10.9.1 Classified National Security Information

Manual Transmittal

April 13, 2021

Purpose

(1) This transmits revised IRM 10.9.1, Classified National Security Information (NSI).

Material Changes

(1) Entirety of IRM makes use of the term National Security Information (NSI) to discuss classified material of any type and avoid it being associated with the Information Technology (IT) sphere.

(2) Subsections were relocated, reformatted, or organized to improve readability and internal controls added in compliance with IRM 1.11.2.

(3) Included information related to the program owner, authority, roles/responsibilities.

(4) Updated acronyms and security terms/definitions.

(5) Removed the following language/sections:

  1. Facilities Management and Security Services (FMSS) was responsible for communications security (COMSEC) as it no longer applies.

  2. Key Operated Locks as it no longer applies.

  3. Exhibits for the Receipt of Classified Information and Record of Security Violation forms, among others as it added unnecessary pages to the document.

(6) Added language/sections on the following:

  1. IRM 10.9.1.1.3 - The responsibilities of Senior Leadership

  2. IRM 10.9.1.4 - The marking of NSI documents

  3. IRM 10.9.1.8.3, IRM 10.9.1.8.4 & IRM 10.9.1.15 - The use of required forms (e.g., Standard Forms (SF) 700, 701, or 702)

  4. Exhibit 10.9.1-4 - The responsibilities of the Security Container Custodian

(7) Exhibit 10.9.1-1 - Added more detail to the Classified Document Custodian responsibilities, to include clarifying their responsibilities for Security Incidents and NSI assessments.

(8) IRM 10.9.1.1.3 - Added Interim Guidance Memorandum FMSS-10-0120-0002, Interim Guidance on the Senior Agency Official (SAO) for IRM 10.9.1, National Security Information dated 01-10-2020 to update the roles and responsibilities.

(9) Various grammatical and editorial changes throughout, and renumbered and/or renamed sections where applicable, to improve the flow of information.

Effect on Other Documents

This IRM supersedes IRM 10.9.1, dated August 14, 2012.
This IRM incorporates Interim Guidance Memorandum FMSS-10-0120-0002, Interim Guidance on the Senior Agency Official (SAO) for IRM 10.9.1, National Security Information dated January 10, 2020.

Audience

This IRM is for all personnel responsible for handling, processing, storing, transmitting, accounting for tracking and/or destruction of NSI

Effective Date

(04-13-2021)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope and Objectives

  1. This IRM implements minimum standards within the IRS for classification, safeguarding, transmission, and destruction of classified National Security Information (NSI). It implements policies and procedures for the handling of NSI, as well as processes if a security incident occurs.

  2. Purpose: To ensure that the IRS comes into, and remains, in compliance with National and Treasury level guidance in its NSI program and that the identification, creation, protection/handling, transmission, reproduction, and destruction of the NSI lifecycle is prioritized, understood, and practiced by holders of NSI. Those who have access to NSI must be trained via the NSI Refresher Training, and any additional warranted training, to carry out their duties.

  3. Audience: This IRM section provides policy and guidance to be used by authorized personnel responsible for NSI at any point in its lifecycle and the authorized personnel’s management. The provisions in this section apply to all offices, business, operating, and functional units, as well as any individuals/organizations these entities have contractual arrangements with, in the IRS who handle NSI.

  4. Policy Owner: Chief, Facilities Management and Security Services (FMSS) serves as the Senior Agency Official (SAO) for the IRS NSI Program.

  5. Program Owner: Chief, FMSS Protection Management.

  6. Primary Stakeholders: Criminal Investigations (CI), Cyber Security Incident Response Center (CSIRC), Personnel Security, Continuity of Operations (COOP), General Counsel, and any other IRS entity or employee that makes use of, or encounters, NSI during duties.

  7. Program Goals: The objectives of the program are to ensure the NSI that IRS holds or creates is safeguarded for the material’s lifecycle from the origination of NSI within IRS through its destruction in accordance with (IAW) the guiding documents and references contained in IRM 10.9.1.1.2, Authority.

Background

  1. This revision addresses policy updates to implement changes that will allow the IRS to provide clarity regarding required safeguards for NSI and appropriately handle NSI from its inception to destruction.

Authority

  1. Treasury Department Publication (TD P) 15-71, Department of the Treasury Security Manual, dated June 17, 2011.

  2. Treasury Order (TO) 105-19, Delegation of Original Classification Authority; Requirements for Downgrading and Declassification, dated June 17, 2011.

  3. Department of Treasury Security Classification Guide dated March 2, 2012.

  4. Information Security Oversight Office (ISOO) Directive No. 1, 32 Code of Federal Regulations (CFR) Parts 2001 and 2003, Classified National Security Information (implementing Executive Order 13526), dated June 22, 2010.

  5. ISOO, Marking Classified National Security Information, Rev. 4, dated January 2018.

  6. Executive Order (EO) 13526, Classified National Security Information, dated December 29, 2009.

  7. EO 12968, Access to Classified Information, dated August 2, 1995.

  8. EO 12829, National Industrial Security Program, dated January 8, 1993.

  9. DoD 5220-22M, National Industrial Security Program Operating Manual, Change 2, dated May 18, 2016.

  10. IRM 10.23.1, National Security Positions and Access to Classified Information.

  11. IRM 10.23.3, Personnel Security/Suitability Program for Employment and Personnel Security Operations.

  12. Treasury Directive Publication 85-01, Volume 1, Unclassified (Non-National Security) Systems.

  13. Treasury Directive Publication 85-01, Volume II Classified (National Security) Systems.

Roles and Responsibilities

  1. The IRS Commissioner, as the IRS head, responsibilities include:

    1. Demonstrating personal commitment and commit senior management to the successful implementation of the IRS NSI program.

    2. Committing necessary resources to the effective implementation of the NSI program.

    3. Ensuring that IRS records systems are designed and maintained to optimize the appropriate sharing and safeguarding of NSI, and to facilitate its declassification under the terms of EO 13526 when it no longer meets the standards for continued classification.

    4. Appointing a Senior Agency Official (SAO) to direct and administer the NSI program under which information is classified, safeguarded, and declassified to include establishment of IRS procedures in line with national guidance and ensure that NSI is accessible to the maximum extent required by individuals who meet the proscribed access criteria for NSI.

  2. The Chief, FMSS serves as the SAO for the IRS NSI and Industrial Security Programs. The Deputy Chief, FMSS serves as Acting SAO when the Chief, FMSS is unavailable. SAO responsibilities include:

    1. Overseeing the NSI security program and designating an NSI Program Manager (PM, henceforth known as NSI PM or IRS NSI PM).

    2. Promulgating implementing directives and regulations, to include this document.

    3. Establishing and maintaining security education and training programs IAW 32 CFR Part 2001.

    4. Establishing and maintaining an ongoing self-assessment program, which includes periodic review and assessment of the IRS’s NSI holdings and classification products IAW TD P 15-71, Chapter III, Section 31 and this IRM.

    5. Establishing procedures, with Personnel Security, to prevent unnecessary access to NSI, including procedures that require a need for access to NSI be established before initiating clearance procedures and ensure that the number of persons granted access to NSI meets mission and security needs.

    6. Ensuring, with Human Capital Office (HCO) and Business Units, that the system used to rate personnel performance includes the designation and management of NSI as a critical element to be evaluated in the rating of classification authorities, security managers, or security specialists, and all others whose duties significantly involve the creation, handling, or safeguarding of NSI.

    7. Accounting for the costs associated with the implementation of EO 13526.

    8. Providing support to the Business Units as they take appropriate and prompt corrective action in response to self-assessment findings and potential or actual security incidents.

    9. Liaising with Treasury’s Office of Security Programs (OSP) in the event of a classification challenge.

  3. The Associate Director (AD), FMSS Security administers the IRS NSI and Industrial Security Programs for the SAO. AD responsibilities include:

    1. Formulating IRS policy and procedures, issuing directives, and implementing, monitoring, inspecting, and reporting on the status of administration of the IRS NSI program.

    2. Serving as the IRS primary official and liaison with the Department of Treasury and other Federal agencies for the NSI program.

    3. Coordinating and performing self-assessments of the NSI program.

    4. Briefing upper management, as necessary, on security incidents that may incur media interest and classification challenges.

    5. Appointing an NSI PM to oversee and effectively implement the NSI program for IRS.

    6. Ensuring that the ISOO Standard Form (SF) 311, Agency Security Classification Management Program Data, is completed accurately and returned to Treasury’s OSP in a timely manner, which is specified each year when the request is sent.

    7. Serving as approval authority for the requirement of a Business Unit to hold Top Secret (TS) at their facility and require a Top Secret Control Officer (TSCO).

    8. Reviewing requests to upgrade spaces to transition them into Treasury Secure Data Network (TSDN) Limited Areas (LA) based on sound justification (i.e., the Business Unit recently was asked to take over a multi-year role in a joint task force that requires consistent access to Secret level intel/communication via TSDN).

    9. Signing courier letters or cards for IRS employees.

    10. Concurring, prior to the travel, on the hand-carrying of NSI by an IRS employee on travel.

  4. The senior management/executive responsible for an office or a business, functional or operating unit is accountable for the effective management of NSI within their organization. Senior management/executive is responsible for:

    1. Ensuring that NSI within their organization is appropriately marked, protected, handled, stored, reproduced, shared, and destroyed.

  5. The senior leadership in an office or a business, functional, or operating unit is responsible for the effective management of NSI within their organization. Senior leadership is responsible for:

    1. Designating primary and alternate Classified Document Custodian(s) (CDC) to carry out the responsibilities in Exhibit 10.9.1-1 at facilities storing or handling NSI and providing the designations to the NSI PM.

    2. Ensuring the CDC are trained and provided the resources to protect NSI.

    3. Justifying the need for and, if approved, appointing a TSCO to carry out the responsibilities in Exhibit 10.9.1-2 in writing through the NSI PM to AD, Security in advance of the Business Unit holding TS.

    4. Appointing and updating the CDC and TSCO in writing, as needed, IAW Exhibit 10.9.1-3.

    5. Ensuring CDC conduct self-assessments as prescribed by FMSS Security in addition to performing spot checks or assessments as necessary.

    6. Ensuring that subordinate managers and staff participate fully in the event of an inquiry into a security incident, to include at-fault parties within the organization being reprimanded appropriately.

    7. Justifying the requirement for the hand-carrying of NSI on official travel and validating that AD, Security has given concurrence prior to travel.

    8. Ensuring personnel with a clearance are rated on their protection of NSI.

  6. NSI PM is responsible for:

    1. Ensuring that this IRM and any other NSI policy necessary for having a nationally compliant program be created and maintained.

    2. Liaising with the AD, Security to approve or disapprove the justification for requiring a TSCO sent by senior leadership for the requesting Business Unit.

    3. Providing guidance and information, when asked, regarding the proper creation, handling, storage, and destruction of NSI to IRS clearance holders.

    4. Completing and sending in a timely manner, the timeline of which will be specified each year for that year, to AD, Security the ISOO SF 311.

    5. Serving as the liaison for classification challenges, reclassification requests, declassification confirmation, courier cards/letters, and security incidents between IRS and Department of Treasury and/or other Agencies as required.

    6. Providing a mechanism for the tracking of security containers to be maintained by the CDC.

    7. Advising on arrangements for the safe and secure travel of NSI outside of the U.S. and transfer of U.S. NSI to a foreign government, once determined by management to be required.

    8. Providing clarification or training, as needed, so that the CDC can efficiently and effectively perform the required self-assessments.

    9. Providing the training necessary for derivative classifiers to perform their duties.

    10. Ensuring the compliance of the annual NSI Refresher Training with 32 CFR 2001.

  7. Authorized holder of NSI are responsible for:

    1. Ensuring consistent protection of NSI from unauthorized access, to include securing it in approved equipment.

    2. Meeting safeguarding requirements prescribed in this IRM.

    3. Ensuring that NSI is not communicated over unsecured voice or data systems (e.g., IRS network), in public conveyances or places, or in any other manner that permits interception by unauthorized persons.

    4. Taking steps to secure NSI in the event of a potential or actual security incident, including reporting the incident to the local CDC in an unclassified manner (i.e., do not divulge NSI over unclassified systems).

