1
Q
Risk management is a five-step process that provides a framework for collecting and evaluating information to:
A
- Assess assets (identify value of asset and degree of impact if asset is damaged or lost)
- Assess threats (type and degree of threat)
- Assess vulnerabilities (identification and extent of vulnerabilities)
- Assess risks (calculation of risks)
- Determine countermeasures (security countermeasure options that can reduce or mitigate risks cost effectively
2
Q
Assets can be assigned to one of five categories:
A
- People
- Information
- Equipment
- Facilities
- Activities & Operations
3
Q
T or F: The first step in the risk management process is to identify and assess your organization’s assets.
A
True
4
Q
T or F: An asset is anything of value or importance to the organization or an adversary, such as people, computers, buildings or strategic advantages.
A
True
5
Q
_____ is comprised of communications and the electronic and telemetry collection of information in the non-visible portion of the electromagnetic spectrum.
A
SIGINT (Signals Intelligence)
6
Q
_____ is intelligence derived from people through interviews, elicitation, or reports originating from people.
A
HUMINT (Human Intelligence)
7
Q
HUMINT insider – information collection techniques:
A
• Attempting to obtain information without need to know
• Making unusual use of or requests for classified publications
• Attempting to access classified databases
• Removing information without approval
• Placing classified material in a desk or briefcase
• Copying classified material in other offices
• Borrowing or making notes of classified material
• Bringing cameras or recording devices into cleared facilities
• Obtaining or attempting to obtain witness signatures on classified
destruction records
• Stockpiling classified or proprietary documents outside cleared area
8
Q
HUMINIT insider indicators - personnel who:
A
• Are disgruntled with management
• Are disgruntled with the U.S. Government
• Are fascinated with and have a strong desire to engage in spy
work
• Suddenly purchase high value items
• Suddenly settle large outstanding debts
• Travel to foreign countries repeatedly
• Make short trips overseas
• Have contact with foreign officials and representatives
• Attempt to conceal contacts with foreigners
• Have relatives or friends residing abroad
• Avoid or decline assignments requiring a counterintelligence-
oriented polygraph
• Work an unusual amount of overtime
• Sudden decline in work quality
9
Q
_____ involves using various sources, such as satellites, photos, infrared, imaging radar, and electro-optical for collecting image data.
A
IMINT (Imagery Intelligence)
10
Q
_____ It excludes signals intelligence and traditional imagery intelligence. When collected, processed, and analyzed, MASINT locates, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources. It includes the advanced data processing and exploitation of data from overhead and airborne imagery collection systems. MASINT data can be acquired from a variety of satellite, airborne, or ship borne platforms; remotely piloted vehicles; or from mobile or fixed ground-based collection sites.
A
MASINT (Measurement and Signatures Intelligence)
11
Q
_____ includes resources such as newspapers, internet, magazines, international conventions, Freedom of Information Act (FOIA) requests, seminars, and exhibits (e.g., CNN.com, The New York Times, Aviation Week, and Space & Technology).
A
OSINT (Open Source Intelligence)
12
Q
The Threat Level Decision Matrix requires assigning a level of critical (C), high (H), medium (M), or low (L) for each asset’s threat/adversary(s).
A
For example:
“yes + yes + yes” = critical
“no + no + no” = low
13
Q
Human Vulnerability Areas
Human vulnerability areas include persons who exhibit the following traits/issues:
A
• A big ego: Persons with a big ego may mishandle or improperly protect critical assets.
• Anger management problems: Persons with anger management problems may damage or destroy critical assets out of anger.
• Are ignorant of technology: Persons who are ignorant of technology fail to learn how to properly operate computers, secure telephones, etc. This may place sensitive
information at risk.
• Behavioral issues: Behavioral issues apply to disgruntled personnel, persons with personality disorders, etc. These persons may represent either a direct or indirect threat to assets.
• Boredom: Persons suffering from boredom may become careless.
• Greedy: Persons who are greedy may compromise or steal critical assets for personal gain.
• Loose lips: Persons with loose lips may compromise sensitive information.
• Mental illness: Persons with mental illness may represent a threat to critical assets or place critical assets in jeopardy either knowingly or unknowingly.
