[Federal Register Volume 64, Number 185 (Friday, September 24, 1999)]
[Rules and Regulations]
[Pages 51854-51858]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-24813]



[[Page 51853]]

_______________________________________________________________________

Part III





National Archives and Records Administration





_______________________________________________________________________



Information Security Oversight Office



_______________________________________________________________________



32 CFR Part 2004



Safeguarding Classified National Security Information; Final Rule

  Federal Register / Vol. 64, No. 185 / Friday, September 24, 1999 / 
Rules and Regulations  

[[Page 51854]]



NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office

32 CFR Part 2004

RIN 3095-AA95


Safeguarding Classified National Security Information

AGENCY: Information Security Oversight Office (ISOO), National Archives 
and Records Administration (NARA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule promulgates a new Directive on Safeguarding 
Classified National Security Information, which applies to Federal 
agencies. It implements provisions of Executive Order 12958, Classified 
National Security Information, that pertain to the handling, storage, 
distribution, transmittal, destruction of, and accounting for 
classified information.

EFFECTIVE DATE: October 25, 1999.

FOR FURTHER INFORMATION CONTACT: Dan L. Jacobson, Staff Director, 
United States Security Policy Board, telephone 703-602-1030; or Steven 
Garfinkel, Director, ISOO, telephone 202-219-5250.

SUPPLEMENTARY INFORMATION: In accordance with section 5(c) of Executive 
Order 12958, ``Classified National Security Information,'' the 
President has approved the Directive for safeguarding classified 
information contained in this final rule. On behalf of the United 
States Security Policy Board, which prepared the Directive, and at the 
direction of the Executive Office of the President, NARA/ISOO is 
publishing this Directive as Part 2004 of Title 32, Code of Federal 
Regulations. This Directive complements and supplements the ISOO 
regulations in 32 CFR Chapter XX, which also implement particular 
provisions of E.O. 12958. Most specifically, this Directive should be 
read in conjunction with the Directive contained in 32 CFR part 2001 
and with E.O. 12958.
    This rule is being issued as a final rule without prior notice of 
proposed rulemaking as allowed by the Administrative Procedure Act, 5 
U.S.C. 553(b)(3)(A) for rules of agency procedure. This rule is not a 
significant regulatory action for the purposes of Executive Order 
12866. This rule is not a major rule as defined in 5 U.S.C. Chapter 8, 
Congressional Review of Agency Rulemaking. As required by the 
Regulatory Flexibility Act, we certify that this rule will not have a 
significant impact on a substantial number of small entities because it 
applies only to Federal agencies.

List of Subjects in 32 CFR Part 2004

    Archives and records, Authority delegations (Government agencies), 
Classified information, Executive orders, Freedom of information, 
Information, Intelligence, National defense, National security 
information, Presidential document, Security information, Security 
measures.
    For the reasons set forth in the preamble, NARA adds new part 2004 
to Chapter XX of title 32, Code of Federal Regulations, as follows:

PART 2004--DIRECTIVE ON SAFEGUARDING CLASSIFIED NATIONAL SECURITY 
INFORMATION:

Sec.
2004.1  Authority.
2004.2  General.
2004.3  Definitions.
2004.4  Responsibilities of holders.
2004.5  Standards for security equipment.
2004.6  Storage.
2004.7  Information controls.
2004.8  Transmission.
2004.9  Destruction.
2004.10  Loss, possible compromise or unauthorized disclosure.
2004.11  Special access programs.
2004.12  Telecommunications, automated information systems and 
network security.
2004.13  Technical security.
2004.14 Emergency authority.

Appendix A to Part 2004--Open Storage Areas.

Appendix B to Part 2004--Foreign Government Information.

    Authority: E.O. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 333.


Sec. 2004.1  Authority.

    This Directive is issued pursuant to Section 5.2 (c) of Executive 
Order (E.O.) 12958, ``Classified National Security Information.'' The 
E.O. and this Directive set forth the requirements for the safeguarding 
of classified national security information (hereinafter classified 
information) and are applicable to all U.S. Government agencies.


Sec. 2004.2  General.