    5. Participating with honesty and timeliness in the reviews conducted by CDC to ascertain and ensure the operational ability of the NSI program.

    6. Completing the required annual NSI Refresher Training.

Program Management and Review

  1. Program Reports: The NSI program will be assessed at a periodicity set by AD, Security via the NSI PM. The designated CDC in local field offices where NSI is held will be responsible for conducting the self-assessment. CDCs will be given at least 60 calendar days to complete both the self-assessment and report. Once the self-assessment has been conducted, the CDC will provide the results back to the NSI PM prior to the end of the assessment period. Reports will be consolidated by the NSI PM in order to report on and manage the operational ability of the NSI program in concert with FMSS management. Annual reporting via OSP to ISOO will occur by the end of fiscal year.

  2. Program Effectiveness: The NSI program’s operational ability will be gauged by self-assessments to ensure compliance with national, Treasury, and IRS level policies.

Terms/Definitions/Acronyms

  1. Access - The ability and opportunity to obtain knowledge or possession of NSI.

  2. Agency - Any "Executive Agency," as defined in 5 United States Code (USC) 105, and any other entity within the executive branch that comes into the possession of NSI.

  3. Authorized Person(s/nel) - A person who has a favorable determination of eligibility (e.g., security clearance) for access to NSI, signed an approved nondisclosure agreement, and has a need-to-know the NSI in the performance of official duties. Authorized Personnel also fulfill the requirement to take the annual NSI Refresher Training.

  4. Automated Information System (AIS) - An assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information.

  5. Automatic Declassification - The declassification of information based solely on the occurrence of a specific date or event as determined by an Original Classification Authority (OCA) or the expiration of a maximum timeframe for the duration of classification established under EO 13526.

  6. Classification - The process by which information is determined to be NSI.

  7. Classification Guide - A documentary form of classification guidance issued by an OCA that identifies the elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element. As IRS does not have its own Classification Guide, OSP’s guidance will be used.

  8. Classification Management - Classification management seeks to ensure that official information is classified only when required in the interest of national security and is properly identified and retains the classification assigned if necessary.

  9. Classified National Intelligence (CNI) - National Intelligence as defined in 50 USC 401a (5), classified pursuant to EO 13526. Sensitive Compartmented Information (SCI) is part of CNI.

  10. Classified National Security Information (NSI) - Information that has been determined pursuant to EO 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status regardless of its form (document, technology equipment, etc.). Termed "NSI" in this IRM.

  11. Communications Security (COMSEC) - Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such communications. COMSEC includes cryptographic security, transmission security, emission security, and physical security of COMSEC material.

  12. Compromise - The unauthorized disclosure of NSI to an individual without the appropriate clearance or need-to-know.

  13. Confidential - The classification level applied only to information the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the OCA is able to identify or describe.

  14. Control - The authority of an agency that originates NSI, or its successor in function, to regulate access to the information.

  15. Custodian - The authorized person who has possession or is otherwise charged with the responsibility for safeguarding NSI.

  16. Declassification - The authorized change in the status of information from NSI to unclassified and the subsequent revision of associated markings.

  17. Declassification Authority - Officials delegated declassification authority in writing by the Secretary of Treasury or Treasury’s Senior Agency Official (SAO) responsible for Treasury’s NSI program.

  18. Declassification Guide - The written instructions issued by a declassification authority that detail what specific elements of information may be declassified and the elements that must remain classified.

  19. Derivative Classification - The incorporating, paraphrasing, restating, or generating, in new form, information that is already classified and marking the newly developed material consistent with the classification markings that apply to the source information. Derivative classification includes the classification of information based on a classification guide. The duplication or reproduction, such as copying or printing, of existing NSI is not derivative classification.

  20. Disclosure - The communication or physical transfer of NSI to an unauthorized recipient by showing or revealing NSI, whether orally, in writing or any other medium (e.g., video, graphic, etc.).

  21. Downgrading - A determination by a downgrading/declassification authority that information classified and safeguarded at a specified level must be classified and safeguarded at a lower level.

  22. Industrial Security - The segment of security concerned with protecting NSI released to and in the possession of contractors. This term describes the program under which the United States Government (USG) engages in a contract that has security policies and responsibilities for safeguarding the NSI, NSI systems, assets or facilities, which are imposed on the contractor, and in which the USG provides guidance to and conducts oversight of contractor implementation of those policies.

  23. Information Security - The program established by EO for the classification, declassification, downgrading, and safeguarding of NSI. This includes protection of Sensitive but Unclassified (SBU), non-national security information.

  24. Infraction - A security incident involving a deviation from governing security regulations that does not result in an unauthorized disclosure or compromise of NSI nor otherwise constitutes a security violation.

  25. Lines of Inquiry (LOI) - Discreet, measurable items reviewed during an assessment that, when combined with other LOIs, is meant to ascertain the operational ability of a program.

  26. Mandatory Declassification Review - The review for declassification of NSI in response to a request for declassification that meets the requirements for EO 13526.

  27. Material - In the context of a security incident, an individual is considered material to the inquiry if they were a part of the issue that lead to the incident or if they have knowledge regarding the incident that will influence, or is crucial to, the inquiry.

  28. National Security - The national defense or foreign relations of the U.S. and includes, with a Treasury context, U.S. economic vitality, global competitiveness, market sensitivity, and tracking terrorist assets/financial crimes.

  29. National Security Clearance - Certification issued by a designated personnel security official or designee that a person may access up to Secret or Top Secret NSI on a need-to-know basis granted after a valid, in scope Tier 3 or Tier 5 investigation, respectively.

  30. Need-to-know - A determination by direct management and HCO that an employee requires access to NSI to perform or assist in a lawful and authorized governmental function.

  31. Non-Disclosure Agreement (NDA) - An officially authorized contract between an individual and the USG signed by an individual as a condition of access to NSI and specifying the security requirements for the access and details the penalties for noncompliance carried out via the SF 312, Classified Information Nondisclosure Agreement.

  32. Open Storage - The storage of NSI openly (i.e., not requiring storage inside a security container) when authorized personnel do not occupy the facility. In all instances, "open storage" must be specifically approved in writing by OSP to store NSI at the Secret level. This term is used in concert with TSDN LA.

  33. Original Classification - The initial determination that information requires, in the interest of national security, protection against unauthorized disclosure.

  34. Original Classification Authority(ies) (OCA) - An individual authorized in writing, either by the President or by agency heads, or other officials designated by the President, to classify information in the first instance. Within Treasury, OCA are designated by the Secretary (at the TS, Secret, or Confidential levels) or by the Department’s SAO (at the Secret or Confidential levels). IRS does not have an OCA.

  35. Paragraph or Portion Markings - Required markings on classified documents to indicate the specific level of classification applicable to each paragraph or portion of a document shown in parenthetical form as follows: (TS) for Top Secret, (S) for Secret, (C) for Confidential, and (U) for Unclassified.

  36. Personnel Security - The segment of security that concerns the trustworthiness and integrity of Federal employees and others associated with the USG. It is also the process in the USG for complying with national security interest requirements under EO 10450 or with other similar authority.

  37. Physical Security - The segment of security concerning protective requirements and means for safeguarding IRS personnel, property, facilities, and information.

  38. Public Trust - Investigations (Tier 1, Low Risk; Tier 2, Moderate Risk; Tier 4, High Risk) performed to ascertain whether an individual is suitable or eligible to work in sensitive or public trust positions.

  39. Safeguarding or Safeguards - Physical, procedural, or electronic measures and controls prescribed to ensure NSI and Sensitive but Unclassified (SBU) is not accessed inadvertently or improperly.

  40. Secret - The classification level applied only to information the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the OCA is able to identify or describe.

  41. Secure Telephone Equipment (STE) - The USG current encrypted telephone communications system for wired or "landline" communications.

  42. Security Classification Guide (SCG) - A documentary form of guidance, issued by an OCA, providing the user with instructions on what types of information may be classified and the level/duration thereof.

  43. Security Container (also known as a safe) - A General Services Administration (GSA) approved security container equipped with built-in (mounted), dial-type, changeable combination lock, specifically designed for the NSI. A security container may be used for protecting money and other highly negotiable materials or assets; however, this IRM only applies to any container housing NSI.

  44. Security Clearance - An administrative authorization for access to NSI, up to a stated classification level (TS, Secret, or Confidential), and referred to as a clearance.

  45. Security Countermeasures - Actions, devices, procedures, and/or techniques to reduce security risks.

  46. Security Incident - An act that constitutes a threat to a security program or is a deviation from existing security regulations. Security incidents will be categorized as security infractions or violations.

  47. Security-in-Depth - A determination by the agency head, or designee, that a facility’s security program consists of layered and complementary security controls enough to deter and detect unauthorized entry and movement within a facility. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an intrusion detection system, random guard controls, etc.

  48. Security Infraction - Any knowing, willful, or negligent action contrary to the requirements of EO 13526 or its implementing directives that does not result in an unauthorized disclosure NSI.

  49. Security Violation - Any knowing, willful, or negligent action that could reasonably be expected 1) to result in an unauthorized disclosure of NSI, 2) to classify or continue the classification of information contrary to the requirements of EO 13526 or its implementing directives, or 3) to create or continue a special access program contrary to EO 13526.

  50. Senior Agency Official (SAO) - The official designated by the agency head under EO 13526 to direct and administer the agency’s security program, under which information is classified, safeguarded, handled, or declassified.

  51. Sensitive but Unclassified (SBU) - Treasury, bureaus, or another authority has determined to require protection from unauthorized or unwarranted public disclosure.

  52. Sensitive Compartmented Information (SCI) - A subset of CNI concerning or derived from intelligence sources, methods, or analytical processes that is required to be protected within formal access control systems established by the Director National Intelligence (DNI).

  53. SCI Facility(ies) (SCIF) - An accredited area or installation certified and accredited as meeting DNI security standards for the processing, storage and/or discussion of SCI. SCIF must be coordinated with Treasury’s Special Security Office (SSO) in advance of construction. IRS does not have SCIF.

  54. Sensitive Position - Any position the occupant of which could bring about, by virtue of the nature of the position and access to NSI, a materially adverse effect on the national security, the mission of the Department, or the "efficiency of the service." All sensitive positions are designated as either non-critical sensitive, critical sensitive, or special sensitive.

  55. Source Document - An existing document containing NSI that can be incorporated, paraphrased, restated, or generated into a new document.

  56. Systemic Declassification Review - The review for declassification of NSI contained in records the Archivist of the U.S. has determined to have a permanent historical value IAW 44 U.S.C. 2107.

  57. Threat - The intention and capability of an adversary to undertake actions that would be detrimental to the interests of the U.S.

  58. Top Secret - The classification level applied only to information the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security that the OCA is able to identify or describe. Approval from the AD, Security is needed prior to storing Top Secret.

  59. Treasury Secure Data Network (TSDN) Limited Area (LA) - A room that offers the protection necessary to store NSI systems and material up to the Secret level through a combination of Protective Service Officers (PSO), responders, detectors/alarms, and/or locking devices.

  60. Acronyms

    Acronym Definition
    CDC Classified Document Custodian
    CFR Code of Federal Regulations
    COMSEC Communications Security
    DO Treasury’s Departmental Offices
    EO Executive Order
    EPL Evaluated Product List
    FGI Foreign Government Information
    IAW In Accordance With
    ISOO Information Security Oversight Office (part of National Archives and Records Administration)
    LOI Line of Inquiry
    NDA Non-Disclosure Agreement, i.e., SF 312
    NSA National Security Agency, aka NSS/Central Security Service (CSS)
    NSI Classified National Security Information
    NSI PM National Security Information Program Manager
    OSP Office of Security Program (part of Treasury)
    SAO Senior Agency Official
    SCI Sensitive Compartmented Information
    SCIF SCI Facility
    SCG Security Classification Guide
    SF Standard Form
    SSO Special Security Office (part of Treasury)
    STE Secure Telephone Equipment
    TCS Treasury Communications System
    TD Treasury Directive
    TD F Treasury Department Form
    TD P Treasury Directive Publication
    TO Treasury Order
    TSCO Top Secret Control Officer
    TSDN LA Treasury Secure Data Network Limited Area
    USG United States (U.S.) Government
     

Related Resources

  1. IRS NSI Website, updated as new versions of the forms are issued

  2. ISOO Marking Guide

  3. Department of Treasury Security Classification Guide

  4. NSA/CSS EPL for Shredders

  5. NSA/CSS EPL for Degaussers

  6. SF 311

Classification Levels

  1. NSI will be identified by one of the following three levels:

    1. "Top Secret" will be applied to information that could be expected to cause exceptionally grave damage to the National Security; the OCA must be able to identify or describe that exceptionally grave damage to the national security may occur.