• Overworked: Persons who are overworked may become careless.
• Practice poor security: Persons practicing poor security fail to comply with security requirements and may place critical assets in jeopardy.
• Seek revenge: Persons who seek revenge may attack critical assets to get even for a perceived wrong.
• Substance abusers: Persons who are substance abusers may pose a threat to critical assets by selling them for cash or being careless while under the influence.
14
Q
Operational Vulnerability Areas
Operational vulnerability areas include the following:
A
- Poor tradecraft practices that potentially place critical assets at risk. For example, failure to develop and operate a property control system places critical assets at risk
- Observables are practices, activities, or assets that can be surveilled. The information gained could be utilized to threaten critical assets. An example is an activity that uses roving security guard patrols at exact intervals. An adversary may be able to observe this fact and estimate a timeframe within which to infiltrate a facility.
- Other Operations Security (OPSEC) issues – OPSEC is an analytical process used to deny an adversary information, generally unclassified, concerning an organization’s intentions and capabilities by identifying, controlling, and protecting indicators associated with planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.
- Press exposure of sensitive information represents a potential vulnerability. For example, an activity with poor entry control procedures may be susceptible to loss/theft of property and may have implanted listening devices.
15
Q
Information Vulnerability Areas
Information vulnerability areas include the following:
A
- Information unnecessarily disseminated to a wide audience – the wider the dissemination the more difficult it is to protect.
- Failure to practice need-to-know - “Need-to-know” refers to the determination by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform an authorized governmental function.
- Poor program administration includes failure to properly safeguard sensitive information, improperly classifying information and failure to mark classified information.
- Failure to follow Freedom of Information Act (FOIA) requirements - Adversaries routinely request information through FOIA. Failure to properly evaluate information that has been requested for public release may pose a threat to critical assets
16
Q
Facility Vulnerability Areas
Facility vulnerability areas leave assets in jeopardy. These are some potential issues:
A
• Location – Areas designated as high crime areas or with a significant potential for natural disasters could be a concern.
• Poor perimeter fencing with holes, gaps, vegetation overgrowth, etc.
• Building design characteristics with floor plans that inhibit access control
measures, ground floor windows along a heavy pedestrian route, etc.
• Tunnels and drains that permit an avenue of approach by an adversary
• Unsecured doors that allow adversary access.
• Parking lots provide adversaries with a venue for observing a facility, perpetrating a crime, detonating mobile explosive devices, etc.
• Vehicle barriers – They must be reinforced and security personnel must be trained to be effective.
• Untrained guard forces may be ineffective in observing, preventing, or responding to an adversary attack. Guard forces must understand their duties and be trained to carry them out.
• Unsecured windows provide adversaries with a potential avenue of approach.
• Insufficient access control allows adversaries a potential means of entry either detected or undetected.
• Gates must be properly operated when in use, locked when not in use, and regularly evaluated to ensure they do not provide adversaries with a potential avenue of approach.
17
Q
Equipment Vulnerability Areas
Equipment vulnerability areas include the following:
A
- Signal interceptions that can occur when using devices like cell phones, wireless networked computers, and personal digital assistants (PDAs).
- TEMPEST emanations - TEMPEST is the short name referring to the investigation, study, and control of compromising emanations from telecommunications and information systems equipment. Computer equipment, typewriters, etc. emanate electronic signals that can be collected by an adversary. They can then interpret the signals and obtain the information that was being processed on the electronic equipment.
- Equipment tampering in which equipment is modified to permit collection of information by an adversary. For example, modifications to a reproduction machine might enable image storage of everything copied.
- Remote activation/operation that allows modifications or programming permitting an adversary to remotely activate and/or operate equipment.
18
Q
Additional sources that can assist with gathering vulnerability information include the following:
A
- Personnel who work at the “site”
- Existing site surveys
- Engineering drawings and blueprints
- Maps
- Security planning documents
- Surveys and audits
- Incident reports
19
Q
Regressive analysis is a five-step process:
A
- Assess the asset’s vulnerabilities in a pure, unprotected state.
- Reevaluate the asset’s vulnerabilities taking into consideration the efficacy of the existing countermeasures.
- Identify the asset’s vulnerability differences between the unprotected and protected assessments.
