[Federal Register Volume 64, Number 185 (Friday, September 24, 1999)]
[Rules and Regulations]
[Pages 51854-51858]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-24813]
[[Page 51853]]
_______________________________________________________________________
Part III
National Archives and Records Administration
_______________________________________________________________________
Information Security Oversight Office
_______________________________________________________________________
32 CFR Part 2004
Safeguarding Classified National Security Information; Final Rule
��Federal Register / Vol. 64, No. 185 / Friday, September 24, 1999 /
Rules and Regulations��
[[Page 51854]]
NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
Information Security Oversight Office
32 CFR Part 2004
RIN 3095-AA95
Safeguarding Classified National Security Information
AGENCY: Information Security Oversight Office (ISOO), National Archives
and Records Administration (NARA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule promulgates a new Directive on Safeguarding
Classified National Security Information, which applies to Federal
agencies. It implements provisions of Executive Order 12958, Classified
National Security Information, that pertain to the handling, storage,
distribution, transmittal, destruction of, and accounting for
classified information.
EFFECTIVE DATE: October 25, 1999.
FOR FURTHER INFORMATION CONTACT: Dan L. Jacobson, Staff Director,
United States Security Policy Board, telephone 703-602-1030; or Steven
Garfinkel, Director, ISOO, telephone 202-219-5250.
SUPPLEMENTARY INFORMATION: In accordance with section 5(c) of Executive
Order 12958, ``Classified National Security Information,'' the
President has approved the Directive for safeguarding classified
information contained in this final rule. On behalf of the United
States Security Policy Board, which prepared the Directive, and at the
direction of the Executive Office of the President, NARA/ISOO is
publishing this Directive as Part 2004 of Title 32, Code of Federal
Regulations. This Directive complements and supplements the ISOO
regulations in 32 CFR Chapter XX, which also implement particular
provisions of E.O. 12958. Most specifically, this Directive should be
read in conjunction with the Directive contained in 32 CFR part 2001
and with E.O. 12958.
This rule is being issued as a final rule without prior notice of
proposed rulemaking as allowed by the Administrative Procedure Act, 5
U.S.C. 553(b)(3)(A) for rules of agency procedure. This rule is not a
significant regulatory action for the purposes of Executive Order
12866. This rule is not a major rule as defined in 5 U.S.C. Chapter 8,
Congressional Review of Agency Rulemaking. As required by the
Regulatory Flexibility Act, we certify that this rule will not have a
significant impact on a substantial number of small entities because it
applies only to Federal agencies.
List of Subjects in 32 CFR Part 2004
Archives and records, Authority delegations (Government agencies),
Classified information, Executive orders, Freedom of information,
Information, Intelligence, National defense, National security
information, Presidential document, Security information, Security
measures.
For the reasons set forth in the preamble, NARA adds new part 2004
to Chapter XX of title 32, Code of Federal Regulations, as follows:
PART 2004--DIRECTIVE ON SAFEGUARDING CLASSIFIED NATIONAL SECURITY
INFORMATION:
Sec.
2004.1 Authority.
2004.2 General.
2004.3 Definitions.
2004.4 Responsibilities of holders.
2004.5 Standards for security equipment.
2004.6 Storage.
2004.7 Information controls.
2004.8 Transmission.
2004.9 Destruction.
2004.10 Loss, possible compromise or unauthorized disclosure.
2004.11 Special access programs.
2004.12 Telecommunications, automated information systems and
network security.
2004.13 Technical security.
2004.14 Emergency authority.
Appendix A to Part 2004--Open Storage Areas.
Appendix B to Part 2004--Foreign Government Information.
Authority: E.O. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 333.
Sec. 2004.1 Authority.
This Directive is issued pursuant to Section 5.2 (c) of Executive
Order (E.O.) 12958, ``Classified National Security Information.'' The
E.O. and this Directive set forth the requirements for the safeguarding
of classified national security information (hereinafter classified
information) and are applicable to all U.S. Government agencies.
