[Federal Register Volume 60, Number 124 (Wednesday, June 28, 1995)]
[Proposed Rules]
[Pages 33376-33383]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-15707]



=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Part 159a


Information Security Program Regulation

AGENCY: Department of Defense.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Defense proposes to issue this amendment to 
accommodate Congressional language incorporated into the Fiscal Year 
1994 Appropriations Act which specifies that new purchases of 
combination locks for GSA-approved security containers, vault doors, 
and secure rooms shall conform to Federal Specifications FF-L-2740 as 
well as the findings and recommendations of a senior panel established 
by the Deputy Secretary of Defense regarding physical security measures 
required to adequately safeguard classified information in the 
possession of DoD activities.

DATES: Comments must be received by August 28, 1995.

ADDRESSES: Forward comments to the Office of the Assistant Secretary of 
Defense for Command, Control, Communications, and Intelligence, 6000 
Defense Pentagon, Washington, DC 20301-6000.

FOR FURTHER INFORMATION CONTACT: Mr. W. Bell, OUSD(P), 703-695-2289.

SUPPLEMENTARY INFORMATION: It has been determined that this amendment 
is not a significant regulatory action. It has also been determined 
that this amendment is not subject to the Regulatory Flexibility Act 
and does not impose any reporting or recordkeeping requirements under 
the Paperwork Reduction Act of 1980.

List of Subjects in 32 CFR Part 159a

    Classified information.

    Accordingly, 32 CFR part 159a is proposed to be amended to read as 
follows:

PART 159a--INFORMATION SECURITY PROGRAM REGULATION

    1. The authority citation for part 159a continues to read as 
follows:

    Authority: E.O. 12356, 5 U.S.C. 301.


Sec. 159a.9  [Amended]

    2. In Sec. 159a.9, paragraph(s), DoD Component, is amended by 
removing ``Organization'' and adding in its place ``Chairman'', by 
removing ``(OJCS)'' and by removing ``and Specified'' and adding in its 
place ``Combatant''.


Sec. 159a.12  [Amended]

    3. Section 159a.12 is amended in paragraph (c)(1)(i)(A) by removing 
``Office of the Deputy Under Secretary of Defense (Policy), 
(ODUSD(P)),'' and adding in its place ``Office of the Assistant 
Secretary of Defense for Command, Control, Communications, and 
Intelligence, (OASD(C3I))'', paragraph (c)(1)(i)(B) and (c)(1)(ii)(B) 
by removing ``including Specified Commands'', paragraph (c)(1)(i)(B) by 
removing ``wo'' and adding in its place ``who'', and paragraphs 
(c)(1)(ii)(C) by removing ``OJCS'' and adding in its place ``Chairman 
of the Joint Chiefs of Staff''.


Sec. 159a.26  [Amended]

    4. Section 159a.26(e)(7) is amended by removing ``ASD(PA)'' and 
adding in its place ``ATSD(PA)'' and removing ``OJCS'' and adding in 
its place ``the Chairman of the Joint Chiefs of Staff''.


Sec. 159a.33  [Amended]

    5. Section 159a.33(e)(2) is amended by removing ``7920.1'' and 
adding in its place ``8120.1''.


Sec. 159a.35  [Amended]

    6. Section 159a.35(g) is amended by adding ``O-'' before 
``5230.22''.
    7. Subpart F is revised to read as follows:

Subpart F--Safekeeping and Storage

Sec.
159a.37  Storage and storage equipment.
159a.38  Custodial precautions.
159a.39  Installation entry and exit inspection program.

Subpart F--Safekeeping and Storage


Sec. 159a.37  Storage and storage equipment.

    (a) General policy. Classified information shall be secured under 
conditions adequate to prevent access by unauthorized persons. The 
requirements specified in this part represent acceptable security 
standards. Exceptions to these requirements should be approved by the 
responsible DoD Component Senior Information Security Authority. This 
approval authority may be delegated to major commanders. Supplemental 
or compensatory security measures must be implemented to compensate for 
the inability to meet the baseline standard. DoD policy concerning the 
use of force for the protection of classified information is specified 
in DoD Directive 5210.56.\17\ Weapons or sensitive items such as funds, 
jewels, precious metals or drugs shall not be stored in the same 
container used to safeguard classified information. Security 
requirements for Sensitive Compartmented Information Facilities (SCIFs) 
are established by the Director of Central Intelligence. Current 
holdings of classified material shall be reduced to the minimum 
required for mission accomplishment.

    \17\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------

    (b) Standards for storage equipment. The GSA establishes and 
publishes minimum standards, specifications, and supply schedules for 
containers, vault doors, alarm systems, and associated security devices 
suitable for the storage and protection of classified information. DoD 
Directive 3224.3 \18\ describes acquisition requirements for physical 
[[Page 33377]] security equipment used within the Department of 
Defense.