    2. "Secret" will be applied to information that could be expected to cause serious damage to the national security; the OCA must be able to identify or describe that serious damage to the national security may occur.

    3. "Confidential" will be applied to information that could be expected to cause damage to the national security; the OCA must be able to identify or describe that damage to the national security may occur.

  2. No terms other than Top Secret, Secret, or Confidential will be used to identify NSI, except as otherwise provided by statute.

  3. IRS does not have the capability to store Sensitive Compartmented Information (SCI), and it must not be stored in IRS facilities.

Original Classification and Original Classification Authority

  1. NSI is information that has been determined pursuant to EO 13526 Section 1.4, any predecessor order, and its implementing directive Information Security Oversight Office (ISOO) Directive No. 1, 32 CFR Parts 2001 and 2003, Classified National Security Information to require protection against unauthorized disclosure and is marked to indicate its classified status. Information may be originally classified only if its unauthorized disclosure could reasonably be expected to result in damage to the national security.

    1. Original Classification Authority (ies) (OCA) are those authorized to originally classify information. OCA are designated by the President and are typically heads of agencies or other officials.

    2. Delegations of OCA by agency heads to subordinates are limited and the agency head must ensure that the subordinates have demonstrable and continuing need to maintain the delegation.

  2. No information may remain classified indefinitely; declassification instructions are created by the OCA at the time of original classification based on EO 13526.

    1. Upon reaching the date or event specified on the NSI, the information will be automatically declassified.

  3. OCA must be delegated in writing to IRS officials by the Secretary of Treasury and Treasury’s SAO.

    1. As there is no OCA in IRS (currently or historically), the requirements for declassification reviews noted in EO 13526 do not apply.

  4. Should a need for OCA authority develop within IRS, the official requesting it will coordinate with FMSS via the NSI PM in advance.

Limits to Classification and Reclassification

  1. In no case will NSI remain classified or be reclassified in order to:

    1. Conceal violations of law, inefficiency, or administrative error.

    2. Prevent embarrassment to a person, organization, or agency.

    3. Restrain competition.

    4. Prevent or delay the release of information that does not require protection in the interest of the national security.

  2. Information may not be reclassified after declassification and subsequent release to the public under proper authority unless:

    1. The reclassification action is personally approved in writing by the Secretary of Treasury based on the determination that reclassification is required to prevent significant, demonstrable damage to national security and the information may be reasonably recovered without bringing undue attention.

    2. The reclassification request is reported promptly through the NSI PM to the Director, OSP.

Derivative Classification

  1. Derivative classification is the restatement of existing NSI by persons who reproduce, extract, summarize, or apply classification markings derived from source material or as directed by a classification guide. Derivative can also mean incorporating, paraphrasing, restating, or generating in new form or information that is already classified and marking the newly developed material consistent with the classification markings that apply to the source information.

  2. The basis for derivative classification actions involves use of one or more of the following types of information:

    1. Existing classified source document.

    2. Approved classification guide.

    3. Classified communication, e.g., information provided orally via secure phone or obtained/discussed during a classified meeting.

  3. Derivative classification may be exercised by any authorized personnel and consultants or contractors under the National Industrial Security Program (NISP) who are current on the required bi-annual derivative training.

    1. Derivative classifiers will keep accessible up-to-date, official materials that aid in their ability to perform accurate derivative classification (i.e., TD P 15-71, Chapter III, Section 6; ISOO Marking Guide; ISOO Derivative Classification training video).

Record Requirements and Chronological Files

  1. All derivative classification actions made by IRS personnel (employees, consultants, and contractor personnel) must be accounted for annually, in September, and reported through the NSI PM to OSP.

    1. This accounting includes NSI email (equivalent to final documents or position papers) prepared on equipment approved for processing NSI.

  2. It is recommended that derivative classifiers establish an annual, unclassified chronological file to note: the level (Confidential, Secret, or TS), if multiple sources were used to create the document and whether a list of sources was attached to the document, date created, and other pertinent unclassified information that the owner finds to be helpful indicators (e.g., title or unclassified version of title).

Classification Challenges

  1. Information classified under EO 13526 and prior EO is subject to challenge by any authorized holder of the information. Authorized holders are defined as:

    1. Cleared USG authorized person who is a recipient of the NSI in the course of conducting official business.

    2. Agency security official who is responsible for properly safeguarding classified information.

    3. Cleared contractor personnel or consultant on a contract with classified scope per the NISP.

  2. Challenges of classification decisions are intended to bring about corrective action that ensures only NSI legitimately warranting protection based upon criteria in EO 13526 is classified. The decision to challenge is based on one of the following assumptions:

    1. Information should/should not be classified.

    2. Information should be classified at a lower/higher level (under/over-classification).

    3. Information is improperly classified (including an overly restrictive period or without proper authority).

    4. Information is improperly marked.

  3. Those who exercise a classification challenge will not be subjected to adverse action, reprisal, retribution, retaliation based on their election to engage the challenge provision.

  4. Classification challenges must follow IRM 10.9.1.3.4.1 and be compliant with TD P 15-71, Chap III, Section 20 and 32 CFR 2001.14.

Challenge Requirement and Handling
  1. Classification challenges must be kept unclassified, whenever possible, and sufficiently describe the information being challenged to enable the classifier (or designee) to locate it with a reasonable amount of effort. Regardless of the originating agency, the NSI PM must be directly sent the initial challenge. The authorized holder challenging the classification:

    1. Identifies their rationale behind the challenge.

    2. Ensures that the material in question is suitably protected to prevent unauthorized access commensurate with the level of classification initially assigned to the information, if the information was classified at the time of the challenge. This includes marking, packaging, transmittal, accountability, couriering, reproduction, etc., until such time as a decision is reached.

    3. Ensures, in the case of any material that the holder believes should be NSI but has not been classified at the time of the challenge and marked, the information is protected at the Secret level pending the final decision.

    4. Collaborates with the NSI PM to report to appropriate classifiers any conditions that lead an authorized holder to feel the actual classification or exercise thereof is improper, needless or restrictive.

    5. Must let applicable coworkers know that the NSI is undergoing a challenge.

  2. If the challenge is of Treasury information, the NSI PM engages with the SAO to liaise with OSP on ensuring completion of the challenge review and reporting the results of the review in writing to the challenger.

    1. Since IRS has no OCA, the decision regarding classification challenges of Treasury information must be made at the DO level.

    2. OSP will be contacted within 10 business days of the NSI PM receiving the challenge.

  3. If the challenge is of another agency’s information, the NSI PM contacts the originating agency’s security office within 10 business days of receiving the challenge.

  4. The challenger receives a response regarding the challenge within 60 calendar days of the challenge reaching the appropriate OCA; if unable to respond in that time, the OCA will provide a new date of response.

  5. If the issue is not resolved within 120 calendar days of reaching the appropriate OCA, the challenger may appeal to the Interagency Security Classification Appeals Panel in coordination with the NSI PM and OSP.

  6. If the information being challenged has been the subject of a challenge in the past two years, or that is the subject of pending litigation, the agency is not obligated to process the challenge beyond informing the challenger of this fact and providing appeal rights.

  7. Classification challenges are considered separately from Freedom of Information Act (FOIA) or other requests and should not be processed simultaneously with pending FOIA or other access requests.

Marking

  1. Marking must be accomplished per the requirements stated in TD P 15-71, Chapter III, Section 6.

  2. If NSI in the IRS’s possession is not marked IAW Treasury guidelines, the employee who is holding the NSI must reach out to the individual on the "classified by" line or the originating agency in an unclassified manner to clarify the incorrect marking; if issues arise in contacting the originator, the NSI PM should be contacted for assistance. Records should be kept regarding the request for clarification about the erroneous marking.

  3. If unclassified or SBU is comingled with NSI, the designation of "(U)" must be used in portion marking; pages that are entirely unclassified/SBU should be included as an addendum or in an unclassified version of the document. It is encouraged that unclassified and SBU be kept separate from NSI whenever possible.

Requirements for Paper

  1. Marking will be completed by accomplishing the following:

    1. Portion Markings: Must be marked at the highest level of information contained at the end of the subject/title and start of each paragraph, graph, table, picture, etc.

    2. Overall/Banner Classification Marking: This is determined by the highest level of classification of any one portion of the document and must be placed at the top and bottom of the page. If there is more than one page, the overall marking must be on the front cover, title page, first page, and outside of the back cover/page.

    3. Classification Authority Block consisting of:

      i. "Classified By" line should contain the classifiers name and title or personal identifier and agency of origin.
      ii. "Reason for" must be from EO 13526, Section 1.4.
      iii. "Declassify On" line with the date of downgrade, as applicable, and declassification.

  2. Derivatively Classified Documents: For information derivatively classified based on multiple sources, the derivative classifier carries forward the date or event for declassification that corresponds to the longest period of classification among the sources; the level of classification reflects the highest level of classification of the portions of the source document used.

    1. Portion Markings: Must be marked at the highest level of information contained in the subject/title and each paragraph, graph, table, picture, etc. Note that if a source document is not portion marked, then it cannot be used in a derivatively classified document.

    2. Overall/Banner Classification Marking. This is determined by the highest level of classification of any one portion of the document and must be placed at the top and bottom of the page. If there is more than one page, the overall marking must be on the front cover, title page, first page, and outside of the back cover/page.

    3. Classification Authority Block consisting of:

      i. "Classified By" identifying the derivative classifier by given name and title or personal identifier and agency of origin.
      ii. "Derived From" identifying the source document(s), attaching a follow-on page for a document with multiple sources, if the sources are too numerous to fit in the block.
      iii. "Declassify On" line is furthest date on the classification block of the source documents.
       

    4. An NSI addendum is used whenever NSI constitutes a small portion of an otherwise unclassified document to allow for dissemination at the lowest classification level possible or in unclassified form.

Requirements for Electronic Mail (email)

  1. Emails containing NSI must be sent only on approved systems for the level of NSI (e.g., TSDN for up to Secret NSI) being sent by an employee who is an Authorized Person.

  2. Ensuring all the requirements for marking paper documents from IRM 10.9.1.4.1 are addressed with the following specifics related to the electronic environment:

    1. The subject line of the email must be portion marked and should be kept unclassified.

    2. If attachments exist, the titles of the attachments must be portion marked and should be kept unclassified. The title of the attachment and associated portion mark does not reflect the classification of the attachment.

    3. The overall/banner classification of the email must be marked at the top and bottom (after the classification authority block) of the email.

    4. Portion marking unclassified emails that reside on an NSI system is required.

    5. Classification Authority Block must occur after the signature line but before the bottom banner marking.

    6. When forwarding or replying to an email, individuals must ensure that, in addition to the markings required for the content of the reply or forward email itself, the markings must reflect the overall classification and declassification instructions for the entire string of emails and attachments. This will include any newly drafted material, material received from previous senders, and any attachments.

Working Papers

  1. Working papers are documents (e.g., notes, drafts, prototypes), materials (e.g., printer ribbons, photographic plates), or other media created during development and preparation of a finished product. Working papers and materials are not intended or expected to be disseminated. Working papers and materials containing NSI must be:

    1. Dated when created.

    2. Marked with the highest classification of any information contained therein.

    3. Safeguarded as required for the assigned classification.

    4. Conspicuously marked "Working Paper" on the cover and/or first page of the document or material or comparable location for media/items (e.g., on the CD itself or on the most visible part of an item) in larger typeface than existing text.

  2. Working papers or other working materials must be destroyed in the same manner as NSI.

  3. Marked and controlled as finished products of the appropriate classification when retained more than 180 calendar days from date of origin (regardless of if they are complete), filed permanently, or released outside the IRS.

  4. Shared between cleared employees internal to the IRS, either physically or electronically, without controlling them as permanent documents only when the working materials are shared information (e.g., collaborative documents or coordinating drafts) in the development process.