Sec. 2004.2 General.
(a) Classified information, regardless of its form, shall be
afforded a level of protection against loss or unauthorized disclosure
commensurate with its level of classification.
(b) Except for NATO and other foreign government information,
agency heads or their designee(s) (hereinafter referred to as agency
heads) may adopt alternative measures, using risk management
principles, to protect against loss or unauthorized disclosure when
necessary to meet operational requirements. When alternative measures
are used for other than temporary, unique situations, the alternative
measures shall be documented and provided to the Director, Information
Security Oversight Office (ISOO), to facilitate that office's oversight
responsibility. Upon request, the description shall be provided to any
other agency with which classified information or secure facilities are
shared. In all cases, the alternative measures shall provide protection
sufficient to reasonably deter and detect loss or unauthorized
disclosure. Risk management factors considered will include
sensitivity, value and crucial nature of the information; analysis of
known and anticipated threats; vulnerability; and countermeasures
benefits versus cost.
(c) NATO classified information shall be safeguarded in compliance
with U.S. Security Authority for NATO Instructions I-69 and I-70. Other
foreign government information shall be safeguarded as described herein
for U.S. information except as required by an existing treaty,
agreement or other obligation (hereinafter, obligation). When the
information is to be safeguarded pursuant to an existing obligation,
the additional requirements at Appendix B may apply to the extent they
were required in the obligation as originally negotiated or are agreed
upon during amendment. Negotiations on new obligations or amendments to
existing obligations shall strive to bring provisions for safeguarding
foreign government information into accord with standards for
safeguarding U.S. information as described in this Directive.
(d) An agency head who originates or handles classified information
shall refer any matter pertaining to the implementation of this
Directive that he or she cannot resolve to the Director, ISOO for
resolution.
Sec. 2004.3 Definitions.
(a) Open storage area. An area, constructed in accordance with
Appendix A and authorized by the agency head for open storage of
classified information.
(b) Authorized person. A person who has a favorable determination
of eligibility for access to classified information, has signed an
approved nondisclosure agreement, and has a need-to-know for the
specific classified information in the performance of official duties.
(c) Cleared commercial carrier. A carrier that is authorized by
law, regulatory body, or regulation, to transport SECRET and
CONFIDENTIAL
[[Page 51855]]
material and has been granted a SECRET facility clearance in accordance
with the National Industrial Security Program.
(d) Security-in-depth. A determination by the agency head that a
facility's security program consists of layered and complementary
security controls sufficient to deter and detect unauthorized entry and
movement within the facility. Examples include, but are not limited to,
use of perimeter fences, employee and visitor access controls, use of
an Intrusion Detection System (IDS), random guard patrols throughout
the facility during non-working hours, closed circuit video monitoring
or other safeguards that mitigate the vulnerability of open storage
areas without alarms and security storage cabinets during non-working
hours.
(e) Vault. An area approved by the agency head which is designed
and constructed of masonry units or steel lined construction to provide
protection against forced entry. A modular vault approved by the
General Services Administration (GSA) may be used in lieu of a vault as
prescribed in the first sentence of this paragraph (e). Vaults shall be
equipped with a GSA-approved vault door and lock.
Sec. 2004.4 Responsibilities of holders.
Authorized persons who have access to classified information are
responsible for:
(a) Protecting it from persons without authorized access to that
information, to include securing it in approved equipment or facilities
whenever it is not under the direct control of an authorized person;
(b) Meeting safeguarding requirements prescribed by the agency
head; and
(c) Ensuring that classified information is not communicated over
unsecured voice or data circuits, in public conveyances or places, or
in any other manner that permits interception by unauthorized persons.
Sec. 2004.5 Standards for security equipment.
The Administrator of General Services shall, in coordination with
agency heads originating classified information, establish and publish
uniform standards, specifications and supply schedules for security
equipment designed to provide secure storage for and destruction of
classified information. Whenever new security equipment is procured, it
shall be in conformance with the standards and specifications
established by the Administratior of General Services, and shall, to
the maximum extent possible, be of the type available through the
Federal Supply System.