    (a) Classified information, regardless of its form, shall be 
afforded a level of protection against loss or unauthorized disclosure 
commensurate with its level of classification.
    (b) Except for NATO and other foreign government information, 
agency heads or their designee(s) (hereinafter referred to as agency 
heads) may adopt alternative measures, using risk management 
principles, to protect against loss or unauthorized disclosure when 
necessary to meet operational requirements. When alternative measures 
are used for other than temporary, unique situations, the alternative 
measures shall be documented and provided to the Director, Information 
Security Oversight Office (ISOO), to facilitate that office's oversight 
responsibility. Upon request, the description shall be provided to any 
other agency with which classified information or secure facilities are 
shared. In all cases, the alternative measures shall provide protection 
sufficient to reasonably deter and detect loss or unauthorized 
disclosure. Risk management factors considered will include 
sensitivity, value and crucial nature of the information; analysis of 
known and anticipated threats; vulnerability; and countermeasures 
benefits versus cost.
    (c) NATO classified information shall be safeguarded in compliance 
with U.S. Security Authority for NATO Instructions I-69 and I-70. Other 
foreign government information shall be safeguarded as described herein 
for U.S. information except as required by an existing treaty, 
agreement or other obligation (hereinafter, obligation). When the 
information is to be safeguarded pursuant to an existing obligation, 
the additional requirements at Appendix B may apply to the extent they 
were required in the obligation as originally negotiated or are agreed 
upon during amendment. Negotiations on new obligations or amendments to 
existing obligations shall strive to bring provisions for safeguarding 
foreign government information into accord with standards for 
safeguarding U.S. information as described in this Directive.
    (d) An agency head who originates or handles classified information 
shall refer any matter pertaining to the implementation of this 
Directive that he or she cannot resolve to the Director, ISOO for 
resolution.


Sec. 2004.3  Definitions.

    (a) Open storage area. An area, constructed in accordance with 
Appendix A and authorized by the agency head for open storage of 
classified information.
    (b) Authorized person. A person who has a favorable determination 
of eligibility for access to classified information, has signed an 
approved nondisclosure agreement, and has a need-to-know for the 
specific classified information in the performance of official duties.
    (c) Cleared commercial carrier. A carrier that is authorized by 
law, regulatory body, or regulation, to transport SECRET and 
CONFIDENTIAL

[[Page 51855]]

material and has been granted a SECRET facility clearance in accordance 
with the National Industrial Security Program.
    (d) Security-in-depth. A determination by the agency head that a 
facility's security program consists of layered and complementary 
security controls sufficient to deter and detect unauthorized entry and 
movement within the facility. Examples include, but are not limited to, 
use of perimeter fences, employee and visitor access controls, use of 
an Intrusion Detection System (IDS), random guard patrols throughout 
the facility during non-working hours, closed circuit video monitoring 
or other safeguards that mitigate the vulnerability of open storage 
areas without alarms and security storage cabinets during non-working 
hours.
    (e) Vault. An area approved by the agency head which is designed 
and constructed of masonry units or steel lined construction to provide 
protection against forced entry. A modular vault approved by the 
General Services Administration (GSA) may be used in lieu of a vault as 
prescribed in the first sentence of this paragraph (e). Vaults shall be 
equipped with a GSA-approved vault door and lock.


Sec. 2004.4  Responsibilities of holders.

    Authorized persons who have access to classified information are 
responsible for:
    (a) Protecting it from persons without authorized access to that 
information, to include securing it in approved equipment or facilities 
whenever it is not under the direct control of an authorized person;
    (b) Meeting safeguarding requirements prescribed by the agency 
head; and
    (c) Ensuring that classified information is not communicated over 
unsecured voice or data circuits, in public conveyances or places, or 
in any other manner that permits interception by unauthorized persons.


Sec. 2004.5  Standards for security equipment.

    The Administrator of General Services shall, in coordination with 
agency heads originating classified information, establish and publish 
uniform standards, specifications and supply schedules for security 
equipment designed to provide secure storage for and destruction of 
classified information. Whenever new security equipment is procured, it 
shall be in conformance with the standards and specifications 
established by the Administratior of General Services, and shall, to 
the maximum extent possible, be of the type available through the 
Federal Supply System.