Document Cover Sheets

  1. SF 703, 704, and 705 are used to alert personnel that a document, file, or folder to which it is affixed contains NSI and must be protected. Document cover sheets shield NSI while being used and provide protection from unauthorized visual contact. Cover sheets are required whenever a document is taken out of the security container, but they are suggested to remain on the document even in the container. The cover sheets are color-coded to provide a visual cue of what is being protected:

    1. Orange for TS information (SF 703)

    2. Red for Secret information (SF 704)

    3. Blue for Confidential information (SF 705)

  2. Individuals preparing, processing, packaging, or hand carrying NSI are responsible for affixing the appropriate document cover sheet. If NSI is delivered or received without the required cover sheet, the recipient is responsible for attaching the proper cover sheet.

  3. Additional maintenance guidance for cover sheets:

    1. Cover sheets should be removed from NSI prior to destruction.

    2. Cover sheets are meant to be continually recycled until worn out.

    3. Cover sheets will not be photocopied in black/white.

    4. To accommodate emergency use, cover sheets may be reproduced on a color copier.

Labels on Equipment and Media

  1. SF 706, 707, and 708 are labels required to identify equipment approved for processing NSI (e.g., copiers, electronic/magnetic media like disks, removable hard drives, or similar; thumb drives are not permitted to store NSI). Labels are color-coded in the same manner as document cover sheets:

    1. Orange for TS (SF 706)

      Note:

      The SF 706 is rarely used within IRS and it requires approval/coordination with the AD, Security before holding TS.

    2. Red for Secret (SF 707)

    3. Blue for Confidential (SF 708)

  2. Additional SF labels exist for equipment and are also required:

    1. Purple for "classified but level determination pending," protection must be at the TS level (SF 709).

      Note:

      The SF 709 is rarely used in IRS.

    2. Green for "unclassified" (SF 710). In environments in which NSI and unclassified is stored, the "unclassified" label must be used to positively identify equipment/media authorized for unclassified use only.

  3. Once applied, the label must not be removed.

    1. A label to identify a higher classification level may be applied on top of a lower classification level, if the classification content changes.

    2. A lower classification label must never be applied to equipment already containing or processing a higher level of NSI.

  4. Employees working with or processing NSI are responsible for properly labeling and controlling equipment in their custody.

  5. All removable electronic and magnetic media used to process NSI will be physically labeled with the highest level of NSI contained therein.

    1. Removable media must be physically detached from the processing equipment at the close of business each business day and secured in a security container.

    2. An exception to the requirement to physically remove and store such media items is authorized when the equipment and processing occurs in a TSDN LA that has been equipped with minimum security standards prescribed for NSI by all current FMSS Standard Operating Procedures (SOP) and the IRS Physical Security Systems Design Guide, then approved by the OSP.

    3. Removable media will always be safeguarded when not in use or under the supervision of an authorized person.

  6. Failure to apply the appropriate labels is a security infraction. If the failure results in improper storage, loss, unauthorized access, or compromise of NSI, it is a security violation.

    Note:

    Flash/thumb drives are not approved for storing or transporting NSI within, or out of, the IRS under any circumstances.

Downgrading and Declassification

  1. Downgrading and declassification are the jurisdiction of the OCA and Agency that originated it. Requesting information to be downgraded or declassified prior to the date on the declassification block is a formal process.

  2. Per Treasury Order (TO) 105-19, Delegation of Original Classification Authority; Requirements for Downgrading and Declassification, the Secretary of Treasury made the following delegation with respect to downgrading and declassification:

    1. The IRS Commissioner may automatically downgrade and declassify NSI that was created by the office or bureau or by a predecessor organization now under the IRS jurisdiction up to the level of his/her own security clearance.

    2. As IRS has never had an OCA, all documents have originated outside the jurisdiction of the IRS. Given this, consultation with Treasury OCA and OSP, NSI PM, subject matter experts, and records management officials must occur prior to the Commissioner making downgrading or declassification decisions.

  3. The OCA of the originating agency must be consulted on the downgrading/declassification if that individual is still serving in the same position and remains a delegated OCA or the originator’s current successor in function if that person has an OCA. If the delegation goes further, the Agency’s security organization must be consulted.

  4. If a document downgrading or declassification date has passed, it is incumbent on the holder of the NSI to ensure that the original classification markings on the document are stricken and replaced with the downgraded or unclassified markings, whichever is appropriate, as required. A downgrade/declassification block consisting of name/title and downgrade/declassification date must be noted on the page with the classification or derivative classification block.

Declassification Reviews

  1. Automatic Declassification Review: All NSI contained in records that are more than 25 years old and that have been determined to have permanent historical value under Title 44 U.S.C. is automatically declassified, unless it meets the requirements of EO 13526 Section 3.3 paragraphs (b)-(d) and (g)-(j). The 25-year automatic declassification process is a sliding scale as records age and applies annually to NSI on December 31.

    1. Information exempted from automatic declassification remains subject to the mandatory and systematic declassification reviews.

    2. NSI cannot be automatically declassified as a result of an unauthorized disclosure of identical or similar information.

    3. Prior to public release, all declassified records must be appropriately marked to reflect the declassified status of the information.

  2. Systematic Declassification Review: This function is carried out by the agency with the OCA responsible for the classification of a given piece of NSI. Detailed information can be found in EO 13526, Section 3.4.

  3. Mandatory Declassification Review: This function is carried out by the OCA responsible for the classification of a given piece of NSI. Detailed information can be found in EO 13526, Section 3.5.

Disseminating NSI

  1. NSI may only be shared with an Authorized Person.

  2. In concert with the Security Container Custodian (SCC), local CDC, and TSCO, the holders of NSI must set in place controls to limit disclosure of NSI to only those authorized persons, as applicable. Controls include:

    1. Physical/oral access (e.g., access control, sound baffling, white noise, etc.).

    2. Internal distribution (e.g., not assuming local IRS employees have need-to-know).

    3. Inventory (e.g., SCC performing mandatory and voluntary inventories).

    4. Reproduction (e.g., ensuring only the minimum number of copies needed are made and that, if TS, the TSCO is consulted beforehand).

    5. Bi-annually updating any automatic/routine or recurring dissemination rosters to distribute NSI to verify those who need to remain on the roster, as well as their status as an authorized person. Those who do not have the need, need-to-know, or lack the clearance will be removed.

  3. NSI in IRS’s possession should remain under the IRS’s control and is not be removed from official premises without authorization from the employee’s manager and the SCC.

  4. Any agency who holds NSI originated from another agency may disseminate it without the prior consent of the originating agency if all access criteria under EO 13526 are met. However, if the originating agency has marked or indicated a consent requirement on the medium containing NSI, then consent must be obtained prior to dissemination.

  5. Documents created prior to June 25, 2010, may not be disseminated outside any other agency to which they have been made available without the consent of the originating agency.

  6. For the procedures regarding provision of NSI to the Legislative and Judicial branches, see TD P 15-71, Chapter III, Section 13.

Secure Voice/Data Communications

  1. IRS employees use secure communications or Secure Telephone Equipment (STE) for conducting NSI discussions. These communications, including voice and data transmissions, must be under provisions established by Treasury systems security officials in TD P 85-01 Volume 1, Part 2.

  2. IRS Criminal Investigation (CI) has the authority to implement and certify secure rooms for the purposes of classified conversations via STE. Documentation of certification must be kept and available for provision.

Safeguarding NSI

  1. NSI, regardless of its form, must be afforded the level of protection against loss or unauthorized disclosure commensurate with its level of classification. It is the responsibility of all authorized persons to ensure its protection and proper handling regardless of if they are the holders of the NSI.

Access to NSI

  1. EO 13526 states that individuals must have the following to access NSI, the combination of which means that the individual is an "authorized person(s/nel)" :

    1. A favorable determination of eligibility for access. An individual is eligible for access to NSI only after a positive showing of trustworthiness as determined by the proper IRS authority based upon an investigation and favorable adjudication IAW national personnel security standards and accompanying Treasury guidance.

    2. A signed SF 312.

    3. A need-to-know the NSI, defined as a determination IAW directives issued pursuant to EO 13526 that a prospective recipient requires access to specific NSI in order to perform or assist in a lawful and authorized USG function.

    4. An annual participation in contemporaneous training on the proper safeguarding of NSI and on the criminal, civil, and administrative sanctions that may be imposed if the NSI is not protected from unauthorized access, termed "NSI Refresher Briefing" in IRS.

  2. Access to NSI must not be permitted until each of the (1) a) through d) above four elements are fulfilled.

  3. No employee must be deemed to be eligible for access to NSI merely by reason of:

    1. Federal service or contracting, licensee, or certificate holder

    2. Grantee status

    3. As a matter of right or privilege, or as a result of any title, rank, position, or affiliation

    4. Solely having a clearance

  4. IRM 10.23.3, Personnel Security, Personnel Security/Suitability for Employment and Personnel Security Operations, must be followed in matters of personnel security, which include but not limited to: requesting employee security clearances, transfer of clearances to attend meetings, etc.

  5. Holders of NSI are responsible for verifying that employees are authorized personnel prior to granting access. For verification of security clearances refer to a) or b) at least seven business days in advance:

    1. For IRS or contractor employees, contact the Personnel Security Office via hco.ps.national.security.programs@irs.gov.

    2. For visitors, see IRM 10.23.1.18, National Security Positions and Access to Classified Information.

General Safeguarding Provisions

  1. Each authorized person is responsible for safeguarding NSI from possible loss, compromise, or unauthorized disclosure. The knowledge and physical custody of, or access to, NSI comes with this responsibility and includes:

    1. Ensuring that NSI is used, processed, stored whenever it is not under the direct control of an authorized person, reproduced, transmitted, and destroyed under conditions that guarantee protection and prevent access by unauthorized persons.

    2. NSI is not communicated over unsecured voice, email, or any other system, nor in public conveyances or places (to include hallways or unsecured conference rooms, even in a government facility), or in any other manner that potentially permits interception by unauthorized persons.

    3. Failure to protect NSI constitutes a security incident. Any potential security incidents must be reported to the local CDC immediately after ensuring that NSI is protected.

  2. "Unauthorized" means those individuals who are cleared, but lack need-to-know, as well as those without an appropriate clearance level.

  3. NSI will only be processed on approved computers/equipment (e.g., TSDN for up to Secret or the Treasury Foreign Intelligence Network (TFIN) for up to TS and SCI. IRS does not have TFIN).

  4. Persons transmitting NSI are responsible for ensuring that intended recipients are authorized persons with the capability to store NSI at the level being sent, regardless of the method of transmission (e.g., electronic, hand-carry).

  5. Secure communications (e.g., STE or other) located in a space certified by the CI, for its spaces, to preclude access to both the equipment (e.g., access control) and unauthorized disclosure of the conversation itself (e.g., white noise, sound baffling, Sound Transmission Class (STC) rating, etc.) or a certified TSDN LA will be used for conducting classified discussions.

  6. NSI approved for destruction must be destroyed IAW this IRM.

  7. NSI may not be removed from IRS premises without authorization from the employee’s manager and the SCC.

  8. An IRS official or employee leaving IRS may not remove NSI from IRS control or direct that information be declassified to remove it from IRS control.

  9. Access to NSI must be terminated when an employee no longer has a need for NSI to accomplish their duties; the employee’s management must ensure the transition to a Public Trust Position Description (PD). Access must also be terminated as required in the IRM 10.23 series, Personnel Security.

    1. To maintain the ability to access NSI, even if access has not occurred in two years or longer, there must be a requirement for the employee to maintain the clearance. The justification on the continued need must be documented.

Standards for Securing NSI

  1. Security containers used for storage of NSI material must conform to standards specified by the General Services Administration (GSA).

    1. For documents, the requirement is a Class 6 container with a lock meeting FF-L-2740B standard.

    2. GSA approved security container meeting Federal Standard (FED STD) AA-C-2786 to store Information Processing Systems (IPS).

    3. GSA-approved field security containers are intended for storage of NSI in situations where normal storage is not possible; they should not be used in an IRS facility.

  2. Whenever a new security container is procured, it must be compliant with the requirements and purchased through the Federal Supply System, and the CDC responsible must input the container into the Security Container Tracker.