Sec. 2004.6 Storage.
(a) General. Classified information shall be stored only under
conditions designed to deter and detect unauthorized access to the
information. Storage at overseas locations shall be at U.S. Government
controlled facilities unless otherwise stipulated in treaties or
international agreements. Overseas storage standards for facilities
under a Chief of Mission are promulgated under the authority of the
Overseas Security Policy Board.
(b) Requirements for physical protection. (1) Top Secret. Top
Secret information shall be stored by one of the following methods:
(i) In a GSA-approved security container with one of the following
supplemental controls:
(A) Continuous protection by cleared guard or duty personnel;
(B) Inspection of the security container every two hours by cleared
guard or duty personnel;
(C) An Intrusion Detection System (IDS) with the personnel
responding to the alarm arriving within 15 minutes of the alarm
annunciation [Acceptability of Intrusion Detection Equipment (IDE): All
IDE must be UL-listed (or equivalent as defined by the agency head) and
approved by the agency head. Government and proprietary installed,
maintained, or furnished systems are subject to approval only by the
agency head.]; or
(D) Security-In-Depth conditions, provided the GSA-approved
container is equipped with a lock meeting Federal Specification FF-L-
2740.
(ii) An open storage area constructed in accordance with Appendix
A, which is equipped with an IDS with the personnel responding to the
alarm arriving within 15 minutes of the alarm annunciation if the area
is covered by Security-In-Depth or a five minute alarm response if it
is not.
(iii) An IDS-equipped vault with the personnel responding to the
alarm arriving within 15 minutes of the alarm annunciation.
(2) Secret. Secret information shall be stored by one of the
following methods:
(i) In the same manner as prescribed for Top Secret information;
(ii) In a GSA-approved security container or vault without
supplemental controls; or
(iii) In either of the following:
(A) Until October 1, 2012, in a non-GSA-approved container having a
built-in combination lock or in a non-GSA approved container secured
with a rigid metal lockbar and an agency head approved padlock; or
(B) An open storage area. In either case, one of the following
supplemental controls is required:
(1) The location that houses the container or open storage area
shall be subject to continuous protection by cleared guard or duty
personnel;
(2) Cleared guard or duty personnel shall inspect the security
container or open storage area once every four hours; or
(3) An IDS (per paragraph (b)(1)(i)(C) of this section) with the
personnel responding to the alarm arriving within 30 minutes of the
alarm annunciation. [In addition to one of these supplemental controls
specified in paragraphs (b)(2)(iii)(B)(1) through (3), security-in-
depth as determined by the agency head is required as part of the
supplemental controls for a non-GSA approved container or open storage
area storing Secret information.]
(3) Confidential. Confidential information shall be stored in the
same manner as prescribed for Top Secret or Secret information except
that supplemental controls are not required.
(c) Combinations. Use and maintenance of dial-type locks and other
changeable combination locks.
(1) Equipment in service. The classification of the combination
shall be the same as the highest level of classified information that
is protected by the lock. Combinations to dial-type locks shall be
changed only by persons having a favorable determination of eligibility
for access to classified information and authorized access to the level
of information protected unless other sufficient controls exist to
prevent access to the lock or knowledge of the combination.
Combinations shall be changed under the following conditions:
(i) Whenever such equipment is placed into use;
(ii) Whenever a person knowing the combination no longer requires
access to it unless other sufficient controls exist to prevent access
to the lock; or
(iii) Whenever a combination has been subject to possible
unauthorized disclosure.
(2) Equipment out of service. When security equipment is taken out
of service, it shall be inspected to ensure that no classified
information remains and the built-in combination lock shall be reset to
a standard combination.