- Identify the ineffective countermeasures.
- Identify and characterize the specific vulnerabilities that still exist, given the
current countermeasures.
20
Q
T or F: The overall risk level varies with relation to the values of each item. The larger the risk area shared by assets, threats, and vulnerabilities, the higher the risk level.
A
True
21
Q
The three risk factors are incorporated into a formula to determine and assign a more precise risk rating:
A
Risk = Impact x (Threat x Vulnerability) or (R = I [T x V])
22
Q
Countermeasure Cost Determination:
The costs of implementing countermeasures must be considered relative to the following:
A
• Dollars - Consider the purchase price and the life-cycle maintenance costs (e.g.
installation, preventive maintenance, repair/warranty, replacement, and training).
• Inconvenience - Consider whether the inconvenience caused is offset by the
measure of risk reduction gained. If a countermeasure is inconvenient, people will
find a way to circumvent it.
• Time - Include the time to implement and oversee the countermeasure and the time
to prepare for its implementation, as well as any time required for follow-up and
evaluation.
• Personnel - Consider the number of personnel needed to manage the
countermeasure as well as the skills, knowledge, and abilities of the personnel
involved. Also consider personnel training needs and costs.
• Other - Consider the adverse publicity, political repercussions, reduced operational
efficiency, and unfavorable working conditions resulting from countermeasure implementation.
23
Q
Information Security Program, Volume 3, Enclosure 5: Security Education and Training
A
- Initial Orientation
- Special Requirements
- Continuing Security Education/Refresher Training
- Termination Briefings
- Program Oversight
24
Q
Personnel Security Program, Section 9.2: Security Education
A
- Initial Briefings
- Refresher Briefing
- Foreign Travel Briefing
- Termination Briefing
25
NISPOM, Chapter 3: Security Training and Briefings
* FSO Training
* Initial Security Briefings
* Refresher Training
* Debriefings
26
DD Form 441
Contractual agreement establishing industry's security responsibility
27
NISPOM
The manual that includes the security education requirements for industry
28
SF-312
The form all personnel must sign to access classified information
29
DOD 5200.2-R
Regulation mandating training prior to access to classified information
30
E.O. 12968
The overarching policy that mandates security education
31
DoDM 5200.01
Regulation mandating security education for DoD employees
32
______ is the uninterrupted assessment of an individual for retention of a security clearance and involves reinvestigation at given intervals. To maintain eligibility, employees must recognize and avoid behaviors that might jeopardize their security clearance. Employees, coworkers, supervisors, and managers all play an important role in the continuous evaluation program and all must receive training on their responsibilities.
Continuous evaluation
33
Initial Briefing
- Varies by role and whether DoD or industry - Includes basic security roles and responsibilities
- Includes overview of classification system
- Discusses penalties for unauthorized disclosure
34
Continuing Education
- Required for all cleared DoD personnel
- Supplement formal briefings
- Informational and promotional efforts
- Job performance aids
35
Refresher Training
- Performed at least annually
- Reinforce contents of initial briefing, including:
o Policies, principles, and procedures
o Penalties for engaging in espionage
- Address new threats and techniques and changes in security regulations
- Address issues or concerns identified during self-inspections
36
Termination Briefing
- Debrief employees when:
o Employee terminates employment or is discharged
o Employee’s access is terminated, suspended, or revoked
- Include:
o Continued responsibility to protect classified information
o Requirement to report unauthorized attempts to gain access
o Prohibition against retaining materials
o Civil and criminal penalties for violations
37
T or F: A new SF-312 must be executed and recorded in JPAS each time an individual needs access to classified information.
False
If the individual already has an SF-312 recorded in JPAS, then it does not need to be executed again.
38
T or F: Job-specific security procedures are usually included as part of an initial security briefing.
True
39
T or F: Information on current security threats must be included as part of security training.
True
40
T or F: Termination briefings should communicate the continued requirement for individuals to protect classified information, even after resigning or being discharged.
True
41
T or F: Refresher training is required only for individuals who have violated security procedures.
False
Refresher training is required for ALL cleared personnel.
42
Declassification authorities other than original classifiers must receive training addressing the standards, methods, and procedures for declassifying information as mandated by what executive orders and policies?
