD 19 and the policy for UD is DoDD 5210.50.
Question 7 of 7 (multiple choice) Whistleblowing should be used to report which of the following?
- Gross mismanagement
- Gross waste of funds
- Substantial danger to public health and safety
- Information disclosed to a reporter or journalist
Answer: Whistleblowing should be used to report gross mismanagement, gross waste of funds, and substantial danger to public health and safety.
Unclassified Information Student Guide
Summary
Narrator: You should now be able to perform all the listed activities.
- Identify types of unauthorized disclosure
- Identify misconceptions about unauthorized disclosure
- Distinguish between unauthorized disclosure and protected disclosures under the Whistleblower Protection Enhancement Act (WPEA)
Unclassified Information Student Guide
Requirements for Access
Narrator: Authorized recipients must meet certain requirements for access to classified information and CUI.
They must have a favorable determination of eligibility at the proper level, have a “need-to-know”, and have signed an appropriate NDA before accessing classified information.
Any individual who fails to meet these requirements is not authorized to access classified information.
Authorized holders must also meet certain requirements to access CUI in accordance with a lawful government purpose which may include activity, mission, function, operation, and endeavor that the U.S Government authorizes or recognizes as within the scope of its legal authorities.
For more info, refer to: 32 CFR Part 2002 in the course Resources.
Safeguarding and Storage
Narrator: E.O. 13526, DoDM 5200.01, and the National Industrial Security Program Operating Manual, or NISPOM, provide guidance for safeguarding classified information from UD. It is your responsibility to follow this guidance.
You must properly handle classified information, including the use of classified document cover sheets when classified information is outside of a General Service Administration or GSA approved security containers.
Stored classified information in GSA-approved security containers or other approved methods when the information is not under personal observation and control, follow guidelines for the reproduction of classified information, which include using only copiers and printers designated specifically for reproducing classified information.
Follow appropriate procedures for transmission and transportation of classified information, and follow appropriate guidelines when destroying or disposing of classified information.
Safeguarding and Storage (con’t.)
Narrator: CUI must always be safeguarded in a manner that minimizes the risk of UD while allowing timely access by authorized holders. For more information, reference the CUI Toolkit in the course Resources. You are required to protect classified information throughout your life, even when you are no longer affiliated with the federal government and/or the military.
Reference DoDM 5200.01, Volume 3, Enclosure 2 and Enclosure 3 in the course Resources.
Unclassified Information Student Guide
Marking
Narrator: Following JB’s suggestion, Martin conducts a search on the intranet for information on markings and classification types.
Martin’s Desktop Intranet
Intranet – Unauthorized Disclosure Marking Classification Types
Marking
Narrator: All classified information shall be clearly identified by authorized security classification and control markings; authorized abbreviations and portion markings.
Markings must be conspicuous, immediately apparent, and alert holders to the presence of classified information, identify, as specifically as possible.
The exact information needing protection and the level of protection required, give information on the sources and reasons for classification of the information, identify the office of origin and document originator.
Applying the classification markings, provide guidance on information sharing, and warn holders of special access, dissemination control, and safeguarding requirements, and provide guidance on downgrading and declassification of classified information.
More information can be found in DoDM 5200.01, Volume 2 in the course Resources.
Classification Types
Narrator: There are two types of classification; original and derivative.
Original classification Original classification is the initial determination that information needs protection because its disclosure could be reasonably expected to cause identifiable or describable damage to national security.
Derivative classification Derivative classification is incorporating, paraphrasing, restating, or generating in new form information that is already classified and marking the newly developed material consistent with the classification markings that apply to the source information.
More Information: See DoDM 5200.01, Volume 3 and DoDM 5200.45 available in the course Resources.
Unclassified Information Student Guide JB: Martin you are asking some great questions. The PAO is distinctly different from DOPSR. Let’s take a look at their role.
Who has to submit for prepublication review? Past and present:
- Government civilian employees
- Contractor personnel
- Military personnel
- Retirees
DOPSR Prepublication Brochure Refer to the DOPSR Prepublication Brochure for:
- What to submit
- Where to submit
- Submission timelines
Note: It is a best practice to ensure your current/previous command conduct a security review of your resume and cover letter prior to your releasing it to the public. Resumes and cover letters are not sent to DOPSR for review.
Public Affairs Office (PAO)
JB: Although the PAO, does not review material for classified information or CUI, they do play a role in the process of information that is released to the public. The PAO conducts a review for specific considerations like, political views, things that bring discredit to the military or federal government, or are otherwise offensive.
With that in mind, the following sequential steps are used to incorporate the PAO into a process for releasing information to the public:
- Security review, to be conducted by local/command security manager and then the DOPSR.
- The PAO conducts a review for public affairs-specific considerations.
- Following approval, information may be released to the public, via appropriate channels.
JB: The last item to review is social media guidance.
Unclassified Information Student Guide
Social Media Guidance
JB: You must always be mindful of your obligation to protect classified information and CUI to prevent its unauthorized disclosure.
DoDM 5200.01, Volume 3 states that when using social networking services, such as Facebook, Twitter, YouTube, LinkedIn, wikis, Instagram, and blogs, the requirements for protecting classified information and CUI from UD, and the penalties for ignoring those requirements, are the same as when using other media and methods of dissemination.
JB: On a side note, many years ago there was a military secrecy campaign that stated: What you see here, what you hear here, what you do here, when you leave here, it stays here.
Martin: Hmm, that’s interesting. Perhaps, we should resurrect that campaign?
More Information: Do’s and Don’ts can be found on the course Resources.
Knowledge Check 2
Narrator: Before moving on, complete these knowledge checks.