(d) Key operated locks. When special circumstances exist, an agency
head may approve the use of key operated locks for the storage of
Secret and Confidential information. Whenever such locks are used,
administrative procedures for the control and accounting of keys and
locks shall be established.
[[Page 51856]]
Sec. 2004.7 Information controls.
(a) General. Agency heads shall establish a system of control
measures which assure that access to classified information is limited
to authorized persons. The control measures shall be appropriate to the
environment in which the access occurs and the nature and volume of the
information. The system shall include technical, physical, and
personnel control measures. Administrative control measures which may
include records of internal distribution, access, generation,
inventory, reproduction, and disposition of classified information
shall be required when technical, physical and personnel control
measures are insufficient to deter and detect access by unauthorized
persons.
(b) Reproduction. Reproduction of classified information shall be
held to the minimum consistent with operational requirements. The
following additional control measures shall be taken:
(1) Reproduction shall be accomplished by authorized persons
knowledgeable of the procedures for classified reproduction;
(2) Unless restricted by the originating Agency, Top Secret,
Secret, and Confidential information may be reproduced to the extent
required by operational needs, or to facilitate review for
declassification;
(3) Copies of classified information shall be subject to the same
controls as the original information; and
(4) The use of technology that prevents, discourages, or detects
the unauthorized reproduction of classified information is encouraged.
Sec. 2004.8 Transmission.
(a) General. Classified information shall be transmitted and
received in an authorized manner which ensures that evidence of
tampering can be detected, that inadvertent access can be precluded,
and that provides a method which assures timely delivery to the
intended recipient. Persons transmitting classified information are
responsible for ensuring that intended recipients are authorized
persons with the capability to store classified information in
accordance with this Directive.
(b) Dispatch. Agency heads shall establish procedures which ensure
that:
(1) All classified information physically transmitted outside
facilities shall be enclosed in two layers, both of which provide
reasonable evidence of tampering and which conceal the contents. The
inner enclosure shall clearly identify the address of both the sender
and the intended recipient, the highest classification level of the
contents, and any appropriate warning notices. The outer enclosure
shall be the same except that no markings to indicate that the contents
are classified shall be visible. Intended recipients shall be
identified by name only as part of an attention line. The following
exceptions apply:
(i) If the classified information is an internal component of a
packable item of equipment, the outside shell or body may be considered
as the inner enclosure provided it does not reveal classified
information;
(ii) If the classified information is an inaccessible internal
component of a bulky item of equipment, the outside or body of the item
may be considered to be a sufficient enclosure provided observation of
it does not reveal classified information;
(iii) If the classified information is an item of equipment that is
not reasonably packable and the shell or body is classified, it shall
be concealed with an opaque enclosure that will hide all classified
features;
(iv) Specialized shipping containers, including closed cargo
transporters or diplomatic pouch, may be considered the outer enclosure
when used; and
(v) When classified information is hand-carried outside a facility,
a locked briefcase may serve as the outer enclosure.
(2) Couriers and authorized persons designated to hand-carry
classified information shall ensure that the information remains under
their constant and continuous protection and that direct point-to-point
delivery is made. As an exception, agency heads may approve, as a
substitute for a courier on direct flights, the use of specialized
shipping containers that are of sufficient construction to provide
evidence of forced entry, are secured with a high security padlock, are
equipped with an electronic seal that would provide evidence of
surreptitious entry and are handled by the carrier in a manner to
ensure that the container is protected until its delivery is completed.
(c) Transmission methods within and between the U.S., Puerto Rico,
or a U.S. possession or trust territory. (1) Top Secret. Top Secret
information shall be transmitted by direct contact between authorized
persons; the Defense Courier Service or an authorized government agency
courier service; a designated courier or escort with Top Secret
clearance; electronic means over approved communications systems. Under
no circumstances will Top Secret information be transmitted via the
U.S. Postal Service.
(2) Secret. Secret information shall be transmitted by:
(i) Any of the methods established for Top Secret; U.S. Postal
Service Express Mail and U.S. Postal Service Registered Mail, as long
as the Waiver of Signature and Indemnity block, item 11-B, on the U.S.