    \18\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------

    (c) Storage of classified information. Classified information is to 
be guarded or stored in a locked security container, vault, room, or 
area, as follows:
    (1) Top Secret. Top Secret information shall be stored in the 
following:
    (i) A GSA-approved security container or modular vault, in a vault; 
or in the U.S., in a secure room if under U.S. Government control (see 
appendix F to this part). Other rooms that were approved for the 
storage of Top Secret in the U.S. may continue to be used. When located 
in areas not under U.S. Government control, the storage container, 
vault, or secure room must be protected by an intrusion detection 
system or guarded when unoccupied. U.S. Government control means access 
to the classified material is controlled by an appropriately cleared 
U.S. Government civilian, military, or contractor employee. An 
intrusion detection system (IDS) used for this purpose shall meet the 
requirements of appendix G to this part. Security forces shall respond 
to the alarmed location within 15 minutes from time of notification.
    (ii) New purchases of combination locks for GSA-approved security 
containers, vault doors and secure rooms shall conform to Federal 
Specification FF-L-2740. Existing mechanical combination locks will not 
be repaired. If they should fail, they will be replaced with locks 
meeting FF-L-2740.
    (iii) Under field conditions during military operations, the 
commander may prescribe the measures deemed adequate to meet the 
storage standard contained in paragraphs (a) and (b) of this section.
    (iv) Protection of Top Secret outside the United States requires 
application of one or more supplementary controls, i.e., continuous 
guard or duty personnel, inspections of locked containers/vaults or an 
alarm system.
    (2) Secret and Confidential. Secret and Confidential information 
shall be stored in the manner prescribed for Top Secret; or in secure 
rooms that were approved for the storage of Secret or Confidential 
material by the DoD Components prior to October 1, 1995. Until October 
1, 2002, Secret and Confidential information may also be stored in 
unapproved or obsolete steel filing cabinets having a built-in 
combination lock or secured with a lockbar and approved combination 
padlock in areas under U.S. Government control, or in areas not under 
U.S. Government control provided the area is protected by an IDS or is 
guarded when unoccupied. Where IDS is used to protect such information 
it should meet the requirements of appendix G to this part. Security 
forces shall respond to the alarmed location within 45 minutes from 
time of notification.
    (3) Specialized security equipment--(i) Military platforms or 
classified munition items. The Heads of the DoD Components shall, 
consistent with this part, delineate the appropriate security measures 
required to protect classified information stored in containers on 
military platforms or for classified minution items.
    (ii) Special purpose containers. GSA-approved field safes and 
special purpose one and two drawer light-weight security containers 
approved by the GSA are used primarily for storage of classified 
information in the field and in military platforms. Such containers 
shall be securely fastened to the structure or under constant 
surveillance to prevent their theft. Use of these containers in 
ordinary office environmentas, or their procurement for this purpose, 
must be approved by major commands or equivalents.
    (iii) Map and plan files. GSA-approved map and plan files are 
available for storage of odd-sized items such as computer media, maps, 
charts, and classified equipment.
    (iv) Modular vaults. GSA-approved modular vaults meeting Federal 
Specification AA-V-2737 may be used to store classified information as 
an alternative to vault requirements described in Appendix F to this 
part.
    (4) Replacement of combination locks. The mission and location of 
the activity, the classification level and sensitivity of the 
information, and the overall security posture of the activity 
determines the priority for replacement of existing combination locks. 
All system components and supplemental security measures including 
electronic security systems (e.g., intrusion detection systems, 
automated entry control subsystems, and video assessment subsystems), 
and level of operations must be evaluated by the commander when 
determining the priority for replacement of security equipemnt. 
Appendix H to this part provides a matrix illustrating a prioritization 
scheme for the replacement of existing combination locks on GSA-
approved security containers and vault doors. Priority 1 requires 
immediate replacement.
    (5) Storage of bulky material. Storage areas for bulky material 
containing classified information may have access openings secured by 
GSA-approved changeable combination padlocks (Federal Specification FF-
P-110 series) or high security key-operated padlocks (Military 
Specification MIL-P-43607). Other security measures are required, in 
accordance with paragraph (c)(1) of this section.
    (i) The Heads of the DoD Components shall establish administrative 
procedures for the control and accountability of keys and locks 
whenever key-operated, high-security padlocks are utilized. The level 
of protection provided such keys shall be equivalent to that afforded 
the classified information being protected by the padlock.
    (ii) 10 U.S.C. 1386 makes unauthorized possession of keys, key-
blanks, keyways or locks adopted by any part of the Department of 
Defense for use in the protection of conventional arms, ammunition, or 
explosives, special weapons, and classified equipment, a criminal 
offense punishable by fine or imprisonment for up to 10 years, or both.
    (d) Procurement of new storage equipment.--(1) New security storage 
equipment shall be procured from those items listed on the GSA Federal 
Supply Schedule. Exceptions may be made by the heads of the DoD 
Components, with notification to the ASD(C31). Components should retain 
and apply serviceable storage equipment made available as consequence 
of draw downs, contractor turn-in of government furnished equipment, or 
other events; promptly report excess containers to property disposal; 
and fulfill requirements for added equipment through property disposal 
when that is cost beneficial.
    (2) Current holdings of classified material shall be reduced to the 
minimum required for mission accomplishment.
    (3) Nothing in this subpart shall be construed to modify existing 
Federal supply class management assignments made under DoD Directive 
5030.47 \19\