Sec. 2004.6  Storage.

    (a) General. Classified information shall be stored only under 
conditions designed to deter and detect unauthorized access to the 
information. Storage at overseas locations shall be at U.S. Government 
controlled facilities unless otherwise stipulated in treaties or 
international agreements. Overseas storage standards for facilities 
under a Chief of Mission are promulgated under the authority of the 
Overseas Security Policy Board.
    (b) Requirements for physical protection. (1) Top Secret. Top 
Secret information shall be stored by one of the following methods:
    (i) In a GSA-approved security container with one of the following 
supplemental controls:
    (A) Continuous protection by cleared guard or duty personnel;
    (B) Inspection of the security container every two hours by cleared 
guard or duty personnel;
    (C) An Intrusion Detection System (IDS) with the personnel 
responding to the alarm arriving within 15 minutes of the alarm 
annunciation [Acceptability of Intrusion Detection Equipment (IDE): All 
IDE must be UL-listed (or equivalent as defined by the agency head) and 
approved by the agency head. Government and proprietary installed, 
maintained, or furnished systems are subject to approval only by the 
agency head.]; or
    (D) Security-In-Depth conditions, provided the GSA-approved 
container is equipped with a lock meeting Federal Specification FF-L-
2740.
    (ii) An open storage area constructed in accordance with Appendix 
A, which is equipped with an IDS with the personnel responding to the 
alarm arriving within 15 minutes of the alarm annunciation if the area 
is covered by Security-In-Depth or a five minute alarm response if it 
is not.
    (iii) An IDS-equipped vault with the personnel responding to the 
alarm arriving within 15 minutes of the alarm annunciation.
    (2) Secret. Secret information shall be stored by one of the 
following methods:
    (i) In the same manner as prescribed for Top Secret information;
    (ii) In a GSA-approved security container or vault without 
supplemental controls; or
    (iii) In either of the following:
    (A) Until October 1, 2012, in a non-GSA-approved container having a 
built-in combination lock or in a non-GSA approved container secured 
with a rigid metal lockbar and an agency head approved padlock; or
    (B) An open storage area. In either case, one of the following 
supplemental controls is required:
    (1) The location that houses the container or open storage area 
shall be subject to continuous protection by cleared guard or duty 
personnel;
    (2) Cleared guard or duty personnel shall inspect the security 
container or open storage area once every four hours; or
    (3) An IDS (per paragraph (b)(1)(i)(C) of this section) with the 
personnel responding to the alarm arriving within 30 minutes of the 
alarm annunciation. [In addition to one of these supplemental controls 
specified in paragraphs (b)(2)(iii)(B)(1) through (3), security-in-
depth as determined by the agency head is required as part of the 
supplemental controls for a non-GSA approved container or open storage 
area storing Secret information.]
    (3) Confidential. Confidential information shall be stored in the 
same manner as prescribed for Top Secret or Secret information except 
that supplemental controls are not required.
    (c) Combinations. Use and maintenance of dial-type locks and other 
changeable combination locks.
    (1) Equipment in service. The classification of the combination 
shall be the same as the highest level of classified information that 
is protected by the lock. Combinations to dial-type locks shall be 
changed only by persons having a favorable determination of eligibility 
for access to classified information and authorized access to the level 
of information protected unless other sufficient controls exist to 
prevent access to the lock or knowledge of the combination. 
Combinations shall be changed under the following conditions:
    (i) Whenever such equipment is placed into use;
    (ii) Whenever a person knowing the combination no longer requires 
access to it unless other sufficient controls exist to prevent access 
to the lock; or
    (iii) Whenever a combination has been subject to possible 
unauthorized disclosure.
    (2) Equipment out of service. When security equipment is taken out 
of service, it shall be inspected to ensure that no classified 
information remains and the built-in combination lock shall be reset to 
a standard combination.
    (d) Key operated locks. When special circumstances exist, an agency 
head may approve the use of key operated locks for the storage of 
Secret and Confidential information. Whenever such locks are used, 
administrative procedures for the control and accounting of keys and 
locks shall be established.