Postal Service Express Mail Label shall not be completed; and cleared
commercial carriers or cleared commercial messenger services. The use
of street-side mail collection boxes is strictly prohibited; and
(ii) Agency heads may, on an exceptional basis and when an urgent
requirement exists for overnight delivery within the U.S. and its
Territories, authorize the use of the current holder of the General
Services Administration contract for overnight delivery of information
for the Executive Branch as long as applicable postal regulations (39
CFR chapter I) are met. Any such delivery service shall be U.S. owned
and operated, provide automated in-transit tracking of the classified
information, and ensure package integrity during transit. The contract
shall require cooperation with government inquiries in the event of a
loss, theft, or possible unauthorized disclosure of classified
information. The sender is responsible for ensuring that an authorized
person will be available to receive the delivery and verification of
the correct mailing address. The package may be addressed to the
recipient by name. The release signature block on the receipt label
shall not be executed under any circumstances. The use of external
(street side) collection boxes is prohibited. Classified Communications
Security Information, NATO, and foreign government information shall
not be transmitted in this manner.
(3) Confidential. Confidential information shall be transmitted by
any of the methods established for Secret information or U.S. Postal
Service Certified Mail. In addition, when the recipient is a U.S.
Government facility, the confidential information may be transmitted
via U.S. First Class Mail. However, confidential information shall not
be transmitted to government contractor facilities via first class
mail. When first class mail is used, the envelope or outer wrapper
shall be marked to indicate that the information is not to be
forwarded, but is to be returned to sender. The use of street-side mail
collection boxes is prohibited.
(d) Transmission methods to a U.S. Government facility located
outside the U.S. The transmission of classified information to a U.S.
Government facility located outside the 50 states, the District of
Columbia, the
[[Page 51857]]
Commonwealth of Puerto Rico, or a U.S. possession or trust territory,
shall be by methods specified above for Top Secret information or by
the Department of State Courier Service. U.S. Registered Mail through
Military Postal Service facilities may be used to transmit Secret and
Confidential information provided that the information does not at any
time pass out of U.S. citizen control nor pass through a foreign postal
system.
(e) Transmission of U.S. classified information to foreign
governments. Such transmission shall take place between designated
government representatives using the transmission methods described in
paragraph (d) of this section. When classified information is
transferred to a foreign government or its representative a signed
receipt is required.
(f) Receipt of classified information. Agency heads shall establish
procedures which ensure that classified information is received in a
manner which precludes unauthorized access, provides for inspection of
all classified information received for evidence of tampering and
confirmation of contents, and ensures timely acknowledgment of the
receipt of Top Secret and Secret information by an authorized
recipient. As noted in paragraph (e) of this section, a receipt
acknowledgment of all classified material transmitted to a foreign
government or its representative is required.
Sec. 2004.9 Destruction.
(a) General. Classified information identified for destruction
shall be destroyed completely to preclude recognition or reconstruction
of the classified information in accordance with procedures and methods
prescribed by agency heads. The methods and equipment used to routinely
destroy classified information include burning, cross-cut shredding,
wet-pulping, melting, mutilation, chemical decomposition or
pulverizing.
(b) Technical guidance. Technical guidance concerning appropriate
methods, equipment, and standards for the destruction of classified
electronic media and processing equipment components may be obtained by
submitting all pertinent information to the National Security Agency/
Central Security Service, Directorate for Information Systems Security,
Fort Meade, MD 20755. Specifications concerning appropriate equipment
and standards for the destruction of other storage media may be
obtained from the GSA.
Sec. 2004.10 Loss, possible compromise or unauthorized disclosure.
(a) General. Any person who has knowledge that classified
information has been or may have been lost, possibly compromised or
disclosed to an unauthorized person(s) shall immediately report the
circumstances to an official designated for this purpose.