    \19\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------

    (e) Equipment designations and combinations--(1) Numbering and 
designating storage facilities. There will be no external mark 
revealing the level of classified information authorized to be or 
actually stored in a given contianer or vault. Priorities for emergency 
evacuation and destruction will not be marked or posted on the exterior 
of storage containers or vaults.
    (2) Combinations to containers and vaults. (i) Changing. 
Combinations to security containers, vaults and secure rooms shall be 
changed only by individuals having that responsibility and an 
appropriate security clearance. Combinations shall be 
changed: [[Page 33378]] 
    (A) When placed in use;
    (B) Whenever an individual knowing the combination no longer 
requires access;
    (C) When the combination has been subject to possible compromise;
    (D) At least once every two years; or
    (E) When taken out of service. Built-in combination locks shall be 
reset to the standard combination 50-25-50; combination padlocks shall 
be reset to the standard combination 10-20-30.
    (ii) Selecting combinations. Combinations for each lock shall be 
unique to that lock and shall have no systematic relationship to other 
combinations used within a specific office. Combination numbers shall 
not be derived from numbers otherwise associated with the specific 
office or its personnel. The number within a combination shall be 
selected on a random basis without deliberate relationship of one to 
the other except to provide appropriate variance to operate the lock 
properly.
    (iii) Classifying combinations. The combination of a container, 
vault or secure room used for the storage of classified information 
shall be assigned a security classification equal to the highest 
category of the classified information stored therein. Any written 
record of the combination shall be marked with the classification. 
Declassification of combinations occurs at the time they are changed.
    (iv) Recording storage facility data. A record shall be maintained 
for each vault or secure room door, or container used for storage of 
classified information, showing location of the door or container, and 
the names, home addresses, and home telephone numbers of the 
individuals having knowledge of the combination. Standard Form 700, 
``Security Container Information,'' shall be used for this purpose.
    (A) Part 1 of the SF 700, when completed, shall be placed in an 
interior location in security cabinets and on vault or secure room 
doors. To the extent practical, Part 1 shall be on the inside face of 
the locking drawer of file cabinets, and on the inside surface of map 
and plan cabinet and vault doors.
    (B) SF 700, Parts 2 and 2A, shall be marked conspicuously on their 
front with the highest level of classification and any special access 
notice applicable to the information authorized for storage in the 
container and will be stored in a security container other than the one 
to which they apply.
    (C) Internal security procedures shall provide for prompt 
notification to the official responsible for the area if a container is 
found unsecured and unattended or show evidence of unauthorized entry 
attempt or SF 700 is inaccessible or not available.
    (D) Listings of persons having knowledge of the combination shall 
be continued as necessary on an attachment to Part 2.
    (E) Dissemination. Access to the combination of a vault or 
container used for the storage of classified information shall be 
granted only to those individuals who are authorized access to the 
classified information to be stored therein.
    (3) Access controls. Entrances to secure rooms or areas should be 
under visual control at all times during duty hours to preclude entry 
by unauthorized personnel or equipped with electric, mechanical or 
electromechanical access control devices to limit access during duty 
hours. Appendix I to this part provides standards for these access 
control devices; the use of automated systems described therein is 
encouraged.
    (f) Repair of damaged security containers. Neutralization of lock-
outs or repair of any damage that affects the integrity of a security 
container approved for storage of classified information shall be 
accomplished only by authorized persons who have been the subject of a 
trustworthiness determination in accordance with 32 CFR part 154 and 
are continuously escorted while so engaged.
    (1) With the exception of frames bent through application of 
extraordinary stress, a GSA-approved security container manufactured 
prior to October 1991 (identified by a silver GSA label with black 
lettering affixed to the exterior of the container) is considered to 
have been restored to its original state of security integrity as 
follows:
    (i) All damaged or altered parts, for example, the locking drawer, 
drawer head, or lock, are replaced; or
    (ii) Has been drilled immediately adjacent to or through the dial 
ring to neutralize a lockout, a replacement lock meeting FF-L-2740 is 
used, and the drilled hole is repaired with a tapered, hardened tool-
steel pin, or a steel dowel, drill bit, or bearing with a diameter 
slightly larger than the hole and of such length that when driven into 
the hole there shall remain at each end of the rod a shallow recess not 
less than \1/8\ inch nor more than \3/16\ inch deep to permit the 
acceptance of substantial welds, and the rod is welded both on the 
inside and outside surfaces. The outside of the drawer head must then 
be puttied, sanded, and repainted in such a way that no visible 
evidence of the hole or its repair remains on the outer surface.
    (2) In the interests of cost efficiency, the procedures identified 
in paragraph (f)(2)(1)(i) of this section should not be used for GSA-
approved security containers purchased after October 1991 
(distinguished by a silver GSA label with red lettering affixed to the 
outside of the container control drawer) until it is first determined 
whether warranty protection still applies. To make this determination, 
it will be necessary to contact the manufacturer and provide the serial 
number and date of manufacture of the container. If the container is 
under warranty, a lock-out will be neutralized using the procedures 
described in the Naval Facilities Engineering Service Center (NFESC) 
Technical Data Sheet (TDS) 2000-SHR.
    (3) Unapproved modification or repair of security containers and 
vault doors is considered a violation of the container's or door's 
integrity and the GSA label shall be removed. Thereafter, they may not 
be used to protect classified information except as otherwise 
authorized in this part.
    (g) Maintenance and operating inspections--(1) Maintenance. The 
Heads of the DoD Components shall establish procedures concerning 
maintenance of classified material security containers and vaults to 
accomplish the following:
    (i) Permit only those persons who have been the subject of a 
trustworthiness determination in accordance with 32 CFR part 154 to 
perform maintenance which affects the protective features of the 
container or vault.
    (ii) Require a record of all maintenance performed on a container 
or vault be maintained by the using activity and retained with the 
container or vault. The record shall reflect the operating problem 
requiring maintenance, the date maintenance was performed, the name and 
organization of the maintenance technician, the work accomplished, and 
the activity official certifying the subsequent proper operation of the 
container or vault. These records shall be retained for the service 
life of the container or vault.
    (iii) Refer any discovery of unauthorized tampering or modification 
of a container or vault to the supporting counterintelligence 
organization for investigation.
    (iv) Provide a preventive maintenance program for containers and 
vaults to detect and correct operating problems affecting their 
security.
    (2) Operating inspections. Containers and vaults shall be inspected 
before being used, and periodically thereafter, and whoever discovered 
open and unattended or evidence of actual or [[Page 33379]] attempted 
unauthorized forced or covert entry is present to assure the presence 
and proper operation of their protective security features before they 
may continue in use to store classified material.


Sec. 159a.38  Custodial precautions.