Executive Order 13526 and the DoDM 5200.01.
43
T or F: Declassification authorities are always U.S. Government employees or military members who have specifically been given this responsibility.
True
44
Derivative classifiers, security managers and specialists, classification management officers, and others with responsibilities relating to the oversight of classified information, must receive training and education on the following topics:
the processes for classifying information originally and derivatively, and the standards applicable to each, the avoidance of over classification, proper and complete classification markings, and the authorities, methods and process for downgrading and declassifying information.
45
A designated, cleared employee, whose principal duty is to transmit classified material to its destination. The classified material remains in the personal possession of the courier except for authorized overnight storage.
Courier
46
A designated, cleared employee, who occasionally hand carries classified material to its destination in connection with a classified visit or meeting. The classified material remains in the personal possession of the handcarrier except for authorized overnight storage.
Handcarrier
47
A designated, cleared person, who accompanies a shipment of classified material to its destination. The classified material does not remain in the personal possession of the escort but the conveyance in which the material is transported remains under the constant observation and control of the escort.
Escort
48
_____ is TOP SECRET RESTRICTED DATA or SECRET RESTRICTED DATA that reveals the theory of operation or design of the components of a thermonuclear or implosion-type fission bomb, warhead, demolition, munitions, or test device.
Critical Nuclear Weapons Design Information, CNWDI
49
In addition to TOP SECRET, SECRET, and CONFIDENTIAL, many foreign governments have a fourth classification level, known as ____________, for which there is no U.S. equivalent.
RESTRICTED
50
_____ is classified information derived from intelligence sources and requiring special handling.
Sensitive Compartmented Information (SCI)
51
_____ are additional security measures which may be used to ensure strict need-to-know protection when standard security measures are insufficient.
Alternative Compensatory Control Measures (ACCM)
52
_____ is a process of identifying critical information and analyzing friendly actions attendant to military operations and other activities.
Operations Security (OPSEC)
53
_____ are provided to personnel who will be traveling, either officially or unofficially, to foreign countries, professional meetings or conferences where foreign attendance is likely, and any other locations where there are concerns about possible foreign intelligence exploitation. This briefing is usually required for all personnel with SCI or SAP access.
Foreign Travel Briefing
54
These individuals must be receiving training on international security and foreign disclosure guidelines by taking either the International Security Requirements course offered by USD(P)
Internation Programs
55
Facility Security Officers / Roles and Responsibilities
• As deemed appropriate by CSA
• Based on facility’s involvement
• FSO Orientation for non-possessing facilities or FSO Program
Management course for possessing facilities
• Received within 1 year of appointment
56
ISSM / Roles and Responsibilities
- Training to level commensurate with IS complexity
- Responsibility for providing IS security education for relevant personnel,
prior to processing classified information on AIS
57
Couriers / Roles and Responsibilities
• Who is authorized to handcarry/escort classified information
• Procedures for handling classified information while in transit
• Modes of transportation that may be used
• Where classified information may be carried
• Points of contact in case of an emergency while performing courier
responsibilities
58
Personnel must participate in annual Cybersecurity awareness training:
* Threat identification
* Physical security
* Malicious content and logic
* Social engineering and other non-standard threats
59
Antiterrorism
• Defensive measures used to reduce vulnerability to terrorist acts
• Actions taken to prevent or mitigate hostile actions against DoD
personnel, resources, facilities, and critical information
• AT Briefing Levels
1. Antiterrorism awareness
2. Antiterrorism officers (ATOs)
3. Pre-command antiterrorism training
4. Executive seminar
60
Visits and Meetings
* Badges and escorts
* Physical security procedures
* Access areas
* Use of PEDs
* Verifying PCL
* Handling classified material
* Transmitting and/or transporting classified information
* Reporting requirements for security violations
61
Must receive security education and training that addresses the process for deciding whether information should be classified and the standards information must meet in order to be classified.
Original Classification Authorities
62
Must receive training on the procedures for handling classified information while in transit.
Couriers
63
Are responsible for providing security education for relevant personnel prior to processing classified information on AIS.