[[Page 51856]]

Sec. 2004.7  Information controls.

    (a) General. Agency heads shall establish a system of control 
measures which assure that access to classified information is limited 
to authorized persons. The control measures shall be appropriate to the 
environment in which the access occurs and the nature and volume of the 
information. The system shall include technical, physical, and 
personnel control measures. Administrative control measures which may 
include records of internal distribution, access, generation, 
inventory, reproduction, and disposition of classified information 
shall be required when technical, physical and personnel control 
measures are insufficient to deter and detect access by unauthorized 
persons.
    (b) Reproduction. Reproduction of classified information shall be 
held to the minimum consistent with operational requirements. The 
following additional control measures shall be taken:
    (1) Reproduction shall be accomplished by authorized persons 
knowledgeable of the procedures for classified reproduction;
    (2) Unless restricted by the originating Agency, Top Secret, 
Secret, and Confidential information may be reproduced to the extent 
required by operational needs, or to facilitate review for 
declassification;
    (3) Copies of classified information shall be subject to the same 
controls as the original information; and
    (4) The use of technology that prevents, discourages, or detects 
the unauthorized reproduction of classified information is encouraged.


Sec. 2004.8  Transmission.

    (a) General. Classified information shall be transmitted and 
received in an authorized manner which ensures that evidence of 
tampering can be detected, that inadvertent access can be precluded, 
and that provides a method which assures timely delivery to the 
intended recipient. Persons transmitting classified information are 
responsible for ensuring that intended recipients are authorized 
persons with the capability to store classified information in 
accordance with this Directive.
    (b) Dispatch. Agency heads shall establish procedures which ensure 
that:
    (1) All classified information physically transmitted outside 
facilities shall be enclosed in two layers, both of which provide 
reasonable evidence of tampering and which conceal the contents. The 
inner enclosure shall clearly identify the address of both the sender 
and the intended recipient, the highest classification level of the 
contents, and any appropriate warning notices. The outer enclosure 
shall be the same except that no markings to indicate that the contents 
are classified shall be visible. Intended recipients shall be 
identified by name only as part of an attention line. The following 
exceptions apply:
    (i) If the classified information is an internal component of a 
packable item of equipment, the outside shell or body may be considered 
as the inner enclosure provided it does not reveal classified 
information;
    (ii) If the classified information is an inaccessible internal 
component of a bulky item of equipment, the outside or body of the item 
may be considered to be a sufficient enclosure provided observation of 
it does not reveal classified information;
    (iii) If the classified information is an item of equipment that is 
not reasonably packable and the shell or body is classified, it shall 
be concealed with an opaque enclosure that will hide all classified 
features;
    (iv) Specialized shipping containers, including closed cargo 
transporters or diplomatic pouch, may be considered the outer enclosure 
when used; and
    (v) When classified information is hand-carried outside a facility, 
a locked briefcase may serve as the outer enclosure.
    (2) Couriers and authorized persons designated to hand-carry 
classified information shall ensure that the information remains under 
their constant and continuous protection and that direct point-to-point 
delivery is made. As an exception, agency heads may approve, as a 
substitute for a courier on direct flights, the use of specialized 
shipping containers that are of sufficient construction to provide 
evidence of forced entry, are secured with a high security padlock, are 
equipped with an electronic seal that would provide evidence of 
surreptitious entry and are handled by the carrier in a manner to 
ensure that the container is protected until its delivery is completed.
    (c) Transmission methods within and between the U.S., Puerto Rico, 
or a U.S. possession or trust territory. (1) Top Secret. Top Secret 
information shall be transmitted by direct contact between authorized 
persons; the Defense Courier Service or an authorized government agency 
courier service; a designated courier or escort with Top Secret 
clearance; electronic means over approved communications systems. Under 
no circumstances will Top Secret information be transmitted via the 
U.S. Postal Service.
    (2) Secret. Secret information shall be transmitted by:
    (i) Any of the methods established for Top Secret; U.S. Postal 
Service Express Mail and U.S. Postal Service Registered Mail, as long 
as the Waiver of Signature and Indemnity block, item 11-B, on the U.S. 
Postal Service Express Mail Label shall not be completed; and cleared 
commercial carriers or cleared commercial messenger services. The use 
of street-side mail collection boxes is strictly prohibited; and
    (ii) Agency heads may, on an exceptional basis and when an urgent 
requirement exists for overnight delivery within the U.S. and its 
Territories, authorize the use of the current holder of the General 
Services Administration contract for overnight delivery of information 
for the Executive Branch as long as applicable postal regulations (39 
CFR chapter I) are met. Any such delivery service shall be U.S. owned 
and operated, provide automated in-transit tracking of the classified 
information, and ensure package integrity during transit. The contract 
shall require cooperation with government inquiries in the event of a 
loss, theft, or possible unauthorized disclosure of classified 
information. The sender is responsible for ensuring that an authorized 
person will be available to receive the delivery and verification of 
the correct mailing address. The package may be addressed to the 
recipient by name. The release signature block on the receipt label 
shall not be executed under any circumstances. The use of external 
(street side) collection boxes is prohibited. Classified Communications 
Security Information, NATO, and foreign government information shall 
not be transmitted in this manner.
    (3) Confidential. Confidential information shall be transmitted by 
any of the methods established for Secret information or U.S. Postal 
Service Certified Mail. In addition, when the recipient is a U.S. 
Government facility, the confidential information may be transmitted 
via U.S. First Class Mail. However, confidential information shall not 
be transmitted to government contractor facilities via first class 
mail. When first class mail is used, the envelope or outer wrapper 
shall be marked to indicate that the information is not to be 
forwarded, but is to be returned to sender. The use of street-side mail 
collection boxes is prohibited.
    (d) Transmission methods to a U.S. Government facility located 
outside the U.S. The transmission of classified information to a U.S. 
Government facility located outside the 50 states, the District of 
Columbia, the