(b) Cases involving information originated by a foreign government
or another U.S. government agency. Whenever a loss or possible
unauthorized disclosure involves the classified information or
interests of a foreign government agency, or another government agency,
the department or agency in which the compromise occurred shall advise
the other government agency or foreign government of the circumstances
and findings that affect their information or interests. However,
foreign governments normally will not be advised of any security system
vulnerabilities that contributed to the compromise.
(c) Inquiry/investigation and corrective actions. Agency heads
shall establish appropriate procedures to conduct an inquiry/
investigation of a loss, possible compromise or unauthorized disclosure
of classified information, in order to implement appropriate corrective
actions, which may include disciplinary sanctions, and to ascertain the
degree of damage to national security.
(d) Department of Justice and legal counsel coordination. Agency
heads shall establish procedures to ensure coordination with legal
counsel whenever a formal action, beyond a reprimand, is contemplated
against any person believed responsible for the unauthorized disclosure
of classified information. Whenever a criminal violation appears to
have occurred and a criminal prosecution is contemplated, agency heads
shall use established procedures to ensure coordination with--
(1) The Department of Justice, and
(2) The legal counsel of the agency where the individual
responsible is assigned or employed.
Sec. 2004.11 Special access programs.
(a) General. The safeguarding requirements of this Directive may be
enhanced for information in Special Access Programs (SAP), established
under the provisions of Section 4.4 of E.O. 12958, by the agency head
responsible for creating the SAP. Agency heads shall ensure that the
enhanced controls are based on an assessment of the value, critical
nature, and vulnerability of the information.
(b) Significant interagency support requirements. Agency heads must
ensure that a Memorandum of Agreement/Understanding (MOA/MOU) is
established for each Special Access Program that has significant
interagency support requirements, to appropriately and fully address
support requirements and supporting agency oversight responsibilities
for that SAP.
Sec. 2004.12 Telecommunications, automated information systems and
network security.
Each agency head shall ensure that classified information
electronically accessed, processed, stored or transmitted is protected
in accordance with applicable national policy issuances identified in
the Index of National Security Telecommunications and Information
Systems Security Issuances (NSTISSI) and Director of Central
Intelligence Directive (DCID)
6/3.
Sec. 2004.13 Technical security.
Based upon the risk management factors referenced in Sec. 2004.2 of
this directive agency heads shall determine the requirement for
technical countermeasures such as Technical Surveillance
Countermeasures (TSCM) and TEMPEST necessary to detect or deter
exploitation of classified information through technical collection
methods and may apply countermeasures in accordance with NSTISSI 7000,
entitled Tempest Countermeasures for Facilities, and SPB Issuance 6-97,
entitled National Policy on Technical Surveillance Countermeasures.
Sec. 2004.14 Emergency authority.
Agency heads may prescribe special provisions for the
dissemination, transmittal, destruction, and safeguarding of classified
information during military operations or other emergency situations.
Appendix A to Part 2004--Open Storage Areas
This Appendix describes the construction standards for open
storage areas.
1. Construction. The perimeter walls, floors, and ceiling will
be permanently constructed and attached to each other. All
construction must be done in a manner as to provide visual evidence
of unauthorized penetration.
2. Doors. Doors shall be constructed of wood, metal, or other
solid material. Entrance doors shall be secured with a built-in GSA-
approved three-position combination lock. When special circumstances
exist, the agency head may authorize other locks on entrance doors
for Secret and Confidential storage. Doors other than those secured
with the aforementioned locks shall be secured from the inside with
either deadbolt
[[Page 51858]]
emergency egress hardware, a deadbolt, or a rigid wood or metal bar
which extends across the width of the door, or by other means
approved by the agency head.
3. Vents, ducts, and miscellaneous openings. All vents, ducts,
and similar openings in excess of 96 square inches (and over 6
inches in its smallest dimension) that enter or pass through an open
storage area shall be protected with either bars, expanded metal
grills, commercial metal sound baffles, or an intrusion detection
system.