    (a) Responsibilities of custodians. Anyone who has been duly 
authorized/appointed to maintain classified information is responsible 
for its safekeeping, to include storing the material in approved 
storage containers or facilities when it is not in use or under the 
supervision of an authorized person.
    (b) Residential storage arrangements. Only the Head of a DoD 
Component, or single designee at the Component headquarters and major 
command levels, may authorize removal of classified material from 
designated working areas in off-duty hours, for work at home or 
otherwise, provided that a GSA-approved security container is furnished 
and appropriate regulations otherwise provide for the maximum 
protection possible under the circumstances. Any such arrangements 
approved before the effective date of this part shall be reevaluated 
and, if continued approval is warranted, compliance with this paragraph 
is necessary.
    (c) Care during working hours. (1) Classified material removed from 
storage shall be kept under constant surveillance by persons authorized 
access and having a need to know thereto and, when not in use, 
protected from unauthorized view of its classified contents until 
returned to storage. Such protection shall be provided, as applicable, 
by the material's unclassified cover or by an appropriate cover sheet. 
Cover sheets shall be Standard Forms 703, 704 and 705 for, 
respectively, Top Secret, Secret, and Confidential documents.
    (2) Preliminary drafts, carbon sheets, plates, stencils, 
stenographic notes, worksheets, computer and typewriter ribbons, 
transfer medium and other items containing classified information shall 
be safeguarded according to the level of classified information they 
contain and shall be accordingly destroyed after they have served their 
purpose. Transfer medium include drums, cartridges, belts, sheets, 
memory, and other material in copiers, printers, facsimile and other 
devices of items which receive or come in contact with classified 
information.
    (3) Destruction of personal computer printer or typewriter ribbons 
from which classified information can be obtained shall be accomplished 
in the manner prescribed for classified working papers of the same 
classification. After the upper and lower sections have been cycled 
through and overprinted five times in all ribbon or impact or typing 
positions, fabric ribbons may be treated as unclassified regardless of 
their previous classified use. Carbon and plastic ribbons and carbon 
paper that have been used in the production of classified information 
shall be destroyed in the manner prescribed for working papers of the 
same classification after initial usage. However, any typewriter ribbon 
that uses technology which enables the ribbon to be struck several 
times in the same area before it moves to the next position may be 
treated as unclassified.
    (d) End-of-day security checks. The Heads of activities that 
process or store classified information shall establish a system of 
security checks at the close of each working day to ensure that the 
area is secure. Standard Form 701, ``Activity Security Checklist,'' 
shall be used to record such checks. Standard Form 702. ``Security 
Container Check Sheet,'' shall be used to record the use of all vaults, 
secure rooms and containers used for the storage of classified 
material.
    (e) Emergency planning. (1) Plans shall be developed for the 
protection, removal, or destruction of classified material in case of 
fire, natural disaster, civil disturbance, terrorist activities, or 
enemy action. Such plans shall establish detailed procedures and 
responsibilities for the protection of classified material to ensure 
that the material does not come into the possession of unauthorized 
persons. These plans shall include the treatment of classified 
information located in foreign countries. Emergency destruction 
procedures are not needed for activities located inside the 50 states.
    (2) These emergency planning procedures do not apply to material 
related to COMSEC Planning for the emergency protection including 
emergency destruction under no-notice conditions of classified COMSEC 
material shall be developed in accordance with requirements of NACSI 
4006.
    (3) Emergency plans shall provide for the protection of classified 
material in a manner that will minimize the risk of injury or loss of 
life to personnel. In the case of fire or natural disaster, the 
immediate placement of authorized personnel around the affected area, 
preinstructed and trained to prevent the removal of classified material 
by unauthorized personnel, is an acceptable means of protecting 
classified material and reducing casualty risk. Such plans shall 
provide for emergency destruction to preclude capture of classified 
material when determined to be required in overseas locations.
    (f) Telecommunications conversations. (1) Classifed information 
shall not be discussed in telephone conversations except over approved 
secure communications circuits, that is, cryptographically protected 
circuits or protected distributions systems installed in accordance 
with National COMSEC Instruction 4009.
    (2) The Secure Telephone Unit-III (STU-III) is approved for 
classified discussions within the limitations displayed by the STU-III. 
The need-to-know must be established before discussing classified 
information.
    (3) Users of secure telephones shall assure that only persons with 
appropriate clearance and need-to-know are within hearing range of 
their conversation.
    (g) Removal of classified storage and information processing 
equipment. All classified storage containers and information processing 
equipment shall be inspected by properly cleared personnel before 
removal from protected areas or unauthorized persons are allowed access 
to them. The inspection shall be accomplished to assure no classified 
information remains within the equipment. Some examples of equipment 
which shall be inspected are:
    (1) Reproduction or facsimile machines and AIS components and other 
office equipment used to process classified information.
    (2) GSA-approved security containers, filing cabinets, or other 
storage containers used for safeguarding classified information; and
    (3) Other items of equipment that may inadvertently contain 
classified information.
    (h) Classified discussions, meetings and conferences. Security 
requirements and procedures governing disclosure of classified 
information at conferences, symposia, conventions, and similar 
meetings, and those governing the sponsorship and attendance of U.S. 
and foreign personnel at such meetings, are set forth in DoD Directive 
5200.12,\20\ DoD Instruction 5230.20,\21\ DoD 5220.22-R,\22\ and DoD 
5220.22-M.\23\

    \20\ See footnote 2 to Sec. 159a.3.
    \21\ See footnote 2 to Sec. 159a.3.
    \22\ See footnote 2 to Sec. 159a.3.
    \23\ See footnote 3 to Sec. 159a.3.
---------------------------------------------------------------------------

    (i) Safeguarding of U.S. classified information located in foreign 
countries. Except for classified information that has been authorized 
for release to a foreign government or international 
[[Page 33380]] organization pursuant to DoD Directive 5230.11 \24\ and 
is under the security control of such government or organization, the 
retention of U.S. classified material in foreign countries may be 
authorized only when that material is necessary to satisfy specific 
U.S. Government requirements. This includes classified material 
temporarily transferred into a foreign country through U.S. Government 
personnel authorized to escort or handcarry such material pursuant to 
Sec. 159a.59, as applicable. Whether permanently or temporarily 
retained, the classified materials shall be stored under U.S. 
Government control, as follows. See Sec. 159a.37(c) additional guidance 
on Top Secret information.