  3. NSI should only be stored under conditions designed to deter and detect unauthorized access.

  4. Storage at overseas locations must be at USG facilities, unless it is otherwise stipulated in treaties or international agreements.

  5. The use of the SF 702, Security Container Check Sheet, must have the informational section (e.g., room number, building, container number, month/year) filled out appropriately. The SF 702 must be annotated each time the security container is accessed and checked. A record of the SF 702 must be kept for 90 calendar days.

  6. Security containers designated for NSI storage should only contain NSI; unclassified information must not be stored with NSI.

    Note:

    The tops and sides of the security containers must be kept barren except for the required SF, the GSA certification label, and the "open/close" sign.

Storing Top Secret
  1. Before a Business Unit stores TS NSI, approval must be obtained from AD, Security and a TSCO must be appointed (see Exhibit 10.9.1-2).

  2. TS information will be stored in one of the following ways:

    1. In a Class 6 container with one of the following supplemental controls:

      i. Protective Service Officer (PSO)/duty personnel with a Secret clearance inspecting the security container once every 2 hours.
      ii. An Intrusion Detection System (IDS) with responders arriving within 15 minutes of alarm annunciation.
      iii. Security-in-depth.
       

    2. In a vault built to FED STD 832 or open storage area built to 32 CFR 2001.53 standards with the supplemental controls as follows:

      i. For areas covered by security-in-depth, an IDS with personnel responding within 15 minutes of the alarm annunciation.
      ii. For areas not covered by security-in-depth, personnel responding to the alarm must arrive within 5 minutes of the alarm annunciation.

  3. All IDS must be IAW standards approved by the ISOO. Government and proprietary installed, maintained, or furnished systems are subject to approval only by the agency head.

Storing Secret and Confidential Information
  1. Secret information must be stored according to one of the following methods:

    1. In the same manner prescribed for TS information.

    2. In a GSA-approved security container or a vault built to FED STD 832 without supplemental controls.

    3. If security-in-depth or open storage (e.g., approved TSDN LA) area is used, one of the following supplemental controls is required:

      i. Secret-level cleared personnel must inspect the security container or open storage area once every 4 hours.
      ii. An IDS with responders arriving within 30 minutes of alarm annunciation.

  2. Confidential must be stored in the same manner as TS or Secret, e.g., in a Class 6 security container with an FF-L-2740B compliant lock, except that supplemental controls are not required.

Combination Locks and Security Container Movements

  1. Dial-type locks must meet the FF-L-2740B standard and combinations are considered classified at the highest level of NSI that is protected by the lock. This applies to the locks installed on a container or door of a secure room, e.g., TSDN LA.

  2. Combinations will be changed only by persons with a security clearance, verified prior to the change occurring by emailing hco.ps.national.security.programs@irs.gov, commensurate with the level of NSI in the container and who have knowledge as to how to appropriately change the combination. The combinations should not be sequential numbers, or the standard combination used on decommissioned containers noted below in (7) b) of this section. It is suggested that a six-letter word is chosen then, using a telephone number pad, converting the word into numbers to create a three, two-digit number combination.

    1. The Business Units who hold the information are responsible for arranging the combination change, verifying that the person performing the change has the appropriate clearance level and escorting the person who is performing the change, unless that person has a need-to-know to access to the container. A job aid on changing the combination is available on the IRS NSI website or in TD P 15-71 Chap 5, Sect 3.

    2. Contractors should not be used to change combinations, unless they are GSA certified technicians, it is in the scope of work, and the contract meets NISP requirements. Contact the NSI PM with the contract documents. If no contract was established, and the service is bought via credit card, it is the Business Units responsibility to ensure the technician is GSA certified and has the appropriate clearance prior to the combination being changed.

  3. An individual that is/will be listed on the SF 700 as having authorization to access the security container must be present to specify the desired combination and verify the change.

  4. Combinations must be changed IAW the TD P 15-71 Chap 5, Sect 4.

  5. Before an employee is provided a container combination, their status as an Authorized Person must be verified by the SCC. An individual’s security clearance must be verified through Personnel Security Office via hco.ps.national.security.programs@irs.gov. SCC must list on the SF 700 any individual who received the combination of the container. If there are more than four employees with access, an attachment to the SF 700 can be used to ensure the information of each employee is captured.

  6. Combinations to security containers storing NSI must be recorded on the SF 700, sealed, then stored in a different security container where stored information is the same or higher level of classification.

    1. Part 1, the tear-away, carbon-copy portion that lists the name and contact information of individuals with access to the security container must be placed on the inside of the drawer with the lock on it in a conspicuous place.

    2. Part 2A, the tear-away, perforated portion for the combination, must be placed in the envelope portion, Part 2, of the SF 700. This is the portion of the form that must be stored in another security container.

  7. Regardless of its destination, prior to decommissioning a security container, it must be cleared of all material by the owning Business Unit.

    1. Decommissioning requires a thorough check performed by the CDC or SCC to include, at minimum, each drawer being pulled out to its maximum extent then using a flashlight to check the back of the container, both above and below the drawer, and inspecting the inner parts of the drawers to ensure no NSI, in any form, was left.

    2. The combination should be changed to 50-25-50. If the lock is mechanical and cannot easily be changed, the combination should be affixed to the container once it has been verified to be empty.

    3. The CDC must authorize the decommission or excess of the cleared container, as well as note the disposition in the Security Container Tracker.

    4. Containers that are other than Class 6 with an FF-L-2740B lock must never be repurposed or fixed to store NSI; it must be excessed unless it can be made compliant by a GSA technician.

  8. If repairs to the Class 6 security container or FF-L-2740B lock are required, the technician hired to address them must be GSA certified. The Business Unit must remove NSI from the defunct container and place it in another Class 6 container. If the technician is not GSA certified, then the security container must be decommissioned (i.e., not used to store NSI) until a GSA certified technician can recertify it. The two organizations mentioned in a) and b) maintain lists of certified technicians worldwide, as well as provide GSA certified training:

    1. Lockmasters Security Institute
      1014 South Main Street
      Nicholasville, KY 40356
      Phone: 866-574-8724 (USA Toll Free)
      Phone: 859-887-9633
       

    2. MBA USA, Inc.
      200 Orchard Drive
      Nicholasville, KY 40356
      Phone: 888-622-5495 (USA Toll Free)
      Phone: 859-887-0496

  9. Movements of a security container between rooms or facilities, to include decommissioning to a warehouse or excess, must be tracked by the CDC with responsibility for the container via the Security Container Tracker maintained by the NSI PM.

    1. The tracker should note which other security container is leveraged for holding the SF 700.

Information and Reproduction Controls

  1. The CDC must ensure a system of control measures, which assure access to NSI is provided only to authorized persons. Control measures will be appropriate to the environment in which the access to NSI occurs, as well as the type (e.g., electronic, paper) and volume of information. Examples of different control measures are:

    1. Include administrative, physical, personnel, and technological control measures, as appropriate. Technologies to prevent, discourage, or detect unauthorized reproduction are encouraged.

      i. Administrative measures may include records of internal distribution, access, generation, and inventory.
      ii. Physical measures should include segregation of the equipment used for reproducing NSI from unclassified equipment, ensuring the equipment used in NSI reproduction is marked appropriately, thorough sanitization of the removable memory pieces of the device, escorting individuals (even those cleared who do not have need-to-know), etc.
      iii. Personnel measures may include ensuring personnel are knowledgeable of the procedures for NSI reproduction (e.g., conspicuously identifying the copied material as NSI, etc.), aware of the appropriate machine to reproduce on, understand the limitations originators place on documents, etc.
      iv. Technological controls include specialized paper, copy numbering and distribution restrictions.

  2. Disposition or destruction of NSI is required when control measures are insufficient to deter and detect access by unauthorized persons.

  3. Computer and information system passwords are protected in the same manner as the highest level of NSI that the computer or system is accredited to process. Passwords are never written down or shared with individuals without their status as an authorized person first verified. This is inclusive of the unique passwords associated with IDS installed to protect systems that process NSI.

  4. Reproduction of NSI is held to the minimum standards consistent with operational requirements. The following additional control measures must be taken:

    1. Reproduction is accomplished by authorized persons knowledgeable of the procedures for NSI reproduction and best methods to ensure the protection of NSI (e.g., standing by while copies are made, check copier for original and reproductions before leaving, destroying unusable copies immediately, ‘copy’ several blank pages of paper if the copier stores images, etc.).

    2. Restriction on Reproduction: Per TD P 15-71, the reproduction of TS is prohibited unless the approval of the originator, including documents originating outside of Treasury, is obtained in writing with a limit on the number of copies produced. Secret and Confidential information has no such restriction except that copying must be accomplished only as needed for operational efficiency, unless restricted by the originating agency. All copies are subject to the same protections and accountability as the original.

    3. Reproduction will only be accomplished on authorized equipment bearing the appropriate SF 706, 707, or 708.

    4. Networked copiers on any unclassified network cannot be used to reproduce NSI.

    5. Copiers equipped with remotely accessible memory, diagnostic, or maintenance capability cannot be used to reproduce NSI.

    6. "Original" copies may be made via approved printers connected to the NSI approved system (e.g., TSDN) restricted to the Secret and Confidential levels. The printers must not be mapped to other outside the secured areas and must be kept in the secure space.

    7. Once the reproductions are no longer needed, they are immediately destroyed in a National Security Agency/Central Security Service (NSA/CSS) Evaluated Products List (EPL) approved shredder.

Contractors and NSI

  1. Before contractors can have access to NSI, their contracts must meet the requirements of the NISP per EO 12829, as amended, and Department of Defense (DOD) Manual 5220.22 (NISP Operating Manual, or NISPOM), which include:

    1. Department of Defense Form 254 (DD 254), Contract Security Classification Specification. This document must be created by the NSI PM, reviewed/concurred by the Contracting Officers Representative (COR), and signed by the Contracting Officer (CO) (or designee, with written designation). DD 254 must be incorporated during the following phases of contracting:

      i. Solicitation: Prior to the procurement documents being released for solicitation, the NSI PM must review any whose scope requires the contractors to have access to NSI to perform their duties. The NSI PM will create the initial DD 254 based on the solicitation documentation and route it as described above; a minimum of 3 weeks prior to the issuance of the solicitation is required.

      ii. Pre-Award: Prior to the award being issued, the NSI PM must be made aware of the intended awardee to ensure that the company has the appropriate Facility Clearance (FCL) to handle the NSI required in the scope of the contract. An award DD 254 is also prepared by the NSI PM incorporating the awardee’s information and routed; a minimum of 2 weeks prior to the intended award date is required.
      a. If the company does not have the required FCL, the CO will have to apply for the company to obtain the appropriate FCL per the NISP. The company cannot proceed with working on the contract until the FCL is obtained.

      iii. Modification: If a modification occurs to the contract that affects the security requirements (e.g., higher level of clearance required, additional responsibilities in terms of protecting a secure space, clearances no longer needed), then the documentation of the change must be routed to the NSI PM so that the DD 254 can be modified to reflect the change; a minimum of 2 weeks prior to the signing of the modification is required.
       

    2. Federal Acquisition Regulation (FAR) 52.204-2 must be included as a clause for contracts with classified scope; it must also be included in the solicitation documentation.

    3. Security language specific to the scope of the contract must also be included into the solicitation by the COR, Program Manager, and CO. The NSI PM, in the initial review of the solicitation documentation, can suggest appropriate security language.

  2. Contractors cannot perform security duties (e.g., responsibility for opening/closing a TSDN LA), if these duties are not covered in the scope-specific security language or DD 254.

  3. Contractors cannot access NSI if:

    1. The contractor’s company does not provide Personnel Security Office the required documentation to validate their Tier 3 or 5 (for Secret and TS, respectively) investigations.

    2. The contractor does not maintain their favorably adjudicated clearance.

    3. The contractor’s company does not have (or loses) the required FCL to perform the work or otherwise become non-compliant with the NISP.

    If any of these conditions exist, then access to NSI must cease immediately.

  4. If a Foreign Ownership Control or Influence (FOCI) issues are, or become, present in the contractor’s company, then contractors stop work until the issue is resolved. The CO, CO, NSI PM, and the Defense Counterintelligence Security Agency (DCSA) will coordinate to resolve the issue.