[[Page 51857]]

Commonwealth of Puerto Rico, or a U.S. possession or trust territory, 
shall be by methods specified above for Top Secret information or by 
the Department of State Courier Service. U.S. Registered Mail through 
Military Postal Service facilities may be used to transmit Secret and 
Confidential information provided that the information does not at any 
time pass out of U.S. citizen control nor pass through a foreign postal 
system.
    (e) Transmission of U.S. classified information to foreign 
governments. Such transmission shall take place between designated 
government representatives using the transmission methods described in 
paragraph (d) of this section. When classified information is 
transferred to a foreign government or its representative a signed 
receipt is required.
    (f) Receipt of classified information. Agency heads shall establish 
procedures which ensure that classified information is received in a 
manner which precludes unauthorized access, provides for inspection of 
all classified information received for evidence of tampering and 
confirmation of contents, and ensures timely acknowledgment of the 
receipt of Top Secret and Secret information by an authorized 
recipient. As noted in paragraph (e) of this section, a receipt 
acknowledgment of all classified material transmitted to a foreign 
government or its representative is required.


Sec. 2004.9  Destruction.

    (a) General. Classified information identified for destruction 
shall be destroyed completely to preclude recognition or reconstruction 
of the classified information in accordance with procedures and methods 
prescribed by agency heads. The methods and equipment used to routinely 
destroy classified information include burning, cross-cut shredding, 
wet-pulping, melting, mutilation, chemical decomposition or 
pulverizing.
    (b) Technical guidance. Technical guidance concerning appropriate 
methods, equipment, and standards for the destruction of classified 
electronic media and processing equipment components may be obtained by 
submitting all pertinent information to the National Security Agency/
Central Security Service, Directorate for Information Systems Security, 
Fort Meade, MD 20755. Specifications concerning appropriate equipment 
and standards for the destruction of other storage media may be 
obtained from the GSA.


Sec. 2004.10  Loss, possible compromise or unauthorized disclosure.