    \24\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------

    (1) At a U.S. military installation, or a location where the United 
States enjoys extraterritorial status, such as an embassy or consulate.
    (2) At a U.S. Government activity located in a building used 
exclusively by U.S. Government tenants, if the building is under 24-
hour control by U.S. Government personnel.
    (3) At a U.S. Government activity located in a building not used 
exclusively by U.S. Government tenants nor under host-government 
control, provided the classified material is stored in security 
containers approved by the GSA and is placed under 24-hour control by 
U.S. Government personnel.
    (4) At a U.S. Government activity located in a building not used 
exclusively by U.S. Government tenants, but which is under host-
government control, provided the classified material is stored in GSA-
approved security containers that are further secured in a locked room 
or area to which only U.S. personnel have access.
    (5) When host government and U.S. personnel are collocated, U.S. 
classified material that has not been authorized for release to the 
host government under DoD Directive 5230.11, shall, be segregated from 
releasable classified material to facilitate physical control and 
prevent inadvertent compromise. U.S. classified material that is 
releasable to the host country need not be subject to the 24-hour U.S. 
control requirement provided the host government exercises its own 
control measures over the pertinent areas or containers during nonduty 
hours.
    (6) Foreign nationals shall be escorted while in areas where 
nonreleasable U.S. classified material is handled or stored. When 
required by operational necessity, foreign nationals may be permitted, 
during duty hours unescorted entry to such areas provided the 
nonreleasable information is properly stored or is under the direct 
personal supervision and control of cleared U.S. personnel who can 
prevent unauthorized access.
    (7) Under field conditions during military operations, the 
commander may prescribe the measures deemed adequate to protect 
classified material.
    (j) Non-COMSEC classified information processing equipment. The 
Department of Defense has a variety of non-COMSEC approved equipment to 
process classified information. This includes copiers, fascimile 
machines, printers, scanners, cameras, printers for AISs, AISs, 
electronic typewriters, and other word processing systems among others. 
Because much of this equipment has known security vulnerabilities, its 
use can cause unauthorized disclosure.
    (1) Activities must identify those features, parts, or functions of 
equipment used to process classified information which may retain all 
or part of the information. Activity security procedures must prescribe 
safeguards to:
    (i) Prevent unauthorized access to that information.
    (ii) Replace and destroy equipment parts as classified material 
when the information cannot be removed from them. Alternatively, the 
equipment may be designated as ``classified'' and protected at least at 
the retained information's classification level.
    (2) Activities will select equipment that performs the needed 
function and presents the lowest acceptable risk to the classified 
information the equipment processes.
    (3) Activities will comply with guidance on security 
vulnerabilities issued by appropriate authority and must report 
equipment problems and failures.
    (k) Reporting equipment problems and vulnerabilities. (1) The 
equipment that the Department of Defense uses to safeguard, destroy or 
process classified information can fail to function properly or 
otherwise perform in a way that threatens that information. When that 
occurs, responsible individuals within the using activities must 
promptly:
    (i) Restore the protection to the information.
    (ii) Report the incident to their Component security office. Such 
report shall:
    (A) Be classified or transmitted by secure means, as warranted by 
the nature of the problem.
    (B) Describe the problem; the equipment's type, manufacturer, and 
any serial number; the number of equipment units involved; and any 
means found to overcome the problem.
    (C) Be in addition to those made to logistics, supply, or 
contracting offices, or those made in reporting security violations.
    (2) Component security offices receiving such reports shall assess 
the impact on other Component activities and advise them accordingly. 
They shall also promptly send a copy of the initial and any subsequent 
reports to the Director, Counterintelligence and Security Programs, 
ODASD(I&S), OASD(C3I). They shall include their assessment of the 
impact and a summery of the related Component actions.
    (3) Problems or vulnerabilities with COMSEC equipment and 
controlled Cryptographic Items shall be reported as prescribed by the 
controlling COMSEC authorities rather than under this paragraph. The 
COMSEC authority shall promptly coordinate these reports and correcting 
actions with the Director, Counterintelligence and Security Programs, 
OASD(C3I), when the problems or vulnerabilities are common to all such 
equipment.


Sec. 159a.39  Installation entry and exit inspection program.

    (a) Policy. Commanders shall prescribe procedures for inspecting 
persons, their property and vehicles at entry and exit points of 
installations or at designated secure areas within an installation and 
for search of persons and their possessions while on an installation.
    (1) This shall include determination of whether inspections are 
randomly conducted or mandatory for all, and shall prescribe procedures 
to ensure the safeguarding of classified information.
    (2) Examinations of individuals and their possessions while on the 
installation for the primary purpose of obtaining evidence is 
classified as a ``search'' under the fourth amendment and separate 
guidance regarding the conduct of these searches shall be issued.

    (3) All procedures shall be reviewed for legal sufficiency by the 
general counsel or legal advisor before issuance. These procedures 
shall require Commanders to consult with their servicing Judge Advocate 
or other legal advisor before authorizing gate inspections.