  5. COR must, at a minimum, have a security clearance commensurate to the level of the contract they are managing.

Hand-carrying and Transporting NSI Documents or Equipment

  1. When transmitting NSI documents or material among and between USG employees, ensure that the recipient is an authorized person and has the capability to adequately store NSI prior to transmission.

  2. All NSI packaging must be strong and durable enough to provide protection while in transit, to prevent items from being damaged, to preclude inadvertent access, and to detect possible tampering (e.g., tamper-resistant tape).

    1. NSI may be hand-carried within an IRS facility by direct contact of the employees involved or via other authorized personnel. The material must:

      i. Have the appropriate cover sheet affixed to it if hard-copy or SF sticker denoting the appropriate classification.
      ii. Be placed inside a single, sealed, opaque envelope or file folder, or security locking bag.
       

    2. When hand-carrying outside of an IRS facility, the NSI must have the proper cover sheet/classification sticker and be double-wrapped. Packaging should not inhibit timely delivery of NSI.

      i. The inner, opaque envelope must contain the entirety of the addressee’s information (given name, address), have overall/banner classification markings on both sides of the envelope and have tamper-evident tape placed around seals.
      ii. This envelope must then be put into another opaque envelope that is sealed and addressed with the address of the sender and receiving office only; the names of sender or recipient must not appear on the outer envelope. A locked briefcase, attaché, or portfolio may serve as the outer envelope.
      iii. If the material is too large for envelopes or similar, the material must be enclosed in two sealed opaque boxes, the marking of which will mimic the envelopes.
       

    3. When IRS personnel hand-carry NSI material in official travel status, the physical transport should avoid using non-U.S. flag aircraft or vessels. Travel must be completed by the quickest, most direct route possible.

    4. NSI should be taken across international borders only when essential and with prior coordination with the authorized personnel’s CDC and management. Additionally, the NSI PM and the AD, Security, via the NSI PM, should be made aware of tentative travel plans prior to booking the trip.

    5. If it is required to hand-carry NSI on travel, the following safeguards apply:

      i. Have senior leadership’s approval to transport NSI via hand-carrying prior to departure.
      ii. An inventory of the NSI pre-departure is completed by the CDC. The CDC will retain one copy of the inventory and provide another to the authorized person completing the travel. Upon the authorized person’s return, the CDC must use the inventory to conduct a review of the NSI to ensure accountability.
      iii. NSI must remain in the physical possession of the authorized person if proper storage in a USG facility is not available.
      iv. Overnight trips should be planned to allow for storage in a USG controlled facility whenever possible, necessitating advanced coordination with State Department officials for overseas trips specifically.
      v. NSI must not be read or viewed during the travel or in any non-USG facility.

  3. NSI must not be delivered to unoccupied offices/rooms or to individuals without a verified clearance and need-to-know; if there is doubt regarding the circumstances, protection of the NSI takes precedence.

  4. NSI delivered in diplomatic or other type pouches or by other Federal agencies, receipted to the IRS, and delivered to the intended recipient (leaving a single layer of protection) is not considered a security violation for purposes of proper packaging/safeguarding.

  5. Packaging requirements for safeguarding NSI during transit will not eliminate the need for screening mail or packages to detect or deflect possible hazardous agents being introduced into IRS facilities.

Transmission of NSI within the USG

  1. NSI will be transmitted and received in an authorized manner, which ensures that evidence of tampering can be detected, inadvertent access can be precluded, and provides a method, which assures timely delivery to the intended recipient.

  2. Use of street-side collection boxes is strictly prohibited for any NSI materials.

  3. Communications Security (COMSEC) must not be transmitted via methods noted in IRM 10.9.1.11.2 or IRM 10.9.1.11.3; contact the Treasury COMSEC manager for specific instructions.

Transmission of Top Secret

  1. Transmission of TS information outside of an IRS facility is only accomplished by:

    1. Person-to-person contact between authorized personnel

    2. State Department diplomatic pouch

    3. The Defense Courier Service (DCS) or an authorized government agency courier service

      i. This is an expensive option and should only be used as a last resort; contact the NSI PM with questions.
      ii. The DCS is intended to securely transport TS information; yet, SCI, Secret, or Confidential may be included, if the NSI destination is the same.
       

    4. A designated courier with TS clearance

    5. Electronic means over approved secure communications systems

  2. Under no circumstances is TS information sent via the U.S. Postal Service (USPS) or any commercial messenger service.

  3. Consultation with the TSCO must take place prior to transmission regarding the methods for the transmission, whether the material will be briefed, to whom it will be given, etc.

  4. IRS does not have the capability to store SCI in its facilities, and therefore, its facilities must not store or process SCI.

  5. Transmission of hard-copy TS requires the use of TD F 15-05.8, Receipt for Classified Information.

Transmission of Secret or Confidential Information

  1. Secret and Confidential information cannot be sent via certified mail.

  2. Transmission of Secret or Confidential within the U.S., District of Columbia, and the commonwealth of Puerto Rico must be carried out by any of the following methods:

    1. One of the means authorized for TS information (subject to the DCS restriction in IRM 10.9.1.11.2 (1)c).

    2. The USPS Express or Registered mail, the waiver of signature, and indemnity block on the label must not be completed.

    3. Cleared commercial carriers or cleared messenger services.

  3. Cleared commercial carriers must be U.S.-owned/operated and must provide automated, in-transit tracking of the NSI and ensure package integrity during transit.

    1. Commercial carriers must cooperate with USG inquiries in case of a loss, theft, or possible compromise of NSI.

    2. The sender must ensure an authorized person is available for the reception of the NSI on the carrier’s estimated delivery date and must verify the delivery mailing address is correct.

    3. The package may be addressed to the recipient by name.

    4. The release signature block on the recipient label cannot be executed under any circumstances.

    5. Transfer of custody to a representative of the GSA-contract carrier for overnight delivery must always be carried out person-to-person.

  4. Transmission of hard-copy Secret requires the use of TD F 15-05.8.

  5. Transmission of Secret and Confidential can be done by electronic means on approved systems (e.g., TSDN).

Receipt for NSI

  1. TD F 15-05.8 is used to receive and account for the transfer of all TS and Secret, regardless of agency of origin.

  2. The TD F 15-05.8 must specify addressee, sender, and an unclassified description of the document.

    1. The recipient (or other cleared support staff) must promptly sign and return the receipt to the sender.

    2. The sender maintains a record of outstanding receipts for use in subsequent tracer actions, if the receipt is not returned within 30 calendar days.

    3. Completed receipts are maintained for a 3-year period, after which they may be destroyed. No record of actual destruction of the receipt is required.

    4. Questions involving this process should be directed to the TSCO or NSI PM.

  3. Responsible senior leadership must determine the administrative procedures required to sufficiently handle the volume of NSI being transmitted or received by their organization in conjunction with assistance from local CDC, the NSI PM, and records management officials.

  4. Several items may be transmitted to the same addressee with one receipt form. The TD F 15-05.8 must be kept unclassified. For example, if a subject title is classified, an abbreviated short form or title will be used, i.e., the first letter of each word in the title/subject line.

Courier Requirements

  1. IRS employees must not be currently detailed to another agency to request a courier card or letter from IRS. If an IRS employee is detailed to another agency and needs to courier NSI, the request for a card/letter must be addressed to the agency where detailed. As soon as the detail has ended, the IRS employee must return the card/letter to the issuing agency and request a replacement courier card from IRS, if required.

  2. Employees with a frequent and recurring need (i.e., minimum of 12 times per year) to hand-carry NSI must request a courier card via a TD F 15-05.12, Request and Receipt for Courier Card. The request must be submitted minimum 14 business days in advance.

    1. Treasury has delegated the issuance of courier cards for CI employees to CI. The CI POC must receive and process TD F 15-05.12 for CI employees.

    2. For all other IRS employees, except CI, TD F 15-05.12 must be sent to the NSI PM.

    3. The AD, Security must sign all courier cards.

  3. Employees requesting a courier card must have a final, valid security clearance and provide, with the TD F 15-05.12, a digitized color photograph on a plain background. The employee must have proof of training on courier responsibilities before the card can be issued.

    1. CI POC or NSI PM must use TD F 15-05.7, Courier Card Badge, to create the courier card.

    2. Upon receipt of the courier card, the employee/courier must sign the TD F 15-05.12 and return it to the CI POC or NSI PM.

    3. CI POC and NSI PM must maintain records of the TD F 15-05.12 until the card has expired for the couriers who have been authorized to carry.

  4. Employees who must carry NSI once or routinely on a non-recurring basis must request a courier letter and have a final clearance. CI POC and NSI PM must use Attachment 2 in the TD P 15-71, entitled "Sample Courier Letter Format," to create the courier letter. The request must be submitted minimum of 14 business days in advance. To request a letter, the employee must provide the following information:

    1. Employee name, level of NSI to be carried, dates of couriering (start and stop).

    2. The employee must have proof of training on courier responsibilities before the letter can be issued.

      Note:

      Information requested must be provided to CI, if the requestor is a CI employee. For all other IRS employees, information must be provided to the NSI PM. The AD, Security must sign all courier letters.

  5. If the card or letter authorizes the employee to carry SCI, Treasury’s Special Security Office (SSO) must be the approving official. IRS cannot store SCI at its facilities.

  6. If the card or letter is expired or no longer needed (e.g., employee is terminating employment with the Business Unit, etc.), the card or letter must be returned to the CI or NSI PM who issued it.

NSI and Foreign Governments

  1. Transmission of US NSI to foreign governments takes place between designated representatives of the respective governments or through channels agreed to by the national security authorities of the governments.

    1. When NSI is transferred to a foreign government or its representative, a signed receipt is required; oral discussion of NSI does not require a receipt.

    2. Coordination with OSP and SSO via the NSI PM is required before transferring NSI to any foreign government.

  2. IRS does not hold NATO or FGI. If a need arises to view or hold NATO or FGI, the NSI PM must be contacted prior to doing so, as there are specific requirements for training, storage, transmission, and handling.

Destruction of NSI

  1. Destruction must obstruct retrieval and prevent recognition and reconstruction. Paper documents must be destroyed using an NSA/CSS EPL approved cross-cut shredder, which cuts to 1mm x 5mm. NSI media must be destroyed using an NSA/CSS EPL approved degausser. Equipment used should meet requirements under the latest issued NSA/CSS EPL guidance, and include:

    1. Technical guidance on destruction (methods, equipment, and standards for disposing) of NSI electronic media and processing equipment may be obtained through the NSI PM. Specifications concerning appropriate equipment and standards for destruction of other storage media may be obtained from GSA.

      Note:

      Storage of media or processing equipment must be in a security container until it can be destroyed.

Destruction Process

  1. Destruction of Top Secret information. TS information, to include duplicates, working papers, etc. will be destroyed in the presence of two authorized persons; one person performs the destruction and the other person serves as a witness. Both individuals must sign the TD F 15-05.5, Classified Document Certificate of Destruction. The completed TD F 15-05.5 must be maintained on file for a three-year period, after which it may be destroyed. No record of the destruction certificate is required. Questions regarding this process should be directed to the TSCO.

  2. Destruction of Secret or Confidential Information. Secret or Confidential information, to include duplicates, working papers, etc., does not require a certificate of destruction.

  3. The destruction of any level of NSI must take place as soon as its utility has ended.

  4. Burn-bags for Temporary Storage. Secret and Confidential, excluding Top Secret, may be torn and placed in sealed opaque containers commonly designed as "burn-bags." Burn-bags feature multiple alternating groupings of red and white diagonal stripes.

    1. Burn-bags awaiting destruction must be protected while in the end-user’s custody. Burn-bags will only be collected, and contents immediately destroyed, by authorized persons.

    2. When not in active use, burn-bags containing NSI are protected commensurate with the level of NSI within.

    3. Use of burn-bags should be limited as NSI requiring destruction should be shredded as soon as possible instead of stored awaiting for bulk destruction.

  5. Destruction of Sensitive Information. Sensitive information must be destroyed in the same manner as Secret and Confidential.

  6. The SCC must ensure that a review of the container take place annually to ensure the removal and destruction of NSI that is no longer needed. The review does not require documentation.