4. Windows.
a. All windows which might reasonably afford visual observation
of classified activities within the facility shall be made opaque or
equipped with blinds, drapes, or other coverings.
b. Windows at ground level will be constructed from or covered
with materials which provide protection from forced entry. The
protection provided to the windows need be no stronger than the
strength of the contiguous walls. Open storage areas which are
located within a controlled compound or equivalent may eliminate the
requirement for forced entry protection if the windows are made
inoperable either by permanently sealing them or equipping them on
the inside with a locking mechanism and they are covered by an IDS
(either independently or by the motion detection sensors within the
area.)
Appendix B to Part 2004--Foreign Government Information
The requirements described below are additional baseline
safeguarding standards that may be necessary for foreign government
information, other than NATO information, that requires protection
pursuant to an existing treaty, agreement, or other obligation. NATO
classified information shall be safeguarded in compliance with
United States Security Authority for NATO Instructions I-69 and I-
70. To the extent practical, and to facilitate its control, foreign
government information should be stored separately from other
classified information. To avoid additional costs, separate storage
may be accomplished by methods such as separate drawers of a
container. The safeguarding standards described below may be
modified if required or permitted by treaties or agreements, or for
other obligations, with the prior written consent of the National
Security Authority of the originating government.
1. Top Secret. Records shall be maintained of the receipt,
internal distribution, destruction, access, reproduction, and
transmittal of foreign government Top Secret information.
Reproduction requires the consent of the originating government.
Destruction will be witnessed.
2. Secret. Records shall be maintained of the receipt, external
dispatch and destruction of foreign government Secret information.
Other records may be necessary if required by the originator. Secret
foreign government information may be reproduced to meet mission
requirements unless prohibited by the originator. Reproduction shall
be recorded unless this requirement is waived by the originator.
3. Confidential. Records need not be maintained for foreign
government Confidential information unless required by the
originator.
4. Restricted and other foreign government information provided
in confidence. In order to assure the protection of other foreign
government information provided in confidence (e.g., foreign
government ``Restricted,'' ``Designated,'' or unclassified provided
in confidence), such information must be classified under E.O.
12958. The receiving agency, or a receiving U.S. contractor,
licensee, grantee, or certificate holder acting in accordance with
instructions received from the U.S. Government, shall provide a
degree of protection to the foreign government information at least
equivalent to that required by the government or international
organization that provided the information. When adequate to achieve
equivalency, these standards may be less restrictive than the
safeguarding standards that ordinarily apply to US CONFIDENTIAL
information. If the foreign protection requirement is lower than the
protection required for US CONFIDENTIAL information, the following
requirements shall be met:
a. Documents may retain their original foreign markings if the
responsible agency determines that these markings are adequate to
meet the purposes served by U.S. classification markings. Otherwise,
documents shall be marked, ``This document contains (insert name of
country) (insert classification level) information to be treated as
US (insert classification level).'' The notation, ``Modified
Handling Authorized,'' may be added to either the foreign or U.S.
markings authorized for foreign government information. If remarking
foreign originated documents or matter is impractical, an approved
cover sheet is an authorized option;
b. Documents shall be provided only to those who have an
established need-to-know, and where access is required by official
duties;
c. Individuals being given access shall be notified of
applicable handling instructions. This may be accomplished by a
briefing, written instructions, or by applying specific handling
requirements to an approved cover sheet;
d. Documents shall be stored in such a manner so as to prevent
unauthorized access;
e. Documents shall be transmitted in a method approved for
classified information, unless this method is waived by the
originating government.
5. Third-country transfers. The release or disclosure of foreign
government information to any third-country entity must have the
prior consent of the originating government if required by a treaty,
agreement, bilateral exchange, or other obligation.
Dated: September 17, 1999.
John W. Carlin,
Archivist of the United States.
[FR Doc. 99-24813 Filed 9-23-99; 8:45 am]
BILLING CODE 7515-01-P
