Treasury Directive 71-10

Date: August 23, 1999

Sunset Review: August 23, 2003

SUBJECT: Department of the Treasury Security Manual

1. PURPOSE. This directive authorizes the issuance of the Department of the Treasury Security Manual.

2. SCOPE. This directive applies to all bureaus, the Departmental Offices (DO), the Office of Inspector General (OIG) and the Treasury Inspector General for Tax Administration (TIGTA). Those authorities reserved to the Special Assistant to the Secretary (National Security) concerning U.S. intelligence activities are not affected by this directive.

3. BACKGROUND. Treasury Directive (TD) 27-01, "Organization and Functions - Office of the Assistant Secretary of the Treasury (Management)," describes the responsibilities of the Deputy Assistant Secretary for Information Systems and the Director, Office of Security, pertaining to the direction and operation of certain security functions of the Department (which includes personnel and physical security, which includes industrial and information security, emergency preparedness, telecommunications and information systems security functions).

4. SECURITY MANUAL. This directive authorizes the Deputy Assistant Secretary for Information Systems/CIO and the Director, Office of Security to jointly prescribe and publish the Department of the Treasury Security Manual (Treasury Department Publication [TD P] 71-10), which shall be issued as a separate regulation and shall be binding on all Treasury bureaus. Any reference to TD 71-10 shall be deemed to include this directive and the Security Manual. The Security Manual:

a. provides uniform policies, standards and general procedures to be used by the bureaus to carry out their respective responsibilities in the areas of personnel, physical, telecommunications and information systems security, and emergency preparedness in accordance with the standards and guidelines issued by the Department, Department of Energy, Office of Personnel Management (OPM), Federal Emergency Management Agency, National Security Agency, Department of Defense (DOD), Office of Management and Budget, General Services Administration, General Accounting Office, National Institute of Standards and Technology and the Security Policy Board;

b. implements and supplements, where necessary, Executive Orders, National Security directives, and other Government regulations by providing guidance when such regulations are not sufficiently detailed, or details are left to Departmental discretion; and

c. supersedes existing Treasury directives in the areas of personnel, physical, telecommunications and information systems security, and emergency preparedness, except that delegations of authority from the Assistant Secretary (Management) with respect to Office of Security programs will remain in effect. Existing Treasury directives in the Departmental directives system will stay in effect until a corresponding security manual chapter is issued and notice is given that a specific directive is canceled.

5. DEFINITION. The term "bureau" for purposes of this directive includes all bureaus, DO, the OIG and the TIGTA.

6. APPLICABILITY. The Security Manual is binding on all Treasury bureaus. It sets forth the minimum standards or requirements for the security functions of each bureau. The policies and procedures contained in the manual do not preclude a bureau from applying more stringent internal requirements where necessary to accomplish its mission, so long as additional standards or procedures adopted are consistent with those in the Security Manual.

7. RESPONSIBILITIES.

a. The Deputy Assistant Secretary (Administration), Heads of Bureaus, the Inspector General, and the Treasury Inspector General for Tax Administration, as it relates to their respective bureaus and offices, shall:

(1) carry out the policies and procedures set forth in the Security Manual; and

(2) submit the following new or revised bureau issuances to the Deputy Assistant Secretary for Information Systems/CIO or the Director, Office of Security, for review and approval PRIOR to publication:

(a) bureau security directives, regulations, handbooks or publications which implement or supplement the Security Manual;

(b) personnel security forms or questionnaires concerning applicants, employees or contractor personnel, except those published by the Office of Security, OPM, or for the industrial security program, DOD;

(c) forms which authorize the release of information or the release of financial information for use in personnel security matters, other than forms published by the Director, Office of Security or OPM; and

(d) any other forms which pertain to personnel, physical, telecommunications, information systems security or emergency preparedness.

No issuance listed above shall be published, implemented, adopted or used until approved by the Deputy Assistant Secretary for Information Systems/CIO or the Director, Office of Security. Bureau issuances which are currently in use, or which have been approved, need not be submitted to the Deputy Assistant Secretary for Information Systems/CIO or the Director and may continue to be used unless approval is withdrawn. Such existing issuances must be submitted to the Deputy Assistant Secretary for Information Systems/CIO or the Director whenever revised or rewritten.

b. The Director, Office of Security, shall:

(1) publish security policy and procedures in Chapters I-V, VII-VIII of the Security Manual TD P 71-10 and formally coordinate the Security Manual with the bureaus, for review and comment prior to issuance; and

(2) review and approve bureau issuances which implement and supplement Chapters I-V, VII-VIII of the Security Manual.

c. The Deputy Assistant Secretary for Information Systems/CIO shall:

(1) publish security policy, standards and procedures in Chapter VI of the Security Manual, "Systems Security," and formally coordinate the Security Manual with the bureaus for review and comment prior to issuance; and

(2) review and approve bureau issuances which implement and supplement Chapter VI of the Security Manual.

d. The Bureau Chief Information Officers shall designate a point of contact to coordinate all policy issues related to information systems security (including computer security, telecommunications security, operational security (threats/vulnerability assessments), emissions security (TEMPEST), certificate management, electronic authentication, disaster recovery and continuity of operations for systems, and critical infrastructure protection related to cyber threats).

8. SUPPLY OF MANUAL. The Security Manual and its amendments may be obtained from either the Office of the Deputy Assistant Secretary for Information Systems/CIO or the Office of Security.

9. AUTHORITIES.

a. TD 12-32, "Delegation of Authority Concerning Personnel Security."

b. TD 71-08, "Delegation of Authority for Physical Security Programs."

c. Public Law 100-235, "The Computer Security Act of 1987."

10. CANCELLATION. Treasury Directive 71-10, "Department of the Treasury Security Manual," dated January 16, 1992, is superseded.

11. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Information Systems/CIO and the Office of Security, Office of the Assistant Secretary (Management Operations).

 

/S/
Nancy Killefer
Assistant Secretary for Management
and Chief Financial Officer