    (a) General. Any person who has knowledge that classified 
information has been or may have been lost, possibly compromised or 
disclosed to an unauthorized person(s) shall immediately report the 
circumstances to an official designated for this purpose.
    (b) Cases involving information originated by a foreign government 
or another U.S. government agency. Whenever a loss or possible 
unauthorized disclosure involves the classified information or 
interests of a foreign government agency, or another government agency, 
the department or agency in which the compromise occurred shall advise 
the other government agency or foreign government of the circumstances 
and findings that affect their information or interests. However, 
foreign governments normally will not be advised of any security system 
vulnerabilities that contributed to the compromise.
    (c) Inquiry/investigation and corrective actions. Agency heads 
shall establish appropriate procedures to conduct an inquiry/
investigation of a loss, possible compromise or unauthorized disclosure 
of classified information, in order to implement appropriate corrective 
actions, which may include disciplinary sanctions, and to ascertain the 
degree of damage to national security.
    (d) Department of Justice and legal counsel coordination. Agency 
heads shall establish procedures to ensure coordination with legal 
counsel whenever a formal action, beyond a reprimand, is contemplated 
against any person believed responsible for the unauthorized disclosure 
of classified information. Whenever a criminal violation appears to 
have occurred and a criminal prosecution is contemplated, agency heads 
shall use established procedures to ensure coordination with--
    (1) The Department of Justice, and
    (2) The legal counsel of the agency where the individual 
responsible is assigned or employed.


Sec. 2004.11  Special access programs.

    (a) General. The safeguarding requirements of this Directive may be 
enhanced for information in Special Access Programs (SAP), established 
under the provisions of Section 4.4 of E.O. 12958, by the agency head 
responsible for creating the SAP. Agency heads shall ensure that the 
enhanced controls are based on an assessment of the value, critical 
nature, and vulnerability of the information.
    (b) Significant interagency support requirements. Agency heads must 
ensure that a Memorandum of Agreement/Understanding (MOA/MOU) is 
established for each Special Access Program that has significant 
interagency support requirements, to appropriately and fully address 
support requirements and supporting agency oversight responsibilities 
for that SAP.


Sec. 2004.12  Telecommunications, automated information systems and 
network security.

    Each agency head shall ensure that classified information 
electronically accessed, processed, stored or transmitted is protected 
in accordance with applicable national policy issuances identified in 
the Index of National Security Telecommunications and Information 
Systems Security Issuances (NSTISSI) and Director of Central 
Intelligence Directive (DCID)
6/3.


Sec. 2004.13  Technical security.

    Based upon the risk management factors referenced in Sec. 2004.2 of 
this directive agency heads shall determine the requirement for 
technical countermeasures such as Technical Surveillance 
Countermeasures (TSCM) and TEMPEST necessary to detect or deter 
exploitation of classified information through technical collection 
methods and may apply countermeasures in accordance with NSTISSI 7000, 
entitled Tempest Countermeasures for Facilities, and SPB Issuance 6-97, 
entitled National Policy on Technical Surveillance Countermeasures.


Sec. 2004.14  Emergency authority.

    Agency heads may prescribe special provisions for the 
dissemination, transmittal, destruction, and safeguarding of classified 
information during military operations or other emergency situations.

Appendix A to Part 2004--Open Storage Areas

    This Appendix describes the construction standards for open 
storage areas.
    1. Construction. The perimeter walls, floors, and ceiling will 
be permanently constructed and attached to each other. All 
construction must be done in a manner as to provide visual evidence 
of unauthorized penetration.
    2. Doors. Doors shall be constructed of wood, metal, or other 
solid material. Entrance doors shall be secured with a built-in GSA-
approved three-position combination lock. When special circumstances 
exist, the agency head may authorize other locks on entrance doors 
for Secret and Confidential storage. Doors other than those secured 
with the aforementioned locks shall be secured from the inside with 
either deadbolt

[[Page 51858]]

emergency egress hardware, a deadbolt, or a rigid wood or metal bar 
which extends across the width of the door, or by other means 
approved by the agency head.
    3. Vents, ducts, and miscellaneous openings. All vents, ducts, 
and similar openings in excess of 96 square inches (and over 6 
inches in its smallest dimension) that enter or pass through an open 
storage area shall be protected with either bars, expanded metal 
grills, commercial metal sound baffles, or an intrusion detection 
system.
    4. Windows.
    a. All windows which might reasonably afford visual observation 
of classified activities within the facility shall be made opaque or 
equipped with blinds, drapes, or other coverings.
    b. Windows at ground level will be constructed from or covered 
with materials which provide protection from forced entry. The 
protection provided to the windows need be no stronger than the 
strength of the contiguous walls. Open storage areas which are 
located within a controlled compound or equivalent may eliminate the 
requirement for forced entry protection if the windows are made 
inoperable either by permanently sealing them or equipping them on 
the inside with a locking mechanism and they are covered by an IDS 
(either independently or by the motion detection sensors within the 
area.)

