DR 3440-001
Department of
Agriculture
|
Departmental
Administration
Office
of Security Services
Personnel
and Document Security Division
USDA Classified
National Security Information Program Regulation
DR 3440-001
DEPARTMENTAL REGULATION |
Number: 3440-001 |
|
SUBJECT: USDA Classified National Security Information Program
Regulation |
DATE: January 9, 2008 |
|
OPI: Office
of Security Services |
||
1.
PURPOSE
This
regulation prescribes Departmental roles and responsibilities for the
classification, declassification, and safeguarding of classified national
security information, and promulgates a revised Departmental Manual 3440-001,
USDA Information Security Program Manual.
2.
CANCELLATION
This regulation
supersedes Departmental Regulation (DR) 3440-001, dated August 26, 1983.
3.
BACKGROUND
The Secretary of Agriculture has
been delegated the original classification authority (OCA) by Presidential
Order (67 FR 189), effective September 26, 2002, and may classify USDA
information as either Confidential or Secret.
Executive Order (E.O.) 12958, as
amended by Executive Order 13292, “Classified National Security Information”
(hereafter, E.O. 12958), and Information Security Oversight Office (ISOO)
Directive 1, “Classified National Security Information,” establish the minimum
standards and procedures for protecting classified national security
information (hereafter, classified information). Security procedures and
guidance are detailed in Departmental Manual (DM) 3440-001 “Information
Security Program Manual”.
4.
POLICY
Departmental
agencies and offices must comply with E.O. 12958, ISOO Directive 1, and this DR.
This DR is applicable to USDA employees, contractors, and individuals who serve
in advisory, consultant, or non-employee affiliate capacities who have been granted
access to classified information. It is
the policy of USDA that:
a.
The Secretary may base
a classification determination on one or more of the following categories:
(1) Government information;
(2) Foreign relations or foreign activities of the
(3) Scientific, technological, or economic matters
relating to the national security, which includes defense against transnational
terrorism;
(4) Vulnerabilities or capabilities of systems,
installations, infrastructures, projects, plans, or protection services
relating to the national security, which includes defense against transnational
terrorism; or
(5) Weapons of mass destruction.
b.
Classified national security
information consists of information that has been determined pursuant E.O.
12958 to require protection against unauthorized disclosure and is marked to
indicate its classified status when in documentary form in accordance with the
Executive Order and DM 3440-001. Minimum safeguarding of
classified information requires storage in a General Services Administration (GSA)
approved security container. Security
containers meeting the standards and specifications established by GSA may be
procured through the Federal Supply System.
c.
USDA agencies shall prevent
unnecessary access to classified information by establishing a need for access
to classified information, limiting access to a minimum consistent with
operational and security requirements and needs, and ensuring classified
information is not
released to, or shared with, persons who do not possess an active security
clearance equal to or higher than the classification level of the material in
question.
d.
USDA will ensure
declassification of information as soon as feasible, but not longer than 25
years from the time of classification.
Declassification is accomplished using the systematic, automatic, and
mandatory declassification processes outlined in E.O. 12958.
e.
Continuous security
awareness training is required of all employees holding national security
clearances. Training will be coordinated
and presented by the Office of Security Services (OSS).
f.
Destruction and
disposal of classified information must be done in compliance with EO 12958 and
the ISOO Directive 1. Confidential and
Secret information can be shredded using a National Security Agency (NSA) approved
shredder. NSA approved shredders may be
procured through the Federal Supply System.
g.
Incidents involving
the mishandling of classified information must be reported to the agency’s
Information Security Coordinator, or the
5.
ROLES AND
RESPONSIBILITIES
a.
The Secretary of
Agriculture may only re-delegate OCA to the Deputy Secretary. The Secretary must designate a Senior Agency
Official responsible for the development and administration of the Information
Security Program. This designation is
currently in a delegation of authority made to the Assistant Secretary for
Administration and has been re-delegated to the Director,
b.
The Senior Agency
Official is the primary liaison between USDA and the ISOO. This position is responsible for identifying
necessary resources to manage the Information Security Program and providing program
oversight.
c.
Subcabinet Officers, Agency
Administrators, and Office Directors, whose organizations require access to
classified material are responsible for:
(1) Designating
an Information Security Coordinator to serve as a liaison to the PDSD;
(2) Providing
subject matter experts to assist with the development of recommendations for the
Secretary to exercise the OCA;
(3) Ensuring
classified information is created, marked, stored, transmitted, and destroyed
in accordance with this DR and DM 3440-001;
(4) Ensuring the
number of persons granted access to classified information is limited to those
with a “need-to-know” to effectively and efficiently carry out USDA program
responsibilities;
(5) Ensuring employees who hold
a security clearance receive initial security indoctrination training, annual
security refresher training, and a
debriefing after classified information access is no longer required; and
(6) Ensuring that applicable
performance standards include language requiring the proper protection of
classified information for all employees who routinely handle classified
information.
d.
The Director,
(1) Establishing and administering the USDA
Information Security Program in accordance with E.O. 12958, ISOO Directive 1,
and this
DR;
(2)
Maintaining an
oversight role to ensure consistent and effective implementation of the
Information Security Program throughout
USDA; and
(3)
Serving as the
Deciding Official for the suspension, denial, and revocation of security
clearances involving USDA personnel.
e.
The Chief Information
Officer is responsible for:
(1) Certifying and accrediting USDA
computer systems for processing collateral classified information;
(2)
Coordinating with the
networks; and
(3)
Incorporating, where
appropriate, applicable USDA information security policies and procedures into
USDA policies and standards
for Information Technology system protection.
f.
The
(1) Day-to-day
management of the Department’s information security program;
(2)
Issuing and updating
Department-wide information security policies and procedures;
(3)
Coordinating and
providing initial security indoctrination training, annual refresher training,
and security debriefings;
(4)
Approving rooms for
the storage, discussion, and processing of classified information up to and
including Sensitive Compartmented
Information; and
(5)
Receiving reports of
incidents of suspected mishandling or inadvertent disclosure of classified
information and conducting
requisite security inquiries when
appropriate.
g.
Information Security
Coordinators are responsible for being the primary liaison between their agency
and the
(1)
Advising their agency on
properly marking, storing, processing, disclosing, transmitting, and destroying
classified information;
(2)
Conducting
self-inspections within the agency to ensure they are properly handling
classified information;
(3)
Coordinating
information security refresher training;
(4)
Gathering information
annually for ISOO reports;
(5)
Assisting with
classification, declassification, and challenges to classification; and
(6)
Reporting security
violations and concerns to
h. Employees, contractors, and individuals maintaining a security clearance
for working with classified information at USDA are responsible for the following:
(1) Adhering to the provisions of this
DR and DM 3440-001;
(2)
Immediately reporting
security irregularities and security violations to their respective information
security coordinators and supervisors; and
(3)
Completing the initial
security indoctrination training, annual security refresher training and
security debriefings.
END