Information System Security Managers
64
T or F: A proactive program anticipates problems before they occur. On the other hand, a reactive program simply responds to problems after they occur, which in many cases is too late to prevent serious damage to national security.
True
65
When creating a training and education program of any kind, it is beneficial to practice sound instructional design. Instructional design is a systematic approach to designing and developing training courses and programs. The most basic and universally used of these models is known as the ______ model. This model is a five-step process that involves:
ADDIE model
* Analysis:
* Design:
* Development:
* Implementation:
* Evaluation:
66
The ADDIE model is a five-step process that involves:
* Analysis: The determination of the program's needs and overall purpose
* Design: The selection of the most appropriate instructional methods
* Development: The creation of the actual training materials
* Implementation: The delivery of the training
* Evaluation: The assessment of the training’s effectiveness
67
When your organization signed the DD Form ____ , it became a contractual responsibility to establish an effective security program and the responsibility to protect classified information fell on your shoulders as a Facility Security Officer.
DD Form 441
68
Newsletters
* Get input from employees
* Gather content and success stories
* Provide rewards for participating
* Use graphics
69
T or F: Only security experts should be involved in developing security education programs.
False
70
T or F: Security education programs should be proactive rather than reactive.
True
71
T or F: Creative and fun components of security education programs can motivate employees to participate.
True
72
T or F: Security education programs should be considered an expense rather than an investment.
False
73
T or F: Senior management should be involved in solving problems faced in development of a security education program.
True
74
(Match each ADDIE phase on the left with the statement that best describes it on the right) - Create security awareness posters, hire a company to build an eLearning course, and prepare PowerPoint slides for your next initial security briefing.
Development
ADDIE Model
75
(Match each ADDIE phase on the left with the statement that best describes it on the right) - Perform program oversight, assessing the effectiveness of the security education program, reporting any issues found and revising the training materials accordingly.
Evaluation
ADDIE Model
76
(Match each ADDIE phase on the left with the statement that best describes it on the right) - Write learning objectives for your next component of your security education program and decide that a series of round-table discussions is the most appropriate delivery method.
Design
ADDIE Model
77
(Match each ADDIE phase on the left with the statement that best describes it on the right) - Distribute an e-newsletter with the latest threat information.
Implementation
ADDIE Model
78
(Match each ADDIE phase on the left with the statement that best describes it on the right) - Establish overall program goals and identify target audience.
Analysis
ADDIE Model
79
_____ is the process of selecting and implementing security countermeasures to achieve an acceptable level of risk at an acceptable cost.
Risk Management
80
What is the difference between Risk Avoidance and Risk Management?
Risk Avoidance assumes all opponents are aggressive threats, counters ALL vulnerabilities, and plans for worst-case scenarios.
Risk Management on the other hand is a process that integrates the assessment of assets, threats and vulnerabilities and weighs the calculated risk against the projected cost of security.
81
The Risk Management Model incorporates a five-step process that will:
* Identify the critical assets that require protection
* Identify undesirable events and expected impacts
* Value and prioritize assets based on the consequence of loss
* Assess the risks and
* Determine countermeasures
82
Assets fall into 5 categories:
* People
* Information
* Equipment
* Facilities and
* Activities and Operations
83
_____ indicates that compromise to the assets targeted would have grave consequences leading to loss of life, serious injury, or mission failure. The rating scale is from 50-100.
Critical
84
A _____ value indicates that a compromise to assets would have serious consequences resulting in the loss of classified or highly sensitive data that could impair operations affecting national interests for a limited period of time. The rating scale is from 13-50.
High
85
An asset value of _____ indicates that a compromise to the assets would have moderate consequences resulting in the loss of confidential, sensitive data or costly equipment/property that would impair operations affecting national interests for a limited period of time. The rating scale is from 3-13.
Medium
86
A _____ value indicates that there is little or no impact on human life or the continuation of operations affecting national security or national interests. The rating scale is from 1-3.
Low
87
Threats are rated using the same four criteria of Critical, High, Medium and
Low.
The rating scale is set at 75-100%.
Critical
88
Threats are rated using the same four criteria of Critical, High, Medium and
Low.
The rating scale is 50-74%.
High
89
Threats are rated using the same four criteria of Critical, High, Medium and
Low.