    (b) [Reserved]

Appendix C to Part 159a  [Amended]

    7. Appendix C to Part 159a, paragraphs 1.a. and 2.a., paragraphs 
2.b.(d)(4), introductory text, and 2.b.(d)(5)(b) paragraph c.(4)(b), 
and paragraphs 4.a. and 4.c. are amended by [[Page 33381]] adding 
``Chairman of the'' before ``Joint Chiefs of Staff''
    8. Appendices F through I to part 159a are added as follows:

Appendix F to Part 159a--Vault and Secure Room Construction Standards

1. Vault

    a. Floor and Walls. Eight inches of concrete reinforced to meet 
current structural standards. Walls are to extend to the underside 
of the roof slab above.
    b. Roof. Monolithic reinforced concrete slab of thickness to be 
determined by structural requirements, but not less than the floor 
and walls.
    c. Ceiling. The roof or ceiling must be reinforced concrete of a 
thickness to be determined by structural requirements, but not less 
than the floors and walls.
    d. Vault door and frame unit should conform to Federal 
Specification AA-D-2757 Class 8 vault door, or Federal Specification 
AA-D-600 Class 5 vault door.

2. Secure Room

    a. The walls, floor, and roof construction of secure rooms must 
be of permanent construction materials; i.e., plaster, gypsum 
wallboard, metal panels, hardboard, wood, plywood, or other 
materials offering resistance to, and evidence of unauthorized entry 
into the area. Walls shall be extended to the true ceiling and 
attached with permanent construction materials, wire mesh or 18 
gauge expanded steel screen.
    b. Ceiling. The ceilings shall be constructed of plaster, 
gypsum, wallboard material, hardwood, or any other acceptable 
material.
    c. Doors. The access door to the room shall be substantially 
constructed of wood or metal. The hinge pins of outswing doors shall 
be peened, brazed, or spot welded to prevent removal. Door should be 
equipped with a built-in GSA-approved combination lock meeting 
Federal Specification FF-L-2740.
    d. Windows. Windows which are less than 18 feet above the ground 
measured from the bottom of the window, or are easily accessible by 
means of objects directly beneath the windows, shall be constructed 
from or covered with materials which will provide protection from 
forced entry. The protection provided to the windows need be no 
stronger than the strength of the contiguous walls.
    e. Openings. Utility openings such as ducts and vents should be 
kept at less than man-passable (96 square inches) opening. Openings 
larger than 96 square inches will be hardened in accordance with 
Military Handbook 1013/1A.

Appendix G to Part 159a--IDS Standards

    1. An IDS must detect an unauthorized penetration in the secured 
area. An IDS complements other physical security measures and 
consists of the following:
    a. Intrusion Detection Equipment (IDE).
    b. Security forces.
    c. Operating procedures.
    2. System functions.
    a. IDS components operate as a system with the following four 
distinct phases:
    (1) Detection.
    (2) Communications.
    (3) Assessment.
    (4) Response.
    b. These elements are equally important, and none can be 
eliminated if an IDS is to provide an acceptable degree of 
protection.
    (1) Detection: The detection phase begins as soon as a detector 
or sensor reacts to stimuli it is designed to detect. The sensor 
alarm condition is then transmitted over cabling located within the 
protected area to the Premise Control Unit (PCU). The PCU may 
service many sensors. The PCU and the sensors it serves comprise a 
``zone'' at the monitor station. This shall be used as the 
definition of an alarmed zone for purposes of this part.
    (2) Reporting: The PCU receives signals from all sensors in a 
protected area and incorporates these signals into a communication 
scheme. Another signal is added to the communication for supervision 
to prevent compromise of the communication scheme. This supervised 
signal is intended to disguise the information and protect the IDS 
against tampering or injection of false information by an intruder. 
The supervised signal is sent by the PCU through the transmission 
link to the monitor station. Inside the monitor station either a 
dedicated panel or central processor monitors information from the 
PCU signals. When an alarm occurs, an annunciator generates an 
audible and visible alert to security personnel. Alarms result 
normally from intrusion, tampering, component failure, or system 
power failure.
    (3) Assessment: The assessment period is the first phrase that 
requires human interaction. When alarm conditions occur, the 
operator assesses the situation and dispatches the response force.
    (4) Response: The response phase begins as soon as the operator 
assesses an alarm condition. A response force must immediately 
respond to all alarms. The response phase must also determine the 
precise nature of the alarm and take all measures necessary to 
safeguard the secure area.

3. Use of IDS

    a. As determined by the commander all areas that reasonably 
afford access to the container, or where classified data is stored 
should be protected by IDS unless continually occupied. Prior to the 
installation of an IDS, commanders shall consider the threat, 
vulnerabilities, in-depth security measures and shall perform a risk 
analysis.
    b. Acceptability of Equipment: All IDE must be UL-listed (or 
equivalent) and approved by the DoD Component or government 
contractor. Government installed, maintained, or furnished systems 
are acceptable.