  7. Care must be taken not to facilitate the improper handling of NSI, such as placing a paper recycling box next to an NSI copier or placing burn-bags next to unclassified trash containers.

Processing NSI

  1. NSI may only be processed on approved equipment (e.g., TSDN, TFIN, or accredited systems housed in other agencies).

  2. Information systems approved for NSI processing cannot be connected to any system not approved for classified operation. Systems approved for NSI processing will not share peripherals with unclassified processing equipment except through NSA/CSS approved switching devices. Approval for the use of switching devices must be included in the security authorization documentation.

    1. Prior to using the switch, the individual must be taught appropriate protocols by the IRS or DO IT department. The switch must be labeled on both the unclassified and NSI side with the appropriate stickers: SF 710 for unclassified and SF 706, 707, or 708 for NSI at the respective level.

  3. Refer to TD P 85-01 Volume II and TD 15-03 and/or contact the Treasury Office of the Chief Information Officer (OCIO) for information on uniform procedures to ensure automated information systems, including networks and telecommunications systems, that:

    1. Collect, create, communicate, compute, disseminate, process, or store NSI.

    2. Prevent unauthorized access, ensure information integrity.

    3. Use common information technology standards, protocols, and interfaces that maximize the availability of, and access to, the formats to maximize the accessibility of information to persons who meet the standards set by EO 13526 for access to NSI.

End of Day Security Checks

  1. End-of-day security checks will be conducted in areas that handle, process, or store NSI. The SF 701, Activity Security Checklist, is used to document the check. The SF 701 is a systematic means to thoroughly inspect an TSDN LA (optional for other spaces storing NSI) and to allow for employee accountability if any irregularities are discovered.

  2. The SF 701 must include, per the TD P 15-71, the following items:

    1. "Authorized persons have locked or checked Security containers."

    2. "Desks, wastebaskets, and other surfaces and receptacles are free of NSI."

    3. "Windows/doors are locked."

    4. "Electronic media (such as disks, tapes, removable hard drives, etc.) for processing NSI have been properly stored."

    5. "Security alarms and protective equipment are activated."

    6. Note that individual groups may include additional information on the SF 701 to suit any unique circumstances (e.g., "ensure all emergency exits are engaged in the closed position," "ensure the SF 702 notes that the security container has been checked," etc.).

  3. When securing or checking a security container, check each drawer, and note the completed check on the SF 702 "check by" column.

Security Incidents

  1. Each employee or contractor who is an authorized person is individually responsible for protecting NSI. The obligation comes with the possession of the security clearance and includes safeguarding NSI. Any disregard of the protections for NSI, whether it is intentional or negligent, will result in a security incident. Two types of security incidents exist: infraction and violation.

    1. The local CDC of the Business Unit who "owns" the information/security container that was potentially compromised will serve as the Inquiry Official, unless he/she is materially involved.

  2. Incidents must be reported immediately by the discovering employee but no later than noon the next business day to the local CDC in an unclassified manner whenever possible. If the information cannot remain unclassified, then the report should not be disclosed using unclassified network/telephone lines or verbally disclosed in inappropriate places. The report should cover the incident, the level of NSI involved, whether it occurred via physical or electronic means, etc.

  3. Regardless of the type of incident, it is recorded in the personnel file of the individual(s) at fault for consideration in future adjudications. These reports should take place at the conclusion of the inquiry and the CDC, or inquiry official, must ensure the report to two places:

    1. Treasury’s Office of Counterintelligence using the "Other Reportable Activities" link: https://my.treas.gov/collab/oia/security/Reporting/default.aspx.

    2. An unclassified summary of the incident, to include the given name of the individual identified as being at fault, to Personnel Security Office via the email: hco.ps.national.security.programs@irs.gov.

  4. If the security incident gives an indication of an insider threat, espionage, criminal, or employee misconduct, then the Treasury Inspector General for Tax Administration (TIGTA) must be notified immediately via their hotline (800-366-4484) or email complaints@tigta.treas.gov.

    1. The CDC, or Inquiry Official, must consult with TIGTA on any security incidents that have an indication of the above.

    2. The CDC, or Inquiry Official, should discuss with TIGTA whether TIGTA should proceed with the inquiry or not.

    3. Regardless of who is leading the inquiry, the "clean up" of the incident should proceed to ensure that NSI is not further compromised.

  5. The NSI PM, upon initial notification, reports the incident in an unclassified manner to SAMC.

Security Infractions

  1. Security infractions are incidents involving a deviation from governing security regulations that does not result in an unauthorized disclosure, loss, or compromise of NSI, yet increases the probability of an actual security violation.

  2. Examples of security infractions include but are not limited to the following actions/inactions involving NSI:

    1. Not using security forms for safeguarding/accounting for NSI, such as document cover sheets, SF 700, 701, or 702, open/closed signs, as applicable.

    2. Not having an end-of-day check to ensure that NSI work areas before close of business and/or assuming "someone else" will protect NSI.

Security Violations

  1. Security violations are any knowing, willful, or negligent action that could reasonably lead to an unauthorized disclosure of NSI, to include: repeated abuse of the classification process, either by unnecessary or over-classification, or repeated failure, neglect, or disregard of established requirements for safeguarding NSI. Security violations are grounds for appropriate adverse or disciplinary action.

  2. Examples of security violations include but are not limited to the following actions/inactions involving NSI:

    1. Improper transmission, storage, packaging, reproduction, processing on non-approved IT systems/equipment, marking, and destruction.

    2. Failure to secure NSI, apply required markings, lock the security container or arm security equipment, safeguard COMSEC information, verifying recipients are authorized persons prior to sharing NSI with the result that it was sent to an unauthorized individual, or report the loss or possible compromise of NSI.

Incident Inquiry

  1. Any person who knows or suspects a security incident has occurred must, where applicable, take custody of the NSI material and safeguard it. Others affected (e.g., on an email chain) should be made aware of the incident in an unclassified manner to take appropriate steps to guard the information and do not disclose it to others.

  2. The incident must be immediately reported but no later than noon the following business day in an unclassified manner to the local CDC.

  3. The CDC makes appropriate reports and proceeds with the inquiry IAW Exhibit 10.9.1-5.

    1. Inquiries should be completed within 10 business days of the initial report.

    2. An extension beyond the 10 business days needs to be requested, with a valid justification, to the CDC’s supervisor with a courtesy copy to the NSI PM.

    3. If there is an indication that the inquiry is in relation to an insider threat, espionage, or criminal activity, TIGTA should be immediately notified. If TIGTA decides to lead the inquiry, the CDC should prepare to turn the investigation over to the appointed TIGTA representative.

CDC Self-Assessments

  1. CDCs conduct self-assessments at a periodicity set by the AD, Security but no less than bi-annually. Assessments occur in addition to the annual ISOO required reporting on the SF 311, Agency Security Classification Management Program Data.

    1. Self-Assessments must cover all required aspects per 32 CFR 2001, to include (not limited to): markings on IRS derivative documents and the required annual tracking of derivative documents, internal policies to the Business Unit to ensure compliance with this IRM, personnel knowledge of NSI protection practices, use of SF, contractors with access identified on a NISP-compliant contract, etc.

    2. Self-assessment lines of inquiry (LOI) are set by the NSI PM and provided to CDCs, with a due date no sooner than 60 calendar days.

    3. The CDC determines the random sampling procedures necessary to ascertain the operational ability of their NSI programs, but every security container or space that the CDC oversees must be accessed during the assessments at minimum one time during the fiscal year.

    4. Once the assessment is complete, CDC should provide responses to the LOI, along with issues, the corrective actions proposed to address the issues, and the dates for the closures of the corrective actions, to the NSI PM by the due date.

      i. The corrective actions must align with this IRM, Treasury, and national level policy and be measurable.
      ii. It is the CDC’s responsibility to monitor the implementation and close the corrective actions in a timely manner, once they have been satisfactorily implemented.
      iii. The CDC must inform the NSI PM when a corrective action is closed or why closure is delayed.
       

    5. If issues recur in the same location or across the IRS despite corrective actions being implemented, called a "systemic issue," the AD, Security must propose actions or policy across the IRS to prevent future problems.

  2. CDC’s are encouraged to perform and track additional assessments they choose to perform in addition to those required by AD, Security and ISOO.

  3. It is required that Business Units holding NSI ensure that all personnel with access to NSI are included by completing the SF 311 annually and reporting to NSI PM within FMSS.

CDC Duties and Responsibilities

A primary and alternate CDC must be appointed at every facility that houses NSI under a given senior leader (e.g., if 2 Business Units have NSI at a given facility, each Business Unit must appoint a primary/alternate for their NSI). If the facility is a large, multi-building campus or similar with a multitude of security containers, then senior leadership should make a judgement call regarding how many CDCs should work in concert to ensure the safety of the NSI.

CDC must have a clearance commensurate with the highest level of the NSI at the facility(ies) for which they are responsible. The clearance must be validated prior to appointment and the CDC’s responsibilities removed in the event of the clearance’s lapse. The CDC should:

  1. Serve as the principle advisor to the appointing official and supervisor in matters pertaining to security of NSI.

  2. Liaise with the NSI PM on any questions pertaining to the handling, storage, and care of NSI.

  3. Conduct incident inquiries per requirements and provide timely updates to management and NSI PM.

  4. Liaise with TIGTA, Cyber Security Incident Response Center (CSIRC), and NSI PM on security incidents.

  5. Ensure that access to NSI is limited to cleared personnel with a need-to-know.

  6. Conduct self-assessments per instructions developed by the SAO for the NSI program and promulgated by the NSI PM.

  7. Maintain the Security Container Tracker for all containers used to store NSI under their purview.

  8. Clear security containers prior to excessing or otherwise disposing.

  9. Understand and become proficient at securely changing the combinations of security containers, ensuring that the SF 700 records the changes to the combination and personnel with access to the container, as well as being stored securely in another container with a commensurate level of NSI.

  10. Create and maintain a list of the NSI to be taken on travel, once the travel has been approved. Upon return, the CDC must verify that all NSI has been returned by the authorized person who traveled by comparing the documents to the list.

  11. Implement information and reproduction control measures in line with national and treasury policy and liaising with the NSI PM as needed.

  12. Establish, as needed, further written, administrative procedures for the control of NSI appropriate to their local environment. These procedures must then be used to protect NSI. The CDC promulgates these procedures to local staff and must follow requirements of this IRM. Procedures may cover:

    1. Personnel security clearances and need-to-know verification

    2. End-of-day and after-hours security checks

    3. Security containers combinations storage (i.e., all in one container or less centralized)

    4. Additional protections for NSI telephone conversations in spaces certified by Business Units to host them

The CDC may serve concurrently as the TSCO and Security Container Custodian, particularly in the event where the location has only a few security containers.

TSCO Appointment, Duties and Responsibilities

Steps to requesting a TSCO:

  1. Senior leadership of the Business Unit requesting to hold TS must send a justification, in writing, to the NSI PM detailing the need to hold TS, approximate amount of TS (number of documents, items), length of time the TS will be held for, the room planned to store the TS, certification that the container used is a Class 6 with a FF-L-2740B lock, and assurance that the personnel who will have access to the container have TS clearances (to include TSCO).

    1. The NSI PM gathers more information as necessary and present the justification to the AD, Security.

    2. The AD, Security, if security-in-depth is lacking at the facility, decides if the justification warrants the physical security upgrades to the space and the facility’s Federal Protective Services (FPS) Protective Services Officers (PSO) contract.

    3. Requesting Business Unit cannot hold TS until the space meets the requirements specified in 32 CFR 2001.43.

  2. TSCO Duties and Responsibilities:

    1. Initially receive and open all TS information within their organization or made aware of the incoming TS document immediately upon its arrival. This includes TS information delivered to the agency by outside courier and/or brought back to the agency by an authorized person. All incoming TS must be brought to (and logged in by) the TSCO by the next business day.

    2. Maintain current accountability records of TS information received within their office and attendant supply of TS document forms.

    3. Ensure TS information is properly stored, shared, transmitted (to include use of required forms, double-wrapping, systems used, etc.) and that such information under their personal custody is destroyed under two-person control and that the destruction is documented.