The rating scale is set from 25-49%.
Medium
90
Threats are rated using the same four criteria of Critical, High, Medium and
Low.
The rating scale is set at 0-24%.
Low
91
Information which is originated by or for the DoD, or its Agencies, or is under their jurisdiction or control, and which requires protection in the interests of national security.
Classified military information (CMI)
92
CMI is designated TOP SECRET, SECRET, and CONFIDENTIAL as described in Executive Order (EO) ________ .
Executive Order (EO) 13526
93
T or F: CMI may be found in DoD acquisition programs, intelligence programs, or in military operations.
True
94
There are eight categories of CMI.
The categories of information can occur in various situations depending on the circumstance.
- CMI categories 2, 3, and 4 typically apply to DoD acquisitions programs.
- CMI Categories 1, 5, 6, and 7 typically apply to DoD operations programs.
- CMI Category 8 typically supports Operations and applies to DoD intelligence.
95
Categories of CMI
Category 1 – Organization, Training, and Employment of Military Forces
Category 2 – Military Materiel and Munitions
Category 3 – Applied Research and Development Information and Materiel
Category 4 – Production Information
Category 5 – Combined Military Operations, Planning, and Readiness
Category 6 - U.S. Order of Battle
Category 7 – North American Defense
Category 8 – Military Intelligence
96
A Principal Disclosure Authority (PDA) is a
is a senior military or government official, appointed in writing, by the head of an OSD organizational element or a DoD Component, as the senior foreign disclosure authority for that OSD organizational element or Component, and who is responsible for the establishment of an effective Foreign Disclosure Program.
97
A Designated Disclosure Authority (DDA) is a
is a military or civilian government official who is appointed, in writing, by the head of an OSD organizational element or a DoD Component, or by their PDA, and delegated authority to control disclosure of CMI to foreign governments and international organizations for that element or Component. The DDA is an official of such grade and position that the person has access to the appointing PDA, or Head of the OSD Organizational element or DOD Component.
98
_______ is the key criteria from which all other foreign disclosure criteria are then considered. It lists the delegated authority levels for specific countries to receive CMI.
NDP-1’s Annex A
99
Who are the only DoD officials who have original authority to grant exceptions to the policy contained in DoDD 5230.11 for CMI Categories 1-8
The Secretary of Defense and the Deputy Secretary of Defense
Note: The Secretary of Defense has delegated authority to the NDPC to consider and grant requests for exceptions to policy in compliance with DoDD 5230.11
100
A written confirmation, by a responsible foreign government official, that the recipient of the information is approved by the government for access to information of the security classification involved on behalf of the government, and possesses the requisite security clearance and need-to-know for the classified information to be disclosed.
Security Assurance
Note: The Security Assurance certifies that the recipient government will protect the information in accordance with the international agreement between the United States and the foreign government.
101
_____ is the program established to process visits and assignments of foreign nationals to the DoD Components, and cleared contractor facilities. The program ensures classified information to be disclosed to visitors has been properly authorized for disclosure to their governments.
The International Visits Program (IVP)
Note: It ensures the requesting foreign government provides a Security Assurance when classified information is involved, and it facilitates administrative arrangements – such as date, time, and place - for the visit or assignment.
102
Government disclosure methods also include sales, leases, loans, and grants of defense articles and services. These are known as _____
These are known as Foreign Military Sales (FMS). Prior to the sale, lease, loan, or grant of defense articles and services, the appropriate DDA must provide disclosure authorization and prescribe transfer arrangements.
103
Programs that comprise one or more specific cooperative projects with a foreign government or international organization whose arrangements are defined in a written agreement between the parties covering research, development, test, and evaluation; and joint production.
Cooperative Programs
104
What governs the export of defense articles and services and related technical data?
Arms Export Control Act (AECA)
105
Form _____ is used for the export or temporary import of classified defense articles and services and any classified technical data.
Department of State form DSP-85
106
_______ is a government-to-government agreement negotiated through diplomatic channels. It states that each party to the agreement will afford to classified information provided by the other, substantially the same degree of security protection afforded to the information by the providing party.