Question 1 of 6 (multiple answer) You have a classified document you would like to share with your coworker, Julie. What requirements must Julie meet to be an authorized recipient?
- Need-to-know
- The same rank or position you hold or higher
- Signed NDA
- Favorable eligibility determination for access to the level of the classified information to be shared
Answer: Julie must have a need-to-know, a signed NDA, and a favorable eligibility determination for access to the level of the classified information to be shared.
Question 2 of 6 (multiple answer) Which of the following describes your responsibility to protect classified information from unauthorized disclosure?
- Take it home to analyze the information first
- Use classified document cover sheets
- Follow guidelines for the reproduction of classified information
- Store classified information in
- GSA-approved security containers or other approved methods
Unclassified Information Student Guide
Question 6 of 6 You may disclose classified information when using social media outlets.
Answer: You may not disclose classified information when using social media outlets.
Summary
JB: Martin, thanks for spending time with me to discuss protecting classified information and CUI. I hope you found the information helpful.
You should be able to address these items.
Keep in mind that the message on the back of the binder is something that people working with sensitive information should live by. What you see here, what you hear here, what you do here, when you leave here, it stays here.
- Recognize access, safeguarding, marking, storage, and classification requirements for classified information
- Interpret prepublication review requirements
- Recognize the role of the Public Affairs Office (PAO)
- Recognize DoD policy and authorized use of social media
Unclassified Information Student Guide
UD Reporting
Introduction to UD Reporting
Learning Objectives
- Explain how to respond to information appearing in the public domain
- Sequence the steps for reporting unauthorized disclosures
Introduction to UD Reporting (con’t.)
Martin: JB, this has been great.
JB: Let’s break for lunch and when we come back, we can talk about UD reporting.
Narrator: As Martin goes next door to grab a salad, he sees his colleague, Heather, sitting a few tables away and talking with Angela, a local reporter from Channel news.
He can see that they are conducting an interview in which notes are being taken and a voice recorder is being used.
However, Martin isn’t alarmed, until he hears a classified project mentioned. That’s when he listens closer.
Angela: Again, I want to thank you for your time today. To wrap up this report, I just have one last question.
Heather: Okay.
Angela: Has your department had issues developing the new Wing Model Five Missile?
Heather: I’m sorry, I can’t provide any additional information.
Information Appearing in the Public Domain
Narrator: After overhearing one of his colleagues discuss a classified project with a reporter, Martin immediately goes to JB’s office to discuss what he witnessed.
JB: Hi, Martin. Are you ready to get started?
Martin: Before we get started, I want to discuss something I overheard on my lunch break.
JB: Okay, I’m listening.
Unclassified Information Student Guide
Step 7 - Correct
Step 8 - Sanction
Step 1: Safeguarding
JB: The first step is safeguarding. Safeguarding is when classified information is secured by placing it into a GSA-approved security container or other approved methods. CUI must also be safeguarded in a manner that minimizes the risk of UD.
Step 2: Reporting
JB: Step two is reporting the information to your security manager or FSO. The first two steps are essential and the responsibility of anyone who believes they have witnessed, have discovered, or have knowledge of a UD.
Before moving on, it is important to note that steps three through seven are the responsibility of the security manager or FSO.
Narrator: Steps one through two applies to everyone, however, if you are a security manager or FSO please reference the downloadable job aid on the course Resource page to see which steps applies directly to your personnel.
JB: When classified information is involved, a report is always made to the Original Classification Authority, or OCA, who will conduct a damage assessment. The report to the OCA may vary depending on whether you are a security manager or FSO. Certain types of classified information or specific circumstances require unique handling or consideration of additional reporting requirements.
For further clarification, see the student job aid on course Resources.
Step 8: Sanction
JB: Finally, step eight is where sanctions are handed down. Criminal, civil, and/or administrative sanctions may be brought against an individual who fails to protect classified information and CUI from UD. As a reminder, this step applies to everyone along with step one and two.
More information: According to DoDD 5210.50 “Management of Serious Security Incidents Involving Classified Information”:
- Training on the prevention, identification, and reporting of serious security incidents will be provided to all DoD personnel authorized access to classified information. For more information on sanctions involving CUI, please refer to DoDI 5200.48 Controlled Unclassified Information.
Unclassified Information Student Guide
- The prevention of serious security incidents is a responsibility shared by all DoD personnel. For further clarification, see the job aid on course Resources.
Knowledge Check 3
Narrator: Let’s see how well you can answer the following questions.
Question 1 of 3 (multiple choice) What is the first step in reporting an incident of Unauthorized Disclosure?
- Place items in an opaque zip lock bag
- Place items in a GSA-approved security container or other approved method
- Place items in a manila folder
- Hand items to your security manager as quickly as possible
Answer: The first step in reporting an incident of Unauthorized Disclosure is to place items in a GSA-approved security container or other approved method.
Question 2 of 3 (multiple choice) After completing step one of reporting an Unauthorized Disclosure incident, what is your next step?
- Conduct inquiry field experiment
- Report to your security manager or FSO
- Call the Federal Bureau of Investigation
- Tell your co-worker
Answer: Step two of reporting is to report the incident to your security manager or FSO.
Question 3 of 3 (multiple answer) What must you do if approached or contacted by a representative of the media seeking a response to information appearing in the public domain?
- Report it to your security manager or FSO
- Make a statement
- Neither confirm nor deny the information in question
- Always tell the truth
Answer: Do not make any statements or comments that confirm or deny the information in question and report it to your security manager or FSO.
Summary
JB: I’m glad I could bring everything full circle for you. You did the right thing and we all appreciate it.