    4. Strictly follow prohibitions against reproduction of TS information discussed in IRM 10.9.1.9.

    5. Maintain the TD F 15-05.4, Document Control Register, for all TS information held by the Business Unit. This includes assigning TS Control Number to all incoming and newly created documents in a calendar-year sequence (e.g., for CY2020: TS 20-001 and TS 20-002, where "20" is the calendar year when the document is initially recorded and the "001," "002" are the first and second documents, with numbers continuing sequentially). The control number must be noted on the front page of the document in a conspicuous place. Accountability records must be kept unclassified and can be stored in the security container housing the information so long as the TSCO maintains a backup.

    6. Conduct an annual physical inventory of TS information within the organization under their purview using the TD F 15-05.4, with the designated alternate TSCO (if appointed) or another authorized person to serve as a witness. The results will be provided in an unclassified, written report maintained by the TSCO for review during self-assessments. If there are unaccounted for documents, it is treated as a security violation, and the report includes a plan of action with identifiable milestones and dates for resolving whatever circumstances caused the material to be lost or missing.

    7. Downgrade, declassify, retire, or destroy TS documents, as appropriate, to the markings and/or other caveats on such information.

    8. Affix a TD F 15-05.10, Top Secret Document Record, as well as the TD F 15-05.8, to all copies of Top Secret information leaving the immediate office/IRS prior to delivery to other offices for record/response. The TD F 15-05.8 is maintained for the life of the document.

    9. Maintain accountability records, receipts of the transmission and destruction of TS information for three years from the last date noted and receive follow-up reports from alternate/subordinate TSCO concerning their TS documents, as appropriate.

  3. Verify IRS recipients have a TS security clearance via Personnel Security Office, need-to-know by discussing with their management, and storage capability approved by AD, Security prior to the information being released and/or assigned to appropriate staff for action/response.

TSCO and CDC Appointment Language

  1. TSCO and CDC appointments must be made to the NSI PM via email. The email must come from the senior leadership’s account or their Administrative Assistant with a carbon copy (CC) to the senior leader.

  2. If a TSCO or CDC can no longer perform their duties, a replacement must be appointed within five business days of the departure. It is requested that a replacement be appointed in advance, if possible.

  3. The TSCO and CDC appointment language is in a) and b) below. The bolded portions in parenthesis must be replaced with the appropriate information before being sent to the NSI PM.

    1. TSCO:
      "In accordance with IRM 10.9.1, Classified National Security Information, (given name of person) is appointed to the position of Top Secret Control Officer for (name of Business Unit) at the (facility, campus, etc.). (Name) has been verified to have an active, in-scope Top Secret clearance. (Name) is aware that it is (his/her) duty to understand and perform all the requirements noted in IRM 10.9.1 for the position of Top Secret Control Officer."

    2. CDC:
      "In accordance with IRM 10.9.1, Classified National Security Information, (given name of person) is appointed to the position of the Primary Classified Document Custodian (CDC) and (given name of person) is being appointed to the position of Alternate CDC for (name of business unit) at the (facility, campus, etc.). (Name) and (Name) have been verified to have an active, in-scope clearance at the level of the information being protected. (Name) and (Name) are aware that it is their duty to understand and perform all the requirements noted in IRM 10.9.1 for the position of CDC."

Security Container Custodian Duties and Responsibilities

The first individual noted on the SF 700 Part 1 is the Security Container Custodian; no formal designation beyond that is needed.

  1. Ensure anyone requesting access to the security container be verified to have the clearance of the highest level of information stored in the security container and the requisite need-to-know prior to being added to the SF 700.

  2. Ensure all individuals requiring knowledge of the combination must be listed on the SF 700, an addendum may be affixed to the SF as required in instances where many individuals share one container.

  3. Ensure the individuals with access to the container properly use the SF 701, as required, and SF 702. Any failure to do so is brought to the attention of the employee and their direct manager, as well as be considered an infraction.

  4. Become knowledgeable on how to change the combination to security containers securely or contact the local CDC, when required, to perform the combination change. Ensure use of the SF 700 to record the changes to the combination and personnel with access to the container and that the combination is secured in another security container storing, at minimum, the same level of NSI.

  5. Ensure employees with access to the security container perform an annual review of their material in the container annually to ensure that it is appropriately marked, that it is still required for job performance/records purposes, and that it is destroyed in an NSA/CSS EPL approved shredder.

  6. Work with the CDC, or Inquiry Official, in the inquiry related to the security incidents.

  7. Conduct the inquiry for a Security Incident, if requested by the CDC Manager (or other Managerial level), if the CDC is unable.

  8. Ensure the protocols laid out by the CDC locally and this IRM are followed for the security container(s) under the Custodian’s purview.

  9. Ensure the CDC is aware of security container movements or decommissioning, email is suggested to provide documentation.

  10. Clear the security container prior to its being decommissioned, IRM 10.9.1.8.4 (7), then work with the CDC to have it dispositioned.

Incident Inquiry

The following steps must be accomplished to ensure that a security incident is reviewed appropriately to prevent recurrence and remedy any vulnerabilities. All communications, written or verbal, should be kept unclassified, unless it is impossible to do so, and must accurately convey the facts regarding an incident. If NSI discussions must be had, regardless of form, appropriate planning must take place to securely accommodate them.

  1. Discovery: The discovery of a security incident, whether it is an infraction or violation, must be reported in an unclassified manner no later than noon the next business day to the SCC (as applicable), local CDC, Business Unit management, and NSI PM. CI may have additional reporting requirements to the aforementioned. The NSI PM will notify Treasury OSP and, depending on the incident, may make additional notifications to others such as the IRS/Treasury COMSEC manager or SSO. The evidence related to the incident should be left as is (e.g., preserve SF 702 not filled out, etc.), unless the NSI is at risk of further compromise. If the incident is related to a security container found open, for example, then the container should be closed properly prior to the discovering employee leaving to make reports. NSI must always be secured to prevent further potential compromise.

    1. If the incident was caused by an employee from another agency, but involved IRS employees, notification to the CDC and NSI PM is still required, but no further inquiry actions are required. Cooperation with the at-fault agency’s inquiry is expected.

    2. If an IRS employee detailed to work at an Embassy or another agency is at fault for a security incident, notification to the IRS employee’s CDC, IRS manager, and the NSI PM is required, no later than noon the following business day. IRS will not carry out the inquiry, but the employee must provide their CDC, IRS manager, and NSI PM the finalized report and all attachments. The requirement for the TD F 15-05.6, Record of Security Violation, remains.

    3. If the incident involves TSDN, then Treasury’s OCIO must be notified.

    4. If the incident appears to meet the threshold of TIGTA reporting, then the CDC must report it to TIGTA per IRM 10.9.1.16 (4).

  2. Categorization: The CDC, as the Inquiry Official, decides on the categorization of the incident as an infraction or a violation. This decision must be made within three business days. If in doubt, CDCs will categorize the incident as a violation (higher level incident) pending information that determines the incident was an infraction (lower level incident); inquiries will follow that required for a violation until proven otherwise.

    1. The CDC must inform the NSI PM and the CDC’s management of the categorization of the incident and the justification behind it.

      i. If the CDC requires more time to determine whether unauthorized disclosure was likely to have occurred or did occur, the CDC must communicate with management and the NSI PM.

    2. The process of inquiry is based on the decision as to whether the incident is an infraction or violation.

    3. The primary CDC should conduct the inquiry unless he/she is part of the incident in a material way; if the primary CDC should not conduct the inquiry, then the alternate CDC or a local SSC should be chosen by the manager of the CDC (or other managerial level individual) to serve as Inquiry Official.

    4. All information concerning an inquiry is addressed towards the CDC, but it is required of whomever who is serving in the capacity of Inquiry Official to follow it.

  3. Security Violation: Inquiries for these types of incidents should be comprised of (a)-(h) below, at minimum. Given the fluid nature of violations and their associate inquiries, the following steps are not necessarily listed in the order they should occur though associated timelines must be respected.

    1. Ensure that NSI is secured by protecting the physical material or informing those who may be in possession of the material (whether a physical copy, email, piece of equipment, etc.) in an unclassified manner that it should be secured and not disseminated further. This step is paramount.


      i. If the spillage occurred by having NSI on a system not cleared to the classification level of the NSI compromised, then the email should not be opened or deleted. Anyone receiving the email should be instructed not to access, forward, download attachments, etc., but the email should be left in the inbox.

      • CSIRC should be contacted immediately by the CDC for further instructions.

      • For incidents involving IRS CI, CIDATASPILL@ci.irs.gov should be contacted immediately by the CDC in an unclassified manner.


      ii. A validation of clearance level should be done on all individuals within the IRS, to include those detailed, contracted, etc., who may have had access due to the spillage.
      • Individuals with the appropriate clearance but without need-to-know can be debriefed verbally by the CDC, so they are aware of their duty to protect the NSI.

      • Individuals without the appropriate clearance must be debriefed using an SF 312, unless it is pertinent to not draw their attention to the NSI they encountered (e.g., if they overheard an NSI discussion but did not know it was NSI). It is the CDC’s prerogative to decide what course of action is appropriate to fit the circumstances.
        If debriefing occurs, it is the CDC’s responsibility.

    2. Report any violation to TIGTA that involves insider threat, espionage, criminal conduct, or employee misconduct. Discuss with TIGTA whom should handle the inquiry.

    3. If it was an IRS-caused issue, the CDC must notify other agencies affected in an unclassified manner as soon as possible, but no later than one business day after the incident was discovered to prevent the spread.

    4. Fill out a preliminary TD F 15-05.6 within two business days of the incident, being categorized as a violation, and submit the form to the NSI PM. This form can be resubmitted as the inquiry proceeds, as needed, but it is required to be completed as part of the final submission to the NSI PM.

    5. The CDC gathers pertinent facts regarding the "who, what, where, when, why" of the violation to include, but not limited to: names and interviews of personnel involved, related evidence (SF 701, 702, etc.), review of alarm logs, signed statements, etc.


      i. The NSI involved should be identified by the highest classification involved and originating agency.


      ii. If interviews are conducted, open-ended questions should be used as much as is practicable and care should be taken not to lead the interviewee to an answer. Means of recording the interview using official equipment can be used, if the interviewee agrees, on the record, to being recorded. Instead of recording, notes taken by the interviewer should be clarified for correctness with the interviewee prior to concluding the interview.


      iii. If sworn statements are taken, the full name, position title, and date of those giving the statements must be at both the top and conclusion of the statement to preclude any other information being added without the individual’s consent. The individual must also sign the bottom.


      iv. The goal of the inquiry is to understand whether compromise occurred and to mitigate the chance of a recurrence of a future incident. The CDC must develop corrective actions in line with the policy contained within this IRM, Treasury, and national guidelines to mitigate the potential of a future incident and monitor for implementation.

    6. Once all information has been collected and reviewed, a timeline of the incident should be established using a date/time format to include individuals involved, notifications made, as well as attachments, information on corrective actions, the final TD F 15-05.6, and a summary (covering “what, where/when, who, and why”). This must be provided to the NSI PM and the CDCs management. The inquiry and report must be completed within 10 business days.

    7. If a violation has potential for media interest, the NSI PM should be made aware immediately with an unclassified description of pertinent facts. The NSI PM will brief the issue for disposition by the AD, Security.

    8. If the incident involved a contractor in a material way, the COR, CO, and NSI PM must be notified so that the notification of the incident and final inquiry report can be submitted to the DCSA.

  4. Security Infraction:

    1. Once the CDC has determined that the incident is an infraction, CDC should investigate the events surrounding it to determine the following:


      i. What: The infraction should be spelled out plainly in a short description of the incident.



      ii. Where/When: The reporting infraction should be able to provide where it occurred (e.g., which security container was left open, when it was found open, when it was last opened (date/time), who opened it, etc.).


      iii. Who: The name of the individual(s) who perpetuated the infraction, as well as individuals involved, and notifications made.


      iv. Why: How did the infraction happen? Was it attributed to forgetfulness, inattention to detail, misunderstanding protocol/training issue?


      v. Corrective Actions: How will the infraction be prevented in the future. Corrective actions will be monitored for implementation by the CDC.

    2. Once the above has been addressed, all information in a simple report covering the five topics should be sent to the CDC’s manager and NSI PM within 10 business days.