The General Security Agreement, or GSA, also called a General Security of Information Agreement, or GSOIA
Note: The GSA or GSOIA also provides that both parties agree to report any compromise, or possible compromise, of classified information provided by the other party and states that both parties will permit visits by security experts of the other party for the purpose of conducting reciprocal security surveys.
107
______ is a subset of the agreements previously mentioned and is narrowly focused on CMI produced by or for DoD.
A General Security of Military Information Agreement (GSOMIA)
108
_____ reporting expedites the disclosure authorization process by providing a comprehensive historical record of foreign disclosure decisions, including visits, exceptions to National Disclosure Policy, NDPC Records of Action, and licensing decisions.
Security Policy Automation Network (SPAN)
Note: SPAN comprises several component systems, two of which are depicted here
109
SPAN comprises several component systems, two of which are depicted here.
The Foreign Visit System (FVS)
The National Disclosure Policy System (NDPS)
110
T or F: NOFORN is used only for intelligence information and to indicate that such disclosure is prohibited. Only the originator may authorize its disclosure.
True
Note: The control marking NOT RELEASABLE TO FOREIGN NATIONALS (NOFORN) is authorized for use only on intelligence and intelligence-related information.
111
When an authorized disclosure authority determines CMI is eligible for foreign disclosure, that authorization is indicated with what control marking?
REL TO
112
Note: Within the DoD, the use of NOFORN outside of intelligence information is limited only to Naval Nuclear Propulsion Information and the NDP-1 and documents marked in accordance with the NDP-1 Security Classification Guide. No other types of DoD information are authorized to use the NOFORN marking.
Note only
113
NOT RELEASABLE TO FOREIGN NATIONALS (NOFORN)
```
• Is authorized for use ONLY on intelligence and intelligence-related information and products under the purview of the DNI, in accordance with DNI policy
• Is not authorized for use within DoD on non-intelligence information with the exception of:
o Naval Nuclear Propulsion Information (NNPI)
o TheNationalDisclosurePolicy(NDP-1)and documents marked in accordance with the NDP-1 Security Classification Guide
```
114
Authorized Distribution Statements
DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.
DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government Agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).
DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government Agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).
DISTRIBUTION STATEMENT D. Distribution authorized to the DoD and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).
DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).
DISTRIBUTION STATEMENT F. Further dissemination only as directed by (inserting controlling DoD office) (date of determination) or higher DoD authority.
115
Export Control Warning
All technical documents that are determined to contain export-controlled technical data must also be marked with this export-control statement.
116
Sanitization
As you learned earlier, when a foreign disclosure is made, the disclosure is limited to the information necessary to meet the disclosure’s purpose. As such, foreign disclosure often requires documents to be sanitized. Text, charts, graphs, and entire sections may need to be removed before a document is provided to a foreign government.
117
Before CMI may be disclosed to a foreign government, that government must demonstrate intent and capability to safeguard the information. All international transfers must take place through government-to-government channels or channels agreed upon by the governments involved with the transfer.
Transmission and Transportation
118
Through the Foreign Military Sales process, the U.S. sells some fighter aircraft, along with their associated classified components and technical data, to a friendly foreign nation. What Category of CMI is the equipment and data?
Category 2: Military Materiel and Munitions
119
In support of a coalition operation, a coalition partner asks the U.S. for classified order of battle information about the forces of another coalition partner. What Category of CMI is this information?
Category 5: Combined Military Operations, Planning, and Readiness
120
The U.S. discloses classified radar track data on unidentified flying objects entering U.S. airspace. What Category of CMI is this data?
Category 7: North American Defense
121
To support the training of a foreign special operations unit, the U.S. provides a classified tactics manual used to train U.S. military forces. What Category of CMI is the manual?
Category 1: Organization, Training, and Employment of Military Forces
122
The foreign ally involved in the joint research project on new radar search techniques now enters into co-production program with the U.S. to build a new radar system, and requests copies of the classified U.S. design blueprints for the new system. What Category of CMI is this data?
Category 4: Production Information
NOTE: The data owner would have to request an Exception to NDP-1, approved by the NDPC, to disclose this information because there is no delegated disclosure authority for Category 4 CMI for any nation.