4. Equipment

    a. Transmission Line Security: When the transmission line leaves 
the facility and traverses an uncontrolled area, Class I or Class II 
line supervision shall be used.
    (1) Class I: Class I line security is achieved through the use 
of DES or an algorithm based on the cypher feedback or cypher block 
chaining mode of encryption. Certification by NIST or another 
independent testing laboratory is required.
    (2) Class II: Class II line supervision refers to systems in 
which the transmission is based on pseudo random generated tones or 
digital encoding using an interrogation and response scheme 
throughout the entire communication, or UL Class AA line 
supervision. The signal shall not repeat itself within a minimum 6 
month period. Class II security shall be impervious to compromise 
using resistance, voltage, current, or signal substitution 
techniques.
    b. Internal Cabling: The cabling between the sensors and the PCU 
should be dedicated to IDE and must comply with national and local 
code standards.
    c. Entry Control Systems: If an entry control system is 
integrated into an IDS, reports from the automated entry control 
system should be subordinate in priority to reports from intrusion 
alarms.
    d. Maintenance Mode: When an alarm zone is placed in the 
maintenance mode, this condition shall be signaled to the monitor 
station. This signal must appear as an alarm or maintenance message 
at the monitor station and the IDS shall not be securable while in 
the maintenance mode. The alarm or message must be continually 
visible at the monitor station throughout the period of maintenance. 
A standard operating procedure must be established to address 
appropriate actions when maintenance access is indicated at the 
panel. All maintenance periods shall be archived in the system. A 
self-test feature shall be limited to one second per occurrence.
    e. Annunciation of Shunting or Masking Condition: Shunting or 
masking of any internal zone or sensor must be appropriately logged 
or recorded in archive. A shunted or masked internal zone or sensor 
must be displayed as such at the monitor station throughout the 
period the condition exists whenever there is a survey of zones or 
sensors.
    f. Indications of alarm status shall be revealed at the 
monitoring station and optionally within the confines of the secure 
area.
    g. Power Supplies: Primary power of all IDE shall be commercial 
AC or DC power. In the event of commercial power failure at the 
protected area or monitor station, the equipment shall change power 
sources without causing an alarm indication.
    (1). Emergency Power. Emergency power shall consist of a 
protected independent backup power source that provides a minimum of 
4 hours operating power battery and/or generator power. When 
batteries are used for emergency power, they shall be maintained at 
full charge by automatic charging circuits. The manufacturer's 
periodic maintenance schedule shall be followed and results 
documented.
    (2) Power Source and Failure Indication: An illuminated 
indication shall exist at the PCU of the power source in use (AC or 
DC). Equipment at the monitor station shall indicate a failure in 
power source, a change in power source, and the location of the 
failure or change.
    h. Component Tamper Protection: IDE components located inside or 
outside the secure area should be evaluated for a tamper protection 
requirement. If access to a [[Page 33382]] junction box or 
controller will enable an unauthorized modification, tamper 
protection should be provided.

5. System Requirements

    a. Independent Equipment. When many alarmed areas are protected 
by one monitor station, secure room zones must be clearly 
distinguishable from the other zones to facilitate a priority 
response. All sensors shall be installed within the protected area.
    b. Access and/or Secure Switch and PCU: No capability should 
exist to allow changing the access status of the IDS from a location 
outside the protected area. All PCUs must be located inside the 
secure area and should be located near the entrance. Assigned 
personnel should initiate all changes in access and secure status. 
Operation of the PCU may be restricted by use of a device or 
procedure that verifies authorized use. In the secure mode, any 
unauthorized entry into the space shall cause an alarm to be 
transmitted to the monitor station.
    c. Motion Detection Protection: Secure areas that reasonably 
afford access to the container or where classified data is stored 
should be protected with motion detection sensors; e.g., ultrasonic 
and passive infrared. Use of dual technology is authorized when one 
technology transmits an alarm condition independent from the other 
technology. A failed detector shall cause an immediate and 
continuous alarm condition.
    d. Protection of Perimeter Doors: Each perimeter door shall be 
protected by a balanced magnetic switch (BMS) that meets the 
standards of UL 634.
    e. Windows: All readily accessible windows (within 18 feet of 
ground level) shall be protected by an IDS, either independently or 
by the motion detection sensors in the space.
    f. IDS Requirements for Continuous Operations Facilities: A 
continuous operations facility may not require an IDS. This type of 
secure area should be equipped with an alerting system if the 
occupants cannot observe all potential entrances into the room. 
Duress devices may also be required.
    g. False and/or Nuisance Alarm: Any alarm signal transmitted in 
the absence of detected intrusion or identified as a nuisance alarm 
is a false alarm. A nuisance alarm is the activation of an alarm 
sensor by some influence for which the sensor was designed but which 
is not related to an intrusion attempt. All alarms shall be 
investigated and the results documented. The maintenance program for 
the IDS should ensure that incidents of false alarms should not 
exceed 1 in a period of 30 days per zone.

6. Personnel

    a. IDS Installation and Maintenance Personnel: Alarm 
installation and maintenance should be accomplished by U.S. citizens 
who have been subjected to a trustworthiness determination in 
accordance with 32 CFR part 154.
    b. Monitor Station Staffing: The monitor station should be 
supervised continuously by U.S. citizens who have been subjected to 
a trustworthiness determination in accordance with 32 CFR part 154.

Appendix H to Part 159a--Priority for Replacement

    Priorities range from 1 to 4, with 1 being the highest and 4 the 
lowest.

  Lock Replacement Priorities in the United States and its Territories  
------------------------------------------------------------------------
        Item             TS/SAP         TS         S/SAP         S-C    
------------------------------------------------------------------------
Vault Doors.........            1            1            3            4
Containers (A) \1\..            3            4            4            4
Containers (B) \2\..            1            1            1            2
Crypto..............            1            1            2            2
------------------------------------------------------------------------


      Lock Replacement Priorities Outside the United States and its     
                               Territories                              
------------------------------------------------------------------------
        Item             TS/SAP         TS         S/SAP         S-C    
------------------------------------------------------------------------
Vault Doors.........            1            1            2            2
Containers (A) \1\..            2            2            3            3
Containers (B) \2\..            1            1            1            2
Crypto..............            1            1            2            2
High Risk Areas.....            1            1            1            1
------------------------------------------------------------------------
\1\ A--Located in a controlled environment where the Department of      
  Defense has the authority to prevent unauthorized disclosure of       
  classified information. The Government may control or deny access to  
  the space, post guards, require identification, challenge presence,   
  inspect packages, program elevators, or take other reasonable measures
  necessary to deny unauthorized access.                                
\2\ B--Located in an uncontrolled area without perimeter security       
  measures.                                                             