Appendix B to Part 2004--Foreign Government Information

    The requirements described below are additional baseline 
safeguarding standards that may be necessary for foreign government 
information, other than NATO information, that requires protection 
pursuant to an existing treaty, agreement, or other obligation. NATO 
classified information shall be safeguarded in compliance with 
United States Security Authority for NATO Instructions I-69 and I-
70. To the extent practical, and to facilitate its control, foreign 
government information should be stored separately from other 
classified information. To avoid additional costs, separate storage 
may be accomplished by methods such as separate drawers of a 
container. The safeguarding standards described below may be 
modified if required or permitted by treaties or agreements, or for 
other obligations, with the prior written consent of the National 
Security Authority of the originating government.
    1. Top Secret. Records shall be maintained of the receipt, 
internal distribution, destruction, access, reproduction, and 
transmittal of foreign government Top Secret information. 
Reproduction requires the consent of the originating government. 
Destruction will be witnessed.
    2. Secret. Records shall be maintained of the receipt, external 
dispatch and destruction of foreign government Secret information. 
Other records may be necessary if required by the originator. Secret 
foreign government information may be reproduced to meet mission 
requirements unless prohibited by the originator. Reproduction shall 
be recorded unless this requirement is waived by the originator.
    3. Confidential. Records need not be maintained for foreign 
government Confidential information unless required by the 
originator.
    4. Restricted and other foreign government information provided 
in confidence. In order to assure the protection of other foreign 
government information provided in confidence (e.g., foreign 
government ``Restricted,'' ``Designated,'' or unclassified provided 
in confidence), such information must be classified under E.O. 
12958. The receiving agency, or a receiving U.S. contractor, 
licensee, grantee, or certificate holder acting in accordance with 
instructions received from the U.S. Government, shall provide a 
degree of protection to the foreign government information at least 
equivalent to that required by the government or international 
organization that provided the information. When adequate to achieve 
equivalency, these standards may be less restrictive than the 
safeguarding standards that ordinarily apply to US CONFIDENTIAL 
information. If the foreign protection requirement is lower than the 
protection required for US CONFIDENTIAL information, the following 
requirements shall be met:
    a. Documents may retain their original foreign markings if the 
responsible agency determines that these markings are adequate to 
meet the purposes served by U.S. classification markings. Otherwise, 
documents shall be marked, ``This document contains (insert name of 
country) (insert classification level) information to be treated as 
US (insert classification level).'' The notation, ``Modified 
Handling Authorized,'' may be added to either the foreign or U.S. 
markings authorized for foreign government information. If remarking 
foreign originated documents or matter is impractical, an approved 
cover sheet is an authorized option;
    b. Documents shall be provided only to those who have an 
established need-to-know, and where access is required by official 
duties;
    c. Individuals being given access shall be notified of 
applicable handling instructions. This may be accomplished by a 
briefing, written instructions, or by applying specific handling 
requirements to an approved cover sheet;
    d. Documents shall be stored in such a manner so as to prevent 
unauthorized access;
    e. Documents shall be transmitted in a method approved for 
classified information, unless this method is waived by the 
originating government.
    5. Third-country transfers. The release or disclosure of foreign 
government information to any third-country entity must have the 
prior consent of the originating government if required by a treaty, 
agreement, bilateral exchange, or other obligation.

    Dated: September 17, 1999.
John W. Carlin,
Archivist of the United States.
[FR Doc. 99-24813 Filed 9-23-99; 8:45 am]
BILLING CODE 7515-01-P