123
Due to a regime change, the once-friendly nation that received U.S.-built fighter aircraft under a Foreign Military Sales case has become hostile to U.S. interests, and the U.S. now needs to disclose classified information on the current capabilities of those fighter aircraft to our allies. What Category of CMI is this information?
Category 8: Military Intelligence
NOTE: Even though the U.S. originally built the aircraft, once they enter the inventory of the foreign nation, any classified information about their capabilities becomes Category 8 CMI.
124
U.S. military aircraft are stationed in the allied country of Bandaria. The U.S. provides Bandaria with classified information on the numbers and types of aircraft deployed at various airbases in Bandaria. What Category of CMI is this information?
Category 6: U.S. Order of Battle
125
A foreign ally involved in a joint research project on new radar search
techniques requests classified U.S. data. What Category of CMI is this data?
Category 3: Applied Research and Development Information and Materiel
126
Requires appointment, in writing, of disclosure authorities and recording of disclosure determinations.
DoDD 5230.11
Note: DoDD 5230.11 requires appointment, in writing, of disclosure authorities and recording of disclosure determinations.
127
Contains the procedures for disclosure of U.S. classified military information to foreign governments and international organizations
NDP-1
National Disclosure Policy (NDP-1) contains the procedures for disclosure of U.S. classified military information to foreign governments and international organizations.
128
Governs the export of defense articles and services and related technical data and is the legal basis for most international activities
AECA
The Arms Export Control Act (AECA) governs the export of defense articles and services and related technical data and is the legal basis for most international activities.
129
T or F: International agreements must be in writing.
False
In addition to written agreements, any oral agreement that meets the criteria is also an international agreement.
130
T or F: Approval authority over international agreements may be delegated.
True
Approval authority over international agreements may be delegated.
131
T or F: International agreements involving classified military information must be consistent with NDP-1.
True
International agreements involving classified military information must be
consistent with NDP-1.
132
T or F: An international agreement is always required before sharing any U.S. CMI.
False
Delegated disclosure authority is required, but not necessarily an international agreement.
133
T or F: Foreign disclosure determinations should consider foreign availability.
True
Foreign availability may decrease the implications of providing U.S. systems.
134
T or F: Foreign disclosure must support a lawful and authorized U.S. Government purpose.
True
Foreign disclosure must support a lawful and authorized U.S. Government purpose.
135
T or F: Foreign disclosure of classified military information is made by the originator or controlling agency.
True
Foreign disclosure of classified military information is made by the originator or controlling agency.
136
T or F: Classified military information must be marked with both the proper classification markings and control markings prior to disclosure.
True
CMI must be marked with both the proper classification markings and control markings prior to disclosure.
137
T or F: Distribution statements include a listing of the document portions that were extracted during sanitization.
False
Distribution statements contain the authorized audience, reason for restriction, DoD Controlling Office (DCO), and date of publication.
138
T or F: Foreign transfer of classified military information must occur within government-to-government channels or channels agreed upon by the governments involved with the transfer.
True
Foreign transfer of classified military information must occur within government- to-government channels or channels agreed upon by the governments involved with the transfer.
139
T or F: When a document is authorized for foreign disclosure, it must be disclosed in its entirety.
False
Foreign disclosure is limited to the information necessary to the meet the disclosure’s purpose. In many cases, this requires portions of the document to be redacted or sanitized.
140
Senior Foreign Disclosure and Release Authority (SFDRA):
The senior civilian or military official(s) within an IC element designated in writing by an IC element head as responsible for that element's disclosure and release program and other U.S. Government officials as may be designated by the DNI.
141
Foreign Disclosure and Release Officer (FDRO):
IC element personnel to whom a SFDRA has delegated in writing the authority to approve or deny requests for authorization to disclose and release intelligence under that SFDRA's jurisdiction or as authorized by the disclosure or release markings on the intelligence information.
142
RELIDO
The control marking RELEASABLE BY INFORMATION DISCLOSURE OFFICIAL (RELIDO) is only used in conjunction with intelligence. By using this control marking, the originator indicates that he/she authorizes designated disclosure authorities in other Departments or Agencies to make further release determinations in accordance with existing foreign disclosure policies, guidance, and procedures.
SFPC
flashcards
Decks in class (5)
# Cards