Appendix I to Part 159a--Access Controls

    1. Access Controls: The perimeter entrance should be under 
visual control at all times during working hours to preclude entry 
by unauthorized personnel. This may be accomplished by several 
methods (e.g., employee work station, guard, and CCTV). Regardless 
of the method utilized, an access control system shall be used on 
the entrance. Uncleared persons are to be escorted within the 
facility by a cleared person who is familiar with the security 
procedures at the facility.
    a. Automated Entry Control Systems: An automated entry control 
system may be used to control admittance during working hours 
instead of visual control, if it meets the criteria stated below.
    The automated entry control system must identify an individual 
authenticate that person's authority to enter the area through the 
use of an identification (ID) badge or card, and number or by 
personal identity verification. Exist should also be recorded.
    (1) ID Badges or Key Cards. The ID badge or key card must use 
embedded sensors, integrated circuits, magnetic stripes or other 
means of encoding data that identifies the facility and the 
individual to whom the card is issued.
    (2) Personal Identity Verification. Personel identity 
verification (biometrics device) identifies the individual 
requesting access by some unique personal characteristic, such as:
    (a) Fingerprinting
    (b) Hand Geometry
    (c) Handwriting
    (d) Retina
    (e) Voice recognition. A biometrics device may be required for 
access to most sensitive information.
    2. In conjunction with subparagraph 1.a(2)(a), above, a personal 
identification number (PIN) may be required. The PIN must be 
separately entered into the system by each individual using a keypad 
device and shall consist of four or more digits, randomly selected, 
with no known or logical association with the individual. The PIN 
must be changed when it is believed to have been compromised or 
subjected to compromise.
    3. Authentication of the individual's authorization to enter the 
area must be accomplished within the system by the inputs from the 
ID badge and/or card or the personal identity verification device or 
the keypad with an electronic data base of individuals authorized 
into the area. A procedure must be established for removal of the 
individual's authorization to enter the area upon reassignment, 
transfer or termination, or when the individual's access is 
suspended, revoked, or downgraded to a level lower than required.
    4. Protection must be established and continuously maintained 
for all devices and/ [[Page 33383]] or equipment that constitute the 
system. The level of protection may vary depending on the type of 
devices and/or equipment being protected with the basic intent of 
utilizing the security controls already in effect within the 
facility.
    a. Location where authorization data, card encoded data, and 
personal identification or verification data is input, stored, or 
recorded must be protected.
    b. Card readers, keypads, communication, or interface devices 
located outside the entrance to a controlled area shall have tamper 
resistant enclosures, and be securely fastened to a wall or other 
structure. Control panels located within a controlled area shall 
require only a minimal degree of physical security protection 
sufficient to preclude unauthorized access to the mechanism.
    c. Keypad devices shall be designed or installed in such a 
manner that an unauthorized person in the immediate vicinity cannot 
observe the selection of input numbers.
    d. Systems that utilize transmission lines to carry access 
authorizations, personal identification, or verification data 
between devices/equipment located outside the controlled area shall 
have line supervision.
    e. Electric strikes used in access control systems shall be 
heavy duty industrial grade.
    5. Access to records and information concerning encoded ID data 
and PINs shall be restricted. Access to identification or 
authorization data, operating system software or any identifying 
data associated with the access control system shall be limited to 
the fewest number personnel as possible. Such data or software shall 
be kept secure when unattended.
    6. Records shall be maintained reflecting active assignment of 
ID badge and/or card, PIN, level of access, access, and similar 
system-related records. Records concerning personnel removed form 
the system shall be retained for 90 days. Records of entries shall 
be retained for at least 90 days or until investigations of system 
violations and incidents have been successfully resolved and 
recorded.
    7. Personnel entering or leaving an area shall be require to 
immediately secure the entrance or exit point. Authorized personnel 
who permit another individual to enter the area are responsible for 
confirming the individual's access and need-to-know. The Heads of 
the DOD components may approve the use of standardized AECS, which 
meet the following criteria:
    a. For a Level 1 key card system, the AECS must provide a 0.95 
probability of granting access to an authorized user providing the 
proper identifying information within three attempts. Additionally, 
the system must ensure an unauthorized user is granted access with 
less than 0.05 probability after three attempts to gain entry have 
been made.
    b. For a Level 2 key card and PIN system, the AECS must provide 
a 0.97 probability of granting access to an authorized user 
providing the proper identifying information within three attempts. 
Additionally, the system must ensure an unauthorized user is granted 
access with less than 0.010 probability after three attempts to gain 
entry have bee made.
    c. For a Level 3 key card and PIN and biometrics identifier 
system, the AECS must provide a 0.99 probability of granting access 
to an authorized user providing the proper identifying information 
within three attempts. Additionally, the system must ensure an 
unauthorized user is granted access with less than 0.005 probability 
after three attempts to gain entry have been made.
    1. Electric, Mechanical, or Electromechanical Access Control 
Devices. Electric, mechanical, or electromechanical devices which 
meet the criteria stated in subparagraphs 7.c.2. and 3, below, may 
be used to control admittance to secure areas during duty hours if 
the entrance is under visual control. These devices are also 
acceptable to control access to compartmented areas within a secure 
area. Access control devices must be installed in the following 
manner:
    2. The electronic control panel containing the mechanical 
mechanism by which the combination is set is to be located inside 
the area. The control (located within the area) shall require only 
minimal degree of physical security designated to preclude 
unauthorized access to the mechanism.
    3. The control panel shall be installed in such a manner, or 
have a shielding device mounted, so that an unauthorized person in 
the immediate vicinity cannot observe the setting or changing of the 
combination.
    4. The selection and setting of the combination shall be 
accomplished by an individual cleared at the same level as the 
highest classified information controlled within.
    5. Electrical components, wiring included, or mechanical links 
(cables, rods, etc.) should be accessible only from inside the area, 
or if they traverse an uncontrolled area they should be secured 
within protecting covering to preclude surreptitious manipulation of 
components.

    Dated: June 22, 1995.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 95-15707 Filed 6-27-95; 8:45 am]
BILLING CODE 5000-04-M